The California legislature recently adjourned its 2022 session without extending several exemptions from the California Consumer Privacy Act of 2018 (CCPA). As a result, due to the California Privacy Rights Act (CPRA) amendments to the CCPA that go into effect on January 1, 2023, compliance with the CCPA will become more complicated for in-scope asset managers and financial institutions that have: California-resident employees or job applicants; and/or business contacts resident in California.
CCPA’s Current Limited Impact on Federally Regulated Financial Institutions
As an initial matter, the CCPA currently applies to any for-profit entity that is a “business” because it: does business in the State of California; collects the personal information (PI)[1] of California consumers[2] and alone or jointly with others determines the purposes and means of the processing of consumers’ PI; and satisfies at least one of the following thresholds: it has annual gross global revenue of over $25 million; it annually buys, receives for the business’s commercial purposes, or sells the PI of 50,000 or more consumers, households or devices; or it derives 50% or more of its annual revenues from selling consumer PI.
While many asset managers and other covered institutions satisfy these threshold requirements, the CCPA has had a limited impact on most participants in the asset management industry due to various exemptions. For example, the CCPA does not apply to PI “collected, processed, sold, or disclosed” pursuant to the Gramm-Leach-Bliley Act[3] (GLBA carve-out). This means that the CCPA generally does not apply to the normal-course collection and sharing by GLBA-covered institutions of PI collected from or about individual consumers to whom a financial product or service is provided. The CCPA also includes partial carve-outs for PI collected from California-resident representatives of businesses (B2B carve-out) and California-resident employees, contractors, job applicants, directors and officers (Employment carve-out).
January 1, 2023: Key CCPA Carve-Outs Expire
On January 1, 2023, key carve-outs that allowed asset managers and other financial institutions to reduce their CCPA compliance obligations will fall away. While the CCPA, as amended by the CPRA, merely modifies the applicability threshold for covered businesses,[4] the CCPA’s Employment carve-out will expire on that date. This change will require covered institutions to treat PI of California-resident employees, contractors, job applicants, directors and officers as fully “in scope” of the CCPA. As a result, such entities will need to deliver a compliant privacy notice to such individuals, which provides them with their full California privacy rights, including the right to: access and delete PI; correct inaccurate PI; and limit the use of “sensitive” PI (in each case, subject to certain exceptions).
The B2B carve-out also will expire on January 1, 2023. Covered institutions therefore will need to provide California-resident representatives of businesses (e.g., representatives of institutional clients or prospects, representatives of service providers) the full suite of California privacy rights. Covered institutions also will need to consider whether they engage in “purchases” or “sales” of PI in the B2B context – such as through participation in data enrichment subscription services that use PI received from third-party providers – that may require them to provide additional privacy notice disclosures and/or “opt-out” rights to impacted California residents.
Final Regulations Likely Will Add to Financial Institutions’ CCPA Obligations
The California Privacy Protection Agency (CPPA) is tasked with issuing regulations pursuant to the CCPA, as amended by the CPRA. The CPPA published initial proposed regulations for notice and comment on July 8, 2022, and the comment period ended August 23, 2022.[5] It then released modified proposed regulations on October 17, 2022, in connection with its October 28-29, 2022 Board meetings.[6] On November 3, 2022, the CPPA published the modified proposed regulations for notice and comment. The written comment period will last 15 days, closing at 8:00 AM PT on Monday, November 21, 2022. While the modified proposed regulations (at 73 pages) are substantial and add to the CCPA’s statutory requirements, they also continue to be very much in flux. For example, the modified proposed regulations still do not address some key issues (e.g., requirements regarding automated decision making and profiling). Nonetheless, in-scope asset managers and other institutions should monitor the text of the modified proposed regulations to ascertain the potential breadth of future obligations.
An Update on Enforcement
The effective date of the CPRA amendments to the CCPA is January 1, 2023. The CPRA amendments will not be enforced until July 1, 2023, and then only for violations occurring on or after that date. Both the California Attorney General (CA AG) and the CPPA will have full enforcement authority. In addition, a private right of action exists for certain data breaches involving consumer PI.
Notably, the CPRA amendments do away with the current mandatory 30-day cure period for alleged noncompliance with the CCPA, which begins after the CA AG sends a notice of alleged noncompliance to a business.[7] The CPPA will instead have discretion as to whether to provide a business with time to cure an alleged violation.
Many financial institutions, including SEC-registered investment advisers, are actively engaged in updating their privacy programs to comply with the new CCPA obligations to which they will become subject on January 1, 2023. Financial institutions are also actively monitoring the CPPA’s rulemaking process. Asset managers and other GLBA financial institutions that have not recently assessed their California privacy compliance obligations should act swiftly to begin doing so. With the expiration of the Employment and B2B carve-outs, additional categories of individuals will have rights under the CCPA that in-scope managers and other institutions will need to account for.