As is often the case with both technology and regulation, the State of California has taken the lead by introducing the first comprehensive data regulation in the United States. The California Consumer Privacy Act, or more commonly just the CCPA, is intended to enforce standard business practices regarding the use of consumers' data. While there are key exceptions to the Act for the finance industry, it is expected to impact most firms.
What is the CCPA?
In response to events like the Cambridge Analytica scandal, the California State Legislature passed the California Consumer Privacy Act in 2018, and it will go fully into effect on January 1st, 2020. The Act is intended to provide clarity regarding the business models of firms that collect and use information about persons and households on the internet. It introduces a set of rules meant to give California residents the right to:
1. Know what personal data is being collected about them.
2. Know whether their personal data is sold and to whom.
3. Prohibit the sale of their personal data.
4. Receive access to their data.
5. Request deletion of the data collected from them.
6. Receive equal price and service even if they prohibit the sale of their data.
FMG Suite suggests that the CCPA is a likely model for additional state laws, and its basic precepts are expected to appear in a future national privacy law. We are applying its protections to all customers, regardless of their state of residence, and you can use the compliance tools discussed below to do the same.
Is Your Firm Impacted?
First and foremost, the Act only applies to firms that do business in California. If your firm doesn’t do so, the Act has no direct effect. In that case, clearly stating which states your firm serves in its standard disclosure is a meaningful step toward settling the question.
Firms that do business in California, for-profit or otherwise, are subject to the Act if they meet even one of three criteria. A business qualifies if it has information about at least 50,000 consumers/households/devices, has gross annual revenues above $25 million, or makes more than half its revenue from the sale of personal data. This exempts most Advisors' practices, which fits the Act's goal of minimizing the impact on small businesses.
However, the first two criteria include most of the Broker Dealers and many of the RIAs with FMG Suite customers. We anticipate that virtually all of our enterprise clients and nationwide firms in our retail program will need to comply with the Act, at least for their advisors and clients in California.
We recommend that firms consider offering the rights described in the Act to everyone they do business with, which is how FMG Suite itself is responding. The support we are providing your CCPA compliance efforts is designed with this in mind.
What is FMG Suite’s Role in Your Firm’s CCPA Compliance Program?
Whether your firm directly purchases FMG Suite services through an enterprise contract or is granted supervisory access to retail accounts, we are your Service Provider. The contact data, content history, and supervisory records in each customer's account remain that customer's property. The copies of this data provided to customers' affiliated firms remain those firms' property. That means your firm is free to implement its own response to the CCPA, and we're providing tools to assist.
How Can Your Firm Comply with the CCPA?
Use FMG Suite! We're here to make you a better marketer, and keeping everyone safe and compliant is an important part of that. Since only a small part of your overall client data is held within FMG Suite's platform, we'll only be a portion of your firm's overall CCPA response. However, our role as a website provider means that we can be a central place for you to offer necessary disclosures and collect the various consumer requests mandated by the CCPA. We already offer many of the tools you need to meet the requirements and will have additional changes in place ahead of the CCPA's introduction.
The policies and procedures your firm needs to adopt to comply with the CCPA can be organized by the consumer rights created under the Act. As detailed below, along with the support offered by FMG Suite, these rights allow the consumer to:
Know what personal data is being collected about them.
The CCPA's categories of personal data are listed below, along with a short description and a statement of whether this sort of data is collected through FMG Suite’s service. It is expected that every firm will collect data far beyond that which is gathered by or stored within your FMG Suite account.
- Personal Identifiers: This is anything tied to a person or their household in a manner that could uniquely identify them. This includes the name, email, mailing address, and birthdate, which constitutes most of the information collected and used within your FMG Suite account. Every firm will be answering that they collect this information, and most will be sharing it with a third party, such as custodians, BDs, RIAs, etc.
- Customer Records Information: This includes anything that identifies a specific account/transaction or the authorized individual(s) on that account/transaction. It will often overlap somewhat with Identifiers. FMG Suite does not store information of this sort for these purposes, but every financial institution will be collecting it in other software.
- Characteristics of Protected Classifications (Per CA Law): This includes information about race, religion, sexual orientation, gender identity, gender expression, and age. Every firm will be gathering this information in some form, as age is a required part of financial records. Many will have additional information through more detailed financial planning documents. Your FMG Suite account may contain Age records through the use of the Birthdate field.
- Commercial Information: This includes details of individuals’ personal property and the history of their purchases or transactions. Again, every financial institution firm has these. Such information is not collected through or stored in your FMG Suite account.
- Biometric Information: This includes details of a person’s appearance or unique physical characteristics, such as fingerprints, that could be used to identify them. Many financial firms will not collect or store this sort of information, though it is not clear how the State of California views the details incidental to copies of identification documents or health records. FMG Suite is not used to collect or store this form of information regarding your contacts.
