Is it Time to Overhaul Your Privacy Policy and Notice?

Is it Time to Overhaul Your Privacy Policy and Notice?

California recently passed amendments to the California Consumer Protection Act (“CCPA”), which took effect on January 1, 2020. Under the CCPA, investment advisers that are located in or have clients in California may need to update their privacy policy and notices to comply with the new law.

For a deeper discussion of the new law, I recommend Morgan Lewis’ LawFlash updates from July and September. Many commentators are comparing the law to the European Union’s General Data Protection Regulation or GDPR.

To determine if you are subject to the CCPA, follow the analysis below.

  1. Are you a for-profit organization or legal entity?
  2. Do you collect personal information, either directly or indirectly, on California residents?
  3. Are you a covered business?
  • Do you have annual gross revenue in excess of $25 million (including revenue from non-California clients)?
  • Do you handle personal information of 50,000 or more consumers (including employees), households, or devices, or some combination of the three?
  • Do you derive more than 50% of your annual revenue from selling consumers’ personal information?

The definition of “personal information” in the law is broad and extends beyond the typical personal identifiable information used in most SEC regulations; it also covers employees, owners, and contractors. If you answer yes to parts 1 and 2 and any of the thresholds in part 3, then you are a covered business.

Note. The definition of consumer is broad enough to cover job applicants and employees, which means the CCPA will apply to any California resident that is in either category. While there is a one-year temporary reprieve for these categories of consumers, you must still provide them with notice of your privacy policy and protect their information or risk being subject to litigation for a breach of security. For more information on how you should handle information obtained from applicants and employees, read this legal Insight from Morgan Lewis.

Exceptions for Financial Services Firms

Even if an investment adviser is a covered business, it may be exempt from complying with the CCPA if it is meeting privacy standards under the Gramm-Leach-Bliley Act (GLBA). But as noted in the July LawFlash, it’s not clear whether the exemption is only for parts of the CCPA that conflict with the GLBA. Investment advisers that are covered businesses should consult with legal counsel to determine the best course of action.

New Consumer Protection Rights

Even if investment advisers are excluded from the CCPA, there’s a good chance that some of your system providers may not be excluded (e.g., your CRM provider). If you or a vendor are a covered business, then the new Consumer Privacy Rights impact compliance policies and procedures. Here is a summary of the rights.

California residents have

  • The right to know the categories of information that a business collects, sells, or discloses about the consumer, and to whom information was sold or disclosed, as well as the right to prevent the business from selling or disclosing the consumer’s personal information
  • The right to access a copy of the “specific pieces of personal information that the business has collected about that consumer,” to be delivered free of charge within 45 days in a portable manner by mail or electronically
  • The right to be forgotten by requesting that a business delete, and direct any third-party service providers to delete, any personal information collected about the consumer
  • The right to opt out of the sale of personal information to third parties by requiring a business to post a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on its website’s home page
  • The right to equal service and price, which prohibits a business from discriminating against consumers who exercise their rights under the CCPA

Other Important elements of the CCPA

  • In addition to the Consumer bill of rights listed above, investment advisers are prohibited from sharing personal information with a third party unless the third party contractually agrees not to sell the information or use it for any purpose outside of the contractual arrangement with the investment adviser (e.g., CRMs).
  • Additionally, investment advisers cannot ask clients to contractually waive their rights under the CCPA, including any right to a remedy or means of enforcement (e.g., arbitration provisions).
  • California residents now have a private right of action and access to statutory damages if there is a security breach related to their personal information.

Next Steps

  1. Work with legal counsel to determine if you are a covered business.
  2. Identify which of your system providers are covered businesses.
  3. Your covered vendors should ensure that your contractual agreements are CCPA compliant.
  4. For any covered business, review privacy notices and opt-out or -in rights to ensure they are compliant with the law.
  5. If needed, prepare to delete personal information data to comply with any requests-to-be-forgotten. Recent amendments to the law require that each covered business have at least two ways that consumers can request to have their information deleted.
  6. If needed, train personnel on the new regulations.