With the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, many firms that collect personal information will need to carefully consider whether the CCPA applies to them, whether they handle personal information of California residents subject to the CCPA, and, if so, what steps they need to take in order to comply with the CCPA in the new year.
Firms should consider:
- Even if they are exempt from the CCPA for personal information they process that is already subject to the Gramm-Leach-Bliley Act (GLBA), they may not be fully exempt if they process any personal information not subject to the GLBA.
- The CCPA applies not only to firms in California but also to firms that do business in California and have annual revenues of over $25 million.
- The CCPA's broad definition of personal information includes all personal information related to an identified or identifiable consumer, not just non-public personal information (NPI).
- Unlike the GLBA, the CCPA covers information that identifies an individual engaged in business-to-business transactions.
Are Firms Fully Exempt Under the Gramm-Leach-Bliley Act?
Private fund managers that are SEC-registered investment advisers and many other regulated entities (e.g. broker-dealers) that collect personal information are already subject to the federal Gramm-Leach-Bliley Act (GLBA). In general, the GLBA protects non-public personal information (NPI) of a consumer. Although there is an exemption from the CCPA for personal information that is subject to the GLBA, this exemption is not a full exemption for GLBA-regulated entities. These firms are still subject to the CCPA to the extent that they process personal information that is not subject to the GLBA, which many firms do. Therefore, the new California privacy rules could nevertheless apply to certain information that private fund managers and other firms collect.
Is The CCPA Limited to California Firms?
The CCPA applies to, among others, firms that do business in California, have annual gross revenues of more than $25 million and collect personal information from "consumers". The revenue threshold is measured on worldwide revenues, not just revenue in California. More information is available here.
The CCPA defines "consumers" exceptionally broadly — natural persons who are California residents. Therefore, for private fund managers and investment advisers, this could include fund investors, prospective investors, advisory clients, employees, job applicants and business contacts who are residents of California.
What Type of Information Does CCPA Cover?
The CCPA is much broader than the GLBA. "Personal information" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This means that the CCPA applies to all personal information relating to an identified or identifiable consumer, not just information that is NPI. The CCPA identifies a number of examples, including online identifiers, Internet Protocol addresses, commercial information (such as records of personal property purchased or considered), information collected from website visitors, audio and video recordings, professional and employment-related information and email addresses. ("Personal information" does not include, among other things, publicly available information that is lawfully made available from federal, state or local government records.)
Also, unlike the GLBA, which does not cover information from individuals affiliated with an entity, the CCPA's broad definition of "personal information" includes information that identifies an individual person who engaged in business-to-business transactions. For example, this would cover the email address, social security number, driver's license number and passport number of an individual (e.g. an authorized signatory) acting on behalf of a fund investor or client. (We note, however, that there is a one-year moratorium for certain provisions of the CCPA for employee data and certain data from other businesses collected in the business-to-business context. The requirements to notify consumers prior to collection of information and the statutory damages provisions of the CCPA nonetheless apply as of January 1, 2020.) More information is available here.
What Firms Should Do.
If they have not done so already, firms should determine whether or not the CCPA applies to them. If the CCPA does apply, firms should take steps to comply with it, including beginning "data mapping" — identifying the type of personal information that is being collected from California consumers.