The California Consumer Privacy Act Exemption Important to Investment Advisers
The California Consumer Privacy Act (“CCPA”) is a broad consumer privacy law that takes effect on January 1, 2020, and will apply to most large investment advisers (those with annual gross revenue in excess of $25 million). The CCPA is the most sweeping and comprehensive privacy and data protection law in the US and has been compared to the European Union’s GDPR, although in some respects, including the scope of information it covers, the CCPA reaches even further. Among other things, the CCPA requires that consumers be informed of the categories of information that are collected about them, allows consumers to obtain copies of their information, allows consumers to request that their information be deleted, and allows consumers to opt out of having their personal information sold. The law is enforced by the California Attorney General and, for certain data breaches, through a private right of action. For businesses subject to the CCPA, implementing the mechanisms necessary to comply with the law is a significant undertaking.
The challenge of complying with the CCPA is compounded by the fact that the CCPA remains a work in progress. The initial bill was rushed through the legislature and was almost immediately amended to correct obvious errors and internal inconsistencies. However, the amendment process is far from over and there have been approximately ten bills introduced in the California legislature that, if passed, would make further meaningful revisions to the law (including expanding the private right of action). In addition, the California Attorney General is required to promulgate regulations implementing the CCPA, and at present that process is not required to be completed until July 1, 2020.
The good news for investment advisers is that there is an exemption from most of the CCPA’s requirements for personal information that is collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLB”) and its implementing regulations. For SEC-registered investment advisers, the implementing regulations are those of the Securities and Exchange Commission’s Regulation S-P. For exempt reporting advisers and state-registered advisers, the implementing regulations are now those of the CFPB’s Regulation P (which defines nonpublic personal information in the same way as SEC Regulation S-P). Thus, if the personal information collected by an adviser is subject to GLB, the CCPA’s notice, access, deletion and opt-out requirements do not apply to that information (the data breach private right of action discussed below is carved out of the exemption). The critical analysis for an adviser, therefore, is whether it obtains any personal information as defined by the CCPA that is not already covered by Regulation S-P and GLB. A common source of such information is data about individuals who are not customers or consumers under GLB, such as employees, job applicants, website visitors or business contacts. For many investment advisers, and especially for hedge and other private fund advisers, it is likely that most, if not all, of the personal information collected is already subject to GLB and therefore, at least as the CCPA is presently worded, they will be exempt from the bulk of the CCPA’s requirements.
However, the CCPA’s private right of action for damages from a data breach will remain applicable to an adviser even if it is otherwise exempt from the CCPA under the GLB exemption. That right of action is limited to breaches involving nonencrypted or nonredacted personal information of the kind covered by California’s existing data breach statute (for example, a name combined with a Social Security number, account number or login credentials), which makes encryption of that data at rest and in transit a practical way to narrow exposure. A further requirement for such a private lawsuit is that the breach result from a “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . .” Thus, an adviser that fully complies with SEC Regulation S-P (which requires written policies and procedures to safeguard customer records and information) and Regulation S-ID (which requires an identity theft red flags program) should have a strong, built-in defense to private lawsuits under the CCPA, provided it can document that those policies were actually implemented and maintained, not merely adopted.
Stepping back, California is likely the first of what will turn out to be many states adopting consumer privacy legislation. Currently there are at least ten other states considering some form of such legislation, and some of those bills have no exemption for information subject to GLB. There has also been movement at the federal level toward adoption of a national privacy law which, if passed, may or may not preempt some or all of the various state laws. Advisers need to keep tabs on this dynamic and changing area of law to determine whether they are subject to any requirements beyond those of GLB and the SEC’s regulations. With the effective date of the CCPA only six months away, now is a good time to determine whether the information an adviser collects is exempt from the requirements of the CCPA. That assessment begins with an inventory of the types of personal information the adviser collects, the sources it comes from, the systems in which it is stored and the third parties with whom it is shared. A determination can then be made, category by category, as to whether the information is covered by GLB and therefore exempt from the CCPA’s requirements, and which categories, if any, are not.
The CCPA inventory process should also be used as an opportunity to conduct a comprehensive assessment of the adequacy and strength of the adviser’s policies and procedures under Regulations S-P and S-ID. The SEC has recently made clear that cybersecurity and privacy are priorities for both its examination and enforcement staff. Highlighting this focus, in mid-April the SEC’s examination group released a Risk Alert describing the most common Regulation S-P compliance deficiencies identified during examinations of investment advisers and broker-dealers. Likewise, the Enforcement Division brought the first case under Regulation S-ID last September, in an action that also found fault with the adequacy of a firm’s data protection policies and its response to a cyber intrusion. With both the CCPA and the SEC putting privacy and data protection in the spotlight, advisers should make an extra effort to update and strengthen their privacy and data protection policies and procedures this year.