Private fund manager and investment adviser entities, even those located outside of California, may not be aware that they may now, as of January 1, 2023, have compliance obligations under the California Consumer Privacy Act (CCPA), which broadly protects California residents with respect to the privacy of their personal information. Until now, the CCPA, which first became effective in 2020, exempted from most of its requirements for "businesses" (the entities subject to the statute) personal information about a business's employees or business-to-business (B2B) contacts. But as of January 1, 2023, those exemptions have expired—at the same time as amendments to the CCPA that were adopted pursuant to a 2020 ballot initiative, the California Privacy Rights Act of 2020 (CPRA) became effective. As a result, fund managers and investment advisers with investors or employees residing in California now may face obligations not only under the original provisions of the CCPA, but also under the very substantial new obligations imposed under the CPRA amendments to the CCPA. For some private fund managers and investment advisers, the impact could be significant.
Many Private Fund Managers Are Subject to the CCPA
The CCPA establishes rights of California consumers over their personal information and, in turn, creates obligations for "businesses," which are entities, including fund managers and investment advisers, that: (1) have annual gross revenues in excess of $25,000,000 at the fund manager, general partner or investment adviser entity level (not the amount of gross revenues earned by investments at the fund level) in the previous calendar year; (2) collect personal information (as defined below) about consumers (which includes investors and employees); and (3) conduct business (essentially, any commercial activity) in California. "Personal information" under the CCPA is broadly defined as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California] consumer or household." Thus, subject to certain exceptions, almost any identifiable information about a California resident is within the CCPA's scope. Fund managers and investment advisers who meet the definition of a "business," regardless of their location, must comply with the CCPA (now including the amendments adopted pursuant to the CPRA) to the extent they collect the personal information of California residents.
How the CCPA Exemptions Affect Private Fund Managers
The CCPA includes a number of exemptions, including a broad exemption (still in effect) that is highly relevant for fund managers and investment advisers that service individual clients for personal, family and household investment purposes. The personal information that fund managers and investment advisers collect about these clients, which may be "nonpublic personal information" subject to the federal Gramm-Leach-Bliley Act (GLBA) (i.e., personally identifiable financial information of "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes"), is exempt from the CCPA. In light of this exemption and the pre-2023 exemptions for personal information of employees or B2B contacts, many fund managers may have concluded that the CCPA simply did not apply to them.
Now that the employee and B2B exemptions have expired, all fund managers and investment advisers that are "businesses" under the CCPA have compliance obligations under the CCPA. Although the GLBA exemption remains in place, because that exemption does not cover the personal information of California B2B contacts and because there is no longer an exemption for personal information of California-resident employees, fund managers and investment advisers may have substantial new CCPA obligations.
Key Practical Note: Fund managers and investment advisers who have been operating under the assumption that they were entirely exempt from the CCPA should now reassess whether and the extent to which they will be required to implement CCPA compliance measures.
General Compliance Obligations
Compliance requirements under the CCPA are set out in detail both in the statute as well as regulations promulgated under the authority of the California Attorney General and the California Privacy Protection Agency (CPPA), the new regulatory and enforcement body established under the CPRA. Generally, compliance requirements may be categorized broadly as obligations to: (1) provide consumers notice on how the business collects, uses and discloses personal information; (2) honor privacy rights requests; and (3) protect the integrity and security of personal information.
In light of the expiration of the employee and B2B exemptions, fund managers and investment advisers that are "businesses" under the CCPA should therefore assess (or implement): (1) privacy notices to be provided on their websites, by mail, email or other means; (2) processes for handling requests from investors or employees to access, delete or amend their personal information; and (3) information security programs. These measures will help ensure that fund managers are compliant with the CCPA.
In taking these actions, fund managers and investment advisers should be mindful that the CPPA will soon be releasing final regulations implementing most of the CCPA amendments adopted pursuant to the CPRA. Those regulations are anticipated to become effective in the spring of 2023. The key regulations that may have the largest operational impact on fund managers and investment advisers relate to providing notice to investors or employees "at collection" of their personal information and recognizing "global privacy controls" on websites allowing visitors to opt out of cross-context behavioral advertising.
Do Not Sell/Do Not Share Obligations
Some CCPA obligations are more challenging than others and deserve special consideration. A particularly important issue facing fund managers and investment advisers is compliance with the obligation to provide consumers with a "do not sell/do not share personal information" mechanism, which can be onerous to implement and maintain. Businesses do not need to provide this "opt-out" mechanism if they do not "sell" or "share" personal information. However, the CCPA defines "sell" broadly to mean "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration." Therefore, a business may be "selling" personal information by merely engaging a third-party vendor, such as customer contact management platform or payroll provider, if the compensation provided by the business to the vendor is less than it would be if the personal information did not itself have value for the vendor.
"Sharing" under the CCPA (which, as noted, is also subject to a consumer opt-out right) has a specific, relatively narrow meaning: disclosing personal information for the purpose of cross-context behavioral advertising, which does not arise often in the context of employee or B2B personal information or other personal information collected by fund managers and investment advisers. Nevertheless, fund managers and investment advisers subject to the CCPA will want to assess their marketing programs to determine whether they engage in such advertising and, as mentioned above, take steps for their websites to recognize global privacy controls.
A business will not be deemed to be either "selling" or "sharing" personal information with another entity if that entity meets the definition of either a "service provider" or a "contractor" under the CCPA. To meet either definition, a vendor must commit in writing to not do any of the following with respect to personal information processed on behalf of the business: (1) sell or "share" the personal information; (2) use the personal information for any purpose other than the services being provided to the business; (3) use the personal information outside of business relationship with the business; or (4) combine the personal information obtained from the business with personal information obtained elsewhere. "Contractors" must additionally commit to permit the business to monitor the contractor's compliance, including by annual audit. Fund managers and investment advisers that are subject to the CCPA should, therefore, revisit and amend, as necessary, contracts with their service providers and contractors to avoid having to offer consumers "do not sell/do not share" opt-out mechanisms.
Responding to Rights Requests
The CCPA requires businesses to respond to consumers' requests to exercise certain rights over their personal information, such as the right to access or obtain copies of personal information the business has collected and the right to have such information corrected or deleted. With the expiration of the employee and B2B exemptions, fund managers subject to the CCPA should expect to see these kinds of requests in the near future. Not infrequently, businesses subject to the CCPA have received such requests from current or former California-resident employees seeking to leverage these rights in an attempt to obtain information for the purposes of commencing litigation. Fund managers and investment advisers subject to the CCPA and with California-resident employees should ensure that they understand their compliance obligations in responding to such requests, including the exceptions they may be able to utilize.
Conclusion
Although the CPRA amendments to the CCPA will not be enforced until July 1, 2023, the employee and B2B exemptions have already expired and thus private fund managers and investment advisers that are "businesses" under the CCPA have immediate compliance requirements. Arnold & Porter is available to consult about these requirements as applied to fund managers and investment advisers as well as to advise on the forthcoming regulations implementing the CPRA amendments to the CCPA.
* Shlomo Amar contributed to this Advisory. Mr. Amar is a graduate of the Hofstra University School of Law and is employed at Arnold & Porter's New York, NY office. Mr. Amar is not admitted to the practice of law in New York.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.