A pointillist image of an unlocked lock, with each point being a person (Image: Shutterstock)

Financial services firms with clients in California should take note of a new state law giving individuals the right to access personal data that has been collected about them, opt out of the sale of that data and demand its deletion.

The California Consumer Privacy Act, which took effect Jan. 1, applies to companies that have annual gross revenue exceeding $25 million, collect personal information of 50,000 people a year or derive half their annual revenue from selling consumers’ personal information.

Companies don’t have to be domiciled in California to fall under its jurisdiction; they need only have clients based there. Regulations implementing the legislation are not yet finalized but will be forthcoming on or before July 1, as mandated by the law, according to California Attorney General Xavier Becerra.

Registered investment advisory firms with less than $2.5 billion in assets likely won’t be subject to the new law, but larger RIAs and dually registered firms will, along with brokerages and insurers with California clients, unless they are exempted by carve-outs as a result of superseding federal law.

Registered broker-dealers and investment companies, for example, are subject to privacy policies mandated by the Securities and Exchange Commission’s Regulation S-P, which implements requirements in the Gramm-Leach-Bliley Act (GLB) of 1999, but their exemptions from the California law are murky.

“The scope of this carve-out is not completely clear,” says Gail Bernstein, general counsel of the Investment Adviser Association. She added that that her association, which represents 650 SEC-registered investment advisers, including many who “could easily be captured” by the new law, is “getting a lot of questions”  about it.

“Everyone is concerned about this and trying to figure out whether or not it affects them,” says Bernstein. “Even if it doesn’t directly apply to them, other regulations are coming down the pike that might apply to them.”

The California privacy law “should be a heads up, an alert, to what’s coming on the horizon,” says Evelyn Zohlen, founder of Inspired Financial in Huntington Beach, California, chair of the Financial Planning Association and its 2019 president. “It’s only a matter of time before such legislation starts drifting downmarket into other states as well.” She added that the law currently affects few RIA firms.

The CCPA uses a very broad definition of personal information beyond the usual names and  passport and license numbers. Its definition includes household information and internet browsing history, for example, and all the data covered would have to be provided to individuals upon request.

The law also differs from other privacy regulations in its broad universe of covered companies. Traditionally U.S. privacy protections have been industry-specific, such as Health Insurance Portability and Accountability Act requirements for health care providers, enforced by individual federal agencies. “CCPA is across the board,” says Bernstein.

The California law is designed primarily to capture the personal information that internet companies like Facebook and Google collect on users — information that is key to their business model — but its coverage goes well beyond that.

Like other privacy legislation, including the EU’s General Data Protection Regulation, which famously allows consumers the “right to be forgotten” via deletion of personal data, the CCPA “codifies the idea that data is owned by the consumer,” who should be asked for permission by companies that want to use that data, says Rob Krugman, chief digital officer at Broadridge Financial Solutions.

Financial firms already ask for client for consent for much of the data they collect in order to serve clients, but the California law “expands the concept of consent in preference management,” says Krugman.

That leaves financial firms under its jurisdiction with the question of whether to institute a subset of its compliance program for clients in California or revise its entire program to conform with the California law, says Dan Bernstein, chief regulatory counsel at MarketCounsel (no relation to Gail Bernstein).

Mark Wernig, a lead advisor and principal at Dowling & Yahnke Wealth Advisors in San Diego, says his firm is nearing the law’s threshold for coverage and preparing to comply. The firm is investing in training curriculum for all client-facing advisors to educate them about the California law, including its definition of personal information, which covers a household, not just individuals, and 12-month lookback for personal data collection, says Wernig.

“We have completely revamped management of data since last summer and are looking to work exclusively with third parties that emphasize data control,” says Wernig, who’s also a CFP Board ambassador. “We want our advisors to have a healthy appreciation for client privacy — what’s appropriate and what’s not.”

IAA’s Bernstein advises the association’s member firms to look at their data mapping policies, all service provider contracts and website notifications.

Zohlen suggests that RIA firms consult with legal counsel to confirm what policies are already covered and addressed by other regulations, what items aren’t covered and what processes need to be put in place to confirm with California privacy law if they fall under its jurisdiction.

Failure to comply could result in fines up to $7,500 per violation and consumer lawsuits, including class action suits.

The Securities Industry and Financial Markets Association, in its comment to California’s attorney general about upcoming regulations stemming from the new privacy law, asked that the law’s enforcement be delayed “until Jan. 1, 2022 to allow businesses to appropriately implement the complex systems of accepting, verifying and responding to consumers’ requirements in accordance with regulations’ requirement.” At present there are no indications that the AG will delay enforcement.

Since the Golden State often leads the country in precedent-setting legislation, its new privacy law is raising concerns that other states will follow suit, passing their own versions that go beyond current national rules. Given that possibility, IAA is advocating for a uniform federal privacy law because “no one benefits from a patchwork of requirements,” Bernstein said.

— Related on ThinkAdvisor: