Coming to America – California Adopts GDPR-Like Privacy Regulation

After a number of firms struggled last year to get their marketing and information systems into compliance with the EU’s General Data Protection Regulation (GDPR), advisers to U.S. clients will soon be facing similar requirements on the home front. On the heels of the Cambridge Analytica scandal, California enacted the California Consumer Privacy Act of 2018, which becomes effective in less than a year. If the GDPR challenge is any indication, firms are advised to start preparing now to bring their systems and processes up to speed to address California’s GDPR-like requirements.

Starting on January 1, 2020, consumers in California (defined as natural person residents of California) will have additional privacy rights including, among others:

  • The right to ask a business what personal information the business collects and why
  • The right to ask with whom the business shares or sells such personal information, and to opt out of such sharing or sale (the business is prohibited from discriminating against the consumer for exercising this right, subject to certain exceptions, such as a price difference related to the value of the data)
  • The right to request that the business delete the individual’s personal information from its records, although this is subject to an exception for businesses that are required to maintain the consumer’s personal information for other legal obligations (for example, recordkeeping requirements under the Advisers Act for SEC-registered advisers).

In addition, the definition of “personal information” is given broad scope under the law.

If your firm collects or maintains personal information about California consumers, we suggest reviewing the law’s requirements and starting preparations to meet its obligations, such as by:

  • Making at least two methods available to consumers for submitting information disclosure requests. One of the methods must be a toll-free telephone number, and if the business maintains a website, another method must be via a website address.
  • Including on the business website a link titled “Do Not Sell My Personal Information,” which links to a page where the consumer can opt out of such sale. Businesses can satisfy this requirement by maintaining a separate website for California consumers and including the link there and not on the general website.
  • Being prepared to produce requested information in response to a consumer’s request, and to deliver that information within 45 days of receipt of such request (a one-time extension of another 45 days is permitted if reasonably necessary and notice of the extension is provided to the consumer).

The California Consumer Privacy Act of 2018 applies to any business that collects personal information of California consumers and does business in California, and meets at least one of the following criteria:

  • Annual gross revenues in excess of $25 million (adjusted January of every odd-numbered year in relation to any increase in the Consumer Price Index)
  • Alone or in combination, annually buys, receives (for commercial purposes), sells, or shares the personal information of 50,000 or more consumers, households, or devices, or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.
