Experts agree the implementation of the California Consumer Privacy Act (CCPA) is a major regulatory event that is having a sweeping impact across many sectors of the U.S. economy and, given the size and influence of California’s consumer base, the effects are being felt nationwide and even across the globe.
According to a quartet of attorneys with the cybersecurity specialist law firm Squire Patton Boggs, the financial services industry is one of many business sectors that will feel the full brunt of the CCPA. For that reason, Glenn Brown, Lydia de la Torre, Elliot Golding and Ann LaFrance, all counsel or partners with the firm, say the financial services sector should remain engaged with the unfolding regulatory process surrounding the CCPA.
The most recent development in the CCPA saga, the quartet points out, came just this week, when the California attorney general announced several changes to the proposed regulations that set out the many standards and requirements of the CCPA. As the Squire Patton Boggs attorneys explain, the modifications include changes to the “Right to Opt Out,” the permissible uses of data by service providers and the mandatory content of CCPA notices. Industry stakeholders have until February 25 at 5 p.m. PST to submit any comments.
As the Squire Patton Boggs attorneys read it, this February 25 timetable indicates that the final rules will likely be in force before the July 1 deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the California attorney general to commence enforcement activity as soon as the rulemaking process concludes, the attorneys warn.
What Has Changed?
The Squire Patton Boggs attorneys suggest the modifications announced this week include multiple significant changes. For example, the modifications revisit the concept of “personal information,” basically by clarifying that the process of evaluating whether data constitutes personal information is based on whether the business links, or could reasonably link, the data to a particular consumer or household.
“For example,” the attorneys explain, “the modifications state that a business that operates a website that collects IP addresses from visitors need not consider the IP address to be personal information where the business does not associate that data with a particular consumer and could not reasonably do so.” According to the attorneys, this change “seems to indicate an intention to apply a more subjective analysis that focuses on whether the business could identify or link the data to a particular person, rather than whether the data is reasonably linkable to a particular person in general.”
Another modification adds certain service provider rights to use data: in addition to performing the services specified in a contract, service providers are permitted to process personal information for a number of reasons. These include retaining and employing subcontractors that meet the CCPA definition of “service providers,” internal use by the service provider to build or improve the quality of its services, and detecting security incidents or protecting against fraudulent or illegal activity, among other uses, such as complying with a federal or state investigation.
Other modifications relax some of the formal requirements around CCPA privacy policies and notices at collection and clarify others, the attorneys explain, while still others eliminate the requirement that if a business receives a request to opt out, it must notify all third parties to which it sold the consumer’s personal information within the 90 days preceding the request.
Squire Patton Boggs’ recent blog post spells out all the modifications in detail—including a few that apply specifically to the retirement planning industry. Also of note, the modifications provide additional guidance on how to calculate the value of personal information, the time periods to respond to individual rights requests, accessibility requirements and how businesses should verify requests to access or delete household information.
What This Means for the Retirement Industry
David Levine, a principal with Groom Law Group who also has been closely following and working on CCPA issues as they pertain to the retirement planning industry, strongly encourages advisers, recordkeepers and other service providers to pay attention to the CCPA’s rollout. Levine is representing the SPARK Institute on CCPA matters, for example by working with SPARK on various CCPA comment letters submitted to the California attorney general.
Levine says the proposed modifications to the CCPA are generally favorable for the retirement planning industry, in large part because the modifications actually carve out “employment benefits” as a separate and distinct data usage category. Levine says this is a great development for the space and will prevent plan sponsors, advisers and providers from having to shoehorn their data usage activities under the generic consumer data rules set out by the CCPA.
Looking ahead, Levine says, the implementation of the CCPA within the employment benefits space will be far from a straightforward affair—not least because of the inevitable federal preemption issues that will arise with respect to the Employee Retirement Income Security Act (ERISA). He likens the CCPA implementation to the confusion that has emerged as individual states create their own fiduciary rules for advisers and brokers, raising the question of whether the Securities and Exchange Commission’s national Regulation Best Interest will preempt such rules.
“These issues are not settled and it will take some time for all the legal nuances to be worked out,” Levine says.
He notes that, even if ERISA ends up preempting the CCPA for purposes of employment benefit plan data usage, there are still potential issues to consider, such as whether the CCPA will apply to ancillary financial wellness programs or other services provided by third parties.
“When is the use of the data truly employment/retirement plan related, versus become a commercial relationship?” Levine asks. “This is an important consideration as providers diversify and move into different areas of products and services. Where does ERISA apply? Where does CCPA apply? Or is it all covered by one or the other? This is multiple, very complex areas of law coming together right now.”