At first glance, data privacy may seem unrelated to securities laws. However, this couldn't be further from the truth. An example of where data privacy laws and securities intersect is when investors and businesses are required to provide certain personal information, such as their social security number and financial history, to crowdfunding portals in order to participate in regulation crowdfunding offers. Currently, there are no federal data privacy laws within the United States. Rather, it's a field of law mostly governed by the States. As shown later in this article, data privacy laws are constantly evolving, and more States are adopting their own legislation. Thus, the question is not if data privacy laws will apply to crowdfunding transactions, but when.
As we discuss data privacy laws, it is important for you to understand the different types of information that can be considered ‘data.’ Data can refer to credit card numbers, real names, postal addresses, social security numbers, demographics, income, online browsing and search history, age, commercial information, political affiliations, educational information, religious affiliation, unique personal identifier/account name/online identifier, driver’s license number, geolocation data, biometric data, IP addresses, passport number, and more. Now keep this in mind as you go through the following information about U.S. data privacy laws.
Data Privacy Laws in the U.S.
Data privacy law is a type of protection concerning the handling of consumer data. There are a number of data privacy laws currently being introduced across the U.S. Specifically, California and Virginia are the first States to create their own data privacy legislation, and as such, their privacy laws have become a foundation for other States. California’s privacy laws are modeled after the laws of the European Union (EU), which you will learn more about in our next blog. Data privacy laws are designed to protect consumer rights by creating rules for how businesses control, share, collect, and use consumer, business, or investor data.
The current California Consumer Privacy Act (CCPA) passed in 2018 and came into effect in 2020. It regulates “companies that conduct business in California and generate yearly revenues greater than $25,000,000.” In 2020, California voters approved the California Privacy Rights Act (CPRA), which expanded the CCPA and included new requirements as further described below. The CPRA will go into effect in January 2023 and will replace the CCPA. Currently, the CCPA applies to a business that meets at least one of the following: (1) has annual revenues in excess of $25 million; (2) buys, sells, processes, or shares personal data of 50,000 or more California consumers (including businesses and investors); or (3) has 50 percent or more of its revenue attributed to selling residents’ personal information. By contrast, the CPRA will change the threshold for businesses with greater than $25 million in annual revenues by considering their preceding calendar year annual revenues instead. The new CPRA bill will also expand the requirement of 50,000 California residents to 100,000.
In March 2021, the Governor of Virginia signed into law the Virginia Consumer Data Protection Act (VCDPA). This Act will become effective in January 2023. The Virginia bill is modeled after the proposed Washington Privacy Act as well as California’s data privacy laws. Similar to the CCPA and CPRA, the VCDPA also has threshold requirements for businesses to meet before the law becomes applicable to them. For instance, a company that conducts business in Virginia, provides products or services to residents in Virginia, or collects information from Virginia investors will be bound by the VCDPA if it: (1) controls or processes personal information of at least 100,000 consumers (including information from businesses and investors) in Virginia; or (2) controls or processes data of at least 25,000 residents (including incorporated businesses and investors) and receives 50 percent of its revenue from the sale of that data.
Likewise, Colorado will be the third State to pass data privacy legislation in the U.S. SB21-190, also known as the Colorado Privacy Act (CPA), takes effect in January 2023. The bill passed through the Senate and is currently awaiting the Governor’s signature. This Act is modeled after the proposed Washington Privacy Act and Virginia’s VCDPA, with some differences. Here, the CPA will apply to data controllers who conduct business in Colorado, or “provide products or services that are intentionally targeted to residents of Colorado and either:” (1) control or process data of 100,000 or more Colorado residents each year; or (2) obtain revenue or receive discounts on the price of goods or services for selling that personal data, and process or control the data of at least 25,000 residents.
In New York, the New York Privacy Act (NYPA) is currently being reintroduced for approval. Similar to Colorado, the NYPA’s threshold resembles that of California and Virginia. For instance, the Act applies to businesses that provide goods and/or services to New York residents and that satisfy at least one of the following: (1) has revenues of $25 million or more; (2) collects personal data of 100,000 or more residents; (3) gathers information from 500,000 consumers (including businesses and investors) nationwide with at least 10,000 of those consumers being from New York; or (4) receives 50 percent of its revenue from the sale of personal data while collecting the data of at least 25,000 residents. The NYPA requires applicable businesses to obtain consent from consumers prior to collecting their data.
In 2020, the Illinois Data Transparency and Privacy Act (IDTP) was passed and will take effect in July 2021. The IDTP also has similarities to California’s CCPA. This Act applies to businesses that: (1) collect and sell consumer data from at least 50,000 Illinois residents; and where (2) at least 50 percent of their revenue is derived from selling consumer data. The IDTP gives Illinois residents the right to know what data is being used and how. As with the other States’ legislation, residents of Illinois have the right to opt out of the disclosure of their personal information.
Data privacy laws intersect securities laws in a number of ways. This includes situations where investors provide business issuers or crowdfunding portals their financial data so that they may invest online. It also includes situations where businesses provide portals with details surrounding their crowdfunding offering so that investors may properly invest in the business. Likewise, these laws intersect when crowdfunding portals collect financial and contact information from investors and business issuers so that they may facilitate crowdfunding offers and sales between these businesses and investors.
As a result, the business and crowdfunding portal will have to abide by data privacy laws in order to ensure legal compliance of securities transactions. Businesses and crowdfunding portals should focus on taking all the necessary precautions to minimize risk related to the mishandling of investors’ data (think about TikTok’s $92 million settlement). Because of the nature of online crowdfunding, where a business is collecting data from individuals all over the U.S., these data privacy laws are likely to apply. Ultimately, the laws will vary by State, and the overarching question remains: which State data privacy law applies? All of them or only a select few? There is no easy answer, although using California and Virginia as a guide would be beneficial.
Still, this is such a new and evolving area of law. It is necessary to consult a licensed attorney to assist you in this process. To learn more about how data privacy laws and securities laws intersect, stay tuned for Part II of this series.
*with contributions and additions by Elizabeth L. Carter, Esq., Managing Attorney