When the GDPR went into effect on May 25, 2018, more than $8 billion worth of lawsuits were filed in one day against Facebook and Google alone. Ticketmaster soon followed with a $6.5 million suit of their own. While all of the above suits have yet to be sorted out, literally “gobs” of money hang in the balance.
Shortly after the GDPR took hold, California announced it would be launching its own privacy protection act in 2020, now just a couple of months away. The California Consumer Privacy Act goes into effect on January 1, 2020, and the attorney general starts enforcing it on July 1, 2020.
Failure to comply could cost up to $7,500 per infraction. That may not sound like much, until you consider the fact that each user profile held in violation of the CCPA could cost you that amount. If you inadvertently have information on 100 people you shouldn’t, you would be on the hook for 100 times the fine, or $750,000. Considering that even smaller advisory firms today carry a “subscriber” list of several thousand, fines could easily reach into the millions. So what does that mean for you? Does your firm need to worry about the California Consumer Privacy Act? The short answer is “probably not,” but read on to make sure.
Who Does the CCPA Apply To?
The California Consumer Privacy Act (CCPA) doesn’t just apply to advisors based in California – it also applies to you if you have any clients or prospective clients who live in California (or have a second home there) – but only if you meet any of the following three criteria:
- Your annual gross revenue is more than $25 million.
- Your organization receives, shares, or sells personal information of more than 50,000 people (who are California residents).
- Your company earns 50% or more of its annual revenue from selling personal information of consumers (who are California residents).
Number 1 is really the only one that could apply to advisors. Some advisors might fall under number 2 as well, but most won’t. Number 3 does not apply to advisors. While the CCPA is designed to apply to anyone who has clients and customers (or prospective ones) in California, it is also designed to apply only to larger companies – specifically those with revenue greater than $25 million, as it says above. So if your AUM doesn’t at least begin with a “b,” you’re probably in the clear. But even if none of those apply to you, it’s worth knowing what the law entails. California is often the legal trend-setter for the rest of the country, and many states have already started drafting their own versions of privacy protection laws based on the CCPA (in fact, Nevada’s version already went into effect on October 1, 2019, albeit with some significant differences). In other words, you’ll likely need to meet the requirements of the CCPA at some point in the near future.
What Does the CCPA Require?
The CCPA is basically California’s way of bringing the guidelines of the GDPR across the pond to help protect the private information of California residents. In short, the law requires businesses to:
- Provide annual disclosures, free of charge, of what information you have on all website visitors;
- Be transparent regarding any user info collected at the time of collection;
- Be transparent regarding any info sold or shared with other sites by allowing easy access to a box on the homepage that allows visitors to opt out of having their info shared;
- Be liable in the case of a security breach that exposes any personal information you hold on clients and non-clients alike.
Let’s break those points down.
1. Provide annual disclosures of all information to users
If requested, businesses will be required to provide all information they have on a particular user. There’s a little grey area here as the law was just updated in September to say only information “reasonably capable of being associated” needs to be disclosed. Before, it was just anything capable of being disclosed, which could be pretty much anything. Not that adding the word “reasonably” clarifies things much, but it appears to give a little more wiggle room.
2. Be transparent regarding any and all info collected
You’ll need to add a cookie consent box to your homepage for all first-time visitors telling them how you will use their data and asking them to accept the terms. In addition, the consent box needs to link to a page where visitors can decide what information they are okay with sharing. I know, it sounds like a lot, but there are several plugins and third-party solutions to help you become compliant (see “How Can I” section below).
3. Be transparent regarding info shared or sold
This one shouldn’t apply to many firms – hopefully you make enough as an advisor that you’re not resorting to selling user information to bring in a little extra money! And you likely aren’t sharing info, either.
4. Be liable in case of a security breach
Ethics 101: If you’re collecting personal information, you have to be able to protect it. Still, every month seems to bring the latest story of a large-scale hack. Security breaches happen. Constantly. Lord willing, your firm will never be exposed. But the hacking of large companies like Equifax and Target proved that no company is too big to be hacked. If and when it does happen, the CCPA says you need to be able to prove that you have done your best to prevent it. If you experience a data breach and are found not to have been properly protecting your users’ information, you could be subject to pretty sizable fines. In short, if your firm is hacked and you don’t notify anyone within 48 hours and prove that you are making substantial strides toward getting everything under control, you could be in trouble.
How Can I Make Sure My Firm’s Website is CCPA-Compliant?
As I said above, plenty of plugins exist to help you get in compliance with the CCPA. Many of these are built to help you kill two birds with one stone – bringing you into compliance with the CCPA and GDPR. If you run your website on WordPress, consider checking out CookiePro, which comes at a cost of $45 per domain per month or less. There’s also the Ultimate GDPR Plugin, which seems to be able to meet many if not all of the requirements of the California Consumer Privacy Act.
If you’re not on WordPress – or even if you are – then you may want to look into solutions like Cookiebot, Truyo or LogicManager (among many others). But keep in mind: These requirements are far from set in stone. Keep your eyes on the headlines and stay ahead of the curve to make sure you avoid any unnecessary fines! Interested in other tech resources? Check out our “Growing Advisor’s Guide to Must-Have Tech.”