Countdown to CCPA: Are You Ready to Comply with New Data Privacy Requirements?

With less than one month before the California Consumer Privacy Act (CCPA) is effective, companies are preparing to update their cybersecurity programs. Many must address the regulation’s new data privacy requirements, which have caught some financial institutions off guard. Modeled to some extent after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides new privacy rights to California consumers, including:

  • The right to know what categories and items of their personal information is collected, used, shared, or sold;
  • The right to delete that personal information;
  • The right to opt-out of the sale of their personal information, and
  • The right to non-discrimination for price and services when invoking such rights

The CCPA applies to companies who do business in California and who either:

  • Have gross annual revenues in excess of $25 million (in total, not limited to California);
  • Buy, receive, or sell the personal information of at least 50,000 consumers, households, or devices annually; or
  • Derive at least 50% of annual revenue from the sale of personal information of California consumers.

As such, a number of financial institutions are finding themselves subject to the CCPA’s requirements, which include providing specific privacy notice disclosure to California consumers that expands upon typical privacy notice provisions (including disclosure about the additional rights of California consumers under the CCPA). Also included in the requirements are development of policies and procedures for handling consumer requests to exercise data privacy rights under the CCPA, along with mapping an inventory of where personal information of consumers is stored in order to facilitate responding to deletion requests.

The CCPA does include a number of exemptions, such as for data subject to HIPAA and the Gramm-Leach-Bliley Act (GLBA), as implemented under Regulation S-P for SEC registrants. A consumer’s right to request deletion of personal information can be refuted if such information is required by law to be kept by the SEC registrant. However, many investment advisers collect and store personal information that is outside the scope of the GLBA, including data about their own employees and data about individual contacts at their third-party service providers, for example. The CCPA provides a one-year extension, until January 1, 2021, for some of the requirements applicable to employee data and business-to-business data collected as part of due diligence. And advisers to private funds who have not had Regulation S-P on their radars may find themselves with additional requirements with respect to the personal data they collect about individual investors in the funds they advise. Firms who collect cookies via their websites may quickly find that they, too, are within the scope of the CCPA, as cookies are included among the definition of “personal information” under the CCPA.

The CCPA is effective January 1, 2020, and enforcement of the CCPA is expected to occur by the earlier of July 1, 2020 or six months following publication of the law’s implementing regulations by the California Attorney General. Penalties for noncompliance can be steep, as each consumer can request damages of up to $750 if a company does not cure violations within 30 days, on top of the up to $7,500 in fines per data record for intentional violations.

And California’s first-in-the-nation comprehensive data privacy law is likely the first of many states who are expected to follow suit.


For assistance in conducting a cybersecurity risk assessment, data mapping, and updating your cybersecurity procedures to align with the California Consumer Privacy Act, please contact us to find out how our Shield cybersecurity services can help.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Are Investment Managers Going to Have More KIDs?

Let us be clear…. we’re actually talking about the potential increase in production of point-of-investment disclosure documents for investment managers. The complications and stress of Brexit just got a whole lot more real for many UK- and EU-based investment management companies that are subject to rules requiring production of UCITS KIID (Key-Investor-Information-Document) and PRIIPs KID … Continued

Do You Feel Confident Your Password Hasn’t Been Hacked?

As a cybersecurity consultant, I am often asked if some of the threats we industry practitioners talk about are overstated. Hyped up fear as a sales tactic. The simple answer is no. The fear is not overstated, and the risks all too real – which helps to explain why cyber remains a top priority for … Continued

SEC’s New Committee Begins Review of Form CRS Filings

The SEC’s Divisional Standards of Conduct Implementation Committee launched its review of Form CRS from a cross section of RIAs and BDs to assess compliance with the content and format requirements. Initial observations from the Committee have identified examples of relationship summaries that may lack certain disclosures or could be clearer or otherwise improved. The … Continued