The California Consumer Privacy Act (CCPA): What You Should Do Now to Prepare
Privacy safeguards - and how financial institutions are implementing consumer protections - are at the forefront of regulatory focus. For SEC registrants, on April 16, 2019, the Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert, "Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P - Privacy Notices and Safeguard Policies" (the "Risk Alert"). This Risk Alert highlighted a number of compliance issues involving Regulation S-P and emphasized the importance of providing compliant privacy and opt-out notices, adopting and implementing effective policies and procedures for safeguarding customer records and information, and training on and monitoring of privacy safeguards.[1]
On June 28, 2018, California Governor Jerry Brown approved AB-375,[2] which previously had been passed by the California State Legislature. Referred to as the California Consumer Privacy Act ("CCPA"), its intent is to provide greater privacy protections to California residents. Specifically, the CCPA is designed to notify consumers that they can learn about what personal data is collected about them and whether such personal data is sold or disclosed to others (and to whom). The consumer also has the ability to "opt-out" of the sale of his or her personal data, gain access to the consumer's personal data and receive the same services for the same price regardless of whether the resident exercises such privacy rights. The effective date for the CCPA is January 1, 2020 and enforcement shall commence on July 1, 2020.
This month's Legal Risk Management Tip will walk you through highlights of the CCPA and who is impacted and what is exempted. We will then provide you with guidance on what you must do to comply with the CCPA and tips on what you should do right now to prepare and mitigate risks.
Highlights of the CCPA
The primary purpose of the CCPA is to protect consumer rights of those "natural persons" who are residents of California. The CCPA applies to any legal, for-profit business entity (regardless of whether it is based in California) that does business in California, collects consumers' personal data and meets one of the following thresholds:
- Possesses the personal information of 50,000 or more consumers, households, or devices;
- Has annual gross revenues in excess of $25 million; or
- Earns more than half of its annual revenue from selling a consumer's personal information.
A consumer’s "personal information" is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."[3] This would include such things as name, address, email address, employer, investment preferences and internet activities.
A. What is Not Subject to the CCPA?
There are several areas not subject to the CCPA. These include consumers who are not residents of California, information and data that is publicly available, aggregated data that is not considered personal information, information that is used to comply with law enforcement and/or federal, state or local laws (such as the Gramm-Leach-Bliley Act as further described below) and information obtained through a mergers and acquisitions transaction (as the data is not being sold).
B. What is the Impact of the CCPA?
For financial institutions already subject to California’s Financial Information Privacy Act, known as SB-1, the CCPA differs in several respects. While it is anticipated that the CCPA will likely be amended prior to enactment, under the current version of the CCPA, firms will be required to:
- Provide consumers with additional notice requirements (including consumer rights);
- Obtain opt-in consent before selling personal information of those under age 16;
- Upon request, provide consumers information on what the firm has collected about them, how and why it was collected and whether it has been sold or shared - and to whom; and
- Provide for deletion measures and allow consumers the ability to "opt-out" of the sale of personal information to third-parties.
Moreover, firms can be held liable for data breaches, including the loss of electronic and hard copy information. Consumers will have the right to a private cause of action and firms can be fined $100 to $750 (statutory damages) for each consumer data breach. Consequently, the scope of due diligence performed on third-party vendors providing services to or on behalf of financial institutions must increase to ensure that the vendors have privacy safeguards in place to prevent such data breaches.
C. What is Exempted from the CCPA?
The CCPA exempts information that is collected, processed, sold, or disclosed pursuant to the requirements set forth in the Gramm-Leach-Bliley Act and the California Financial Information Privacy Act.[4] This would include information such as driver’s license information, social security numbers and other information obtained to provide investment services. What might not be exempt is information collected on non-consumers[5] (such as prospects or lead lists and business contacts) and other information not required for the delivery of investment services (such as internet use, CRM/marketing data, "cookies" data, employee data and deal sourcing data). Based on this, financial firms will need to review the types of data collected to determine whether they meet the specific criteria of the CCPA exemption as it is written today.
Tips on How to Prepare and Mitigate Risks
With the effective date now just six (6) months away, there are several things that financial firms should do to prepare for the compliance date:
- Map the data currently collected to analyze what personal information is in the firm's possession;
- Review the firm activities (such as obtaining marketing data) to see how these activities could be subject to the CCPA;
- Determine how the firm will respond to consumer requests for personal information and deletion requests;
- Establish a firm procedure to authenticate verifiable consumer requests;
- Provide training to those persons who will be handling consumer requests and establish policies and procedures accordingly;
- Conduct due diligence on vendors to see how they will be complying with the CCPA and consider adding contractual provisions regarding privacy safeguard protections as needed; and
- Review the firm's data security protections and incident response plans.
Be proactive. Consider these tips and considerations to help strengthen your internal controls now so that you are ready for the CCPA when it does go into effect.
JLG can assist you in assessing your privacy safeguards. For more information on these and other considerations relating to preparing for the CCPA, please contact us at firstname.lastname@example.org, or (619) 298-2880.
Author: Michelle L. Jacko, Esq., Managing Partner, Jacko Law Group, PC. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.
This communication is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended. The Risk Management Tip is published solely based on the interests and relationship between the clients and friends of the Jacko Law Group P.C. ("JLG") and should in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information or recent industry developments or particular situations, you should seek legal opinion or counsel.
You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.
1 For more information, see https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.
3 Id. at Sec. 1798.140(o)(1).
4 Note that through the passage of SB 1121 on September 23, 2018, the California State Legislature added the California Financial Information Privacy Act to the exemption.
5 Under the Gramm-Leach-Bliley Act, a consumer is defined as an individual who obtains or has obtained a financial product or service from a financial institution.