The California Consumer Privacy Act (CCPA) imposes sweeping obligations on a diverse array of businesses, but investment advisors subject to Regulation S-P (adopted pursuant to the federal Gramm-Leach-Bliley Act (GLBA)) are treated somewhat differently.
The CCPA applies to some personal information that advisors routinely handle. This checklist is intended to help IAs examine their compliance burden under the CCPA and track their compliance obligations for 2020 and 2021.
2020 is an opportunity for advisors to prepare for 2021, when certain exemptions are slated to expire and the full breadth of the CCPA’s requirements may kick in.
What does the CCPA mean for advisers?
Three considerations are key in the analysis of whether and how the CCPA applies to IAs:
- Does the investment advisor meet the revenue threshold to be considered a “business” covered by the CCPA (annual gross revenue in excess of $25 million)?
If the IA does not meet this threshold, it is not covered by the CCPA.
- What is carved out by the CCPA’s exception for personal information “collected, processed, sold, or disclosed” under the GLBA?
The CCPA’s GLBA exception carves out personal information includes family offices and retail investors. However, the CCPA does apply to other personal information that IAs routinely handle. (For further discussion, please see our article about people, activities, and information that could fall outside of the GLBA.)
- What types of personal information are carved out by the CCPA’s temporary exemptions for 2020?
During 2020, covered businesses have the benefit of exemptions that take two types of PI out of the scope of most of the CCPA’s individual rights.
The first type is PI connected to certain business-to-business communications or transactions, specifically those that occur within the context of the IA conducting due diligence regarding, or providing or receiving a product or service to or from, the other entity.
This includes personal information, or PI, that an IA collects about representatives of institutional or business clients, portfolio companies that the IA is conducting due diligence on, and service providers. This B2B exemption does not apply to the right to opt out of a sale or to the right of non-discrimination.
The second type is certain human resources-related PI, including PI about an IA’s personnel and job applicants, where the information is collected and used solely for the person’s role within the business.