Guidance on California Consumer Privacy Act for Venture Capital and Private Equity Fund Managers
The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. Enforcement by the California Attorney General is set to begin on July 1, 2020, and in the interim, the Attorney General has issued a set of proposed regulations that include additional requirements.1 Although private funds, having limited interaction with consumers, are not the primary target for the CCPA, most fund managers that collect personal information from California individuals (including through a website) will still be required to take steps to comply with the CCPA. Furthermore, the CCPA requires funds to provide new notices to California-based employees regarding the collection and use of their personal data. This client alert highlights the parts of the CCPA most likely to apply to private funds and outlines the steps required for compliance.
What steps do funds need to take to comply?
All funds will need to inventory what personal information they collect, how that information is used, and with whom that information is shared. Furthermore, funds will need to take the following steps to comply:
- Update website privacy policies and investor privacy notices. The CCPA requires funds to notify California individuals at or before the point at which their personal information is collected. Funds must state in their privacy policies the categories of personal information they collect and how they use and share that information. They must also recite each of the basic rights granted to California individuals under the CCPA and, where applicable, provide a way for California individuals to exercise those rights:
- Notice: Funds must disclose the categories of personal information collected and the purposes for which it is used, and whether that information is disclosed or sold and, if so, to whom;
- Access: Individuals have the right to request the personal information collected about them, delivered in a portable format, and funds must publish the contact methods through which such requests can be submitted;
- Opt Out: Individuals can opt out from the sale2 of their personal information to third parties;
- Erasure: Individuals can request deletion of any collected information. A fund may nonetheless retain information that is necessary to provide the services the individual requested, information used solely for internal analytical purposes, or information covered by another statutory exception (for example, retention needed to complete a transaction or to comply with a legal obligation, which is often the case for investor information); and
- Nondiscrimination: Funds may not discriminate against any individual who has exercised any of the above rights.
- Create an employee, contractor, and job applicant privacy notice. A one-year moratorium currently suspends a number of the CCPA's provisions as they apply to employees. However, as of January 1, 2020, employees, contractors and job applicants still have the right to be told, in writing and at or before collection, what categories of personal information are collected about them and for what purposes; a written privacy notice satisfies this requirement.
- Enter into data addenda with service providers that receive personal data. Funds should review vendor agreements and enter into addenda as necessary to ensure that service providers are contractually restricted from retaining, using or disclosing personal information for any purpose other than performing the contracted services. Under the CCPA a recipient qualifies as a "service provider" only if such restrictions are in a written contract; absent them, disclosures to the vendor may be treated as disclosures to a third party, which can trigger the opt-out obligations described above. Having these terms in place also lets funds pass deletion and access requests through to vendors so that they can meet their own CCPA obligations.
- Audit security practices and implement any changes required to meet the standard of reasonable security. At a minimum, funds should ensure that they are implementing the CIS Critical Security Controls (formerly the SANS Top 20), which the California Attorney General has identified as the minimum level of "reasonable security," with failure to implement all applicable controls constituting a lack of reasonable security. This matters because the CCPA's private right of action for data breaches (discussed below) attaches to breaches that result from a failure to implement and maintain reasonable security procedures, so a documented gap against this baseline increases exposure if a breach occurs.
In the event that your fund undertakes any unconventional uses of information or is involved in any other business outside of investing (for example, running an incubator or providing services to portfolio companies), you may be subject to additional requirements that are not on this list. If this applies to you, please reach out to a member of your Gunderson Dettmer team so we can help do a customized analysis based on your situation.
Which funds are subject to the CCPA? The CCPA applies to any fund manager that conducts business in California (which does not require a physical establishment in California), collects personal information from California residents, and meets or exceeds at least one of three thresholds:
- Has annual gross revenues of at least $25,000,000;
- Collects, receives, sells, or transfers personal information of at least 50,000 individuals, households, or devices; or
- Derives at least 50% of its annual revenues from sales of individuals’ personal information.
