California Consumer Privacy Act and Asset Managers: What You Need to Know

There has been much discussion about the California Consumer Privacy Act ("CCPA") enacted in 2018 and effective January 1st, 2020. The CCPA secures new personal information privacy rights for California consumers and regulates the data collection practices of certain businesses, including asset managers. 

While CCPA was effective January 1st, if you are not already in compliance, it's not too late to get started as the California Attorney General cannot bring enforcement action until six months after publication of that offices's regulation, or July 1st, 2020, whichever comes first. Mitigating your risk sooner rather than later will help to ensure you avoid costly fines and enforcement.

How are Businesses Defined Under CCPA? 

Businesses that are impacted by CCPA are specific. Under CCPA, businesses are defined as:

A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information.

In general, the law will only apply to asset managers collecting personal information of California residents (even if the management company, adviser, and/or fund are not organized under California law or don't have physical presence in California) and who have more than $25 million of annual gross revenue.  

This article at the Hedge Fund Law points out that:

In calculating the $25 million in annual gross revenue, fund managers operating with a bifurcated management structure (separate management company and general partner entities) will likely have to aggregate the revenues of the general partner and management entities. The CCPA expands the definition of a "business" to entities who control or are in common control with another business and which share a common branding. In this case, if the threshold is met across both management entities, each entity will be subject to the provisions of the CCPA. If the general partner and investment manager do not share common branding, our view is that the revenues of the entities will not need to be aggregated.

It is also worth pointing out that there has yet to be definitive guidance as to whether "revenue" distinguishes between management fees and carried interest so it would be prudent to read this revenue threshold broadly unless and/or until there is further guidance.

The Information That's Subject to CCPA 

The good news for investment advisers is that there is an exemption from many of CCPA's requirements for information that is subject to Gramm Leach Bliley Act ("GLBA") and it's implementing regulations. For registered investment advisers (RIA) the implementing regulations are those of the SEC's Reg S-P. For exempt reporting advisers (ERA) and state-registered advisers, the implementing regulations are CFPB's Reg P. "Personal Information" is defined in the same way between Reg S-P and Reg P and so if personal information collected by the adviser is subject to GLBA then the CCPA technically does not apply to that information. 

The critical analysis for an adviser as a result is whether they collect any personal information as defined by CCPA that is not already subject to GLBA. For many investment advisers, and especially for hedge and other private fund advisers, it is likely that most, if not all, of the personal information collected is already subject to GLBA and therefore - at least as CCPA is presently worded - will be exempt from a bulk of the CCPA's requirements.

However, the CCPA's private right of action for damages from a data breach will remain applicable to an adviser even if otherwise exempt from CCPA due to GLBA exemption. A requirement for such private lawsuit is that the breach results from a "violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information." An adviser fully complying with GLBA should have built-in defenses to a private lawsuit under CCPA as a result but still might have exposure to the legal costs for defending this sort of allegation.

If You're a Asset Manager Who Is Subject to CCPA, What's Next?

What should you do if you're potentially subject to the CCPA? Start thinking about the following steps:

Be Prepared to Act

Within 45 days of a CCPA request, you will need to be able to provide a client with: 

• Access to their specific personal information, free of charge: Clients have the right to know the categories of this specific personal information and the ways those categories will be used. 
• Rights with respect to data portability: The personal information may be delivered by traditional mail or electronically. It must be in a format easily transmitted from the client to another entity.
• Data deletion: As long as the personal information is no longer needed to fulfill transactions, warranties, or other business agreements with the client, and if deletion won't compromise security or legality, you must delete the data from its own records. You must also direct associated service providers to delete the personal information. 
• Non-discrimination for exercise of any CCPA right: You may not deny the client goods or services (or lower goods/services quality), charge them differently than other clients, or even suggest that these might be the case with data deletion. An exception to this is if costs or quality are unavoidably compromised without the personal information. 

Review and/or Update Privacy Policy

You may need to update your privacy policy to inform clients of their rights under the CCPA and instructions on how to exercise those rights. 

The Better Business Bureau recommends specifying the categories of personal information being collected, the purpose for each category's collection, opt-out links, client rights under the CCPA, and methods for submitting requests. 

Managers who are RIAs should also distribute their annual privacy policy update to all clientele in January or as soon as possible.

Update the Website Policy if You Collect Personal Information

When you operate a website that collects personal information ) you must publish CCPA-compliant privacy disclosures on the website. 

For example, if you have an online portal, you need a disclosure for that. If your website also collects data, you'll need a separate one for that, too.

In fact, experts point out that consumers can sue when there isn't a clearly visible footer on the website that allows a person to opt out of data sharing. If your website does not collect personal information, it needs no separate disclosures. 

Consider Updating Service Provider Agreements

As this article points out, "data intermediaries, partners and service providers may also be subject to the CCPA." 

Given the third party administrators and auditors will maintain client personal information, you may want to consider updating your agreements to include a representation from the service provider that it is in compliance with CCPA regulations. 

Asset managers are accustomed to integrating layers of compliance into their operations. While there could be future amendments to the CCPA, as well as expected implementing regulations, the central requirements of the law are not expected to change significantly. Other states are likely to take a page from California's book, however, so it might make sense to start considering a nationwide "data management" standard to guide internal operations. Planning ahead and being proactive with your data management is an investment worth making. For a more in-depth explanation of the terms of the CCPA, refer to Dan Burke's article.

The SEC has made it clear in recent years that cyber security and privacy issues are a priority for the examination and enforcement groups. With both CCPA and SEC putting privacy and data protection in the spotlight, asset managers are well-advised to make an extra effort to update and strengthen their privacy policies and procedures.

Over the past several years, well-brokered cyber liability policies have been expanded to cover fines, penalties, or statutory damages connected with CCPA and similar regulations. This is in addition to covering legal expenses in connection with violations of privacy, breaches in network security and other costs incurred following a breach events. Talk to your insurance broker to make sure both the scope of your liability policy and limits are adequate to address this increasing exposure to your business.