What advisors are doing given new privacy law

'If you’re subject to the law, it doesn’t really matter if you’re in or outside of California.'

Even if you’re far from California, the state’s new privacy law can reach you. You may have clients, contractors, employees or affiliates in the Golden State. Or the state may spark others to pass tougher privacy laws.

“Don’t turn a blind eye [to the new privacy law] because the rest of the country will probably follow. California tends to lead the way,” says Darren Mooney, deputy CCO with Partner Fund Management in San Francisco.

The law formally took effect January 1. Enforcement won’t begin until July at the earliest.

A little friendlier

“It’s much more business friendly than when it was originally constituted,” said David Stauss, a partner with Husch Blackwell in Denver, of the current version of the California law. State lawmakers added exemptions for employee data held by firms and for business-to-business dealings, he added.

Another change that’s helpful to SEC RIAs is an exemption for firms subject to the Gramm-Leach-Bliley Act, says Casey Jennings, associate, Seward & Kissel in Washington, DC. This exemption would extend to information collected from investors, such as names, addresses, email addresses, social security and tax ID numbers, and more.

A new one-year exemption now exists for certain employee data. For now, you must alert California-based employees of the data you collect on them and state why you do so, but staff don’t have a right to have certain data stricken. The legislature has one year to decide what happens next.

But, as of this month, California residents for whom you collect private data have the right to request that that data be expunged, or the right to be forgotten, as Stauss describes it.

Firms covered by the law must disclose the personal information of California residents they collect, the business purposes for the information, the category of third parties to whom they share such information and alert residents that they have the right to have their data erased, adds Stauss.

A lack of clarity

“The rules themselves are not terribly clear,” says a CCO at a southern California advisory firm covered by the law. He struggles to understand what data are covered by the law. He’s worked extensively with IT to map where the advisor houses its data “because as a compliance professional, I don’t know what information we actually store and where.”

The mapping has proved more difficult than anticipated, he added. The RIA has amended its disclosures on its website’s prospective employee-applicant page to match the new law.

Mooney says his firm has updated its website’s privacy policy to reflect the new law. Don’t forget to include data maintained by your service providers, he adds.

Many advisors, even in California, may be exempt from the law because they don’t produce annual revenues (including outside the state) of more than $25 million. Mooney believes even these smaller advisors may adopt the law’s mandates because investors will expect them to do so. Of if they sense they’re close to that revenue threshold, they will comply for fear they may unknowingly cross it.

More best practice tips

If you’re covered by the law, segregate your California-based clients so you can find them quickly in your database, suggests Guy Talarico, CEO of Alaric Compliance in New York. Send them your revised privacy policy and set up a process to be able to scrub the data of residents who request it, he adds. Don’t create a separate privacy policy for California. Talarico recommends you simply augment your existing one to incorporate the new California law.

A person is considered a California resident if they spend more than six months in a year in the state, notes David Hearth, a partner with Paul Hastings in San Francisco. You needn’t ask your clients to count the days. Simply ask them if they “are primarily resident” in the Golden State, he suggests.

“If you’re subject to the law, it doesn’t really matter if you’re in or outside of California,” contends Jennings.

Waiting on enforcement

“The attorney general’s office can’t enforce the statute until it publishes final regulations,” reports Stauss. “We’re waiting for them to publish their final regulations.”

When enforced, the law can carry fines from $2,500 to $7,500, depending on the type of violation. The real worry concerns breaches.

“For the first time, a state has said that if there’s a data breach and it involves certain types of information,” California residents can sue for damages beginning at $100 per incident, states Stauss.

While advisors could be targeted, Jennings believes state lawmakers eyed bigger fish. “This law was not created with advisors in mind but rather Google and Facebook,” he said.

Colorado already is rumbling about adopting a similar privacy law, notes Talarico. Such moves will heighten the push for a national policy, contends Stauss. “A 50-state solution to privacy law in this country is untenable,” he says. “It’s impossible to even conceive of.”

This article first appeared in sister publication Regulatory Compliance Watch