On June 1, 2020, Xavier Becerra, the Attorney General for California, submitted the final package of regulations for the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”). For businesses required to comply with the CCPA, the package outlines the requirements for privacy notices, methods for submitting requests to know and delete consumer information, verification of consumers, special rules regarding minors, and non-discrimination.
Background on the CCPA
The CCPA was signed into law in June 2018 to provide additional protections for consumers and their rights to know, delete, and opt-out of storing their data. The law also gives greater legal recourse to consumers if their data is improperly stored by, and/or stolen from, companies subject to the law. Among its many protections, the CCPA affords consumers the right to:
- Request that a business disclose the categories and specific pieces of personal information the business has collected.
- Request that a business delete any personal information which the business has collected.
- Request that a business that collects personal information disclose the following:
- The categories of personal information it has collected.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected.
- Request that a business that sells personal information, or discloses it for a business purpose, disclose:
- The categories of personal information that the business collected.
- The categories of personal information that the business sold and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.
- The categories of personal information that the business disclosed for a business purpose.
- Direct, at any time, a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information also known as the right to opt-out.
A consumer that finds a business to be in violation of the CCPA has recourse to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per incident or actual damage, whichever is greater; injunctive or declaratory relief; and/or any other relief the court deems to be appropriate.
The Proposed Final Regulations
Under the proposed final regulations, businesses that must comply with the CCPA must abide by several requirements, including the following:
- Provide a privacy notice and policy in accordance with CCPA requirements at the time of data collection.
- If the business sells personal information, the business must provide a notice of right to opt-out.
- Businesses that offer financial incentives or prices or service differences must provide a notice of financial incentive.
- Other than businesses that operate strictly online and have a direct relationship with a consumer, businesses must provide two or more designated methods for submitting requests to know and requests to delete.
- Establish, document, and comply with a process for verifying that persons making a request to know or a request to delete is the person whom the business has collected data.
- Establish reasonable means of verification that parents of children under 13 are opting in for the sale of personal data in accordance with the CCPA and the Children’s Online Privacy Protection Act (“COPPA”)
- Businesses cannot treat a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations.
- Businesses can offer a financial incentive, price, or service difference if it is reasonably related to the value of the consumer’s data; however, businesses cannot offer financial incentives, price, or service differences if they are unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive, price or service difference is reasonably related to the value of the consumer’s data.
How Does the CCPA Affect My Investment Advisory Business?
The CCPA exempts certain information that is collected, processed, sold, or disclosed pursuant to the requirements set forth in the Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“CA SB-1”). This would include information such as driver’s license information, social security numbers and other information obtained to provide investment services.
More than likely, what is not exempt is information collected on non-consumers (such as prospects or lead lists and business contacts) and other information not required for the delivery of investment services (such as internet use, CRM/marketing data, "cookies" data, employee data and deal sourcing data).
Firms should begin by reviewing and mapping the types of consumer data that are captured. Next, firms should review the text of the final regulations and consider if any of their data collection activities are subject to the CCPA. Firms should then take steps to consider (1) how they handle requests to know and delete data; (2) verifying the identities of individuals requesting to know and delete data; (3) providing training to employees that will handle the requests; (4) performing due diligence on service providers that are required to comply with the CCPA and consider updating service agreements to include additional protections; and, (5) reviewing cybersecurity, privacy, and incident response policies and procedures to ensure that data protection controls are up-to-date.
Jacko Law Group can help your firm with reviewing your firm’s privacy policies and determining if any of your data collection activities may be subject to the CCPA and updating your privacy policies and notice accordingly. Additionally, our attorneys can assist you with reviewing your service agreements to ascertain if additional provisions and protections need to be added for service providers that are subject to the CCPA. Our team of attorneys will use our extensive experience to ask detailed questions designed to assist your firm with determining if it is subject to the CCPA and ensuring that adequate controls are in place to remain compliant.
Add a comment
- Starting Out: Mergers & Acquisitions – Term Sheets and Due Diligence
- Four P Words to Remember During the Breakaway and Transition Process
- Proactive Risk Mitigation
- How a Popular Index’s Lack of Risk Disclosures Resulted in a Recent $9 Million SEC Fine: Lessons Learned
- The Importance of Having a Successful Succession Plan
- Why Advisors Should Seek Specialized Counsel When Making a Business Transition
- Protecting Your Firm Through Risk Management
- A Financial Advisory Firm’s Simple, but Costly Lesson in the Need for Adequate Fee Disclosure
- Five Investor Protections to Remember When Finalizing FINRA Pre-dispute Arbitration Agreements
- Compliance Steps Fiduciaries Should Take Now to Help Ensure Continued Adherence with the DOL’s New ERISA Exemption
- Transition Services
- Securities and Exchange Commission (SEC)
- Investment Advisers
- Policies and Procedures
- Due Diligence
- Regulatory Examinations
- Social Media Marketing
- California Consumer Privacy Act (CCPA)
- Aging Clients
- Advisers Act
- Virtual Currency
- Dodd-Frank Act
- Ponzi Scheme
- Office of Compliance Inspections and Examinations (OCIE)
- Securities Law
- Broker Protocol
- Form U5
- Private Equity
- Private Funds
- Hedge Funds
- Regulation Best Interest
- Personally Identifiable Information (PII)
- Government Shutdown
- Risk Alert
- Exchange-Traded Funds (ETFs)
- Investment Company Act
- Rule 6c
- Wells Fargo