A Deep Dive on the California Consumer Privacy Act for Financial Advisors

As is often the case with technology and regulation, the State of California has taken the lead by introducing the first comprehensive data regulation in the United States. The California Consumer Privacy Act, or more commonly just the CCPA, is intended to enforce standard business practices regarding the use of consumers' data. While there are key exceptions to the Act for the finance industry, it is expected to impact most firms.

What is the CCPA?

In response to events like the Cambridge Analytica scandal, the California State Legislature passed the California Consumer Privacy Act in 2018, and it will go fully into effect on January 1st, 2020. The Act is intended to clarify the business models of firms that collect and use information about persons and households on the internet. It introduces a set of rules meant to give California residents the right to:

  1. Know what personal data is being collected about them.

  2. Know whether their personal data is sold and to whom.

  3. Prohibit the sale of their personal data.

  4. Receive access to their data.

  5. Request deletion of the data collected from them.

  6. Receive equal price and service even if they prohibit the sale of their data.

It's a comprehensive list of rights and offers some new twists on privacy. The Act differs from existing privacy regulations, such as the European Union's GDPR, in that it covers information about households and the devices they use in addition to individual consumers. That makes it more comprehensive than any other privacy law. On the other hand, it targets business practices in general instead of specific tracking technologies such as the use of cookies. That means it shouldn't spread the sort of annoying pop-ups now common to sites serving the EU.

FMG suggests that the CCPA is a likely model for additional state laws, and its basic precepts are expected to appear in future national privacy laws. We are applying its protections to all customers, regardless of their state of residence, and you can use the compliance tools discussed below to do the same.

Is Your Firm Impacted?

First and foremost, the Act only applies to firms that do business in California. The Act has no direct effect if your firm doesn't do so. In that case, clearly stating which states your firm serves in your standard disclosure is a meaningful step toward resolving the issue.

Firms that do business in California, for-profit or otherwise, are subject to the Act if they meet even one of three criteria. A business qualifies if it has information about at least 50,000 consumers/households/devices, has gross annual revenues above $25 million, or makes more than half its revenue from the sale of personal data. This exempts most Advisors' practices, which fits the Act's goal of minimizing the impact on small businesses.

However, the first two criteria include most of the Broker-Dealers and many of the RIAs with FMG customers. We anticipate that virtually all of our enterprise clients and nationwide firms in our retail program will need to comply with the Act, at least for their advisors and clients in California.

We recommend that firms consider offering the rights described in the Act to everyone they do business with, which is how FMG itself is responding. The support we are providing your CCPA compliance efforts is designed with this in mind.

What is FMG's Role in Your Firm’s CCPA Compliance Program?

Whether your firm directly purchases FMG services through an enterprise contract or is granted supervisory access to retail accounts, we are your Service Provider. The contact data, content history, and supervisory records in each customer's accounts remain their property. The copies of this data provided to customers' affiliated firms remain those firms' property. That means your firm is free to implement your response to the CCPA, and we're providing tools to assist.

How Can Your Firm Comply with the CCPA?

Use FMG! We're here to make you a better marketer, and keeping everyone safe and compliant is essential. Since only a small amount of your overall client data is held within FMG's platform, we'll only be a portion of your firm's overall CCPA response. However, our role as a website provider means we can be a central place for you to offer necessary disclosures and collect the various consumer requests mandated by the CCPA. We already provide many of the tools you need to meet the requirements and will have additional changes ahead of the CCPA's introduction.

The policies and procedures your firm needs to adopt to comply with the CCPA can be organized by the consumer rights created under the Act. As detailed below, along with the support offered by FMG, these rights allow the consumer to:

Know what personal data is being collected about them.

The CCPA requires firms to identify what information is being collected regarding individuals and households, whether or not they are active clients of the firm. This data should be detailed by broad category, not by specifying a name or description for every element in your records. You’ll generally want to amend your privacy policy for this purpose.

These categories are listed below, along with a short description and a statement of whether this data is collected through FMG’s service. It is expected that every firm will collect data far beyond that gathered by or stored within your FMG account.

  • Personal Identifiers:  This is anything tied to a person or their household in a manner that could uniquely identify them. This includes the name, email, mailing address, and birthdate, which constitutes most of the information collected and used within your FMG account. Every firm will answer that they collect this information, and most will share it with a third party, such as custodians, BDs, RIAs, etc.

  • Customer Records Information:  This includes anything that identifies a specific account/transaction or the authorized individual(s) on that account/transaction. It will often overlap somewhat with Identifiers. FMG does not store information of this sort for these purposes, but every financial institution will be collecting it in other software.

  • Characteristics of Protected Classifications (Per CA Law):  This includes information about race, religion, sexual orientation, gender identity, gender expression, and age. Every firm will gather this information in some form, as age is a required part of financial records. Many will have additional information through more detailed financial planning documents. Your FMG account may contain Age records through the use of the Birthdate field.

  • Commercial Information:  This includes details of individuals' personal property and the history of their purchases or transactions. Again, every financial institution has these. Such information is not collected through or stored in your FMG account.

