On June 1, 2020, Xavier Becerra, the Attorney General for California, submitted the final package of regulations for the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”). For businesses required to comply with the CCPA, the package outlines the requirements for privacy notices, methods for submitting requests to know and delete consumer information, verification of consumers, special rules regarding minors, and non-discrimination.
Background on the CCPA
The CCPA was signed into law in June 2018 to provide additional protections for consumers and their rights to know, delete, and opt-out of storing their data. The law also gives greater legal recourse to consumers if their data is improperly stored by, and/or stolen from, companies subject to the law. Among its many protections, the CCPA affords consumers the right to:
- Request that a business disclose the categories and specific pieces of personal information the business has collected.
- Request that a business delete any personal information which the business has collected.
- Request that a business that collects personal information disclose the following:
- The categories of personal information it has collected.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected.
- Request that a business that sells personal information, or discloses it for a business purpose, disclose:
- The categories of personal information that the business collected.
- The categories of personal information that the business sold and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.
- The categories of personal information that the business disclosed for a business purpose.
- Direct, at any time, a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information also known as the right to opt-out.
A consumer that finds a business to be in violation of the CCPA has recourse to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per incident or actual damage, whichever is greater; injunctive or declaratory relief; and/or any other relief the court deems to be appropriate.
Read the full text of the law here.
The Proposed Final Regulations
Under the proposed final regulations, businesses that must comply with the CCPA must abide by several requirements, including the following:
- Provide a privacy notice and policy in accordance with CCPA requirements at the time of data collection.
- If the business sells personal information, the business must provide a notice of right to opt-out.
- Businesses that offer financial incentives or prices or service differences must provide a notice of financial incentive.
- Other than businesses that operate strictly online and have a direct relationship with a consumer, businesses must provide two or more designated methods for submitting requests to know and requests to delete.
- Establish, document, and comply with a process for verifying that persons making a request to know or a request to delete is the person whom the business has collected data.
- Establish reasonable means of verification that parents of children under 13 are opting in for the sale of personal data in accordance with the CCPA and the Children’s Online Privacy Protection Act (“COPPA”)
- Businesses cannot treat a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations.
- Businesses can offer a financial incentive, price, or service difference if it is reasonably related to the value of the consumer’s data; however, businesses cannot offer financial incentives, price, or service differences if they are unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive, price or service difference is reasonably related to the value of the consumer’s data.
Read the final proposed regulations here.
How Does the CCPA Affect My Investment Advisory Business?
The CCPA exempts certain information that is collected, processed, sold, or disclosed pursuant to the requirements set forth in the Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“CA SB-1”). This would include information such as driver’s license information, social security numbers and other information obtained to provide investment services.
More than likely, what is not exempt is information collected on non-consumers (such as prospects or lead lists and business contacts) and other information not required for the delivery of investment services (such as internet use, CRM/marketing data, “cookies” data, employee data and deal sourcing data).
What Should I Consider When Reviewing My Privacy Policy and the CCPA?
Firms should begin by reviewing and mapping the types of consumer data that are captured. Next, firms should review the text of the final regulations and consider if any of their data collection activities are subject to the CCPA. Firms should then take steps to consider (1) how they handle requests to know and delete data; (2) verifying the identities of individuals requesting to know and delete data; (3) providing training to employees that will handle the requests; (4) performing due diligence on service providers that are required to comply with the CCPA and consider updating service agreements to include additional protections; and, (5) reviewing cybersecurity, privacy, and incident response policies and procedures to ensure that data protection controls are up-to-date.
Jacko Law Group can help your firm with reviewing your firm’s privacy policies and determining if any of your data collection activities may be subject to the CCPA and updating your privacy policies and notice accordingly. Additionally, our attorneys can assist you with reviewing your service agreements to ascertain if additional provisions and protections need to be added for service providers that are subject to the CCPA. Our team of attorneys will use our extensive experience to ask detailed questions designed to assist your firm with determining if it is subject to the CCPA and ensuring that adequate controls are in place to remain compliant.