We are pleased to introduce a new Ropes & Gray podcast series, California Law for Asset Managers, which explores California state laws of importance to asset managers.
This series will examine California state privacy, lobbying, fee disclosure and other laws that are relevant to asset managers that are, or are thinking about becoming, active in the state. California’s privacy laws can implicate a wide range of managers—from those based in the state to those that simply have California investors. And given the importance to many sponsors of partnerships with state and local pension plans, two episodes will focus on lobbying and fee disclosure issues that asset managers must grapple with when dealing with these plans. We will look to provide updates on these matters and insights into other relevant California law matters for asset managers in later podcasts.
On this opening episode, asset management counsel Catherine Skulan is joined by data, privacy & cybersecurity counsel Kevin Angle to discuss recent developments in California privacy law. Catherine and Kevin delve into the implications for asset managers of the California Consumer Privacy Act (CCPA) of 2020 and its amending legislation, the California Privacy Rights Act (CPRA), which becomes enforceable for violations on or after July 1, 2023.
Catherine Skulan: Hello, and welcome to this Ropes & Gray podcast. I’m Catherine Skulan, counsel in the Ropes & Gray asset management group in San Francisco. I’m excited to have you join us for this first installment of our podcast series on California law considerations for asset managers. With me today is Kevin Angle to talk about developments in California privacy law. Kevin is counsel in our data, privacy & cybersecurity group and advises many of our asset management clients on compliance with federal and state data protection laws. This includes, of course, the Gramm-Leach-Bliley Act’s privacy and safeguards rules, but also state privacy laws that contain increasingly onerous compliance requirements. Kevin, what is happening in California?
Kevin Angle: Catherine, this is a great time to provide an update on this topic. The California Consumer Privacy Act (CCPA) has been in operation since January 2020. We’ll come back in a moment to how it applies to asset managers—but as of January 1 of this year, amendments to the CCPA put in place by the California Privacy Rights Act (CPRA) have gone into operation, and on July 1, they will become enforceable. Among other things, they require expanded notices, and in some instances, new contractual terms with service providers. They also impose additional restrictions on the use of personal information and create new privacy rights among many other things.
Catherine Skulan: Thanks, Kevin. So, certainly a timely topic, and it’s worth flagging these developments. But as you mentioned, for our current audience, it’s important to understand what all this means for asset managers—for example, the CCPA includes an exception for most investor information that is collected by funds and their sponsors. Can you explain how the CCPA applies to asset managers?
Kevin Angle: That’s correct, and we don’t want to overstate its application in this space. The CCPA does put outside of its scope of application information that is subject to the Gramm-Leach-Bliley Act, which could include most information asset managers collect about their “natural person” investors (that is, real people, not institutional investors). But there is still important information that asset managers collect that is subject to the law. For example, information collected about some prospective investors prior to their admission to a fund. It would also likely include some information the asset manager collects online. Also, information about “natural persons” (again, that’s individuals) that is not subject to the GLBA, like information about trust beneficiaries. And, importantly, the CPRA undid some exceptions that previously applied for information related to employees and business contacts. That means information about an organization’s own employees will be in scope now, as will information about employees of other entities with which the asset manager interacts, like information about the owners of institutional investors a fund may collect for their KYC purposes, as one example.
Catherine Skulan: And the law also sets up parameters as to which asset managers it applies.
Kevin Angle: That’s right, the CCPA has scoping criteria that you need to pay particular attention to. The CCPA only applies to for-profit institutions that “do business in California,” collect and process personal information about California residents, and meet one of three thresholds, the most obviously applicable being having more than $25 million in revenue.
Catherine Skulan: Let’s take each of those requirements in turn. First, the “doing business” prong. This prong is important because even if a business has no physical location in California, it could still be subject to the CCPA if it is found to be “doing business” in the state. Now, the Act does not define “doing business,” although it does provide some examples of what would not constitute doing business in California. For example, it provides very narrowly that businesses collecting or selling consumer personal information, where every aspect of that commercial conduct takes place wholly outside of California, are not subject to the Act’s requirements. Has there been any guidance from the California Attorney General on what this prong means since the Act came into force?