  • Biometric Information:  This includes details of a person’s appearance or unique physical characteristics, such as fingerprints, that could be used to identify them. Many financial firms will not collect or store this sort of information. However, it is not clear how the State of California views the details incidental to copies of identification documents or health records. FMG is not used to collect or store this form of information regarding your contacts.

  • Internet or Other Electronic Network Activity:  This broad category covers any indication of online activity. Your firm likely gathers this in several ways, including in the form of Click/Open details in your FMG account. This only refers to information that is collected in a manner that identifies an individual or specific device, so it would not necessarily include all security logging.

  • Geolocation Data:  This includes any information used to tie a person's activity to a real-world location, generally via IP tracking or GPS logging. Your FMG account does not gather or store such information concerning specific persons, nor do the third-party traffic tracking tools we recommend (such as Google Analytics). You'll want to check with your other vendors to determine if this information is being gathered elsewhere, as it is a common feature of other software.

  • Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information:  This category generally refers to data gathered by physical security or medical imaging tools. FMG does not facilitate the collection or storage of this sort of information. Images of clients/contacts gathered by your firm would fall into this category.

  • Professional or Employment-related Information:  This includes details about your contacts' employment status, employer, or work history. FMG is not used to collect or store this data, but every financial institution will gather it as part of their Know Your Client responsibilities.

  • Education Information:  Anything gathered about a contact's education falls into this category. FMG is not used to collect or store this information, but many financial firms will have it as part of financial planning or general Know Your Client records.

  • Inferences or Derived Information:  This category includes any information your firm generates to categorize contacts into groups based on either a formal qualitative process or your staff's subjective determination. It is the least defined category but also cuts right to the heart of the CCPA's driving goal, which is regulating the practice of targeting people through the use of their data. Financial firms derive or infer data when they perform client segmentation for marketing purposes or profitability analysis. Suitability, goal, or risk rankings may also fall into this category, so every financial firm will have some data of this sort. Inferences within your FMG account may come in the form of contact groups, which may match some of your firm's segmentation practices.

  • Information About Minor Children:  Any of the above information, when it applies to someone under the age of majority in their state of residence, should be considered a separate category. The Age of Majority is currently 18 in California, but it varies by state, and CA law will apply if either the child or any of their guardians are residents. Most financial institutions will have information about Minor Children in beneficiary records or as part of financial plans. FMG is not intended for use in communicating with minors, but there is no specific process for verifying the age of contacts or whether a minor's name is included in a contact record.

Your firm should detail whether each category of information is being sold and whether it is being shared with or disclosed to a third party. Whereas most firms will not be selling data, virtually all financial institutions share it with custodians, other partner BDs, managing RIAs, etc. Usually, this is done as part of Know Your Client, Anti-Money Laundering, or other regulatory requirements. While you are not required to detail why each category of information is being disclosed to a third party, many firms choose to do so.

FMG’s Role:  Your FMG website offers options to host a Privacy Policy for each advisor or to link back to a BD/RIA document on another site. The best way to do this depends on your firm's policy and the relationship between the Branch and Home Office.

Know whether their personal data is sold and to whom

While this business practice is nearly absent in the financial industry, primarily due to industry privacy regulations, it is still vital for your firm to take a clear position in your privacy policy. If it didn't already, your Privacy Policy should be updated to include a simple "Yes" or "No" to whether your firm engages in the sale of data.

In this case, "sale" implies "exchange for value" instead of placing a simple monetary price on the transaction. If your firm exchanges data with another for the purpose of mutual benefit, this would count as a sale. However, this does not include circumstances where the data is not exchanged with another firm but is held for service. For instance, your firm is not exchanging data with FMG regarding your clients and prospects.

FMG’s Role:  Your FMG website offers options to host a Privacy Policy for each advisor or to link back to a BD/RIA document on another site. The best way to do this depends on your firm's policy and the relationship between the Branch and Home Office.

Prohibit the sale of their personal data

Under the CCPA, every firm must collect “Opt Out” requests from clients who wish to prohibit the sale of their personal information. This applies even if your firm doesn’t currently sell data or has any intention to do so in the future.

Your firm will need to have a process for collecting requests, such as through your FMG website, verifying the requester's identity, responding to the requester, and recording their Opt-Out status. If your firm does sell data, you will need to remove the requester's data from the process.

While there is some disagreement across the industry on this point, your firm may also want to consider the nature of your data-sharing agreements (and requirements) in response to these opt-out requests. Most financial firms automatically share a broad range of data with key partners. For instance, an introducing BD often shares data with a clearing BD, RIA custodian, RIA, and so forth for every account in certain categories. These agreements can't end as part of an opt-out, often because of regulatory requirements. You may wish to reiterate this in response to Opt-Out requests in the same way you would respond that certain (perhaps all) data is maintained under the law when someone asks for deletion.

FMG's Role:  We are adding this as a standard option on all sites' Contact Us forms. There will also be a new footer option to meet the requirement for a "Do Not Sell My Personal Information" link. It will lead to the Contact Form as well.

