The Latest Revisions to the California Consumer Privacy Act Regulations: Key Considerations for Private Fund Managers
March 10, 2020
Although the California Consumer Privacy Act (“CCPA”) went into effect on Jan. 1, 2020, the California Attorney General’s regulations are not yet final, and likely will not go into effect until July 2020. Nonetheless, the most recent version of the proposed regulations, which were issued in February (“Proposed Regulations”),[1] addresses some of the questions fund managers raised during initial compliance with the law.
An IP Address Alone Is Not Personal Information. The Proposed Regulations clarify that information is only “personal information” if it is reasonably capable of being associated with, or could be reasonably linked with, a particular consumer.[2] Therefore, a manager would be able to collect the IP address of visitors to its website and avoid CCPA obligations for such collection as long as it does not link the IP address to a specific person or household.
No Interactive Web Form Requirement. The CCPA requires that a covered manager provide a toll-free number and a web-based form for CCPA-related requests.[3] The Proposed Regulations allow covered managers to satisfy the web-based form requirement by simply providing an email address.[4] (Unfortunately, the requirement of a toll-free number remains.)[5]
Consumer Requests — Limits on Searching Data. The Proposed Regulations ease the potential burden on fund managers who receive a “right to know” request (i.e., a request for specific details about the manager’s collection and use of a California resident’s personal information).[6] Specifically, a covered business would not be required to search for information if the business:
- Does not maintain the personal information in searchable or “reasonably accessible” format;
- Maintains the personal information solely for legal or compliance purposes;
- Does not sell the personal information or use it for a commercial purpose; and
- Describes to the consumer who submitted the request the categories of records it maintains that may contain personal information, but that it did not search, consistent with the above criteria.[7]
Some private fund managers may be able to satisfy these conditions, but all managers should be prepared to respond to a “right to know” request.
Consumer Requests — Response Prohibitions. The Proposed Regulations prohibit a business from disclosing, in a response to a “right to know” request, a consumer’s Social Security number, driver’s license number or other government-issued ID number, financial account number, any health insurance or medical ID number, an account password, security questions and answers or unique biometric data generated from measurements or technical analysis of human characteristics.[8] For example, a manager might be required or permitted to disclose that it has collected a person’s bank account number but would not be allowed to reveal the actual number in the disclosure.
Identifying Categories of Information Collected. Some managers have asked whether, for brevity, it is sufficient to list the categories of personal information based on how the statute categorizes personal information. The Proposed Regulations specify that disclosures regarding the “categories” of information collected “provide consumers with a meaningful understanding” of the type of information collected, the source thereof or the third party with whom the information is shared.[9] This is typically best achieved by including examples along with the categories delineated in the statute, as shown in the sample below:
| Category | Examples |
| --- | --- |
| Identifiers | A real name, alias, email address, postal address, account name, Social Security number, driver’s license number, passport number or other similar personal identifiers. |
| Other personal information categories, as listed in the California Customer Records statute | A signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information. |
| Protected classification characteristics under California or federal law | Age (40 years or older), race, citizenship, marital status, sex, veteran or military status. |
Fund managers should, of course, tailor these generic examples so that they match the actual information the manager is collecting.
Service Providers — Greater Flexibility to Process Data. The CCPA permits service providers to process and disclose personal information solely for the services specified in a written contract. The Proposed Regulations loosen this requirement, permitting service providers to process personal information for the following additional purposes:
- Engaging a different service provider as a subcontractor;
- Using the data internally to build or improve the quality of its services (to the extent that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source);
- Detecting data security incidents or protecting against fraudulent or illegal activity; or
- Consistent with the CCPA’s exemptions for legal compliance, law enforcement and legal defense.[10]
Questions Remain Unanswered. While the Proposed Regulations, as recently revised, provide helpful clarifications for fund managers, ambiguities of importance to managers remain unaddressed. Most notably, the CCPA applies to businesses in California that have annual gross revenue over $25 million.[11] There is currently no guidance on what constitutes “revenue” and how revenue is calculated, including whether revenue must be aggregated with revenue of affiliated entities and whether revenue should be measured based on revenue in California, the United States or worldwide. This raises particular challenges for fund managers.[12]
Authored by Brian T. Daly, Marc E. Elovitz, Edward H. Sadtler and Kelly Koscuiszka.
If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.
[1] This Alert is based on the Proposed Regulations issued on Feb. 10, 2020, which update the regulations issued by the Attorney General on Oct. 11, 2019, based on public comment and contain minor corrections to a prior revision issued on Feb. 7, 2020. The Attorney General’s website provides the complete text and updates on the rulemaking process for the Proposed Regulations. See our Dec. 6, 2019 Alert for a more general overview of CCPA-related considerations for private fund managers.
[2] CCPA Proposed Text of Regulations (as issued on Feb. 10, 2020), 11 C.C.R. § 999.302(a).
[3] California Consumer Privacy Act, CAL. CIV. CODE § 1798.130(a)(1)(B).
[4] Proposed Regulations, 11 C.C.R. § 999.312(a)-(c).
[5] CAL. CIV. CODE § 1798.130(a)(1)(A).
[6] Our Feb. 18, 2020 Alert discusses training of staff to respond to “right to know” requests.
[7] Proposed Regulations, 11 C.C.R. § 999.313(c)(3).
[8] Id. § 999.313(c)(4).
[9] Id. §§ 999.301(d), 999.301(e) and 999.305(b)(1).
[10] Id. § 999.314(c).
[11] CAL. CIV. CODE § 1798.140(c)(1)(A).
[12] For example, the CCPA applies to businesses in California that have annual gross revenue over $25 million. CAL. CIV. CODE § 1798.140(c)(1)(A).
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2020 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.