Financial services firms with clients in California should take note of a new state law giving individuals the right to access personal data that has been collected about them, opt out of the sale of that data and demand its deletion.
The California Consumer Privacy Act, which took effect Jan. 1, applies to companies that have annual gross revenue exceeding $25 million, collect personal information of 50,000 people a year or derive half their annual revenue from selling consumers’ personal information.
Companies don’t have to be domiciled in California to fall under its jurisdiction; they need only have clients based there. Regulations implementing the legislation are not yet finalized but will be forthcoming on or before July 1, as mandated by the law, according to California Attorney General Xavier Becerra.
Registered investment advisory firms with less than $2.5 billion in assets likely won’t be subject to the new law, but larger RIAs and dually registered firms will, along with brokerages and insurers with California clients, unless they are exempted by carve-outs as a result of superseding federal law.
Registered broker-dealers and investment companies, for example, are subject to privacy policies mandated by the Securities and Exchange Commission’s Regulation S-P, which implements requirements in the Gramm-Leach-Bliley Act (GLB) of 1999, but their exemptions from the California law are murky.
“The scope of this carve-out is not completely clear,” says Gail Bernstein, general counsel of the Investment Adviser Association. She added that her association, which represents 650 SEC-registered investment advisers, including many who “could easily be captured” by the new law, is “getting a lot of questions” about it.
“Everyone is concerned about this and trying to figure out whether or not it affects them,” says Bernstein. “Even if it doesn’t directly apply to them, other regulations are coming down the pike that might apply to them.”
The California privacy law “should be a heads up, an alert, to what’s coming on the horizon,” says Evelyn Zohlen, founder of Inspired Financial in Huntington Beach, California, chair of the Financial Planning Association and its 2019 president. “It’s only a matter of time before such legislation starts drifting downmarket into other states as well.” She added that the law currently affects few RIA firms.
The CCPA uses a very broad definition of personal information beyond the usual names and passport and license numbers. Its definition includes household information and internet browsing history, for example, and all the data covered would have to be provided to individuals upon request.
The law also differs from other privacy regulations in its broad universe of covered companies. Traditionally, U.S. privacy protections have been industry-specific, such as Health Insurance Portability and Accountability Act requirements for health care providers, enforced by individual federal agencies. “CCPA is across the board,” says Bernstein.
The California law is designed primarily to capture the personal information that internet companies like Facebook and Google collect on users — information that is key to their business model — but its coverage goes well beyond that.