On January 1, 2020, the California Consumer Privacy Act (CCPA) will become effective for all businesses that, among other things, have at least $25 million in annual revenue and collect or use any personal information of natural persons who are California residents. The revenue test generally will apply to any private fund manager if any managed fund has gross revenues of at least $25 million (even if the fund manager’s own revenues are less than $25 million). “Personal information” is broadly defined to include email addresses and telephone numbers, as well as other information more commonly understood to be private.
The CCPA imposes certain obligations on businesses and grants certain rights to California residents whose personal information is not otherwise exempt from the CCPA in whole or in part.
As the CCPA becomes effective, fund managers subject to the CCPA may need to do all of the following:
- Inform California residents at or before the point of collection as to the categories of personal information that will be collected and the purposes for which those categories of personal information will be used (including prospective investors).
- Inform California residents of their rights under the CCPA (such as the right to know what personal information has been collected about them, the right to request the fund manager to delete that information and the right to opt out if their information is being “sold” to a “third party”) and deliver a notice to current California-resident investors.
- Add a summary of privacy practices and rights applicable to California residents to the fund or manager’s website (if any).
- Consider adding disclaimers to signature blocks of emails or other documents so that a description of rights is delivered prior to collecting information.
- Consider if any third party that
possesses the personal information of California residents, such as
administrators and other vendors, could be deemed to have been
“sold” the personal information (as that term is
broadly defined under the CCPA) and either:
- Include certain statutorily mandated limitations in contracts with those third parties or
- Include a “do not sell” button on its website—which satisfies all of the requirements proposed under the CCPA—to permit California residents to opt out of such sale.
- Conduct a mapping of the personal data received from investors so that the fund manager can identify what information has been collected, from whom, with whom that information has been shared and where the information is stored.
- Prepare to respond to California resident’s requests under the CCPA through training of fund manager employees and formulation of procedures for verifying the identity of investors that exercise their rights.
- Implement and maintain reasonable security measures to identify and protect the personal information of investors and meet the other requirements of the CCPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.