The California Consumer Privacy Act (the “CCPA”), which was passed as law on June 28, 2019, will be effective as of January 1, 2020. Please be aware most fund managers will not be affected, but given the upcoming date of effectiveness it may be prudent to evaluate the reach of the law.
First, WHO does the CCPA affect?
The CCPA will affect fund managers who do business in California AND either (i) have at least $25 million of annual gross revenue; (ii) buy, sell, share or receive personal data; or (iii) receive over half of their revenue from the sale of personal data of California residents. Most fund managers who do business in California will not meet any of these prongs. The few managers whom the CCPA will affect will likely fall under prong (i) – those who do business in California and have at least $25 million in annual gross revenue.
In calculating the $25 million in annual gross revenue, fund managers operating with a bifurcated management structure (separate management company and general partner entities) will likely have to aggregate the revenues of the general partner and management entities. The CCPA expands the definition of a “business” to include entities that control or are in common control with another business and that share common branding. In this case, if the threshold is met across both management entities, each entity will be subject to the provisions of the CCPA. If the general partner and investment manager do not share common branding, our view is that the revenues of the entities will not need to be aggregated.
Second, WHAT information does the CCPA cover?
The CCPA generally covers “personal information” that identifies, relates to, describes or is associated with, directly or indirectly, a particular institutional or prospective client. This information includes, without limitation, names, addresses, email addresses, social security numbers, driver’s license or state-issued ID numbers and passport numbers.
Typically, fund managers maintain the personal information of (i) their own employees, (ii) individual clients, (iii) institutional or entity clients and (iv) prospective clients. Fund managers may be relieved to learn that, due to certain statutory exemptions, information collected (i) about a manager’s employees, (ii) via certain business-to-business transactions and (iii) about individual clients (if a manager is an SEC Registered Investment Adviser) does not constitute personal information and, as a result, does not fall under the scope of the CCPA. Thus, the CCPA will generally only cover personal information of a fund manager’s (i) entity or institutional clients and (ii) prospective clients.
The CCPA exempts from coverage all data pre-empted by the Gramm-Leach-Bliley Act (the “GLBA”), which only applies to SEC Registered Investment Advisers (each, an “RIA”). The GLBA protects nonpublic personal information that is provided by a consumer to a financial institution in connection with obtaining financial products/services from the institution. The GLBA’s definition of nonpublic personal information differs from the definition of personal information under the CCPA, and is limited to individual investor information. Thus, while certain individual investor information may be pre-empted from the scope of the CCPA, personal information of entity investors, institutional investors and prospective investors is not within the scope of the GLBA and as such, will be covered by the CCPA.
Third, HOW should fund managers comply?
To the extent that clients or client prospects of fund managers are protected by the CCPA, their rights include the right to request disclosure of information that is collected and shared, the right to delete personal information and the right to non-discrimination. To ensure such compliance with the CCPA, we recommend that managers within the scope of the CCPA take the below actions:
- Fund managers must broadly be prepared to promptly respond to California client rights and requests, including clients’ rights to (i) access specific personal information, (ii) data portability, (iii) data deletion and (iv) non-discrimination for exercise of any CCPA right. Once a fund manager has received a verifiable consumer request from a client, it must be prepared to disclose and deliver the required information to the client within 45 days.
- Typical privacy policies currently used by fund managers may need to be updated to (i) inform clients of their rights under the CCPA and provide instructions on how to exercise those rights and (ii) reword and incorporate as a comprehensive list all personal information (including driver’s licenses, passport numbers or any other personal identifiers) collected and shared with service providers (such as the fund administrator, auditor, legal/regulatory service providers and I.T. providers). RIAs should also distribute their annual privacy policy update to all clientele in January.
- Fund managers operating a website which collects personal information (either through an online portal access, cookies or other website function) must publish a separate CCPA compliant privacy disclosure on such website relating to the collection and use of such personal information. Many fund managers do not collect personal information on their websites, and thus will not need to include such privacy disclosure on their webpage.
- Fund managers should consider updating their agreements with their fund administrator and possibly other service providers that have access to covered information of clients to include a representation from the service provider that it is in compliance with CCPA regulations.