How California's Privacy Act Impacts Advisors

The California Consumer Privacy Act (CCPA) imposes sweeping obligations on a diverse array of businesses, but investment advisors subject to Regulation S-P (adopted pursuant to the federal Gramm-Leach-Bliley Act (GLBA)) are treated somewhat differently.

The CCPA applies to some personal information that advisors routinely handle. This checklist is intended to help IAs examine their compliance burden under the CCPA and track their compliance obligations for 2020 and 2021.

2020 is an opportunity for advisors to prepare for 2021, when certain exemptions are slated to expire and the full breadth of the CCPA’s requirements may kick in.

What does the CCPA mean for advisers/?

Three considerations are key in the analysis of whether and how the CCPA applies to IAs:

• Does the investment advisor meet the revenue threshold to be considered a “business” covered by the CCPA (annual gross revenue in excess of $25 million)?

If the IA does not meet this threshold, it is not covered by the CCPA.

• What is carved out by the CCPA’s exception for personal information “collected, processed, sold, or disclosed” under the GLBA?

The CCPA’s GLBA exception carves out personal information includes family offices and retail investors. However, the CCPA does apply to other personal information that IAs routinely handle. (For further discussion, please see our article about people, activities, and information that could fall outside of the GLBA.)

• What types of personal information are carved out by the CCPA’s temporary exemptions for 2020?

During 2020, covered businesses have the benefit of exemptions that take two types of PI out of the scope of most of the CCPA’s individual rights.

The first type is PI connected to certain business-to-business communications or transactions, specifically those that occur within the context of the IA conducting due diligence regarding, or providing or receiving a product or service to or from, the other entity.

This includes personal information, or PI, that an IA collects about representatives of institutional or business clients, portfolio companies that the IA is conducting due diligence on, and service providers. This B2B exemption does not apply to the right to opt out of a sale or to the right of non-discrimination.

The second type is certain human resources-related PI, including PI about an IA’s personnel and job applicants, where the information is collected and used solely for the person’s role within the business.

This HR exemption does not apply to the CCPA’s private right of action. During 2020, the CCPA does require that businesses provide a privacy notice to this group of HR constituents, but this privacy notice is a shorter version of the “full” privacy notice that the CCPA requires businesses to provide to individuals who are not exempted.

These two exemptions expire on Jan. 1, 2021, when businesses may, depending on what the California legislature enacts during 2020, become subject to the CCPA’s full array of obligations for these two types of personal information.

CCPA Checklist for 2020

After considering the GLBA exception and the two temporary exemptions for 2020, IAs are left with certain subsets of individuals to address in their CCPA compliance program in 2020. These subsets of individuals include:

• Some prospective investors and referrals;
• Individuals associated with portfolio companies that the IA is no longer conducting due diligence on; and
• Accountants or lawyers to whom the IA refers clients.

Advisors should confirm that they have prepared the following for 2020:

• A privacy notice for prospective investors, referrals, and portfolio company and other individuals who fall outside the CCPA exemptions;
• To the extent an IA has personnel or job applicants in California, a CCPA privacy notice for such individuals;
• An internal written procedure to handle CCPA individual rights requests during 2020;
• An addendum to be added to certain service provider agreements; and
• Train personnel on the CCPA.

CCPA Checklist for 2021

Advisors should focus on the following compliance action items in time for 2021:

• Prepare a privacy notice for beneficial owners, representatives of entity investors and representatives of businesses that the IA interacts with;
• Update the 2020 CCPA personnel and job applicant privacy notice to add the parts of the “full” CCPA privacy notice that did not appear in the 2020 version;
• Update the written procedure for handling CCPA individual rights requests to address individuals covered by the CCPA exemptions that expire in January 2021; and
• Train personnel on the CCPA.

We recommend that IAs adopt an internal written procedure for handling CCPA individual rights requests to fulfill with the strict requirements for responding to and complying with them.

The modified set of draft CCPA regulations published by the California Attorney General’s office on February 7, 2020 specifies, among other things, timeframes and other requirements for confirming, responding to, and complying with access, deletion, and do-not-sell requests.

Below, we provide some examples of the level of specificity provided in the modified draft regulations

Timing

Businesses must:

• Confirm receipt of access requests and deletion requests within 10 business days and provide information about how the business will process the request;
• Comply with do-not-sell requests within 15 business days from the date of receipt; and
• Respond to access requests and deletion requests within 45 calendar days.

More PI Details

Personal Information that generally cannot be disclosed in response to an access request:

• Social Security number
• Driver’s license number or other government-issued identification number
• Financial account number
• Any health insurance or medical identification number
• An account password or security questions and answers
• Unique biometric data

For additional information, please see our article about the Attorney General’s modified draft regulations.

Related on ThinkAdvisor:

• What California’s Data Privacy Act Means for RIAs
• 6 Steps to Calm Clients Who Want to Sell

***

Kristen Mathews is a partner in Morrison & Foerster’s Global Privacy +Data Security Group; for more than 20 years Kristen’s practice has focused on advising clients on the full spectrum of the most complex privacy and cybersecurity issues, including regulatory and compliance matters.

Tiffany Quach is an associate in the Global Privacy + Data Security and Technology Transactions Groups.