CCPA Checklist for Investment Advisers

The California Consumer Privacy Act (CCPA) imposes sweeping obligations on a diverse array of businesses, but investment advisers subject to Regulation S-P (adopted pursuant to the federal Gramm-Leach-Bliley Act (GLBA)) are treated somewhat differently. The CCPA does not provide a blanket exemption for investment advisers with retail clients, although the CCPA’s exception for personal information covered by the GLBA takes the edge off the CCPA. In addition, two late amendments to the CCPA also reduce the scope of the CCPA for investment advisers during the year 2020.

The CCPA applies to some personal information that investment advisers routinely handle. Therefore, it’s important that investment advisers examine the compliance burdens they may have under the CCPA. This checklist is intended to help investment advisers track their CCPA compliance obligations for 2020 and 2021.

What is the CCPA?

The CCPA provides California residents with expansive rights with respect to their personal information, such as the right to

• Be informed about the personal information businesses collect, use and share about them (the right to “know”);
• Access the personal information a business has about them (the “access” right);
• Have a business delete their personal information (the “deletion” right)[1]; and
• Require a business not to sell their personal information to third parties (the “do not sell” right).

Also, under the CCPA, a business may not afford an individual less favorable economic or service terms by virtue of the individual having exercised one of these rights (the “non-discrimination” right).

Finally, the CCPA gives individuals the right to sue a business in a private action, with the potential to win statutory damages, if the business has suffered a data breach of personal information in certain circumstances (the “private right of action”).

Many compliance officers are familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective in 2018. While some rights under the CCPA are similar to those granted under the GDPR (such as the access and deletion rights), the CCPA and the GDPR differ in important ways. For example, unlike the CCPA, the GDPR does not include a specific right to opt of the sale of an individual’s personal information. On the other hand, the GDPR includes concepts that are not addressed in the CCPA. Although compliance with the GDPR is not sufficient to comply with the CCPA, investment advisers that have policies and procedures designed for GDPR compliance have a head start for compliance with the CCPA.

Although the CCPA became operative on January 1, 2020, during the year 2020, the CCPA only applies to certain subsets of personal information processed by investment advisers. 2020 is an opportunity for investment advisers to prepare for 2021, when certain exemptions expire and the full breadth of the CCPA’s requirements kick in.

How does the CCPA apply to investment advisers?

Three considerations are key in the analysis of whether and how the CCPA applies to investment advisers:

(1) Does the investment adviser meet the revenue threshold to be considered a “business” covered by the CCPA (annual gross revenue in excess of $25 million)?

If the investment adviser does not meet this threshold, it is not covered by the CCPA.

(2) What is carved out by the CCPA’s exception for personal information “collected, processed, sold, or disclosed” under the GLBA?

The CCPA’s GLBA exception carves out the personal information of individuals who are investing primarily for personal, family or household purposes, which includes family offices and retail investors. However, the CCPA does apply to other personal information that investment advisers routinely handle. For further discussion of personal information that falls outside the CCPA’s GLBA exception, please see our article about people, activities and information that could fall outside of the GLBA.[2]

(3) What types of personal information are carved out by the CCPA’s temporary exemptions for 2020?

During 2020, covered businesses have the benefit of exemptions that take two types of personal information out of the scope of most of the CCPA’s individual rights (such as the access right and the deletion right).

• The first type is personal information connected to certain business-to-business (B2B) communications or transactions.[3] This includes personal information that an investment adviser collects about representatives of institutional or business clients, portfolio companies that the investment adviser is conducting due diligence on, and service providers. This B2B exemption does not apply to the right to opt out of a sale or to the right of non-discrimination.
• The second type is certain human resources related personal information, including personal information about an investment adviser’s employees, independent contractors, job applicants, owners, directors and officers.[4] This HR exemption does not apply to the CCPA’s private right of action. During 2020, the CCPA does require that businesses provide a privacy notice to this group of HR constituents, but this privacy notice is a shorter version of the “full” privacy notice that the CCPA requires businesses to provide to individuals who are not exempted.

These two exemptions expire on January 1, 2021, when businesses may, depending on what the California legislature enacts during 2020, become subject to the CCPA’s full array of obligations for these two types of personal information.

CCPA Checklist for 2020

After considering the GLBA exception and the two temporary exemptions for 2020, investment advisers are left with certain subsets of individuals to address in their CCPA compliance program in 2020. These subsets of individuals whose personal information is processed by investment advisers include:

• Some prospective investors and referrals[5];
• Individuals associated with portfolio companies that the investment adviser is no longer conducting due diligence on; and
• Accountants or trusts and estates lawyers to whom the investment adviser refers clients.[6]

Investment advisers should confirm that they have prepared the following for 2020:

• A privacy notice for prospective investors, referrals and portfolio companies and other individuals who fall outside the CCPA exemptions;
• To the extent an investment adviser has personnel, job applicants or the like, in California, a CCPA privacy notice for such individuals;
• An internal written procedure to handle CCPA individual rights requests during 2020; and
• An addendum to be added to certain service provider agreements.

CCPA Checklist for 2021

Investment advisers should focus on the following compliance action items in time for 2021:

• Prepare a privacy notice for beneficial owners and representatives of entity investors and representatives of vendors and other businesses that the investment adviser interacts with;
• Update the 2020 CCPA personnel and job applicant privacy notice to add the parts of the “full” CCPA privacy notice that did not appear in the 2020 version;
• Update the written procedure for handling CCPA individual rights requests to address individuals covered by the CCPA exemptions that expire in January 2021; and
• Train personnel on the CCPA.

[1] The CCPA includes a number of exceptions to the deletion right; for example, a business is not required to comply with a consumer’s request to delete personal information if it is necessary for the business to maintain such information in order to comply with a legal obligation. Recordkeeping obligations imposed on investment advisers under applicable law fall within this exception to the deletion right.

[2] Kristen Mathews and Adam Fleisher, Bloomberg Law, “Financial Institutions Find Some Relief Under the CCPA”.

[3] Specifically, information that is connected to a written or verbal communication or a transaction between the business and an individual acting as an employee, owner, director, officer, or contractor of another entity, where the communication or transaction occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, the other entity.

[4] Specifically, information about employees, independent contractors, job applicants, owners, directors or officers (or their emergency contacts or recipients of employment benefits), where such information is collected and used solely in the context of such person’s role within the business.

[5] These individuals may not be eligible for the B2B exemption because the investment adviser is not yet providing a product or service to them. Moreover, if they are not covered by GLBA, they would not be eligible for the GLBA exception either.

[6] These individuals are not eligible for the B2B exemption because, although they may provide services to investors, they do not provide services to the investment adviser and the investment adviser does not provide services to them.