California Enacts New Privacy Law That Imposes New Disclosure Requirements on All Businesses - Including Mutual Funds

[31349]

August 24, 2018

TO: Chief Compliance Officer Committee
Chief Risk Officer Committee
Compliance Advisory Committee
Internal Audit Committee
Operations Committee
Privacy Issues Working Group
SEC Rules Committee
Small Funds Committee
Transfer Agent Advisory Committee RE: California Enacts New Privacy Law That Imposes New Disclosure Requirements on All Businesses - Including Mutual Funds

 

In July, California Governor Jerry Brown signed into law The California Consumer Privacy Act of 2018.[1] This Act takes effect January 1, 2020. 

The Institute strongly encourages all members to review the Act to determine whether it will impact their business and, if so, to begin the implementation process as soon as practicable. Due to the extensive impact it will have on those members that are subject to its provisions, the January 1, 2020 compliance date will likely present challenges in having the Act fully implemented by that date.

California’s Act will apply to every “business” – i.e., every fund – that collects information on a California consumer (i.e., shareholder) and that satisfies at least one of the following three thresholds:

1. Has gross annual revenues in excess of $25 million;
2. Sells or shares for commercial purposes the personal information of 50,000 or more California consumers; or
3. Derives 50% or more of its annual revenues from selling consumers’ personal information. 

Accordingly, any business, including any mutual fund, that has at least one California shareholder and that has gross annual revenues in excess of $25 million will be subject to the Act. Because the Act defines the term “business” to include any entity that controls or is controlled by an entity and shares common branding with that entity, a fund’s affiliates will also be subject to the Act. 

Generally speaking, the Act provides California consumers the “right” to: know – with specificity – what personal information a business collects about them; know to whom it is disclosed or sold and for what purpose; and opt out of the sale of their personal information. It imposes specific disclosure obligations on businesses to alert California consumers to their new rights and how to exercise them.

The sweeping and extensive obligations this new law will impose on mutual funds (and other businesses) include requiring funds to detail all information they receive on their California shareholders, the sources of that information, with whom such information is shared, and the purpose for the sharing. Because most of the requirements of the Act do not lend themselves to industry-wide solutions, ICI has established a “California Privacy Act” Resource Center on the password protected portion of our member website to assist members with implementing the Act.[2] This Resource Center, which is available at www.ici.org/ca_privacy, contains:

• A copy of the Act;
• A 14-page ICI whitepaper, California’s Consumer Privacy Act of 2018: A Summary of the Act’s Impact on Mutual Funds; and
• A five-page document ICI developed, Questions to Consider in Implementing California’s New Privacy Act. This document lists 13 questions that those funds that are subject to the Act should consider as part of the implementation process.

The Resource Center also includes an ICI whitepaper on the recordkeeping requirements under the federal securities laws. This document is to assist funds in knowing which records they are required by federal law to maintain to make sure that they are not deleted if a shareholder requests deletion of their records.

While the Act charges the California Attorney General with adopting rules to help businesses implement its provisions, we understand that there is a likelihood that such rules will not be adopted in advance of the Act’s compliance date. Notwithstanding this, as of now, businesses are expected to be fully compliant with the Act by January 1, 2020.

Members that have questions about the Act or need recommendations for privacy counsel familiar with the Act should contact the undersigned by phone (202-326-5825) or email (tamara@ici.org). 

 

Tamara K. Salmon
Associate General Counsel

 

endnotes

[1] See California Assembly Bill 375, which is available at: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

[2] This information is only being made available to ICI’s members and should not be shared with anyone outside of your firm.