Privacy and Data Security for Private Fund Managers

The California Consumer Privacy Act (the “CCPA”) was enacted in 2018 and becomes effective January 1, 2020. The CCPA gives consumers in California four basic privacy rights including:

• To know what personal information a business has about them, and from where (categorized) that personal information came or was sent;
• To request deletion of personal information that a business collected from them or to require that personal information not be shared;
• To opt-out of sale of personal information about them; and
• To receive equal service and pricing from a business, even if they exercise their privacy rights under the CCPA.

The CCPA will impact private fund managers (or their portfolio companies) doing business in California (1) with annual gross revenues in excess of $25 million, including managers that are not located in California, but whose funds have California investors; (2) that buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices annually; (3) that derive 50% or more of annual income from selling consumers’ personal information.

Under the CCPA, organizations must: (1) track consumer information from collection through sale or deletion; and (2) create a system to promptly respond to requests from consumers. The CCPA also has a 12-month requirement that potentially private information be retained for a full year and to track how it is used both internally and by third parties. Of course, all systems must be designed to keep personal information private. Further, there must be at least two systems for receiving consumer requests (e.g., website link and direct email). Such requests generally must be answered within 45 days. All requests from consumers must be “verified” as coming from the actual consumer.

The organization’s privacy policy is also subject to enhanced disclosure requirements. Privacy notices must now describe the consumer rights and how to exercise them, and provide a list of categories of personal information collected, sold and disclosed in the prior 12 months and updated every 12 months, a link to a “Do Not Sell My Personal Information” page, and a listing of the categories of third parties who will receive the personal information, including identification of financial incentives offered by the business.

While the law exempts most personal information collected and used pursuant to the Gramm-Leach-Bliley Act (which is currently applicable to most private fund managers), the definition of “personal information” under the CCPA is much broader than the definition of nonpublic personal information under the GLBA. Therefore, the CCPA is likely to apply to at least some of the data collected by financial institutions irrespective of the GLBA. As such, financial institutions would remain subject to the provisions and requirements of the CCPA for all activities falling outside of the GLBA, which could include activities conducted by their wealth management businesses and information they collect online.

The CCPA has a 12-month look-back period, and consequently organizations need to start putting the people, processes, procedures and technology in place immediately to address CCPA requirements.

On the whole, the CCPA has a broad reach that impacts organizations large and small, financial and all others. The well-intended exceptions are not as broad as they were intended to be. At minimum, even if not collecting consumer data to provide a service, organizations need to be mindful of how they are managing and protecting the data of their employees, who are also considered consumers under the law. Furthermore, if an organization does not have operations in California, but collects consumer data nevertheless, whether through a website or ingested through social media, a concerted effort should be made to comply with CCPA as to that data. Finally, as for the rest of the country, for the time being California is the high-water-mark state — the proverbial tail wagging the dog. It is only a matter of time before other states catch on, so setting up people, processes, procedures and technology now in anticipation of the privacy wave will keep organizations ahead of the curve.