Managers of private investment funds that collect personal information are required to comply with the landmark California Consumer Privacy Act – with some exemptions. This installment of our Investment Funds Update discusses when private investment funds are subject to the CCPA, when they are exempt, and what they need to do to comply with the new law.
The California Consumer Privacy Act (CCPA) was signed into law on January 28, 2018, by then- Governor Jerry Brown, ushering in what appears to be a new era in US privacy regulation. The principal features of the CCPA, which became effective on January 1, 2020, include the creation of the following new consumer privacy rights for residents of California:
The CCPA can be enforced by the California attorney general. Private plaintiffs may also bring an action under the CCPA with respect to a security breach involving personal information, with statutory damages available. But there is a wrinkle: businessman Alastair Mactaggart, the primary backer of the California ballot initiative that was the impetus for the CCPA, has formally filed the California Privacy Rights and Enforcement Act, a new initiative that will appear on the California ballot in November 2020 if it obtains sufficient signatures. The proposed ballot measure includes provisions that would add significant new privacy obligations to the CCPA, eliminate the California attorney general’s responsibility for enforcing the CCPA, and grant that authority to a new California Privacy Protection Agency.
Yes! The CCPA would not apply to the following information collected by private fund managers:
Personal Information Subject to the GLBA
The consumer privacy rights obligations of the CCPA do not apply to personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), with which many private fund managers are already complying.
Note, however, that the scope of the CCPA is broader than the scope of the GLBA, which is limited to nonpublic personal information of consumers and does not always cover prospective investors. For instance, if a private fund manager were to collect marketing-lead information about high-net-worth individuals that might become potential customers of the manager’s financial services, then that personal information is likely to be subject to the CCPA’s consumer privacy rights because an individual on a list of leads has not yet become a “consumer” or “customer” of the manager, as those terms are defined under the GLBA. Accordingly, the GLBA exemption cannot be relied on as a blanket exemption to the CCPA in all instances.
Employee, Officer, Director, Applicant, and Contractor Information
The CCPA exempts certain personal information collected from job applicants, employees, owners, directors, officers, and contractors of a business from most requirements of the CCPA for one year, until January 1, 2021. The information covered by the exemption includes personal information (1) collected about a person as a job applicant, employee, owner, director, officer, medical staff member, or contractor of that business; (2) collected and used solely for the purpose of maintaining emergency contact information; and (3) collected and used solely to administer benefits to an individual, all of which would typically be categorized as “Human Resources Data.”
Note, however, that fund managers that would otherwise be subject to the CCPA would still be required to provide these individuals with a CCPA-compliant privacy notice.
B2B Transaction Data
The CCPA will generally apply to private fund managers that collect personal information of California consumers that is not subject to an exemption such as those listed above, do “business” in California, determine the purposes and means of processing that personal information, and (i) have annual gross revenues in excess of $25 million; (ii) buy, receive, sell, or share “personal information” of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenue from selling consumer information. The CCPA defines “consumers” broadly as natural persons who are California residents. This could include, for instance, current fund investors, prospective investors, advisory clients, employees, and applicants who are California residents.
The CCPA does not define what it means to “do business” in California, and, therefore, absent further guidance, this term is likely to be construed broadly. For instance, a private fund manager may be considered to be “doing business” in California just by operating a website in which California residents are permitted to provide their personal information, even if the manager is not organized under California law and has no physical presence in California.
Our lawyers continue to closely follow each new development as the CCPA is amended and regulations and guidance documents are issued. Since the start of 2019, at least 10 other state legislatures have introduced privacy bills inspired to varying degrees by the CCPA, and we are also following developments in such other states. Our team assists private fund managers in understanding how these important changes affect their businesses and how to navigate the changing data privacy landscape. Visit our CCPA Resource Center for additional information on our team’s publications, events, and media appearances addressing the CCPA and similar state-sponsored legislation.
If you have any questions or would like more information on the issues discussed in this Investment Funds Update, please contact any of the following Morgan Lewis lawyers:
Ethan W. Johnson