The California Consumer Privacy Act Training Requirements: Tips for Private Fund Managers
February 18, 2020
Private fund managers that have prospective natural person investors, employees or even job applicants in California need to consider how the California Consumer Privacy Act (“CCPA”), which went into effect on Jan. 1, 2020, may apply to them. In addition to required disclosures, which were an important part of initial compliance, the CCPA also contains a training requirement.
What Training Is Required?
The CCPA requires covered businesses to ensure that all individuals responsible for handling consumer inquiries about privacy practices or CCPA compliance are “informed” of the rights of California “consumers” under the statute and “how to direct consumers to exercise their rights.”[1] As we discussed in our Dec. 6, 2019 Alert, prospective investors, employees, independent contractors and job applicants are among the individual persons who could be considered “consumers” under the CCPA.[2]
A training program for personnel at covered managers should discuss how — under the CCPA — California consumers have the following rights:
- The Right to Know. California consumers have the right to obtain specific information about the collection, use and sharing of their personal information and the purposes for which it is collected.
- The Right to Request Deletion. California consumers have the right to request deletion of their personal information.[3]
- The Right to Nondiscrimination. California consumers have the right to not be discriminated against because they exercised their rights under the statute.[4]
- The Right to Opt Out. California consumers have the right to request that a business not sell their personal information to third parties.[5] This is not applicable to most fund managers, as most do not sell personal information.[6]
How Are Consumer Requests Submitted?
To comply with the CCPA, fund managers must include at least two ways of submitting a request in the required disclosures, including, at a minimum, a toll-free telephone number.[7] Other methods should be determined based on how the manager primarily interacts with investors, and may include an interactive form accessible through the business’s website, a designated email address or a form submitted in person or by mail.[8]
Who Should Be Trained?
All personnel who could receive inquiries from individual California consumers (including personnel who monitor requests made through the manager’s website or via the email address or telephone number provided in a California privacy notice) should be trained to identify such requests and know the person(s) to whom such requests should be sent for review and response (likely legal and compliance officers). Training also should be customized for particular functional areas, including the following:
- Legal and Compliance Officers. Officers or other representatives charged with legal and compliance matters should be trained on the CCPA’s requirements (although the knowledge gained in preparing for CCPA effectiveness may obviate this for current legal and regulatory personnel).
- Investor Relations Staff. The investor relations team should be the most important focus of training. This team, in particular, should be trained on the manager’s policies for disseminating disclosures to prospective investors (e.g., by adding required disclosures to marketing materials or including a link to your California privacy notice in emails sent to investors).
- HR Staff. HR staff should be trained to ensure disclosures are disseminated to employees, independent contractors and job applicants who reside in California when their personal information is collected.
- Senior Management. Regulatory agencies have emphasized the need for senior management to actively oversee compliance with data security requirements. Therefore, senior management should have at least a general awareness of the CCPA’s requirements.[9]
- Independent Contractors. Training requirements should extend to independent contractors and other service providers acting on your behalf who are involved in the collection, use, sharing or disposal of personal information about California residents.[10]
Private fund managers should be aware that they need to address all requests, even ones not made through the designated channels in their disclosures. Therefore, anyone who could receive a consumer request should be trained. Managers should also monitor continuing developments, as the regulations are finalized and additional changes to the law are expected, and determine whether additional training is warranted.
How Should Compliance Be Documented?
Fund managers should document their compliance with the training requirements of the CCPA. While there are different ways this can be done, distributing written training materials or adding guidance regarding CCPA compliance to employee handbooks and independent contractor agreements can be key elements of training, as are live training sessions.
Recordkeeping and Verification of Requests
The Proposed Regulations require businesses to maintain records of the consumer requests received, including details such as the date and manner in which the request was made, as well as how the business responded or the basis for denying a request, for at least 24 months.[11]
Fund managers should also bear in mind the requirements with respect to verifying consumer requests. For example, a covered business must:
- Confirm receipt of a request within 10 business days[12];
- Promptly take steps to determine whether a request is verifiable and respond to the request within 45 days[13];
- Verify the identity of the person making the request by matching the information provided in the request with the personal information already maintained, or through the use of a third-party verification service;[14] and
- Provide a general description of the process used to verify consumer requests in their privacy policies.[15]
Right-To-Know Requests
To satisfy any right-to-know requests, managers will need to identify the personal information they have collected on the California consumer making the request and how it has been used for the preceding 12-month period.[16] For most managers, this information will be relatively easy to identify through reviewing the contents of CRM systems and compliance archives to identify emails through which personal information was sent and received. However, private fund managers will need to think about any personal information they collect but do not enter into such systems (e.g., personal information in paper files that does not also reside in electronic systems).
