March 21st, 2023

The New California Privacy Rights Act and its application to Investment Advisers

On January 1, 2023, the California Privacy Rights Act (“CPRA”) went into effect, amending the California Consumer Privacy Act – a groundbreaking privacy law that went into effect in 2020 (the “CCPA”). Enforcement is scheduled to begin on July 1, 2023, for violations on or after July 1, 2023.

It is important to note that the CPRA was drafted almost immediately after the 2020 law went into effect in response to outcries from privacy advocates who believed that the CCPA did not go far enough. In fact, some have referred to the CPRA as “CCPA 2.0”.

Thus, investment advisers, including financial planners, exempt reporting advisers, registered investment advisers and private fund managers, that were previously not subject to the CCPA should consider whether they must now comply with the CCPA and the CPRA. Moreover, investment advisers that are already subject to the CCPA will have to make updates to their privacy regime, including to privacy notices to California residents.

Who does the CPRA apply to?

The CPRA applies to any business with sufficient connection to California, including investment advisers. In particular, the CPRA applies to any business (regardless of whether it is located in California) that had at least $25 million in gross annual revenue in the preceding calendar year (even if such revenue is not raised from California).

What is the Scope of CPRA?

CCPA and the CPRA now will reach prospective institutional investors/clients if the investors/clients have California employees or agents from whom the investment adviser collects personal information. Even investment advisers who have the personal phone number of a California representative would be in scope. It similarly encompasses service providers that have California employees from whom the investment adviser collects personal information.

The CPRA exempts any information that is “subject to” the Gramm-Leach-Bliley Act (“GLBA”) or Regulation S-P. This GLBA exemption effectively covers all information that investment advisers collect about their existing investors/clients. However, because Regulation S-P does not reach information collected about prospective investors/clients prior to onboarding, such information will be subject to the CPRA.
 
How do I comply with the CPRA?[1]

Create a robust compliance program which:
  • provides consumers notice on how you use and disclose personal information;
  • honors privacy rights requests; and
  • protects the integrity and security of personal information.
Update your websites to include:
  • a privacy notice specifically tailored to comply with the CPRA (also a good idea to include a short disclaimer notice on your emails);
  • processes for handling requests from investors/clients or employees to access, delete or amend their personal information; and
  • information security programs.
Disclosure at the “Point of Collection” of Personal Information
  • The key regulations that may have the largest operational impact on investment advisers relate to providing notice to investors/clients or employees “at collection” of their personal information and recognizing “global privacy controls” on websites, allowing visitors to opt out of cross-context behavioral advertising.

What happens if I don't comply with the CPRA legislation?

The California Attorney General will have full enforcement authority. In addition, a private right of action exists for certain data breaches involving consumers.

If you have any questions about this alert, or any other regulatory matters, do not hesitate to reach out to: Daniel Viola (Partner – Head of the Regulatory group) at 212.573.8038 or via email at dviola@sadis.com or to Vartika Naithani at 212.573.8148 or via email at vnaithani@sadis.com.
 
 
[1] Please note that this list is not exhaustive and merely compiled for illustrative purposes.