California Privacy Laws For Asset Managers (Podcast)

Ropes & Gray LLP

Ropes & Gray is a preeminent global law firm with approximately 1,400 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Washington, D.C., Boston, Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul.

On this episode of Ropes & Gray's California Law for Asset Managers podcast series, asset management partner Catherine Skulan is joined by data, privacy & cybersecurity partner Ed McNicholas to discuss recent developments in California privacy law. California's privacy laws can implicate a wide range of managers—from those based in the state to those that simply have California investors. Catherine and Ed delve into the implications for asset managers of the California Consumer Privacy Act (CCPA) of 2020 and its amending legislation, the California Privacy Rights Act (CPRA), which became enforceable for violations after July 1, 2023.

Transcript:

Catherine Skulan: Hello, and welcome to this Ropes & Gray podcast. I'm Catherine Skulan, a partner in the Ropes & Gray asset management group in San Francisco. I'm excited to have you join us for this installment of our podcast series on California law considerations for asset managers. With me today is Ed McNicholas to talk about developments in California privacy law. Ed leads Ropes & Gray's data, privacy & cybersecurity group, and advises many of our asset management clients on compliance with federal and state data protection laws. This includes, of course, the Gramm-Leach-Bliley Act's privacy and safeguard rules, but also state privacy laws that contain increasingly onerous compliance requirements. Ed, what is happening in California?

Edward McNicholas: Catherine, thank you for having me here today—this is a great time to provide an update on this topic. The California Consumer Privacy Act (the CCPA) has been in operation since January 2020. We'll come back in a minute to how it applies to asset managers, but amendments to the CCPA put in place by the California Privacy Rights Act (the CPRA) have also gone into operation and are now enforceable. These laws also created a new privacy administrative agency, the California Privacy Protection Agency (the CPPA). The agency has been getting busy getting organized and issuing regulations. Among other things, these laws require expanded notices, and in some instances, new contractual terms with service providers. They also pose additional restrictions on the use of personal information, and create new privacy rights, among many other things.

Catherine Skulan: They're certainly a timely topic then, and it's worth flagging these developments. But as you mentioned, for our current audience, it's important to understand what all this means for asset managers. For example, the CCPA includes an exception for most investor information that is collected by funds and their sponsors. Can you explain how the CCPA applies to asset managers?

Edward McNicholas: That's correct, and we don't want to overstate its application to asset managers. The CCPA does put outside of its scope information that is subject to the Gramm-Leach-Bliley Act, which could include most information asset managers collect about "natural person" investors (that is, real persons, not institutional investors). But there's still important information that asset managers collect that is subject to the law. For example, information collected about some prospective "natural person" investors prior to their admission to the fund could be subject to the law. It would also include some information that asset managers collect online. Also, information about "natural persons" (that's again, individuals) that is not subject to the Gramm-Leach-Bliley Act could be included as well, such as information about trust beneficiaries. And, importantly, the CPRA ended some exceptions that previously applied to information related to employees and business contacts. This means information about an organization's own employees will now be in scope, as well as information about employees of other entities with which the asset manager interacts, like information about the owners of institutional investors a fund may collect for KYC purposes, as just one example.

Catherine Skulan: And the law also sets up parameters as to which asset managers it applies to.

Edward McNicholas: That's right. The CCPA has scoping criteria that you need to pay particular attention to. The CCPA applies only to for-profit institutions that "do business in California," collect and process personal information about California residents, and meet one of three thresholds, the most obviously applicable one being having more than $25 million in revenue.

Catherine Skulan: Let's take each of those requirements in turn. First, the "doing business" prong. This prong is important, because even if a business has no physical location in California, it could still be subject to the CCPA if it is found to be "doing business" in the state. Now, the Act does not define "doing business," although it does provide some examples of what would not constitute doing business in California. For example, it provides very narrowly that businesses collecting or selling consumer personal information, where every aspect of that commercial conduct takes place wholly outside of California, are not subject to the Act's requirements. Has there been any guidance from the California Attorney General or the California Privacy Protection Agency on what this prong means since the Act came into force?

Edward McNicholas: Unfortunately, we don't have direct guidance on this today, and we can expect that the CPPA will consider its own jurisdiction expansively. Now, we were able to look at related statutes and judicial decisions, particularly under California's Revenue and Taxation Code and the California Corporations Code. Both of those statutes use the same phrase, "doing business," and are good touch points. They suggest that "doing business" is a "continuous and active engagement," rather than activity that would only be considered "incidental" contact with the state. To be clear, the California AG or CPPA could ultimately interpret the statute differently, because it is a different statute. What "active engagement" means will be a fact-based determination. Soliciting investors in California is one example of conduct that might be considered being actively engaged in a state. But, again, it's a fact-specific analysis and each asset manager will need to evaluate the question on a case-by-case basis.

