The California Consumer Privacy Act (the “CCPA”) was passed into law on June 28, 2019 and became effective on January 1, 2020. The CCPA affects all businesses that do business in California AND either (i) have at least $25 million of annual gross revenue; (ii) buy, sell, share or receive the personal information of 50,000 or more California residents; or (iii) receive over half of their revenue from the sale of personal data of California residents. Fortunately, most financial services entities that do business in California will not meet any of these prongs.
As of July 1, 2020, the California Attorney General (“AG”) has the right to enforce CCPA against violators, not just in California, but across the nation. Under the CCPA, the AG may recover civil penalties up to $2,500 for each violation and up to $7,500 for each intentional violation. The CCPA also provides for a private right of action subjecting businesses to civil liability resulting from a data breach involving certain defined types of personal information. In fact, CCPA class action litigation has already started to fill the court system.
There are plenty of articles and information describing what measures are appropriate to ensure compliance with the CCPA. Updating privacy policies, implementing processes to respond to individual consumer requests, and ensuring contracts are in place with third-party service providers are all great steps to take. While we recommend reviewing policies and processes early and often, do you know whether the CCPA even applies to your business?
CALCULATING ANNUAL GROSS REVENUE
In calculating the $25 million in annual gross revenue, the CCPA expands the definition of a “business” to entities that control or are in common control with another business and that share a common branding. In this case, the threshold is met when revenues exceed $25 million across all such entities and each entity is subject to the CCPA. Many financial service entities are part of a group of companies, generally controlled or owned by a holding company. For example, a broker-dealer, RIA, and insurance entity are an often-used structure for a financial services firm that brands itself as a single corporate entity. In that instance, the revenues of the entities will need to be aggregated.
WHAT INFORMATION IS PERSONAL INFORMATION?
The CCPA broadly defines “personal information” to encompass information that identifies, relates to, describes, or is associated with, directly or indirectly, a particular institutional or prospective client. This information includes, without limitation, names, addresses, email addresses, social security numbers, driver’s license or state-issued ID numbers and passport numbers. However, the CCPA exempts from coverage all data required to be obtained by the Gramm-Leach-Bliley Act (the “GLBA”). The GLBA protects nonpublic personal information that is provided by a consumer to a financial institution in connection with obtaining financial products/services from the institution.
The GLBA’s definition of nonpublic personal information differs from the definition of personal information under the CCPA, and is limited to individual investor information. Thus, while certain individual investor information may be pre-empted from the scope of the CCPA, personal information of entity investors, institutional investors and prospective investors is not within the scope of the GLBA and as such, will be covered by the CCPA.
50,000 CALIFORNIA RESIDENTS
Certain financial services firms may be subject to the CCPA if they have received personal information on more than 50,000 California residents. Firms such as online broker-dealers, mortgage brokers, or insurance entities often collect information on prospective clients and store that information on their servers. In fact, IP addresses, browsing history, and information regarding a consumer’s interaction with a website (often collected by cookies) are considered “personal information” that is subject to the CCPA. Accordingly, it is incumbent on firms to check how many California residents’ data they have received to be sure they are not subject to the mandates of the CCPA.
SELLING CONSUMER DATA
This is probably the easiest criterion to understand. Do you sell the data you collect from your customers and potential customers? If you do, there may be other privacy statutes you need to know about. In fact, the CCPA may not be your only regulatory hurdle to overcome. Nonetheless, you should take a long look at what percentage of revenue it comprises for your business. If it is more than half of your revenues, using even the most conservative definition of “revenues”, you will be subject to the CCPA.
WHAT TO DO WHEN SUBJECT TO THE CCPA
To the extent a firm collects personal information of clients or prospective clients that is subject to the CCPA, there are specific consumer rights that must be observed. Those rights include the right to request disclosure of information that is collected and shared, the right to delete personal information, and the right to non-discrimination. Compliance with the CCPA is not difficult, but does take some effort to get it right.
Whether a firm is subject to the CCPA is a fact-specific analysis. If you are concerned about whether you are subject to the mandates of the CCPA, feel free to reach out to the lawyers at Higgs Fletcher & Mack for the appropriate guidance.