The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA), a broad statute which imposes new data privacy obligations on certain companies that do business in California, will become effective on January 1, 2020. Fund managers and other investment advisers (“Advisers”) and certain of their affiliates that are currently subject to data privacy laws pursuant to the Gramm-Leach-Bliley Act (GLBA) or the UK General Data Protection Regulation (GDPR) may have additional obligations to consider and prepare for as the CCPA compliance deadline approaches.
Which Advisers are Subject to the CCPA
Generally, the CCPA will apply to Advisers that:
- do business in California (even if they have no place of business in California);
- have annual gross revenue in excess of $25 million; and
- collect, process, use, or share personal information regarding natural persons who are resident in California.
What is Required by the CCPA
Advisers that are covered by the CCPA are required to:
- Disclose information regarding their collection, use, disclosure and sale of personal information pertaining to clients, investors and prospective clients and investors who are natural persons (“Consumers”);
- Permit Consumers to opt-out of the “sale” of their personal information and, where applicable, delete personal information upon Consumers’ verified demand;
- Develop and implement policies and procedures to receive and respond to verified Consumer requests to exercise their rights under the CCPA, including establishing a toll-free telephone number and, if the Adviser has a website, a website address;
- Train employees and contractors who will be responsible for responding to Consumer requests; and
- Secure against data breaches.
Steps Advisers Should Take
Map Data. Advisers should identify the specific types of personal information they collect about Consumers and the sources and uses of Consumer information; determine how such information is processed; and ascertain whether it is sold or otherwise shared with others and, if so, to whom (by category).
Develop and Adopt Policies and Procedures. Advisers should develop and adopt policies and procedures to authenticate and respond to inquiries and requests from Consumers regarding their personal information. Such Consumer inquiries and requests may include, among others, what personal information is collected, whether their personal information is sold or disclosed (and the categories of persons to whom it was sold or disclosed) and the exercise of their rights to access their personal information and prohibit the sale of that information. Consumers who exercise any rights under the CCPA may not be discriminated against, including with respect to services or prices. Compliance policy manuals should be revised to synthesize existing and new policies.
Update Disclosures in Offering Memoranda and Other Fund Documents. Revise offering memoranda, subscription materials and other fund documents, as necessary, to include disclosures to address CCPA requirements.
Train Employees and Consultants. Advisers should train employees and consultants who are responsible for addressing Consumer requests so that they understand Consumers’ rights and the Adviser’s obligations under the CCPA. Employees and consultants should understand the ways in which Consumers may exercise their rights.
Review and Amend Services Agreements. Advisers should review all agreements with placement agents, administrators, custodians, prime brokers and other service providers to ensure they provide adequately for data security and include other provisions deemed necessary and advisable to comply with the CCPA. Such agreements should be reviewed carefully to determine whether they provide for a “sale” of personal information. A sale may take many forms, some of which may not be easily recognized. For example, a sale may occur where a service provider gives a discount or any other type of value in consideration or exchange for the ability to access and use Consumers’ personal information. Agreements may need to be amended to prohibit sales of Consumers’ personal information, unless the express written consent of Consumers is first obtained and not withdrawn.
Review and Revise Website. Advisers should update their online privacy policies to describe Consumer rights, delineate at least two methods by which Consumers may submit requests and provide other information required under the CCPA.
Pillsbury’s Investment Funds and Investment Management and Data Privacy teams are available to assist with CCPA compliance. Please contact your client relationship attorney for additional information regarding Consumers’ rights and your obligations under the CCPA.