- Internet or Other Electronic Network Activity: This is a rather broad category covering any indication of online activity. Your firm likely gathers this in several ways, including in the form of Click/Open details in your FMG Suite account. This only refers to information that is gathered in a manner that identifies an individual or specific device, so it would not necessarily include all security logging.
- Geolocation Data: This includes any information used to tie a person's activity to a real-world location, generally via the use of IP tracking or GPS logging. Your FMG Suite account does not gather or store such information concerning specific persons, nor do the third-party traffic tracking tools we recommend (such as Google Analytics). You'll want to check with your other vendors to determine if this information is being gathered elsewhere, as it is a common feature of other software.
- Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information: This category is generally used to refer to data gathered by physical security or medical imaging tools. FMG Suite does not facilitate the collection or storage of this sort of information. Images of clients/contacts gathered by your firm would fall into this category.
- Professional or Employment-related Information: This includes details about your contacts' employment status, employer, or work history. FMG Suite is not used to collect or store this data, but every financial institution will gather it as part of their Know Your Client responsibilities.
- Education Information: Anything gathered about a contact’s education falls into this category. FMG Suite is not used to collect or store this information, but many financial firms will have it as part of a financial planning or general Know Your Client record.
- Inferences or Derived Information: This category includes any information generated by your firm to categorize contacts into groups based on either a formal qualitative process or your staff's subjective determination. It is the least defined category but also cuts right to the heart of the CCPA's driving goal - guiding the practice of targeting people through the use of their data. Financial firms derive or infer data when they perform client segmentation for marketing purposes or analysis of profitability. Suitability, goal, or risk rankings may fall into this category as well, so every financial firm will have some data of this sort. Inferences within your FMG Suite account may come in the form of contact groups, which may match some of your firm's segmentation practices.
- Information About Minor Children: Any of the above information, when it applies to someone under the age of majority in their state of residence, should be considered as a separate category. The Age of Majority is currently 18 in California, but it varies by state, and CA law will apply if either the child or any of their guardians are residents. Most financial institutions will have information about Minor Children in the form of beneficiary records or as part of financial plans. FMG Suite is not intended for use in communicating with minors, but there is not a specific process for ensuring the age of contacts or whether their name is included in a contact record.
Your firm should detail whether each category of information is being sold and whether it is being shared with or disclosed to a third party. Whereas most firms will not be selling data, virtually all financial institutions share it with custodians, other partner BDs, managing RIAs, etc. Usually, this is done as part of Know Your Client, Anti-Money Laundering, or other regulatory requirements. While you are not required to detail why each category of information is being disclosed to a third party, many firms are choosing to do so.
Know whether their personal data is sold and to whom.
In this case, “sale” is intended to imply “exchange for value” as opposed to placing a simple monetary price on the transaction. If your firm exchanges data with another for the purpose of mutual benefit, this would count as a sale. However, this does not include circumstances where the data is not exchanged with another firm but is instead held for service. For instance, your firm is not exchanging data with FMG Suite regarding your clients and prospects.
Prohibit the sale of their personal data.
Under the CCPA, every firm is required to collect “Opt Out” requests from clients who wish to prohibit the sale of their personal information. This applies even if your firm doesn’t currently sell data or have any intention to do so in the future.
Your firm will need to have a process for collecting requests, such as through your FMG Suite website, verifying the identity of the requester, responding to the requester, and recording their Opt-Out status. If your firm does sell data, you will need to remove the requester's data from the process.
While there is some disagreement across the industry about the point, your firm may also want to consider the nature of your data sharing agreements (and requirements) in response to these opt-out requests. Most financial firms are automatically sharing a broad range of data with a set of key partners. For instance, an introducing BD is often sharing data with a clearing BD, RIA custodian, RIA, and so forth for every account in certain categories. These agreements can't end as part of an opt-out, often because they are regulatory requirements, and you may wish to reiterate this in response to Opt-Out requests in the same way you would respond that certain (perhaps all) data is maintained under the law when someone asks for deletion.
FMG Suite’s Role: We are adding this as a standard option on all sites’ Contact Us forms. There will also be a new footer option to meet the requirement for a “Do Not Sell My Personal Information” link. It will lead to the Contact Form as well.
Receive access to their own personal data.
Perhaps the most challenging aspect of the CCPA, from both a security and a logistical perspective, is the right of your contacts and clients to request a copy of their personal data from your records. Your firm needs to have a process to gather these requests, verify the identity and authority of the requester, and respond with appropriate details. Given the scope of data maintained by financial services firms and the potential risk of identity theft it involves, this is expected to be somewhat burdensome.
