California, the birthplace of the social network, has until this point been synonymous with the unbridled innovation of Silicon Valley and not often associated with the regulation of its giants of technology. In the wake of the Cambridge Analytica scandal, however, there has been a marked shift in public opinion and change is on the horizon.
The California Consumer Privacy Act 2018 (“CCPA”) was approved on 28 June 2018 and represents a milestone step towards regulating businesses involved in collecting and sharing personal information (“Personal Information”) on California residents. Effective January 1, 2020, California residents will be afforded a number of new protections.
Key Rights and Obligations Common to CCPA and GDPR
Although of lesser size and scope than the European Union’s General Data Protection Regulation (“GDPR”), the CCPA creates a number of rights and obligations similar to those created under GDPR albeit with nuances in terminology.
| | CCPA | GDPR |
|---|---|---|
| Rights of individuals | Transparent access to Personal Information held by a (for profit) business; to know how Personal Information will be shared or sold; to have Personal Information deleted by a business; to ‘opt out’ of the sale of Personal Information to third parties | Transparent access to personal data held by a data controller; to know how personal data will be processed; to have personal data erased by a data controller; to withdraw consent for processing of personal data for direct marketing purposes |
| Obligations on Businesses (CCPA) and Data Controllers (GDPR) | Provide consumers access to their Personal Information within 45 days of a verifiable request; provide consumers with the ability to ‘opt out’ of the sale of their Personal Information; set out how Personal Information will be used in a Privacy Policy available to consumers; obligations are not limited to businesses domiciled in California (extra-territorial effect) | Provide data subjects access to their personal data within one month of an access request; where consent is the legal basis of processing, seek positive and unambiguous affirmation from the data subject (an ‘opt in’); give data subjects the processing details at the point of collection[1]; obligations are not limited to data controllers domiciled in the EU (extra-territorial effect) |
Territorial Scope
The CCPA applies to businesses ‘doing business’ in California and is not limited to businesses domiciled in California. Enforcement issues aside, this is a big step in US Data Protection.
Individuals granted rights under the CCPA
The CCPA grants rights to ‘consumers’ who are defined quite broadly as natural persons resident in California.
Definition of personal information
Personal Information is defined in similarly broad terms to GDPR as information not publicly available that could identify a consumer or household such as an ID number, email address or IP address. Certain commercial information is also included, for example, records of personal property and products or services purchased.
Key rights granted to consumers
Consumers have the right to:
- Know what categories of Personal Information have been collected on them and from what categories of sources;
- Know the business or commercial purpose for collecting or selling this information;
- ‘Opt out’ of the sale of this information; and
- Take a civil action against a business in the event of a breach of Personal Information.
Key obligations on businesses subject to the CCPA
- Upon receipt of a verifiable request from a consumer, disclose the above-mentioned details within 45 days;
- Make available at least two methods for consumers to make such requests, including at a minimum a toll-free number and a web address (where the business has a website);
- Delete a consumer’s Personal Information on request. This is subject to an exception for legal compliance obligations, so it is reasonable to assume that a business would not have to delete any Personal Information subject to regulatory retention requirements;
- Give consumers details of their rights under the CCPA in a Privacy Policy available on the business’s website.
Businesses subject to CCPA
The CCPA applies to businesses[2] ‘doing business’ (but not necessarily domiciled) in California that collect Personal Information on Californian residents. In order to qualify, the business must determine the purpose and means of processing the Personal Information and also reach a substance threshold. For businesses not engaged in the sale of Personal Information, the most relevant threshold is to generate gross annual revenue of at least $25,000,000.
There is no definition of ‘doing business’ contained in the CCPA, however, the narrow exception where ‘every aspect of that commercial conduct takes place wholly outside of California’ is instructive. The act explains that this exception applies where personal information was collected and sold while the consumer was outside of California and no part of the sale took place in California.
While much of the CCPA is aimed at businesses that sell large volumes of Californian consumers’ personal information for profit, it also applies to businesses and service providers that share consumer Personal Information for a business purpose. The definition of ‘business purpose’ includes verifying customer information and processing payments. This would suggest that the vast majority of commercial interactions involving California residents and the collection of their Personal Information would be subject to the CCPA. There is, however, one very pertinent exception.
Financial Institutions Exception
The original text of the CCPA created an exclusion where Personal Information was collected and disclosed pursuant to the federal Gramm-Leach-Bliley Act[3] (“GLBA”) provided there was a ‘conflict’ between the GLBA and the CCPA. After much industry comment, the GLB exclusion was amended in September 2018 via SB1121 with the removal of the ‘conflict’ requirement and as such information gathered pursuant to the GLBA will now not be subject to the CCPA (explained below).
Gramm-Leach Bliley Act Exclusion
The GLBA imposes similar obligations to the CCPA on financial institutions gathering personal information as part of the provision of financial services. These obligations include adopting a privacy policy, providing it to customers and offering an ‘opt out’ for certain types of disclosures.
The GLBA applies to both investment advisors registered with the Securities and Exchange Commission and those registered at a state level, meaning that personal information gathered as part of an investor’s subscription to a fund, such as ID numbers and passports, would typically be out of scope for most of the CCPA’s provisions.[4]
Investment advisors, however, are not exempt from the private right of action granted to consumers for data breaches under section 1798.150 of the act. In the event of a breach, financial institutions can still be held liable for the extent of actual damages to a consumer or a maximum award of $750, whichever is greater.
The CCPA is silent on the issue of non-USA resident businesses and so, enforceability issues aside, it is reasonable to assume that the same rules apply to foreign businesses collecting Personal Information on California residents. Non-USA domiciled fund managers and administrators who are not subject to the GLBA should therefore pay careful attention to the CCPA and any upcoming amendments which may clarify this point.
Conclusion
The CCPA represents another step in the evolution of data protection in the USA. While the requirements of the CCPA are not too onerous, the nature of CCPA rights and obligations clearly demonstrates that US state legislatures are paying attention to international data protection developments and are adopting comparable frameworks to suit local needs.
The extraterritorial effect of the CCPA means that fund managers and administrators based outside the USA should take heed of CCPA requirements and registered investment advisors within the USA should be aware of the new private right of action for data breaches.
The CCPA was rushed through the legislative approval process in order to preserve the legislature’s ability to amend the act and has already been subject to amendment in September 2018. As recently as January 2019, the California Attorney General (AG) has proposed further amendments, and as such the act is likely to go through a number of changes prior to the effective date. A ‘watch this space’ approach would therefore be prudent for all businesses doing business in California.
It is also increasingly likely that other US states and indeed international jurisdictions will introduce similar but slightly different laws making it challenging for a firm to keep internal procedures and privacy policies compliant with multiple jurisdictions.
An arguably safer approach, therefore, would be to give investors real time access to their personal information and control over its disclosure to counterparties. This approach empowers investors and negates the need for both information access requests and frequent updates to privacy policies.
[1] Including the name of the data controller, purpose of processing and details of parties with whom it will be shared
[2] Under the CCPA a business is defined as a (for profit) sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that does business in the State of California, collects consumers’ personal information and (jointly or individually) determines the purpose and means of the processing of the consumers’ personal information
[3] Public Law 106-102
[4] Via implementing regulations from the SEC and FTC