The California legislature recently adjourned its 2022 session without extending several exemptions from the California Consumer Privacy Act of 2018 (CCPA). As a result, once the California Privacy Rights Act (CPRA) amendments to the CCPA take effect on January 1, 2023, CCPA compliance will become more complicated for in-scope asset managers and financial institutions that have California-resident employees or job applicants, business contacts resident in California, or both.
CCPA’s Current Limited Impact on Federally Regulated Financial Institutions
As an initial matter, the CCPA currently applies to any for-profit entity that is a “business” because it: does business in the State of California; collects the personal information (PI)[1] of California consumers[2] and alone or jointly with others determines the purposes and means of the processing of consumers’ PI; and satisfies at least one of the following thresholds: it has annual gross global revenue of over $25 million; it annually buys, receives for the business’s commercial purposes, or sells the PI of 50,000 or more consumers, households or devices; or it derives 50% or more of its annual revenues from selling consumer PI.
While many asset managers and other covered institutions satisfy these threshold requirements, the CCPA has had a limited impact on most participants in the asset management industry due to various exemptions. For example, the CCPA does not apply to PI “collected, processed, sold, or disclosed” pursuant to the Gramm-Leach-Bliley Act[3] (GLBA carve-out). This means that the CCPA generally does not apply to the normal-course collection and sharing, by GLBA-covered institutions, of PI collected from or about the individual consumers to whom they provide a financial product or service. The CCPA also includes partial carve-outs for PI collected from California-resident representatives of businesses (B2B carve-out) and from California-resident employees, contractors, job applicants, directors and officers (Employment carve-out).
January 1, 2023: Key CCPA Carve-Outs Expire
On January 1, 2023, key carve-outs that allowed asset managers and other financial institutions to reduce their CCPA compliance obligations will fall away. While the CCPA, as amended by the CPRA, only modestly modifies the applicability thresholds for covered businesses,[4] the CCPA’s Employment carve-out will expire on that date. This change will require covered institutions to treat the PI of California-resident employees, contractors, job applicants, directors and officers as fully “in scope” of the CCPA. As a result, such entities will need to deliver a compliant privacy notice to these individuals and provide them with their full California privacy rights, including the right to: access and delete PI; correct inaccurate PI; and limit the use of “sensitive” PI (in each case, subject to certain exceptions).
The B2B carve-out also will expire on January 1, 2023. Covered institutions therefore will need to provide California-resident representatives of businesses (e.g., representatives of institutional clients or prospects, representatives of service providers) the full suite of California privacy rights. Covered institutions also will need to consider whether they engage in “purchases” or “sales” of PI in the B2B context – such as through participation in data enrichment subscription services that use PI received from third-party providers – that may require them to provide additional privacy notice disclosures and/or “opt-out” rights to impacted California residents.
Final Regulations Likely Will Add to Financial Institutions’ CCPA Obligations
The California Privacy Protection Agency (CPPA) is tasked with issuing regulations pursuant to the CCPA, as amended by the CPRA. The CPPA published initial proposed regulations for notice and comment on July 8, 2022, and the comment period ended August 23, 2022.[5] It then released modified proposed regulations on October 17, 2022, in connection with its October 28-29, 2022 Board meetings.[6] On November 3, 2022, the CPPA published the modified proposed regulations for notice and comment. The written comment period lasts 15 days, closing at 8:00 AM PT on Monday, November 21, 2022. While the modified proposed regulations (at 73 pages) are substantial and add to the CCPA’s statutory requirements, they also remain very much in flux. For example, the modified proposed regulations still do not address some key issues (e.g., requirements regarding automated decision making and profiling). Nonetheless, in-scope asset managers and other institutions should monitor the text of the modified proposed regulations to gauge the potential breadth of their future obligations.
An Update on Enforcement
The effective date of the CPRA amendments to the CCPA is January 1, 2023. The CPRA amendments will not be enforced until July 1, 2023, and then only for violations occurring on or after that date. Both the California Attorney General (CA AG) and the CPPA will have full enforcement authority. In addition, a private right of action exists for certain data breaches involving consumer PI.
Notably, the CPRA amendments do away with the current mandatory 30-day cure period for alleged noncompliance with the CCPA, which begins after the CA AG sends a notice of alleged noncompliance to a business.[7] The CPPA will instead have discretion as to whether to provide a business with time to cure an alleged violation.
Many financial institutions, including SEC-registered investment advisers, are actively updating their privacy programs to comply with the new CCPA obligations to which they will become subject on January 1, 2023, and are monitoring the CPPA’s rulemaking process. Asset managers and other GLBA-covered financial institutions that have not recently assessed their California privacy compliance obligations should act swiftly to begin doing so. With the expiration of the Employment and B2B carve-outs, additional categories of individuals will have rights under the CCPA that in-scope managers and other institutions will need to account for.
1) “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
2) A “consumer” means a natural person who is a California resident, however identified, including by any unique identifier.
3) Title V of the Gramm-Leach-Bliley Act requires that federal financial regulators adopt rules to govern the use of consumers’ personal information by the financial institutions they regulate. In carrying out this mandate, the Securities and Exchange Commission adopted Regulation S-P, which governs the ability of brokers, dealers, investment companies and investment advisers to share nonpublic personal information with unaffiliated third parties.
4) On January 1, 2023, the thresholds for an entity that is a covered “business” under the CCPA will be modified slightly. The revenue threshold will be assessed as of January 1 of the calendar year, based on gross annual revenues for the preceding calendar year. The volume-of-processing threshold will apply when a business annually buys, sells or shares the PI of 100,000 or more consumers or households, and the “sales” threshold will be calculated based on whether the business derives 50% or more of its annual revenues from selling or “sharing” PI.
5) For more information regarding the initial Draft Regulations, please refer to Dechert OnPoint, Ready Set Go: California Privacy Protection Agency Previews Draft Regulations.
6) For more information regarding the Modified Proposed Regulations, please refer to Cyber Bits Issue 23.
7) For examples of instances where the CA AG has issued a notice of alleged noncompliance, please refer to Dechert OnPoint, It’s a Wrap: California Attorney General Announces First-Year CCPA Enforcement Update. For a discussion of the CA AG’s sole CCPA enforcement action to date, please refer to Dechert OnPoint, California AG Throws A Stake in the Ground on “Sales” With $1.2 Million Fine.