Regulation of Big Data Use and Personal Data Privacy: The SEC and California Make Data a Priority Focus in 2020

2020 is not just an election year; it is also a year where regulators are signaling their intent to continue to increase their focus on big data and the privacy of personally identifiable information (PII). The recent announcement by the Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) that it will focus on registered advisers' use of alternative data during examinations is an indication that use of such data may soon be subject to additional regulatory constraints and oversight.

In addition, to the extent big data includes PII about California residents that is not regulated under the federal Gramm-Leach-Bliley Act or the federal Fair Credit Reporting Act, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, imposes new requirements and constraints on investment advisers (and other companies, including an investment adviser's portfolio companies) that collect such data. These entities consequently need to be aware of some of the important legal developments described below.

OCIE 2020 Examination Priorities that Include Big Data

On January 7, 2020, OCIE released its 2020 Examination Priorities. These annual examination priorities identify and provide insight into the SEC's view on "key risks, trends, and examination priorities" as part of OCIE's overall effort to promote and improve compliance through its examinations of investment advisers, investment companies and other market participants, as well as to protect investors.¹ Many of their examination priorities this year were similar to those released in prior years.

OCIE also discussed its focus on registered firms' use of "alternative data." These "alternative data" or "big data" sets may be used by registered firms to assist in their investment decision-making. Specifically, OCIE plans to "focus on firms' use of these data sets and technologies to interact with and provide services to investors, firms, and other service providers and assess the effectiveness of related compliance and control functions."² While the SEC has not yet provided a comprehensive definition of "alternative data," it seemingly uses the term to refer to techniques that derive information from data sets to drive investment decisions and services as opposed to traditional corporate and market due diligence techniques that firms may use, such as fundamental corporate capital structure analysis or use of market and research information.

Chairman Jay Clayton applauded OCIE's efforts to focus on new market developments, saying, "OCIE's 2020 examination priorities identify key areas of risk, both existing and emerging, that we expect self-regulatory organizations (SROs), clearing firms, investment advisers and other market participants to identify and mitigate." OCIE Director Pete Driscoll also emphasized the importance of refining OCIE's priorities to evolving market risks, and that the 2020 priorities provide the "transparency [that] helps firms evaluate and improve their compliance programs, which ultimately helps protect investors."³

Given these new examination priorities, firms that use alternative data to inform their investment processes should expect increased SEC scrutiny of their internal controls and due diligence policies. To be prepared to meet these expectations, firms should take steps to ensure that their compliance functions are operating appropriately and consistently with the current state of the law regarding the use, and vetting of, alternative data sources and their own internal policies.

Firms should also expect that OCIE may ask questions relating to a firm's (i) evaluation of an underlying vendor's policies to prevent collection of PII, (ii) internal policies to screen incoming data, either from third parties or from proprietary collection methods, for PII, and (iii) internal policies on how to respond if such personal information is detected. Firms that collect such data on a proprietary basis should ensure that such collection is compliant with applicable law. Any evaluations, determinations and policies the firm makes or adopts should be documented in writing in order to evidence the firm's methods of complying with applicable law and its own policies during an OCIE examination. Firms may also consider whether it is appropriate to include periodic testing of such policies, and sampling of such documentation, as part of its annual Rule 206(4)-7 testing program. 

During an examination, and to the extent relevant to a firm's due diligence and investment processes, OCIE may ask questions about the firm's policies for vetting, selecting, and periodically reviewing third-party service providers that supply the firm with alternative data. It would not be surprising if OCIE staff also looks for firms to demonstrate these assessments through contemporaneous documentation and memorialization of the terms on which such data is provided to the firm through its contracts with these third-parties. In addition, firms should be prepared to explain how they gained comfort with how a third-party vendor acquired and provided the firm with information, as required by the US Investment Advisers Act of 1940, as amended.⁴ For example, they should be prepared to explain how they prevent the acquisition or misuse of information that might be considered material and/or nonpublic, or acquired through misappropriation or a breach of duty.

The SEC's Previous Discussions of Alternative Data Usage in Financial Markets

Over the past few years, the SEC has signaled an increased focus on the growing role of alternative data to inform and drive investment decisions. In September 2018, then-Commissioner Kara Stein recognized that "companies, governments, and even individuals, have radically enhanced their ability to extract, use, and manipulate data in new and increasingly value-added ways[]" that have "provoke[ed] new and complicated questions about data ownership, use, availability, and protection."⁵ However, Commissioner Stein focused more on data protection and cybersecurity than on diligence and compliance efforts. Despite raising questions about data collection, use, and privacy, the policy goals Commissioner Stein discussed in her remarks related more to other topics, including the SEC's plans to advance regulatory technology to keep pace with marketplace developments and to protect data in its possession from hacking or cyberattacks.

