With the California Consumer Privacy Act coming into effect January 1, 2020, private equity firms have a duty to educate themselves on how this law affects them. The California law is often compared to the EU’s General Data Protection Regulation, which was implemented in 2018.
While CCPA might have been inspired by GDPR, the two have key differences and affect the future of US data privacy laws state by state. Daniel Silver, a partner with Clifford Chance, answers questions regarding the two data privacy laws and their effect on private equity.
What are the broad differences between GDPR and CCPA?
California’s CCPA is the first US statute that seeks to broadly regulate the use of personal data. We do have state regulations around data breaches, as well as statutes designed to protect consumers from misleading practices, but the CCPA is the first legislative step by a state to regulate what firms can do with consumer data.
Of course, the GDPR does this in Europe, and even prior to its enactment, there were European regulations with a similar scope. So, Europe has been focused on these issues for some time.
In terms of differences between CCPA and GDPR, the first thing to keep in mind in the funds space is that not every fund or fund manager that’s regulated under one regime will necessarily be regulated by the other.
The two statutes have different scopes in terms of their applicability. GDPR may apply even if you’re outside of the European Union. For instance, if you’re a US-based fund manager, GDPR will apply if you have a physical establishment or operations in the EU or if you offer goods or services to EU residents. It’s not crystal clear what the latter means in the fund context, but we usually interpret that as actively marketing a fund to EU investors and, in particular, to individual investors.
The CCPA, by contrast, applies to any kind of company, which would include a fund or fund manager that has more than $25 million in revenue per year and does business in the state of California. It’s also not crystal clear what “doing business in California” will mean, but it will likely apply if you have a physical presence in California or have California-domiciled investors.
What would fall under the definition of “personal data” for CCPA, and how is that different from the data that private equity firms have to keep track of, under GDPR?
The CCPA provides a very broad definition of “personal data,” similar in many respects to the GDPR definition, which is essentially any information that could identify a person. The CCPA actually goes a bit further and says a person or a household, though it remains unclear how “household” will be applied.
Both statutes broadly cover any kind of information that could identify a human being, including name, email address, date of birth and phone number. Given that the CCPA is scheduled to become effective in January 2020, regulations have not yet been promulgated that will define these terms and explain how they will be applied. The California Attorney General may promulgate regulations before January 2020 or even afterward, which may change the effective date of the legislation. When the process is completed, we would hope to have more clarity on these issues.
I should also note that there are a number of efforts underway to amend some facets of the CCPA before it comes into effect. We are seeing some debate, for example, about removing the “household” prong within the definition of personal data because it is vague, so it’s possible that this language will go away.
If the household prong gets taken out, how would that affect private equity firms, if at all?
PE funds would likely need to do a similar analysis as they did for GDPR, and funds that are already GDPR-compliant would have a significant head start in complying with CCPA.
Under CCPA, we’d be talking about investor subscription documentation, particularly for individual investors, and information regarding employees may also be covered. Those are the two main categories of natural person information. In addition, you could read CCPA to cover individuals who work at institutional investors because their data would, in a sense, be collected by a fund manager as well. But that’s likely going to be a lower risk area.
If each state adopts a data privacy law, how would that affect private equity firms? Are there any technology implications, since everything is stored on the cloud nowadays?
We see a potential conflict between different states adopting differing standards for regulating personal data.
In fact, we already have that to some degree with respect to data breaches. All 50 states have their own data breach requirements, and they are different in certain respects. It’s incredibly burdensome to have to navigate that because, as you mentioned, no company segregates data based on which state the person resides in.
So, it would be similarly burdensome if states started adopting similar, but still different, statutes modeled on the California approach. In that instance, we would have to advise clients to comply globally with the most rigorous regulations.
That would have to be the approach because there’s just no practical way to treat the personal data of California residents one way while treating data of Illinois residents, for example, a different way – when they’re both investing in the same fund. What we do see sometimes is state-specific disclosure language, for example, in a subscription agreement, but even where you do include state-specific language you will still need to adopt a rigorous global approach in terms of how you collect and maintain data.
What’s the difference between Reg S-P and CCPA? And are there any overlapping conflicts or overlapping regulatory rules between the two?
Where they overlap is that both Reg S-P and CCPA require you to keep investor data safe and secure and have procedures in place to ensure adequate security.
The CCPA goes beyond that by imposing additional restrictions on what you can do with personal data. For example, it requires that you give consumers the right to opt out of the sale of their data and also provide a detailed disclosure as to how you plan to use that data. This is far more aligned with the GDPR approach, and, as I mentioned, we therefore anticipate an increased compliance burden for fund managers that are not already GDPR-compliant because they will need to overhaul their policies and provide additional disclosures in order to come into compliance with CCPA.
For most fund managers, we don’t expect a drastic operational impact except in the use of large data sets, which poses higher risks. For example, fund managers that use large data sets to conduct macro analysis will need to closely scrutinize that data in light of CCPA; if they are purchasing personal data sets from third parties who may not have employed proper procedures to collect and transfer that data, that could potentially trigger disclosure requirements.