Deletion Requests
While individual California consumers have the right to request that their personal information be deleted, in many instances fund managers will be prohibited from complying with such requests due to legal recordkeeping obligations under the Investment Advisers Act or similar regulatory regimes.[17] In these cases, managers will need to assess requests on a case-by-case basis and be flexible in formulating responses to requests. If a business is unable to delete the information, the business must still respond to the consumer’s request for deletion and must indicate the basis for the denial of the consumer’s request.[18]
How Often Should Training Be Conducted?
Neither the CCPA nor the Proposed Regulations specify how often CCPA training should occur; however, as the CCPA requires businesses to update their CCPA disclosures annually,[19] fund managers should put CCPA training on their annual compliance checklists and consider the need for additional training no less than annually.
Authored by Brian T. Daly, Marc E. Elovitz, Edward H. Sadtler and Kelly Koscuiszka.
If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.
[1] California Consumer Privacy Act, CAL. CIV. CODE § 1798.130(a)(6). The regulations proposed by the Attorney General (“Proposed Regulations”) go even further, requiring that relevant personnel be informed of all the requirements of the CCPA and the Proposed Regulations. Proposed Regulations, 11 C.C.R. § 999.317(a). This Alert is based on the revised regulations issued on Feb. 7, 2020; the regulations are expected to be finalized and effective no earlier than July 1, 2020. The Attorney General’s website provides the complete text and updates on the rulemaking process for the Proposed Regulations.
[2] Due to a one-year moratorium on the application of these rights to certain persons, businesses are not required to respond to “right to know,” deletion and opt-out requests from employees, independent contractors, job applicants and certain B2B contacts until Jan. 1, 2021. A more limited disclosure obligation applies for employees, independent contractors and job applicants. See our Dec. 6, 2019, Alert for further discussion on this point.
[3] CAL. CIV. CODE § 1798.105(a).
[4] Id. § 1798.125.
[5] Id. § 1798.120(a).
[6] Sale is defined broadly to include any disclosure or dissemination of personal information “for monetary or other valuable consideration.” Id. § 1798.140(t).
[7] Id. § 1798.130(a)(1); Proposed Regulations, 11 C.C.R. § 999.312(a)-(c). The only exception to the toll-free number requirement is for a business that operates exclusively online. Id. § 999.312(a).
[8] Proposed Regulations, 11 C.C.R. § 999.312(a)-(c).
[9] In a Jan. 27, 2020 report, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) underscored the importance of involving senior leadership in establishing and overseeing cybersecurity programs. See Cybersecurity and Resiliency Observations, Jan. 27, 2020.
[10] CAL. CIV. CODE § 1798.105(c).
[11] Proposed Regulations, 11 C.C.R. § 999.317(b).
[12] Id. § 999.313(a).
[13] CAL. CIV. CODE § 1798.130(a)(2). This 45-day period may be extended by an additional 45 days “when reasonably necessary,” provided the consumer is provided notice of the extension during the initial 45-day period. Id.
[14] Proposed Regulations, 11 C.C.R. § 999.323.
[15] Id. § 999.308(c)(1)(c).
[16] The CCPA provides the consumer the right to request the following information specifically: (i) the categories and “specific pieces” of personal information collected, (ii) the sources from which personal information is collected, (iii) the commercial purpose for collecting personal information and (iv) the categories of third parties with whom personal information may be shared. CAL. CIV. CODE § 1798.110; Proposed Regulations, 11 C.C.R. § 999.313(c). In addition, CAL. CIV. CODE § 1798.115 requires businesses to respond to requests by consumers with respect to the sale of their personal information.
[17] CAL. CIV. CODE § 1798.105(d).
[18] Proposed Regulations, 11 C.C.R. § 999.313(d).
[19] CAL. CIV. CODE § 1798.130(a)(5).
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2020 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.