Similarly, in July 2019, Chief Economist and Director of the Division of Economic and Risk Analysis, S.P. Kothari, discussed how advancements in big data capabilities have led to a "technology arms race between trading firms that are striving to get the best technology and the best personnel" and that institutions are "increasing their use of AI, machine learning, and related tools."⁶ These comments again showed the SEC's increased focus on registered firms' advancements in data utilization technology and how such data may be used to drive investment decisions.

Additionally, in May 2019, the SEC hosted a full-day FinTech Forum to discuss topics including distributed ledger technology and digital assets. Here, speakers, including SEC Chairman Jay Clayton, Commissioner Hester Peirce, and OCIE Director Peter Driscoll, addressed technology's massive impact on financial markets, capital formation, and investor risk, but did not explicitly discuss the ways firms are using alternative data to shape investment decisions.⁷ Nevertheless, this forum represented an effort by the SEC to better understand the role of technology in financial markets, especially in relation to the ways the SEC currently regulates data use and the activities of firms that are registered investment advisers.

CCPA Compliance Creates Regulatory Risk for Investment Firms and Other Companies

Registered firms and other corporations, including a firm's portfolio companies, should consider preparing for queries relating to alternative data and CCPA compliance. The CCPA, which took effect January 1, 2020 and will be enforced starting on July 1, 2020, imposes extensive disclosure requirements on "businesses" that collect "personal information" about individuals (and households) residing in California (a California resident is termed a "consumer" under the law). "Personal information" under the CCPA is broadly defined as data "that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This broad definition means that PII that is not anonymized, or that is anonymized but is reasonably capable of being de-anonymized, would generally fall within the CCPA's ambit, meaning, that firms should assess their possession and use of personal information as it relates to any California portfolio company information or information provided by alternative data providers that is not appropriately anonymized.

A "business" under the CCPA means any for-profit entity that:

• does business in the state of California;
• collects consumers' personal information or has information collected on its behalf;
• either alone or jointly with others, uses or processes that data; and
• meets at least one of the following elements: (i) has annual gross revenue in excess of $25 million; (ii) alone or in combination buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices on an annual basis; or (iii) derives 50 % or more of its annual revenues from selling consumers' personal information.⁸

An entity that "does business" in California is one that interacts with California residents; it does not need to be physically located within the state. Under these criteria, registered firms could become subject to the CCPA, and consequently liable thereunder, for (among other things) the actions of any third-party data aggregators it makes use of and for any data collection activities it may conduct in-house.

Unless a statutory exemption applies (including the exemptions available for personal information that is "nonpublic personal information" under the Gramm-Leach-Bliley Act or "consumer report" information under the Fair Credit Reporting Act), covered businesses that "sell" consumers' personal information are required to (i) post a clear and conspicuous notice on their home pages that consumers have the right to prevent the sale of such information, and (ii) provide a link to an "opt-out" mechanism whereby a consumer may exercise his or her right to prevent such sale. Covered businesses also must provide consumers, before or at the point of collecting their personal information, a notice describing the types of personal information that will be collected, disclosed, and/or sold. Additionally, the CCPA grants consumers the right to access their personal information and to request its deletion, subject to certain limitations.

As described in a previous Arnold & Porter Advisory, the California Office of the Attorney General (OAG) proposed regulations to implement the statute, which are anticipated to be issued in final form within the next few months. The text of the CCPA is in many ways confusing if not internally contradictory, and the proposed regulations have provided some helpful clarification on certain points of ambiguity. However, there are still open statutory interpretation questions that, if not resolved by the final regulations, will ultimately leave covered businesses with no choice but to develop their own reasonable interpretations and await such clarification as may be further provided or afforded by the enforcement priorities of the OAG.

*                    *                    *

By making alternative data use an examination priority, OCIE has indicated that this is an area where the SEC expects firms to (i) have designed appropriate compliance functions to address the acquisition, vetting and handling of such information, including adequate policies, procedures, processes and documentation, and (ii) abide by the expectations and controls set forth in the applicable regulatory guidance and firm policies. For investment advisers that purchase data from third-party vendors, when examined, they should anticipate OCIE staff probing into how the firm vets, acquires, and uses the data. Consequently, firms should regularly review and augment their internal controls and due diligence policies to account for changes in the law and the nature of the data sets they procure, receive and use in their investment decision-making. Failure to do so could expose firms to an increased risk of OCIE issuing a deficiency letter at the end of an examination or, where substantive deficiencies are identified,  referring their case to SEC enforcement.

Similarly, while conceptually distinct, the CCPA—and the quagmire of practical and regulatory considerations that it may entail—reflects focus by state regulators on the potential risks inherent in data collection techniques that would have been largely unimaginable a few decades ago. Consumer privacy considerations, and the use by investment firms of technologies and data that may implicate such considerations even when the data is aggregated and anonymized, are likely to continue to take on greater prominence in the priorities of legislators and regulators at the state and federal level. Firms should remain vigilant in monitoring developments in this area and should manage their data usage (and collection) practices in-line with the expectations of their regulators and other relevant stakeholders.