Countdown to CCPA: Are You Ready to Comply with New Data Privacy Requirements?

With less than one month before the California Consumer Privacy Act (CCPA) is effective, companies are preparing to update their cybersecurity programs. Many must address the regulation’s new data privacy requirements, which have caught some financial institutions off guard. Modeled to some extent after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides new privacy rights to California consumers, including:

  • The right to know what categories and items of their personal information are collected, used, shared, or sold;
  • The right to delete that personal information;
  • The right to opt out of the sale of their personal information; and
  • The right to non-discrimination in price and services when invoking such rights.

The CCPA applies to companies that do business in California and that meet at least one of the following thresholds:

  • Have gross annual revenues in excess of $25 million (in total, not limited to California);
  • Buy, receive, or sell the personal information of at least 50,000 consumers, households, or devices annually; or
  • Derive at least 50% of annual revenue from the sale of personal information of California consumers.

As such, a number of financial institutions are finding themselves subject to the CCPA’s requirements. These include providing California consumers with a specific privacy notice disclosure that expands upon typical privacy notice provisions (including disclosure of the additional rights California consumers have under the CCPA). The requirements also include developing policies and procedures for handling consumer requests to exercise their data privacy rights under the CCPA, along with mapping an inventory of where consumers’ personal information is stored in order to facilitate responding to deletion requests.

The CCPA does include a number of exemptions, such as for data subject to HIPAA and the Gramm-Leach-Bliley Act (GLBA), as implemented under Regulation S-P for SEC registrants. A consumer’s request to delete personal information can be refused if the SEC registrant is required by law to retain that information. However, many investment advisers collect and store personal information that is outside the scope of the GLBA, for example data about their own employees and data about individual contacts at their third-party service providers. The CCPA provides a one-year extension, until January 1, 2021, for some of the requirements applicable to employee data and to business-to-business data collected as part of due diligence. Advisers to private funds who have not had Regulation S-P on their radar may find themselves with additional requirements with respect to the personal data they collect about individual investors in the funds they advise. Firms that collect cookies via their websites may quickly find that they, too, are within the scope of the CCPA, as cookies fall within the definition of “personal information” under the CCPA.

The CCPA is effective January 1, 2020, and enforcement is expected to begin by the earlier of July 1, 2020 or six months following publication of the law’s implementing regulations by the California Attorney General. Penalties for noncompliance can be steep: each consumer can seek damages of up to $750 if a company does not cure violations within 30 days, on top of fines of up to $7,500 per data record for intentional violations.

California’s first-in-the-nation comprehensive data privacy law is likely the first of many, as other states are expected to follow suit.

For assistance in conducting a cybersecurity risk assessment, data mapping, and updating your cybersecurity procedures to align with the California Consumer Privacy Act, please contact us to find out how our Shield cybersecurity services can help.
