The California Consumer Privacy Act (CCPA) imposes sweeping obligations on a diverse array of businesses, but investment advisers subject to Regulation S-P (adopted pursuant to the federal Gramm-Leach-Bliley Act (GLBA)) are treated somewhat differently. The CCPA does not provide a blanket exemption for investment advisers with retail clients, although the CCPA’s exception for personal information covered by the GLBA takes the edge off the CCPA. In addition, two late amendments to the CCPA also reduce the scope of the CCPA for investment advisers during the year 2020.
The CCPA applies to some personal information that investment advisers routinely handle. Therefore, it’s important that investment advisers examine the compliance burdens they may have under the CCPA. This checklist is intended to help investment advisers track their CCPA compliance obligations for 2020 and 2021.
The CCPA provides California residents with expansive rights with respect to their personal information, such as the right to
Also, under the CCPA, a business may not afford an individual less favorable economic or service terms by virtue of the individual having exercised one of these rights (the “non-discrimination” right).
Finally, the CCPA gives individuals the right to sue a business in a private action, with the potential to win statutory damages, if the business has suffered a data breach of personal information in certain circumstances (the “private right of action”).
Many compliance officers are familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective in 2018. While some rights under the CCPA are similar to those granted under the GDPR (such as the access and deletion rights), the CCPA and the GDPR differ in important ways. For example, unlike the CCPA, the GDPR does not include a specific right to opt of the sale of an individual’s personal information. On the other hand, the GDPR includes concepts that are not addressed in the CCPA. Although compliance with the GDPR is not sufficient to comply with the CCPA, investment advisers that have policies and procedures designed for GDPR compliance have a head start for compliance with the CCPA.
Although the CCPA became operative on January 1, 2020, during the year 2020, the CCPA only applies to certain subsets of personal information processed by investment advisers. 2020 is an opportunity for investment advisers to prepare for 2021, when certain exemptions expire and the full breadth of the CCPA’s requirements kick in.
Three considerations are key in the analysis of whether and how the CCPA applies to investment advisers:
(1) Does the investment adviser meet the revenue threshold to be considered a “business” covered by the CCPA (annual gross revenue in excess of $25 million)?
If the investment adviser does not meet this threshold, it is not covered by the CCPA.
(2) What is carved out by the CCPA’s exception for personal information “collected, processed, sold, or disclosed” under the GLBA?
The CCPA’s GLBA exception carves out the personal information of individuals who are investing primarily for personal, family or household purposes, which includes family offices and retail investors. However, the CCPA does apply to other personal information that investment advisers routinely handle. For further discussion of personal information that falls outside the CCPA’s GLBA exception, please see our article about people, activities and information that could fall outside of the GLBA.
(3) What types of personal information are carved out by the CCPA’s temporary exemptions for 2020?
During 2020, covered businesses have the benefit of exemptions that take two types of personal information out of the scope of most of the CCPA’s individual rights (such as the access right and the deletion right).
These two exemptions expire on January 1, 2021, when businesses may, depending on what the California legislature enacts during 2020, become subject to the CCPA’s full array of obligations for these two types of personal information.
After considering the GLBA exception and the two temporary exemptions for 2020, investment advisers are left with certain subsets of individuals to address in their CCPA compliance program in 2020. These subsets of individuals whose personal information is processed by investment advisers include:
Investment advisers should confirm that they have prepared the following for 2020:
Investment advisers should focus on the following compliance action items in time for 2021:
 The CCPA includes a number of exceptions to the deletion right; for example, a business is not required to comply with a consumer’s request to delete personal information if it is necessary for the business to maintain such information in order to comply with a legal obligation. Recordkeeping obligations imposed on investment advisers under applicable law fall within this exception to the deletion right.
 Kristen Mathews and Adam Fleisher, Bloomberg Law, “Financial Institutions Find Some Relief Under the CCPA”.
 Specifically, information that is connected to a written or verbal communication or a transaction between the business and an individual acting as an employee, owner, director, officer, or contractor of another entity, where the communication or transaction occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, the other entity.
 Specifically, information about employees, independent contractors, job applicants, owners, directors or officers (or their emergency contacts or recipients of employment benefits), where such information is collected and used solely in the context of such person’s role within the business.
 These individuals may not be eligible for the B2B exemption because the investment adviser is not yet providing a product or service to them. Moreover, if they are not covered by GLBA, they would not be eligible for the GLBA exception either.
 These individuals are not eligible for the B2B exemption because, although they may provide services to investors, they do not provide services to the investment adviser and the investment adviser does not provide services to them.