Managers of private investment funds that collect personal information are required to comply with the landmark California Consumer Privacy Act – with some exemptions. This installment of our Investment Funds Update discusses when private investment funds are subject to the CCPA, when they are exempt, and what they need to do to comply with the new law.
What Is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) was signed into law on January 28, 2018, by then-Governor Jerry Brown, ushering in what appears to be a new era in US privacy regulation. The principal features of the CCPA, which became effective on January 1, 2020, include the creation of the following new consumer privacy rights for residents of California:
- The right to know specific pieces and categories of personal information to be collected about the consumer
- The right to have personal information deleted
- The right to opt out of the sale of personal information to third parties
- The right to equal service and price
Who Enforces the CCPA?
The CCPA can be enforced by the California attorney general. Private plaintiffs may also bring an action under the CCPA with respect to a security breach involving personal information, with statutory damages available. But there is a wrinkle: businessman Alastair Mactaggart, the primary backer of the California ballot initiative that was the impetus for the CCPA, has formally filed the California Privacy Rights and Enforcement Act, a new initiative that will appear on the California ballot in November 2020 if it obtains sufficient signatures. The proposed ballot measure includes provisions that would add significant new privacy obligations to the CCPA, eliminate the California attorney general’s responsibility for enforcing the CCPA, and grant that authority to a new California Privacy Protection Agency.
Are There Any Exemptions from CCPA Obligations Available for Managers of Private Investment Funds?
Yes! The CCPA would not apply to the following information collected by private fund managers:
Personal Information Subject to the GLBA
The consumer privacy rights obligations of the CCPA do not apply to personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), with which many private fund managers are already complying.
Note, however, that the scope of the CCPA is broader than the scope of the GLBA, which is limited to nonpublic personal information of consumers and does not always cover prospective investors. For instance, if a private fund manager were to collect marketing-lead information about high-net-worth individuals that might become potential customers of the manager’s financial services, then that personal information is likely to be subject to the CCPA’s consumer privacy rights because an individual on a list of leads has not yet become a “consumer” or “customer” of the manager, as those terms are defined under the GLBA. Accordingly, the GLBA exemption cannot be relied on as a blanket exemption to the CCPA in all instances.
Employee, Officer, Director, Applicant, and Contractor Information
The CCPA exempts certain personal information collected from job applicants, employees, owners, directors, officers, and contractors of a business from most requirements of the CCPA for one year, until January 1, 2021. The information covered by the exemption includes personal information (1) collected about a person as a job applicant, employee, owner, director, officer, medical staff member, or contractor of that business; (2) collected and used solely for the purpose of maintaining emergency contact information; and (3) collected and used solely to administer benefits to an individual, all of which would typically be categorized as “Human Resources Data.”
Note, however, that fund managers that would otherwise be subject to the CCPA would still be required to provide these individuals with a CCPA-compliant privacy notice.
B2B Transaction Data
When Would a Private Fund Manager Be Subject to the CCPA?
The CCPA will generally apply to private fund managers that collect personal information of California consumers that is not subject to an exemption such as those listed above, do “business” in California, determine the purposes and means of processing that personal information, and (i) have annual gross revenues in excess of $25 million; (ii) buy, receive, sell, or share “personal information” of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenue from selling consumer information. The CCPA defines “consumers” broadly as natural persons who are California residents. This could include, for instance, current fund investors, prospective investors, advisory clients, employees, and applicants who are California residents.
The CCPA does not define what it means to “do business” in California, and, therefore, absent further guidance, this term is likely to be construed broadly. For instance, a private fund manager may be considered to be “doing business” in California just by operating a website in which California residents are permitted to provide their personal information, even if the manager is not organized under California law and has no physical presence in California.
If a Private Fund Manager Cannot Rely on an Exemption and Is Subject to CCPA Obligations, What Can the Manager Do to Prepare for Compliance?
- Review California Ties. Consider whether any current fund investors, prospective advisors, employees, or other business contacts are California residents, and whether websites run by the manager may be collecting personal information from California residents.
- Data Mapping. Develop procedures for identifying the types of personal information that are collected from California consumers and the purposes for which that information is used, in order to implement the measures necessary to comply with the CCPA.
- Update Privacy Policies and Procedures. Update privacy policies and procedures to provide disclosures required under the CCPA regarding a consumer’s rights to opt out, know, and delete.
- Review Service Provider Agreements. Ensure that the applicable agreements limit the service provider’s use of personal information as strictly as the CCPA requires, and revise as necessary.
- Employee Training. Ensure that personnel responsible for handling consumer inquiries regarding the CCPA’s new privacy rights are informed of the applicable requirements and know how to direct consumers to exercise those rights.
- Create Processes to Respond to Consumer Requests. Fund managers subject to the CCPA will generally be required to make available two or more designated methods for submitting requests to exercise the new privacy rights under the CCPA.
- Create a Robust Incident Response Plan. The CCPA’s new private right of action and statutory damages for security breaches further underscore the need for a thoughtful and comprehensive approach to breach response.
What Are We Doing?
Our lawyers continue to closely follow each new development as the CCPA is amended and regulations and guidance documents are issued. Since the start of 2019, at least 10 other state legislatures have introduced privacy bills inspired to varying degrees by the CCPA, and we are also following developments in such other states. Our team assists private fund managers in understanding how these important changes affect their businesses and how to navigate the changing data privacy landscape. Visit our CCPA Resource Center for additional information on our team’s publications, events, and media appearances addressing the CCPA and similar state-sponsored legislation.