Memo #31407

Revisions Made to California's New Privacy Act that Benefit Mutual Funds and Other Financial Institutions

September 25, 2018

TO: Chief Compliance Officer Committee
Chief Risk Officer Committee
Compliance Advisory Committee
Internal Audit Committee
Operations Committee
Privacy Issues Working Group
SEC Rules Committee
Small Funds Committee
Transfer Agent Advisory Committee

RE: Revisions Made to California's New Privacy Act that Benefit Mutual Funds and Other Financial Institutions


In late August, the Institute informed its members of a new privacy law in California, the California Consumer Privacy Act of 2018, which was enacted this summer. This Act imposes upon mutual funds and other businesses with California consumers very specific notice and disclosure requirements. The Institute recommended that its members visit a Resource Center[1] we created on our password-protected website to learn more about this law, its impact on our members, and steps they needed to take prior to its effective date of January 1, 2020.

After the law was enacted, a technical bill was introduced in the California Legislature to correct several glitches in the original text. One of the provisions the technical bill addressed was the exemption in Section 1798.145(e). Before the revision, this section exempted from the law "personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations," but only to the extent the federal law was in conflict with California's new law. Because California's new requirements were not in conflict with the Gramm-Leach-Bliley Act (the "GLB Act") or the regulations adopted under it, but were instead far more rigorous, this provision appeared to provide no relief at all to institutions subject to the GLB Act's privacy provisions.

The technical bill revised Section 1798.145(e) to remove the "in conflict" clause. As a result, any personal information collected, processed, sold, or disclosed pursuant to the GLB Act or the Securities and Exchange Commission's Regulation S-P ("Reg. S-P"), the regulation the SEC adopted to implement those GLB Act requirements that apply to broker-dealers, investment advisers, and registered investment companies, is now exempt from most of the law. Importantly, as revised, the one provision that remains applicable to all businesses with California consumers, including those whose information is subject to the GLB Act, is Section 1798.150.[2] The technical bill was passed by the California Legislature on August 31st and signed into law by Governor Brown on September 23, 2018. It took effect upon signing.

As a result of the revisions to California's law, Reg. S-P, which was adopted by the SEC on June 22, 2000, will now govern the information funds hold that is excluded from the requirements of the California law.[3] As detailed in a white paper the Institute published on Reg. S-P in January 2001,[4] Reg. S-P applies to "nonpublic personal information." This term is defined in Section 248.3(t)(1) of Reg. S-P to include (1) all personally identifiable financial information[5] and (2) any "list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information."[6] As explained in ICI's White Paper:

‘Personally identifiable information’ comprises virtually all information that a consumer supplies or a financial institution otherwise obtains or generates in connection with providing a financial product or service to a consumer. Reg. S-P cites, as examples, the contents of a consumer application, account balance and transaction history, the existence of a consumer or customer relationship, information collected by way of a ‘cookie’ or other on-line device, and consumer reports. If a broker-dealer, fund, or registered adviser has determined that given information is relevant in providing a financial product or service to a consumer, then Reg. S-P deems such information to be ‘financial’ – even if, as in the case of medical or health information, it is not intrinsically so.[7]

In light of these revisions, we strongly urge members to revisit their analysis of how the California law will affect their interactions with California consumers. Given the breadth of information covered by Reg. S-P, it is likely that the information you (i.e., the "business") collect on a California consumer falls within the scope of information governed by the GLB Act. If so, the only provision of the California law that would appear to apply to your activities is Section 1798.150, relating to civil liability. That section imposes no notice or disclosure obligations. Instead, it exposes a business to civil liability if a consumer's unencrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure because the business failed to implement and maintain reasonable security procedures and practices appropriate to the nature of that information. Two practical points follow: the private right of action reaches only data that was neither encrypted nor redacted, and it attaches only where reasonable security was lacking, so members should be able to document the security controls protecting consumer data. If, however, your business collects any information on California consumers that is not subject to the GLB Act or the regulations thereunder, such as Reg. S-P, the entirety of California's law is likely applicable to that information.


Tamara K. Salmon
Associate General Counsel


endnotes

[1] The Resource Center is available at: https://www.ici.org/ca_privacy.  

[2] This provision authorizes "any consumer whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information" to institute a civil action to recover damages, seek injunctive or declaratory relief, or obtain any other relief the court deems proper. [Emphasis added.] Among other things, Section 1798.150 requires a consumer bringing such an action to give the business thirty (30) days' written notice before filing and to give the business an opportunity to cure the violation.

[3] Note that the exclusion in Section 1798.145(e) applies to the “personal information” – not to the type of institution that collects, uses, shares, or sells such information. By its express language, the GLB Act applies to information obtained by all “financial institutions.” This term means “any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” See Section 248.3(n)(1) of Regulation S-P. With respect to SEC registrants, this includes any consumer information obtained by any broker, dealer, investment company, or investment adviser registered with the SEC. [Financial institutions not registered with the SEC may still be subject to GLB but the regulations governing their activities would have been adopted by the Federal Trade Commission and not the SEC.]

[4] See Privacy of Consumer Financial Information: Mutual Fund Compliance with Regulation S-P, ICI (January 2001) (“ICI’s White Paper”), which is available on the ICI Resource Center.

[5] "Personally identifiable financial information" is defined in Section 248.3(u) of Reg. S-P to mean any information: (i) a consumer provides to you to obtain a financial product or service from you; (ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer. The definition goes on to list seven examples of information it covers.

[6] See ICI’s White Paper at p. 17.

[7] See ICI’s White Paper at pp. 17-18.