On January 1, 2020, many companies doing business in California (regardless of their physical location) will become subject to the California Consumer Privacy Act of 2018 (the "CCPA"), which imposes a number of obligations related to the privacy of natural persons who are California residents (or "consumers"). Though the law will have the biggest impact on consumer-focused businesses, the CCPA also has implications for private fund managers, who should begin determining the application of the CCPA to their businesses to allow sufficient time to implement necessary policies and procedures prior to the CCPA effective date. While this article focuses on CCPA considerations for private fund managers, CCPA obligations and liability should also be considered with respect to individual portfolio companies and deal due diligence (which we covered in a previous article).
Application to Private Fund Managers
The CCPA will generally apply to private fund managers doing business in California that have gross annual revenue in excess of $25,000,000, and collect, process, use or share "personal information"1 from consumers. The CCPA does not specify what constitutes "doing business" in California, and in the absence of further guidance, it is a fact-specific determination that is likely to be construed broadly (e.g., soliciting California investors, entering into contracts with California service providers, etc., regardless of the physical location of the private fund manager). Similarly, there is no definitive guidance as to whether "revenue" distinguishes between different types of revenue; whether revenue must be aggregated with revenue earned by certain affiliated entities (such as management fees and carried interest earned by management companies and general partners, respectively); or whether revenue is limited to California revenue, nationwide revenue or global revenue. While there are potential arguments for limiting revenue calculations under a narrow reading of the statute, without explicit limitations or guidance, it is prudent to read the thresholds broadly.
The CCPA generally requires covered businesses to make disclosures to consumers regarding the collection and use of their personal information, and generally gives consumers the right to opt out of the sale, and demand the deletion, of such information. While the CCPA contains an exemption for personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act (the "GLBA") with which most private fund managers already comply,2 the scope of the CCPA is broader than that of the GLBA (and certain other existing privacy regulations) in some respects — most notably, the breadth of personal information subject to the law. For example, the CCPA could apply to the following types of personal information that are generally not covered under the GLBA:
- business contact information, such as that contained in Customer Relationship Management (CRM) databases, including current and prospective portfolio company contacts and individual representatives of institutional investors and third-party vendors;
- data gathered from certain website and data site visitors (e.g., IP address, cookies and similar identifiers); and
- employees and job applicants of private fund managers.3
Therefore, the GLBA exemption is not a blanket exemption from the CCPA for private fund managers.4
The CCPA is enforced by the California Attorney General, although it also provides consumers with a private right of action, including the ability to bring class actions in certain circumstances, with statutory damages ranging from $100 to $750 per consumer per incident, or actual damages if they are greater. The California Attorney General can bring civil enforcement actions and assess penalties up to $7,500 per violation depending on the nature of the violation.5
Compliance Preparation for Private Fund Managers
Private fund managers subject to the CCPA should take the following steps in preparation for compliance.
- Data Mapping. The initial critical step for private fund managers subject to the CCPA is "data mapping," which generally refers to a process designed to identify the type of personal information that is being collected from California consumers, and the sources, processing, use, sharing and storage of such personal information on a firmwide basis (portfolio companies should be evaluated separately as noted above).6 Many private fund managers went through a similar exercise last year in connection with the implementation of policies and procedures to comply with the European Union General Data Protection Regulation. To the extent private fund managers have not yet completed data mapping, or have not done full and up-to-date data mapping, it may be advisable to involve operational CCPA compliance consultants to help complete the analysis. Data mapping will ultimately help to guide the implementation of the compliance measures set forth below.
- Privacy Policies and Notices. Update privacy policies and procedures, including website and investor privacy notices. Businesses that do not "sell" personal information, which is broadly defined, will have to make a disclosure to that effect in their notices.
- Consumer Requests. Develop processes for responding to California consumer requests about data collection practices. Under the CCPA, individuals have a right to request a report regarding, and deletion of, their personal data.
- Data Security. Maintain up-to-date data security reasonably designed to prevent any unauthorized access to, or use of, personal information (e.g., systems, protocols, and privacy and cybersecurity policies and procedures), and consider conducting periodic testing.
- Vendors. Review applicable vendor and service agreements to ensure that they contain adequate language to protect the private fund manager from data-related liabilities, including restrictions on the use of personal information by vendors and a requirement for vendors to provide notice in the event of a data breach.
Future Amendments, Guidance and Planning
While there is the potential for future amendments to the CCPA, as well as expected implementing regulations, the central requirements of the law are not expected to change significantly.7 Therefore, covered private fund managers should begin taking the steps above while continuing to monitor future developments before formally enacting updated policies and procedures closer to the effective date of January 1, 2020.8
1. The CCPA broadly defines "personal information" to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
2. Regulation S-P implements the GLBA for designated financial institutions, including SEC-registered advisers.
3. A proposed amendment currently under consideration by the California legislature would generally exclude personal information gathered from job applicants, employees and contractors (in such capacities) from certain provisions of the CCPA, or delay the application of the CCPA to such information.
4. The GLBA exception also does not apply in the event of a data breach or other unauthorized access (e.g., to the extent that any information collected, processed, sold or disclosed pursuant to the GLBA is subject to a data breach, a business would remain liable for statutory damages under the CCPA, as described further below).
5. It is unclear at this time whether California regulators or courts will interpret a "violation" as affecting only a single consumer's personal information (thus a single incident of non-compliance affecting 100 consumers could result in a $750,000 fine).
6. Private fund managers should also consider whether they oversee a centralized system for portfolio company accounting or other functions that gives them access to personal information of portfolio company consumers, which could impose additional regulatory burdens.
7. Lobbying and several proposals for future amendments to the CCPA are ongoing. The California Attorney General also is required to adopt implementing regulations on or before July 1, 2020 that are expected to clarify certain aspects of the CCPA.
8. Note that the CCPA includes a look-back provision requiring businesses to provide consumers with access to their personal information collected up to 12 months prior to the date of the consumer's request. As such, personal information collected beginning on January 1, 2019 could be subject to a request for access.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.