Catherine Skulan: Next, it's crucial to understand what "personal information" is. Importantly, the term is very broadly defined. It's not just things like social security numbers—it's any information that relates to an identifiable California resident, even something like an IP address. So, it's extremely easy to fall within this prong.

Edward McNicholas: That's absolutely right. We're getting every indication that the sweep of personal information will be very broad.

Catherine Skulan: Then, finally, the threshold requirement. Ed, you mentioned that having an annual gross revenue of over $25 million is the factor that is most likely to be relevant for asset managers. But "gross revenue" isn't defined, and unlike other threshold prongs, does not appear to have a geographical limit. Then, how should asset managers think about this number—is it basically all revenue streams, including carry, management fees, transaction fees, earned by an asset manager globally?

Edward McNicholas: I think that's right. We can't be sure about that today, but the revenue threshold is generally understood as global—it is not limited to revenue generated in California or from California residents. It gets at the size of the business and the resources it has to comply.

Catherine Skulan: Now, having worked through each of those prongs and assuming it is in scope, what should an asset manager do to comply with the Act?

Edward McNicholas: Compliance with the evolving law of privacy in California will be a process; you're not going to be able to achieve it all at once—there is no silver bullet. Most asset managers will need to be building off of what they've already done in terms of compliance with the Gramm-Leach-Bliley Act or the EU's GDPR. Since the CCPA came into effect in January of 2020, businesses to which it applies have had to deal with principles common to many data protection rules, such as notice requirements, customer data subject rights, vendor management issues, data breach notification requirements, and security requirements. The CCPA also has some unique requirements relating to disclosure of whether the business sells personal information—and if so, providing an opt-out mechanism—along with more information about requirements for implementing reasonable security standards. Significantly, the CCPA has been interpreted to mean that selling information includes sharing information with another entity, and so, we're going to see small nuances like that take on more meaning as this body of law develops. What we're discussing today is the development of concepts under the CPRA.

So, let's get started with the notices. You're supposed to supply a website privacy notice with information about how you collect and use personal information, both offline and online. It's more comprehensive than most website privacy notices historically have been, and should also inform people about their privacy rights, including the ability to exercise rights for access to data, deletion of data, and correction of data.

In addition to the website privacy notice, you're also supposed to supply a so-called "notice at collection." That is a notice you supply to the individuals at or before the point where you collect their personal information, which can be a challenge for individuals like business contacts at institutional investors. One way I've tried to incorporate that notice is to include it as part of a generally applicable investor privacy notice with the requirement that it be supplied to investors at the time of collection. But that's not the only way to do it—it's just one option—and asset managers may also create other ways to provide notice that maybe they would find more or less attractive.

Catherine Skulan: I suppose that doing it that way does have the advantage of putting your privacy disclosures to investors and employees all in one place. One downside, though, is that you are adding some complexity to a notice otherwise intended only for individual, not institutional, investors.

Edward McNicholas: That's right. You could also email a copy of the notice or draft a separate notice as part of your sub-doc. Like I said, there's no one-size-fits-all solution here.

Catherine Skulan: So, what are some other obligations?

Edward McNicholas: I think an important one to keep in mind has to do with record retention. We're hearing a lot about record retention these days, with the SEC focused on retaining text messages and other information arguably falling within its recordkeeping rules, and the new revisions to Reg S-P also include detailed recordkeeping rules under SEC requirements—that's about preserving information. The rules under the CPRA are really about the opposite. They're about deleting personal information when you no longer have a reasonable business purpose for keeping it—keeping personal information for only as long as you need to have it, and then having procedures to identify that information and delete it securely.

Now, California isn't alone in trying to address this issue. It comes up in other privacy laws, and in the FTC's recent updates to its safeguards rules, which are generally applicable to private funds and are now in operation as well.

Catherine Skulan: You had also mentioned Reg S-P having detailed data retention requirements. This all sounds like a challenge to implement. How are managers dealing with these countervailing considerations?

Edward McNicholas: It's quite a balance actually. Managers obviously need to keep information that they're required to keep by law—and the laws are clear on that—but they should move away from the mindset that they should always retain as much information as they can indefinitely. If there's not a legal or other business need to keep personal information about individuals, asset managers should have processes for its deletion. It's also a practical way to avoid some data breach issues and other privacy issues. If managers don't have sensitive personal information, it can't be subject to a data breach.

