On January 1, 2023, the California Privacy Rights Act (“CPRA”) went into effect, amending the California Consumer Privacy Act – a groundbreaking privacy law that went into effect in 2020 (the “CCPA”). Enforcement is scheduled to begin on July 1, 2023, for violations on or after July 1, 2023.
It is important to note that the CPRA was drafted almost immediately after the CCPA went into effect in response to outcries from privacy advocates who believed that the CCPA did not go far enough. In fact, some have referred to the CPRA as “CCPA 2.0”.
Thus, investment advisers, including financial planners, exempt reporting advisers, registered investment advisers and private fund managers, will have to make updates to their privacy regime, including to privacy notices to California residents.
To whom does the CCPA/CPRA apply?
In general, the CCPA/CPRA applies to a “business” that:
A. Is for profit and does business in the State of California;
B. Collects California resident personal information (or on behalf of which such information is collected);
C. Alone or jointly with others determines the purposes or means of processing of that data; and
D. Satisfies at least one of the following:
Annual gross revenue in excess of $25 million. The California Attorney General clarified in comments to questions concerning CCPA regulations that this revenue threshold is not limited to revenue generated in California or from California residents. The CPRA further clarified that a business determines whether it satisfies the threshold on January 1 of a year by looking to annual gross revenues in the preceding calendar year.
Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households, or devices. The CPRA modified this prong to read “alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”
Derives at least 50 percent of its annual revenue from selling consumers’ personal information. Under the CPRA, the “sharing” of personal information also counts toward the qualifying threshold.
Businesses located outside of California: the “long arm” of the CCPA/CPRA. A business need not be located in California to be subject to the CCPA/CPRA. While the CCPA/CPRA does not expressly address this, a business may be “doing business” in California if it conducts online transactions with persons who reside in California, has employees working in California, or has certain other connections to the state, even if there is no physical location in the state.
What is the Scope of the CCPA/CPRA?
The CCPA and the CPRA will now reach prospective institutional investors/clients if the investors/clients have California employees or agents from whom the investment adviser collects personal information. Even investment advisers who have the personal phone number of a California representative would be in scope. It similarly encompasses service providers that have California employees from whom the investment adviser collects personal information.
The CPRA exempts any information that is “subject to” the Gramm-Leach-Bliley Act (“GLBA”) or Regulation S-P. This GLBA exemption effectively covers all information that investment advisers collect about their existing investors/clients. However, because Regulation S-P does not reach information collected about prospective investors/clients prior to onboarding, such information will be subject to the CPRA.
How do I comply with the CCPA/CPRA?
Accompanying this alert is a revised privacy policy that is designed to comply with the CPRA (the “CPRA Compliant Policy”).
As of July 1, 2023, we recommend that you update your website to include a link to the CPRA Compliant Policy.
As of July 1, 2023, any emails containing marketing materials (flipbooks, analyses, performance information, etc.) or offering documents that are sent to prospective investors or clients should include the following disclaimer, along with a link to the CPRA Compliant Policy.
Updating subscription documents
In connection with timely updates of your subscription documents after July 1, 2023, you should include the CPRA Compliant Policy as an exhibit. We will, of course, do that for you if we are retained to update your offering documents.
What happens if I don't comply with the California privacy legislation?
The California Attorney General will have full enforcement authority. In addition, a private right of action exists for certain data breaches involving consumers.
If you have any questions about this alert or any other regulatory matters, do not hesitate to reach out to: Daniel Viola (Partner – Head of the Regulatory Group) at 212.573.8038 or via email at dviola@sadis.com or to Vartika Naithani at 212.573.8148 or via email at vnaithani@sadis.com.