There are many aspects to compliance and from time to time, I like to bring in complementary experts to share their perspectives and knowledge. This week, I’m delighted to have Michael Williams from Clym (pronounced like “climb”) tell you more about data privacy on your website and an important new regulation from California that can affect any firm in the country. I hope you enjoy this post. After reading, please contact us or Michael if you think this could be an issue for your firm. – Bo Howell
by Michael Williams of Clym
The CCPA is currently in effect and covered businesses, regardless of whether they are located in or outside of California, are already obligated to comply with its provisions. The California Attorney General has stated that his office will enforce violations that occurred prior to the enforcement date, so unless that position changes, businesses must comply with CCPA regulations, or take the steps necessary to achieve compliance as soon as possible. The cost of noncompliance can be high.
Who is subject to CCPA?
Generally, for-profit companies doing business in California are subject to the law if they collect personal information from California residents and if one or more of the following is true:
- The business earns $25 million or more in annual revenue.
- The business holds or transfers personal data of at least 50,000 consumers; and/or
- The business derives at least 50% of its revenues from the sale of consumers’ personal data.
It is important to note that “doing business” in California does not mean that a company must have a physical presence in the state. Therefore, as long as the investment adviser, regardless if that adviser sits outside of California or even the United States, collects, buys, shares, sells or receives personal information of California consumers, households or electronic devices, the CCPA will likely apply.
Pro tip: Be sure to check both revenue tests and any CRM system that contains information on both potential and existing clients and employees.
Why is CCPA Important?
First, let’s talk about compliance with the law. Widely considered to be the strictest data privacy law enacted to date in the United States, the CCPA affects companies both inside and outside of California, by providing consumers with a wide array of privacy rights and protections. For companies subject to CCPA, implementing the mechanisms necessary to comply with the law can be a significant undertaking, a task made more difficult given that the California Attorney General has not yet issued final guidance regarding certain provisions of the CCPA. Registered investment advisors maintaining information on California residents should familiarize themselves with CCPA to avoid the significant financial penalties imposed for non-compliance.
Pro tip: The California Attorney General did release proposed regulations yesterday on how business can comply with CCPA.
The CCPA creates new consumer rights regarding personal information that is collected by businesses. The CCPA defines consumer as any “natural person who is a California resident.” The intentions of the CCPA are to provide California residents with the right to:
- Know what personal information is being collected about them;
- Know if and to whom their personal information is sold;
- Prevent the sale of personal information;
- Access their personal information;
- Request that a company delete their personal information; and
- Not be discriminated against for exercising their privacy rights.
The CCPA broadly defines personal information to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Additionally, the concept of a “sale” for CCPA purposes is the exchange of someone’s personal information for value (e.g. selling and renting but also disclosing, transferring and making available); this broad definition is important, as it could include information like cookies that are collected and tracked by websites.
Businesses subject to the CCPA must:
- Provide notice to consumers at or before the point of data collection;
- Make disclosures about the information that they collect and the rights held by consumers under the CCPA; and
- Create procedures to respond to requests from consumers to know, delete and opt-out within certain timeframes and verify the identity of consumers who make requests.
Am I Exempt from CCPA? Not Exactly.