The CCPA applies to all data collected by your firm, regardless of its source. The material collected by and used within your FMG Suite account is only a small portion of this information. The CCPA does not mandate a particular format for delivery of the data, so you have leeway in determining how to provide it.
FMG Suite’s Role: We are adding this as a standard option on all sites’ Contact Us forms. It will be very important to undertake a verification process before responding to these requests. We also offer multiple methods to retrieve the information stored in your FMG Suite account, either individually or in bulk.
Request deletion of the data collected from them.
While the CCPA does not introduce a "Right To Be Forgotten", as seen in the European GDPR, it does give consumers the right to request that unneeded data be deleted. Firms may maintain data as required by legislation, security requirements, legal needs, and other "internal, expected, and lawful" purposes. The CCPA's purpose here is to keep firms from retaining data that clients want deleted unless they have a good reason they are willing to disclose, primarily combating some of the abuses and neglectful practices seen in the social media industry.
It is important to give your contacts a way to request deletion, to enact a procedure for tracking these requests, and to create a standard response to their receipt. As with requests to opt out of data sales or receive copies of personal information, you'll need to develop a process for verifying the identity of requesters and recording their status.
All of the data collected or logged for your contacts is categorized as related to current or potential financial transactions and covered by our 17a-4 compliant archival process. That means it's all exempt from deletion, though we recommend that deletion requests should, at the very least, cause your firm to restrict the use of the data by placing the contact on appropriate do-not-contact lists. Under the CCPA, it is important that you tell your contacts that information is being retained in archives as mandated by legislation when you respond to a deletion request.
FMG Suite’s Role: We’re adding this as a standard option in our contact forms for all sites. This will allow visitors to make the appropriate requests to your firm’s representatives. In the event that we receive any request directly from a contact, we will be following the requirements to forward them to the customer.
Receive equal price and service even if they prohibit the sale of their data.
The CCPA prohibits any business practice that requires consumers to allow the sale of personal data to receive a discount or other favorable terms. This was becoming a standard part of many technology firms' Terms of Service, and there was anticipation that it could one day become a common pricing methodology for certain firms, including some providers of financial services. Under this new regulation, it is important for firms to avoid this sort of pricing. We suggest that you may wish to state that there is no such option in your firm's Terms of Service.
FMG Suite’s Role: We don’t have a part in this aspect of your CCPA response. We have never offered pricing options of this sort for our own services.
What ISN’T the CCPA?
It’s easy to find contradictory information about the CCPA. Some of this may be due to the way it has been amended since its original passage or the way the State of California has waited until the last minute to finalize the exact wording of the business regulations written to fulfill the Act. Some of it might be confusion between the CCPA and other well-known regulations, like the Eurozone’s GDPR. The rest seems to be motivated by commercial interests - we’ve seen a lot of misinformation delivered by businesses hoping to profit from the Act.
As a result of this confusion, it’s worth taking a look at a few of the things the CCPA doesn’t cover.
The CCPA does not provide a "Right to be Forgotten."
European legislation has introduced rules requiring online providers to remove information about individuals upon their request. This "Right to be Forgotten" is an important aspect of the GDPR, and many writers assumed, incorrectly, that the CCPA would introduce a similar mechanism. However, American courts have seen these sorts of requests as conflicting with the principles of free speech, and there is no such provision in the CCPA. In fact, this is seen as a reason for an exception to deletion requests, and firms may use them specifically to protect the rights of one person to share information about another.
The CCPA does not conflict with financial regulations
Data that is otherwise covered by existing financial regulation, in particular the Gramm-Leach-Bliley Act, is exempted from most aspects of the CCPA. This means that the State of California both recognizes the value of the existing consumer privacy protections offered by the industry and provides a safe harbor where retention and discoverability requirements would otherwise conflict with consumer deletion requests. Every data element in your FMG Suite account, from simple contact names to the retargeting data used in your marketing campaigns, is part of the information used to review, approve, and document communications with the public regarding financial transactions. This communication has the potential to become part of the record regarding future realized transactions. That means all the information we store is subject to GLBA and exempt from much of the CCPA.
Financial firms are not (totally) exempt from the CCPA
On the other hand, the previous point doesn’t mean that financial firms are totally exempt. While most of the misinformation we’ve encountered has made the CCPA seem more onerous than it actually is, the idea that it simply doesn’t apply is a dangerous misconception. Financial firms still need to ensure that California consumers receive the rights established in the CCPA.
Where can you get more information?
The State of California has a public website dedicated to its privacy efforts. The original Act and an amendment made later in 2018 make for somewhat dry reading. The organization (Californians for Consumer Privacy) behind the ballot initiative that led to the CCPA offers more information on its goals, but not a lot of advice on its implementation or details on how it will really affect everyday business. Given the scope of your firm’s requirements, it’s recommended to seek the advice of a privacy expert or consultant.