Upcoming July 1, 2023, Compliance Deadline under the California Consumer Privacy Act
Generally, an adviser that does business in California and has a gross annual revenue of over $25 million in the prior calendar year is subject to California privacy rules in the current calendar year. The California Consumer Privacy Act of 2018, as amended (the “CCPA”) requires any adviser subject to its requirements to notify California residents when their personal information is collected and what statutory privacy rights are granted to California residents (among other requirements). As noted in our Annual Letter, although most advisers are familiar with the privacy notification requirements under the Gramm-Leach-Bliley Act (the “GLBA”), the CCPA requirements are broader and may require an adviser to update its website, develop an additional CCPA specific privacy policy, provide notifications whenever personal information is collected from California residents and update its contracts with service providers, among other tasks.
The California Privacy Protection Agency (the “Agency”) recently enacted privacy regulations that are enforceable as of July 1, 2023. CCPA-subject advisers who have not yet updated their policies should not delay. After July 1, 2023, penalties for noncompliance could be up to $2,500 per violation (or, up to $7,500 for violations that are intentional), with each impacted California consumer potentially giving rise to a separate “violation.”
The CCPA regulations and requirements are complex. See Cal. Civ. Code §§ 1798.100 to 1798.199.100, Cal. Code Regs. tit. 11, §§ 7000 to 7304 and the California Privacy Protection Agency website for more information. Below are a few FAQs to assist advisers who may be unfamiliar with the CCPA.
- Q: Does my investment adviser firm need to comply with the CCPA?
A: Not unless the adviser meets specific criteria (most small to mid-size advisers will not be subject to the CCPA).
An adviser will be subject to the CCPA only if it collects personal information from California residents, does business in California and has over $25 million in gross annual revenue. If a business crosses the $25 million gross annual revenue threshold during a calendar year, it does not need to comply with the CCPA until the beginning of the following calendar year. The CCPA also applies to entities that are controlled by another CCPA-subject business, if both entities share common branding. The CCPA may apply to businesses located outside of California.
- Q: I already provide a privacy notice to investors when they engage my firm for advisory services; is that sufficient?
A: No, a privacy notice that complies with only the GLBA is not sufficient under the CCPA.
Advisers are generally required to provide GLBA-compliant privacy notices to individual investors at the time those investors engage an adviser for advisory services. By contrast, the CCPA requires specific privacy notifications at the time any personal information is collected from a California resident, regardless of whether that person is seeking investment services. Consequently, a CCPA-compliant privacy notification will need to be distributed more widely than an adviser’s standard GLBA privacy notification. A privacy notification that does not inform California consumers of their specific CCPA statutory privacy rights is also not CCPA compliant.
- Q: I already have a CCPA-specific privacy approach that was developed a couple of years ago; does it have to be updated?
A: Yes, if the adviser is still subject to the CCPA.
The CCPA was amended in 2020 by the California Privacy Rights Act (the “CPRA”), which added requirements to the CCPA and created the Agency. The statutory CPRA amendments went into effect on January 1, 2023; notably, exceptions from certain requirements that applied to employment-related personal information and business-to-business communications also expired at that time. The Agency has also recently promulgated new regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7304, the “Regulations”) that became effective March 29, 2023.
Enforcement of both the new Regulations and the CPRA amendments, including the requirements applicable to employment-related personal information and business-to-business communications, was delayed until July 1, 2023. Thus, any CCPA-subject adviser’s privacy compliance regime that has not been updated for the latest Regulations or that was originally drafted in reliance on the temporary exceptions for employment-related personal information and business-to-business communications should be revised.
One approach to comply with these new requirements is for CCPA-subject advisers to create an updated CCPA compliant privacy policy and collection notice to be posted on the firm’s website and circulated widely when contact information is collected from prospects and other parties, in addition to developing a separate CCPA compliant collection notice that can be provided to employees, job applicants and vendors.
- Q: Do I have to have a website privacy policy if I do not collect any personal information through my website?
A: Yes, if the adviser is subject to the CCPA.
A CCPA-subject adviser with a website is required to post a CCPA-compliant privacy policy on its website, even if the adviser does not collect any personal information from consumers through its website. Further, CCPA-subject advisers that are required to post CCPA-compliant collection-of-information notices or privacy policies in their offices, or that otherwise need to distribute such notifications by email, may consider providing links to the content already posted on the firm’s website for ease of distribution under a variety of circumstances.
Any CCPA-subject adviser who tracks activity on its website (such as through the use of Google Analytics) should revisit existing CCPA opt-out requirements with respect to collecting consumer information that is shared with data collectors for cross-contextual behavioral advertising. A CCPA-subject adviser wanting to avoid triggering the requirement to have an opt-out banner on its website may prefer to restrict what personal information they share (by cookies and similar means) with data analytics collectors. Advisers who do share information for cross-contextual behavioral advertising through cookies and similar automated means should confirm their existing opt-out banners are compliant with updated CCPA regulations.
- Q: Do I need to update my service provider contracts for the CCPA?
A: Yes, if the adviser is subject to the CCPA and has contracts with respect to CCPA-regulated information that have not been updated for the latest CCPA Regulations.
Most advisers enter into service provider arrangements, such as administration agreements, for the processing of investor personal information that is related to investment advisory activity. Such personal information would be subject to the protections of the GLBA for those natural persons who provide such information in connection with seeking a financial service for primarily personal, family or household purposes. Generally, the CCPA does not apply to personal information collected, processed or disclosed under the GLBA. Frequently, however, advisers control the collection of personal information from California residents that relate to investment services that are sought by businesses (such as KYC or AML required information to verify a business officer’s identity for that business entity’s subscription into a fund), which would be personal information that is not covered by the GLBA. For information that is not covered by the GLBA, the adviser is required to ensure that those service provider agreements meet CCPA requirements.
For example, such agreements must prohibit the service provider from using personal information for any reason other than the business purposes set forth in the agreement (or as otherwise permitted by the CCPA) and must require the service provider to notify the adviser if it determines it cannot meet CCPA obligations. The Regulations added new, specific requirements for contracts with service providers and contractors. See Cal. Code Regs. tit. 11, § 7051.
- Q: Do I need to update any of my firm’s internal procedures for the CCPA?
A: It is recommended to alert employees of time sensitive CCPA consumer request response requirements and review retention policies for CCPA compliance.
CCPA-subject advisers are required to respond to California consumer requests exercising their statutory privacy rights within specified time periods and may want to consider updating their policies and procedures to require employees to escalate any such requests to the adviser’s chief compliance officer for appropriate timely response.
The CCPA requires businesses to not retain personal information longer than is reasonably necessary for the disclosed purpose. CCPA-subject advisers may want to revisit their data retention policies and determine what processes the adviser should pursue to ensure they regularly identify and dispose of personal information of California consumers that is not required to be retained for any legitimate business purposes or to comply with applicable law.
Please contact one of the Shartsis Friese attorneys in the Investment Funds & Advisers Group if you believe you are subject to the CCPA and need assistance in complying with any of the requirements under the CCPA.