Receive access to their own personal data

Perhaps the most challenging aspect of the CCPA, from both a security and logistical perspective, is the right of your contacts and clients to request a copy of their personal data from your records. Your firm needs to have a process to gather these requests, verify the identity and authority of the requester, and respond with appropriate details. Given the scope of data maintained by financial services firms and the potential risk of identity theft it involves, this is expected to be somewhat burdensome.

The CCPA applies to all data collected by your firm, regardless of its source. The material collected by and used within your FMG account is only a small portion of this information. The CCPA does not mandate a particular format for the delivery of the data, so you have leeway in determining how to provide it.

FMG's Role:  We are adding this as a standard option on all sites' Contact Us forms. It will be essential to undertake a verification process before responding to these requests. We also offer multiple methods to retrieve the information stored in your FMG account, either individually or in bulk.

Request deletion of the data collected from them.

While the CCPA does not introduce a "Right To Be Forgotten," as seen in the European GDPR, it does give consumers the right to request that unneeded data be deleted. Firms may maintain data as required by legislation, security requirements, legal needs, and other "internal, expected, and lawful" purposes. The CCPA's goal here is to keep firms from retaining data that clients want deleted if they don't have a good reason they are willing to disclose, primarily combating some of the abuses and neglectful practices seen in the social media industry.

Giving your contacts a way to request deletion, enacting a procedure for tracking these requests, and creating a standard response to their receipt are all important. As with requests to opt out of data sales or receive copies of personal information, you'll need to develop a process for verifying the identity of requesters and recording their status.

All of the data collected or logged for your contacts is categorized as related to current or potential financial transactions and covered via our 17a-4 compliant archival process. That means it's all exempt from deletion, though we recommend that deletion requests should, at the very least, cause your firm to restrict the use of the data by placing the contact on appropriate do-not-contact lists. Under the CCPA, you must tell your contacts that information is retained in archives as mandated by legislation when responding to a deletion request.

FMG's Role:  We're adding this as a standard option for all sites' contact forms. This will allow visitors to submit deletion requests to your firm's representatives appropriately. If we receive any request directly from a contact, we will follow the requirements to forward it to the customer.

Receive equal price and service even if they prohibit the sale of their data.

The CCPA prohibits any business practice that requires consumers to allow the sale of personal data to receive a discount or other favorable terms. This was becoming a standard part of many technology firms' Terms of Service. There was anticipation that it could one day become a common pricing methodology for certain firms, including some providers of financial services. Under this new regulation, firms need to avoid this sort of pricing. We suggest that you may wish to state that there is no such option in your firm's Terms of Service.

FMG’s Role:  We don’t have a part in this aspect of your CCPA response. We have never offered pricing options of this sort for our services.

What ISN’T the CCPA?

It's easy to find contradictory information about the CCPA. Some of this may be due to how it has been amended since its original passage or how the State of California has waited until the last minute to finalize the exact wording of the business regulations written to fulfill the Act. Some might be confusion between the CCPA and other well-known regulations, like the European Union's GDPR. The rest seems to be motivated by commercial interests: we've seen a lot of misinformation delivered by businesses hoping to profit from the Act.

As a result of this confusion, it’s worth taking a look at a few of the things the CCPA doesn’t cover.

The CCPA does not provide a "Right to be Forgotten."

European legislation has introduced rules requiring online providers to remove information about individuals upon request. This "Right to be Forgotten" is an essential aspect of the GDPR, and many writers incorrectly assumed that the CCPA would introduce a similar mechanism. However, American courts have seen these sorts of requests conflicting with the principles of free speech, and there is no such provision in the CCPA. This is seen as a reason for an exception to deletion requests, and firms may use them specifically to protect the rights of one person to share information about another.

The CCPA does not conflict with financial regulations

Data that is otherwise covered by existing financial regulation, in particular the Gramm-Leach-Bliley Act, is exempted from most aspects of the CCPA. This means that the State of California recognizes the value of existing consumer privacy protections offered by the industry and provides a safe harbor where retention and discoverability requirements would otherwise conflict with consumer deletion requests. Every data element in your FMG account, from simple contact names to the retargeting data used in your marketing campaigns, is part of the information used to review, approve, and document communications with the public regarding financial transactions. This communication has the potential to become part of the record regarding future realized transactions. That means all the information we store is subject to GLBA and exempt from much of the CCPA.

Financial firms are not (totally) exempt from the CCPA

On the other hand, the previous point doesn’t mean that financial firms are exempt. While most of the misinformation we’ve encountered has made the CCPA seem more onerous than it is, the idea that it simply doesn’t apply is a dangerous misconception. Financial firms still need to ensure that California consumers receive the rights established in the CCPA.

Where can you get more information?

The State of California has a public website dedicated to its privacy efforts. The original Act and an amendment made later in 2018 make for somewhat dry reading. The organization behind the ballot initiative that led to the CCPA (Californians for Consumer Privacy) offers more information on its goals but not a lot of advice on its implementation or details on how it will affect everyday business. Given the scope of your firm's requirements, it's recommended to seek the advice of a privacy expert or consultant.