The California Consumer Privacy Act (CCPA), effective January 1, 2020, is the first comprehensive data protection law in the United States. In contrast to most United States data protection laws, which apply only to certain industries, the CCPA regulates organizations in any industry that meet the statutory requirements. Our team of privacy and cybersecurity attorneys developed this FAQ specifically to assist our investment management clients with CCPA compliance strategies.

What is the purpose of the CCPA?

The CCPA provides California residents (referred to in the CCPA as “consumers”), households, and devices with enhanced protection of personal information (defined within the CCPA), and the right to control the collection, use, and disclosure of such personal information (online and offline). If your investment management firm collects or processes this personal information, then the CCPA may apply, whether or not your business has any presence in California.

How is the CCPA enforced?

Enforcement actions are handled by the California Attorney General and have the potential for stiff fines. The CCPA also allows individuals to pursue private causes of action against a business for a data breach resulting from failure to implement “reasonable security practices” and to receive statutory damages without any need to prove actual harm.

Is our firm subject to the CCPA?

An investment management firm is a “business” regulated by the CCPA if it is a for-profit organization that (i) does business in California; (ii) collects or processes the “personal information” of California consumers, households, or devices (or on whose behalf such information is collected or processed); and (iii) meets one of the following three criteria:

  • Buys, sells, or receives for the business’s commercial purposes the personal information of 50,000 or more California consumers, households, or devices per year; or
  • Derives at least 50 percent of its annual revenue from “selling” California consumers’ personal information.

The CCPA also applies to entities that control, or are controlled by, a CCPA-regulated business and share common branding with the CCPA-regulated business; service providers that process personal information on behalf of a business; and third parties that have relationships with businesses.

What do all these key terms actually mean?

The CCPA has its own unique definitions that inform each provision of the law, including the qualifying criteria. In particular, the CCPA’s definitions of “personal information,” “consumer,” and “sell” impact the determination of whether and how the CCPA applies to an investment manager.

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device.

“Consumer” refers to any resident of California, including individuals, employees, contractors, job applicants, directors and officers, prospective investors, and business contacts.

“Sell” encompasses renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer’s personal information for monetary or other valuable consideration.

I’ve heard that financial services organizations are exempt from the CCPA. True?

No industry is exempt from the CCPA, but specific categories of data may be exempt. Specifically with respect to financial services, including investment management firms registered as investment advisors with the Securities and Exchange Commission, nonpublic personal information processed by a financial institution under the Gramm-Leach-Bliley Act (GLBA) is not regulated by the CCPA. All other personal information of California residents, households, and devices processed by the investment management firm is governed by the CCPA, including personal information pertaining to employees, business contacts, and online activities.

As a result, information available to a registered investment manager and protected by the GLBA covers most but not all information that is protected by the CCPA.

What are some examples of personal information investment management firms may be collecting that is not governed by the GLBA but is subject to the CCPA?

The definition of “personal information” under the CCPA is broader than the definition of “nonpublic personal information” under the GLBA in several ways. First, under the CCPA, personal information includes information that is reasonably linked or associated with a household or a device, not just an individual resident of the state of California. Second, nonpublic personal information under the GLBA focuses on information of an individual who has a consumer relationship with the investment management firm. In contrast, the CCPA governs information collected about consumers generally, regardless of whether those individuals have a consumer or customer relationship with the firm. For example, the CCPA governs personal information collected concerning your employees, contractors, and job applicants; prospective investors and referral sources; behavioral marketing information, including consumer profiles; website visitors; or business contact information of employees of an institutional investor, supplier, or vendor. None of the foregoing categories of personal information are subject to the GLBA.

Our firm already complies with the GDPR, and surely that’s enough to cover the CCPA, right?

Unfortunately, it is not. While the General Data Protection Regulation (GDPR) clearly influenced the CCPA, there are substantial differences between them. Investment management firms should be able to leverage some of the work done for GDPR compliance, but compliance with the CCPA imposes new and different requirements.

Once it’s determined that the CCPA regulates our firm, what are the next steps?

The CCPA compliance process may differ among investment management firms due to location, scope of operations, and other factors specific to each firm. At a high level, the requirements for compliance with the CCPA can be summarized in three main categories:

  • Data inventory. The first step, and the most critical, is to inventory the personal information collected by or on behalf of the business that is not covered under the GLBA exception. Essentially, this means being in a position to answer the following questions:
    • What personal information was collected from or about consumers, households, and devices during the past 12 months (online and/or offline), and where is it located?
    • What is the source for such personal information?
    • What are the business purposes for collecting such personal information?
    • With whom has such personal information been shared, or with whom will such personal information be shared?

Additionally, using alternative data, selling/sharing personal information, and offering financial incentives for personal information should be considered with special care, because the CCPA imposes enhanced requirements with respect to each of these activities.

  • Disclosure requirements. The CCPA mandates (i) providing notice to California residents at or before each instance of collecting their personal information; and (ii) updating the investment management firm’s privacy policy with information specifically for California residents, including the categories of personal information collected, the third parties with whom the information is shared, and a description of the applicable consumer rights granted to California residents under the CCPA. Typically, these requirements can be satisfied by updating or supplementing subscription agreements, although additional steps may be necessary for some businesses. The Regulation S-P privacy policy already included in most registered investment managers’ subscription agreements is separate and unaffected by the CCPA.
  • Consumer rights requests. To honor consumer rights requests, investment management firms must develop and disclose mechanisms to receive, verify, and respond to consumer rights requests, and train their personnel to process them within the time frames required by the CCPA.

The CCPA’s effective date was Jan. 1, but there is a 12-month “look-back” for compliance purposes. Covered organizations are responsible for the personal information of consumers, households, and devices that was collected or received during 2019. Initially, civil actions and enforcement proceedings could focus on that time frame.

During Q4 2019, California passed seven amendments to the CCPA, and the California Attorney General released extensive draft regulations. In mid-February, the Attorney General issued substantially revised regulations for additional public comment. California is expected to continue modifying the CCPA in 2020.