Kevin Angle: The California AG has not directly addressed the question under the CCPA, but we are able to look at related statutes and judicial decisions, particularly under California’s Revenue and Taxation Code and the California Corporations Code. Both of those statutes use the “doing business” concept and are good touchpoints. They suggest that “doing business” is “continuous and active engagement” rather that activity that would be considered only “incidental” contact with the state. To be clear, the California AG could ultimately interpret the statute differently. What “active engagement” means is really a fact-based determination. Soliciting investors in California is one example of conduct that might be considered actively engaging in the state. But, again, it’s a fact-specific analysis and each asset manager will need to evaluate the question on a case-by-case basis.
Catherine Skulan: Next, it’s crucial to understand what “personal information” is. Importantly, that the term is very broadly defined. It’s not just things like social security numbers—it’s any information that relates to an identifiable California resident, even something like an IP address. So, it’s extremely easy to fall within this prong.
Kevin Angle: That’s absolutely right.
Catherine Skulan: Finally, the threshold requirement. Kevin, you mentioned that having an annual gross revenue of over $25 million is the factor that is most likely to be relevant for asset managers. “Gross revenue” isn’t defined, and unlike other threshold prongs, does not appear to have a geographical limit. How should asset managers think about this number—is it basically all revenue streams, including carry, management fees, transactional fees, earned by an asset manager globally?
Kevin Angle:That’s right, the revenue threshold is generally understood as global—it is not limited to revenue generated in California or from California residents. It get’s at the size of the business and the resources it has to comply.
Catherine Skulan: Now, having worked through each of those prongs, and assuming it is in scope, what should an asset manager do to comply with the Act?
Kevin Angle: Compliance is really a process; you’re not going to achieve compliance all at once—there’s no silver bullet. Since the CCPA came into effect in January 2020, in-scope businesses have had to deal with principles common to many data privacy rules such as notice requirements, consumer data subject rights and vendor management requirements. The CCPA also has some unique requirements relating to disclosure of whether the business sells personal information (and an opt out mechanism, if so) along with implementing reasonable security standards. What we’re discussing today is the development of a lot of these concepts under the CPRA (California Privacy Rights Act), which, as I said, amended the CCPA from the start of this year.
Let’s start with notices, which is really low-hanging fruit in a lot of ways as far as compliance goes. You’re supposed to supply a website privacy notice with information about how you collect and use personal information both offline and online—it’s more comprehensive than most website privacy notices have historically been and should also inform people about their privacy rights.
In addition to the website privacy notice, which, like I said, is really low-hanging fruit in many ways, you’re also supposed to supply a so-called “notice at collection”—that’s a notice you supply to individuals at or before the point where you collect their personal information, which can be a challenge for individuals like your business contacts at institutional investors. One way I’ve tried to incorporate that notice is to include it as part of a generally applicable investor privacy notice with a requirement to supply the notice at collection to other individuals whose information the investor will provide to the asset manager. But that’s not the only way to do it—it’s just one option, and asset managers may find it more or less attractive.
Catherine Skulan: I suppose doing so has the advantage of putting your privacy disclosures to investors and their employees in one place. One downside, though, is that you are adding some complexity to a notice otherwise intended only for individual, not institutional investors.
Kevin Angle: That’s right, you could also email a copy of the notice or draft a separate notice as part of your sub-doc. Like I said, there’s no one-size-fits-all solution.
Catherine Skulan: What are some other obligations?
Kevin Angle: I think an important one to keep in mind has to do with record retention. We’re hearing a lot about record retention these days with the SEC focused on retaining text messages and other information arguably falling within its recordkeeping rules. That’s all about preserving information. These rules under the CPRA are really about the opposite—they’re about deleting personal information when you no longer have a reasonable business purpose for keeping it. Only keeping personal information for as long as you have to and have procedures around that.
California isn’t alone in trying to address this issue—it also comes up in other privacy laws, and the FTC’s recent updates to its safeguards rule, which is applicable to private funds, and is now in operation, also address it.
Catherine Skulan: That sounds like a challenge to implement. How are managers dealing with these countervailing considerations?
Kevin Angle: It really requires a balance. Managers obviously need to keep information that they are required by law to retain—the laws are clear on that—but they should move away from the mind set that they should retain all information indefinitely. If there’s not a legal or other business need to keep personal information about individuals, asset managers should have processes for its deletion. It’s also a practical way to avoid some data breaches and other privacy issues—if managers don’t have sensitive personal information, it can’t be subject to a data breach.
Catherine Skulan: That makes sense. Now, it’s not just notice considerations and information retention issues that are going to become more pointed for managers as these items become enforceable under the CPRA. Separately, I’m seeing a lot of new contractual requirements in agreements I’m reviewing.
