Five steps hedge funds should take to stay on top of CCPA compliance
By Alex Scheinman, ACA Aponix
Published: 21 March 2019
According to the US Department of Commerce, California is the world’s fifth-largest economy. So it is no surprise that California often takes the lead in paving the way for new legislation affecting not only civilians, but the business community in the US. With the recent wave of data breaches and misuses of data bringing data privacy to the forefront of the corporate agenda, in 2018, California passed the California Consumer Privacy Act (CCPA) to grant California residents increased control over their personal data, set to go into effect on January 1, 2020.
Under the CCPA, consumers will be able to find out what personal information of theirs has been collected, request that firms delete their data and opt out of having their information sold. Firms face hefty fines for non-compliance. The fine per civil violation is $2,500 to $7,500 for each violated data record, with the fine of $7,500 reserved for intentional acts of CCPA non-conformity. Further, if a data breach occurs, under the CCPA, the implicated firm could be held accountable for lawsuits.
When one hears about a regulation aimed at consumer data privacy, hedge fund compliance may not be the first thing that comes to mind. But hedge funds that put CCPA compliance on the backburner will find themselves scrambling to map out their affected data and comply ahead of the deadline for a variety of reasons.
Does GLBA override CCPA?
The first question that hedge funds might be asking themselves regarding compliance with the California Consumer Privacy Act is whether or not their data falls into scope. The question is one that has certainly been top of mind to the business community, lobbying to attain greater clarity on the regulation ahead of the law going into effect.
Following an amendment in September 2018, it was decided that GLBA-regulated data, which most core financial services data falls under, is indeed exempt. But hedge funds must be mindful that much of their data may not be considered ‘core’ by regulators.
The uptick in usage of alternative data by hedge funds has been a huge topic of industry discussion in recent years as hedge funds look to differentiate their investment strategies from traditional asset managers, facing increased competition from other managers offering multi-asset strategies. Statistics show that hedge fund spend on alternative data is skyrocketing. According to a recent report from Greenwich Associates, hedge funds are spending roughly $900,000 per year on alternative-data sources, and that amount is forecasted to hit $1 billion by 2020.
Indeed - the usage of alternative data by hedge funds may prove of significant interest to California state regulators, as they may not consider data sets often leveraged by hedge funds such as the below covered by GLBA, and thus, subject to CCPA compliance:
- Data from financial aggregators
- Credit card data
- Geospatial and location data
- Web scraping datasets
- Social media data
- App engagement data
- Ad spend data
- Point of sale data
- Shipping data from U.S. customs
- Data made available through APIs
- B2B data acquired from parties in the supply chain
- Location/foot traffic data from sensors and routers
- Satellite and drone data
- Pharmaceutical prescription data
Hedge funds must approach CCPA compliance strategically and with a firm goal of mapping which of their data falls in scope, which does not, where that data is located, and where it is being shared. Only once a data mapping exercise has been completed will hedge funds be able to create a compliance roadmap, following the below best practices:
- Obtaining executive buy-in — CCPA compliance is a broad effort that will affect many aspects of a hedge fund and will require significant staff hours and financial resources. In addition, failure to comply can have serious financial and reputational consequences. As a result, it is crucial to gain executive buy-in to facilitate the compliance process.
- Understanding data collection policies and procedures — It is essential to understand what a hedge fund’s current policies and procedures are for collecting, storing, and selling data on California consumers. Firms should prepare data maps, inventories, and other records that clearly illustrate what data the business collects and sells, and where it is sold.
- Performing a gap analysis — Reviewing CCPA requirements closely and comparing them with data discovery findings. Performing a detailed delta assessment between the firm’s status and where it needs to be for compliance.
- Developing a compliance roadmap — Developing a comprehensive compliance roadmap of necessary action steps based on the results of the gap analysis. Prioritizing tasks based on risk and level of effort.
- Implementing the compliance roadmap — Assigning leaders for the remediation effort, and delegating tasks to responsible parties. Following up on progress regularly. Developing all necessary updates and mechanisms (e.g., privacy policies, opt-out, opt-in, web updates, etc.). Testing and fixing all solutions as necessary. Updating due diligence policies regarding third-party vendors and vetting vendors for compliance as well. Including staff training as part of the overall compliance effort.
What’s next for hedge funds and CCPA compliance?
In fall of 2019, the business community and the California Chamber of Commerce are expected to push for another round of amendments to narrow the present scope of the CCPA. It is expected that they will seek to narrow the definition of personal data, exempt personal data collected in the B2B channel and perhaps limit or eliminate the inclusion of personal data related to employees (e.g., dependents and beneficiaries). A move like that is one that hedge funds should keep a mindful eye on, as it would certainly impact compliance strategies.
All things considered, however, the California Consumer Privacy Act should serve as a wake-up call for hedge funds to put robust data privacy programs in place, and perhaps even to appoint dedicated data privacy executives, such as a Chief Privacy Officer to focus solely on data privacy compliance, looking beyond SEC requirements. And as there has been much discussion around the CCPA marking a move towards a federal data privacy regulation, similar bills in the US continue to take hold in states like Washington, Hawaii and New York. Prudent hedge funds, already making significant changes to how they run their business to maintain alpha in a world of constant change, must also change their mindsets on data privacy, placing it at the top of their priority lists in 2019.