Catherine Skulan: Which makes a lot of sense. Now, it's not just notice considerations and information retention issues that are going to become more pointed for managers as these items become enforceable under the CPRA. Separately, I'm seeing a lot of new contractual requirements in agreements I'm reviewing.

Edward McNicholas: Correct. The CCPA requires that businesses enter into contractual terms with their service providers, contractors, and even third parties that they sell or share personal information with for purposes of cross-context behavioral advertising—these terms put restrictions on the secondary uses of the information. So, let's focus on service providers for a moment, because that's probably the most applicable. With some exceptions, service providers are supposed to be restricted by contract from using personal information for purposes other than providing their services. Now, there are some exceptions for the internal development of their products, but they cannot share that information with other parties or use it for purposes that are not connected to the provision of services. In addition, they must agree to assist in responding to a data subject rights request, and even provide a right to audit compliance in some circumstances.

Catherine Skulan: And how are you seeing that part play out?

Edward McNicholas: Unfortunately, there's still a great deal of confusion—vendors are still struggling to get it right. Audit rights are a perfect example. The statute requires that businesses be permitted to "take reasonable and appropriate steps to ensure that the service provider is using personal information in a manner consistent with the business's obligations under the CCPA." But what does that mean in practice? There are some examples in the regulations, like possibly having contractual rights to conduct manual reviews or automated scans of the service provider's systems, but many service providers are pushing back on those kinds of requirements for the obvious reason that they can be quite intrusive.

Catherine Skulan: This sounds like another area where managers and vendors may take different approaches until further guidance comes out, which, unfortunately, sounds like it might not be until there's an enforcement action by the California authorities on this requirement.

So, let's move on—let's cover one final obligation. You also mentioned that the CPRA created new privacy rights. Can you describe what's happening there?

Edward McNicholas: Yes. This is very much part of the CPPA that stems from its heritage as trying to be connected to the GDPR. There's a new right to correct inaccurate personal information and to limit uses of certain sensitive personal information. There's also a right that's similar to the EU's "right to be forgotten," but there is some tension here in the U.S. with our First Amendment "right to remember." Perhaps what's most significant for asset managers are the rights that apply to employees and business contact information. Previously, amendments to the CCPA carved out employees, contractors, and most business contact information, but the CPRA did away with those exceptions. That means the right to access personal information (the "right to know" as it's sometimes called) to get a copy of the personal information you have about someone, as well as the right to delete personal information, could apply to categories of information along with new rights I just mentioned, like the right to correct personal information. These rights are not absolute—there are exceptions. For instance, just because someone says, "Delete my personal information," an asset manager is not necessarily required to do so if the asset manager has valid legal reasons why they need to keep it, for example, because it's a regulatory requirement.

Catherine Skulan: That makes a lot of sense. Now, these amendments to the CCPA we've been discussing are fully enforceable now for violations on or after July 1, 2023. Can you touch briefly on what that means in the context of this California privacy law regime?

Edward McNicholas: Absolutely. The CPRA created a new agency, the California Privacy Protection Agency. That agency is particularly charged with enforcing the law. It is the first time in the U.S. that we've seen an agency created particularly to enforce a privacy law, and we expect it to be a very active regulator. This regulator is closely analogous to a data protection authority that we've seen under the European regime for many years. The CPPA can issue fines, which potentially could be quite significant: up to $2,500 for each violation, or $7,500 for each intentional violation or a violation involving children. Now, regulators will typically argue that each individual impacted by alleged non-compliance constitutes a separate violation, so those fines can add up very quickly if the regulator chooses to be aggressive. It's worth noting that the Attorney General will still also have enforcement authority on top of the CPPA, and the Attorney General has already been aggressive in conducting investigations under the statute. At present, the primary targets are likely to be consumer-facing businesses rather than asset managers, but it is certainly possible that an aggrieved employee or other individual could spark regulatory interest. In addition to all this, there is a private right of action for certain data breaches involving consumers, when there have been unreasonable security practices—that creates a new significant risk for data breaches. The potential statutory penalties there are up to $750 per individual impacted by the data breach, and so, again, that could add up very quickly if a company unfortunately does experience a large-scale data breach.

Catherine Skulan: Thanks, Ed. That's a lot to unpack, and we've covered quite a bit today. Hopefully this has been a helpful update to our asset manager listeners. If anyone has any questions on this or any related topic discussed today, please don't hesitate to reach out. Also, for more information on these or other topics of interest in the asset management or the data, privacy, and cybersecurity areas, please visit our website at www.ropesgray.com. If you enjoyed today's discussion, please subscribe and listen on Apple and Spotify, or your preferred podcast service to other installments in this series on California law considerations for asset managers. Thank you again for listening.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