Any fund manager that has a physical presence in California, employs California residents, solicits California-based investors, or even transacts with California-based service providers may be considered “doing business” in California. Funds that maintain a public website and collect Internet Protocol (IP) addresses of at least 50,000 visitors that can be linked to California-based individuals or households will also likely meet threshold #2.
What are the penalties for non-compliance? The California Attorney General may levy fines up to $2,500 for each unintentional violation (calculated on a per consumer basis) and $7,500 for each intentional violation, with uncapped total liability. Additionally, the CCPA establishes individuals’ right to private action for data breaches, with statutory damages ranging from $100–$750 per individual per incident, or actual damages if greater. Currently, the CCPA provides a 30-day cure period (following notice of non-compliance) — but note that data breaches usually cannot be cured.
Does the CCPA apply to information collected from institutional investors? There is currently a moratorium on the application of the CCPA in the business-to-business context. Under the moratorium, at least until January 1, 2021, a business is largely exempt from the CCPA with respect to personal information it collects from an employee or representative of another business while providing or receiving a product or service to or from that business, provided the information is used solely in that context. Most institutional investors will fall into this exception, so the rights enumerated above generally need to be honored only for individual investors and website visitors. However, the moratorium does not cover personal information collected and processed for marketing and cold calling, and funds should be prepared to comply with individuals' rights under the CCPA with respect to such information (for example, a fund's email marketing list or prospect information purchased from a data broker).
FREQUENTLY ASKED QUESTIONS ON CCPA IN THE PRIVATE FUND CONTEXT
Is the CCPA the only state-specific privacy law of concern?
No. At least ten state legislatures across the United States introduced privacy and data security bills in 2019. Several states — such as Washington, Massachusetts, New York, Nevada and Maine — have drafted or enacted laws similar to the CCPA in terms of breadth and potential impact.
I am GDPR compliant. Does that mean I’m already compliant with the CCPA?
Unfortunately, no. While some provisions of the CCPA are similar to the GDPR, the requirements of the CCPA differ in several significant ways, including new requirements that are not part of the GDPR. Funds that have undertaken steps to comply with the GDPR will need to complete additional steps to become compliant with the CCPA.
I am GLBA compliant. Does that mean I am exempt from the CCPA?
Funds should not assume that compliance with the federal Gramm-Leach-Bliley Act ("GLBA") gives them a blanket exemption from the CCPA. The CCPA's GLBA exemption applies to personal information that is collected, processed or disclosed pursuant to the GLBA, not to GLBA-regulated entities as such, and it does not extend to the CCPA's private right of action for data breaches. The scope of the CCPA is also much broader than the GLBA, particularly with respect to the types of personal information subject to the law. For example, the CCPA applies to the following types of personal information that are generally not covered under the GLBA:
- business contact information (including portfolio company details and individual representatives of institutional investors and third-party vendors);
- a fund’s email marketing list (e.g., for events and newsletters);
- data gathered from certain websites and website visitors (e.g., IP address, cookies and similar identifiers that can be tied to California individuals or households); and
- information about employees, prospective employees and other job applicants of private fund managers.
For this reason, we recommend that all funds undertake steps to comply with CCPA, even if they are already GLBA compliant.
If you have any questions regarding this client alert, you may contact your GD fund formation attorney.
1 The California Attorney General’s proposed regulations will likely not be finalized until very close to the start of enforcement. As a result, compliance is an ongoing process: funds should begin work now to comply with the CCPA’s current requirements, but with an understanding that future changes may be required. The most recent draft of the regulations was published on February 10, 2020.
2 Since most private funds are generally not engaged in the sale of individuals’ personal information, the right to opt out likely does not apply. However, note that “sale” is defined very broadly under the CCPA and does not require monetary consideration. For example, a mutual exchange of contact lists with an outside partner (for each party’s benefit) may be considered a sale. Embedding cookies from certain third parties on your website may also be considered a sale, depending on what data those cookies collect and what the third parties do with that data. Any fund that believes it may exchange individuals’ personal information for valuable consideration should reach out to a member of its Gunderson Dettmer team to evaluate if additional obligations apply due to its use of individual information.