From the continuous headlines of high-profile data breaches to the political and corporate misuses of data, data privacy has evolved from a distant thought to a legal right with severe penalties in some jurisdictions. So says my colleague, Trina Glass, in response to my inquiry regarding client concerns pertaining to the applicability of the new California Consumer Privacy Act (CCPA).
Trina advised that the CCPA, effective Jan. 1, 2020, requires certain companies to provide consumers more transparency and control over their personal information. It prevents companies from using personal information in ways that you aren’t aware of, for example, by tracking your geolocation, and from making a profit by selling your data to other companies without your permission. Companies that fail to prioritize data privacy will face severe fines.
In October 2019, California’s Attorney General published its proposed regulations related to the CCPA. The industry is still awaiting action from the AG on those proposed amendments. The AG has stated that he expects to publish the final implementing regulation in the spring and enforcement will begin six months after the final regulations have been published.
Is This Applicable to My Firm?
Based on the threshold criteria stated below, most RIAs will not be subject to the CCPA. However, the CCPA is applicable to any for-profit business that conducts business in California, regardless of where it is registered, and that meets any of these criteria:
• Has annual revenues exceeding $25 million;
• Collects, receives, shares, sells or buys personal information from 50,000 or more California residents, households or devices each year; or
• Derives 50% or more of its annual revenue from selling the personal information of California residents.
Data Privacy Rights
Pursuant to the CCPA, California residents have the following:
• Right to request information regarding:
1. The categories of personal information that the business collected about the consumer and the business purpose.
2. The sources from which that personal information was collected.
3. The categories of personal information sold to third parties.
4. The categories of third parties to whom personal information was sold or shared.
5. The business or commercial purposes for which personal information was collected, shared or sold.
6. The specific pieces of personal information collected.
• Right to request that a business and its service providers delete or refrain from sharing or selling any personal information which the business has collected, with some exceptions.
• Right to “opt out,” at any time, of the sale of their personal information to third parties through a “Do Not Sell My Personal Information” link on the company’s web page.
This list is not exhaustive. Also, Trina said that under the CCPA, when a consumer requests access to their personal information, it must be provided “in a readily usable format that allows the consumer to transmit that information from one entity to another without hindrance.”
Privacy should be a priority for your company as it presents one of the highest risks to your business. Privacy impacts every business function in an organization, including IT, business development, marketing, compliance and HR, and is the responsibility of everyone within the company and everyone who does business on behalf of the company.
Firms should conduct a data inventory and mapping exercise to understand how data flows within their organization. Finally, companies must consider whether certain service level agreements with third-party processors of personal information must be updated or amended.
Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark. He can be reached at firstname.lastname@example.org.