Kevin Angle: Right, so the CCPA requires that businesses enter into contractual terms with their service providers, contractors, and third parties that they sell or share personal information to for purposes of cross-context behavioral advertising, putting restrictions on their secondary uses and disclosures of personal information. Let’s focus on service providers for the moment, because that’s probably the most applicable. With some exceptions, service providers are supposed to be restricted by contract from using personal information for purposes other than providing their services. In addition, they must agree to assist in responding to data subject rights requests, and even provide the right to audit compliance in some circumstances.
Catherine Skulan: How are you seeing that play out?
Kevin Angle: Unfortunately, there’s still a great deal of confusion—these are all new concepts that people are grappling with, and vendors are still struggling to get it right. Audit rights are a good example. The statute requires that businesses be permitted to “take reasonable and appropriate steps to ensure that the service provider is using personal information in a manner consistent with the business’s obligations under the CCPA”—but what does that mean in practice? There are some examples in the regulations, like possibly having contractual rights to conduct manual reviews and automated scans of the service provider’s systems, but many service providers are pushing back on those kinds of requirements for the obvious reason that they can be quite intrusive.
Catherine Skulan: This sounds like another area where managers and vendors may take different approaches until further guidance comes out, which, unfortunately, might not be until there is an enforcement action by the California authorities on this requirement.
Let’s move on—let’s cover one final obligation. You also mentioned that the CPRA created new privacy rights. Can you describe what’s happening there?
Kevin Angle: Of course. There’s a new right to correct inaccurate personal information and to limit uses of certain sensitive personal information. Probably what’s most significant for asset managers, though, are rights that were actually already available but are now applicable to more data because of the roll off of those employee and business contact exceptions. Previously, amendments to the CCPA carved out of its scope information related to employees, contractors, and most business contact information, but the CPRA did away with those exceptions starting January 1 of this year. That means that the rights to access personal information (also called the “right to know”)—to get a copy of the personal information you have about someone (that’s another way of describing that concept)—and second, the right to delete personal information, now apply to those categories of information, along with the new rights that I just mentioned, like the right to correct personal information. To be clear, these rights are not absolute—there are exceptions to these rights. For example, just because someone says, “Delete my data,” an asset manager is not necessarily required to do so—the manager might have legal reasons why it needs to keep it, for example, and in that situation, may continue to hold onto it.
Catherine Skulan: On July 1, these amendments to the CCPA we’ve been discussing will become enforceable for violations on or after July 1, 2023. Can you touch briefly on what that means in the context of this California privacy law regime?
Kevin Angle: Absolutely. The CPRA created a new agency, the California Privacy Protection Agency, that is specifically charged with enforcing the law. It is the first such agency in the United States specifically charged with enforcing privacy law, so we expect it to be an active regulator. With that said, the agency is still staffing up and is stating publicly that it is not expecting to launch into aggressive enforcement immediately. But the fines that are applicable can be quite significant: up to $2,500 for each violation or $7,500 for each intentional violation or a violation involving children. Regulators will typically argue that each individual impacted by alleged non-compliance constitutes a separate violation, so those fines can add up very quickly if the regulator chooses to be aggressive. It’s also worth noting that the Attorney General will still have enforcement authority, not just the CPPA, and the Attorney General has already been aggressive in conducting investigations under the statute. The primary targets are likely to be consumer-facing businesses rather than asset managers, but it is certainly possible that an aggrieved employee or other individual could spark regulatory interest. In addition to all this, there is a private right of action for certain data breaches involving consumers, and that creates significant risk in relation to data breaches. The potential statutory penalties there are up to $750 per individual impacted by the data breach, so again, that can add up very quickly if a company unfortunately does experience a data breach.
Catherine Skulan: Thanks, Kevin. That’s a lot to unpack—we covered quite a bit today—hopefully this has been a helpful update to our asset manager listeners. If anyone has any questions on this or any related topic discussed today, please don’t hesitate to reach out. Also, for more information on these or other topics of interest in the asset management or the data, privacy and cybersecurity areas, please visit our website at www.ropesgray.com. If you enjoyed today’s discussion, please subscribe and listen on Apple, Google, Spotify or your preferred podcast service to other installments in this series on California law considerations for asset managers. Thank you again for listening.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find our more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.