# CCPA — California Consumer Privacy Act ## What It Is The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, is California's comprehensive data privacy law. It gives California residents rights over their personal information and imposes obligations on businesses that collect, use, or share that information. ## Who It Applies To The CCPA applies to for-profit businesses that do business in California AND meet at least one of the following thresholds: 1. **Annual gross revenue** over $25 million 2. **Buy, sell, or share** the personal information of 100,000 or more California residents, households, or devices annually 3. **Derive 50% or more of annual revenue** from selling or sharing California residents' personal information ### Investment Fund Exemptions and Carve-Outs - **Gramm-Leach-Bliley Act (GLBA) exemption**: Personal information collected pursuant to GLBA (financial privacy) is exempt from CCPA. This covers information collected for financial transactions, including investor data collected under Regulation S-P. See [Regulation S-P](regulation-s-p.md). - **Securities-regulated data**: Investor information collected for SEC or state compliance purposes may fall under the GLBA exemption. ## How It Applies to Palace Fund ### Likely Not Applicable — But Plan Ahead A small fund with limited investors will almost certainly fall below all three CCPA thresholds: - Revenue under $25 million - Fewer than 100,000 California residents' data processed - Revenue is not derived from selling personal information Additionally, investor data collected for financial services purposes is likely covered by the GLBA exemption. ### When CCPA Could Apply - If the fund operates a website that collects visitor data (cookies, analytics) from California residents at scale - If the fund grows past $25 million in gross revenue - If the fund collects data outside the financial services context (marketing, events) ### Korean Investor Data - CCPA applies only to California residents. Korean investors residing in Korea are not covered by CCPA. - However, Korean investors residing in California would be covered. - Korea has its own privacy law (PIPA — Personal Information Protection Act) which may impose separate requirements on handling Korean residents' data. ## CCPA Rights (If Applicable) If CCPA applies, California residents have the right to: 1. **Know** what personal information is collected and how it is used 2. **Delete** their personal information 3. **Opt out** of the sale or sharing of their personal information 4. **Correct** inaccurate personal information 5. **Non-discrimination** for exercising CCPA rights 6. **Limit use of sensitive personal information** ## Action Items 1. **Assess applicability**: Confirm that the fund falls below CCPA thresholds. Document this assessment. 2. **Rely on the GLBA exemption**: Investor data collected for financial services purposes is exempt. Ensure that data collection practices align with Regulation S-P requirements. 3. **Privacy policy**: Even if CCPA does not apply, maintain a privacy policy that discloses what personal information is collected, how it is used, and how it is protected. This is required under Regulation S-P and is good practice. 4. **Website considerations**: If the fund has a website, assess whether it collects data from California residents (analytics, cookies). If so, provide a cookie notice and opt-out mechanism. 5. **Monitor growth**: If revenue approaches $25 million, revisit CCPA compliance. 6. **Korean privacy law (PIPA)**: Separately assess compliance with Korean data privacy requirements for Korean investor data. ## Key Takeaway CCPA is unlikely to apply to a small private fund, and investor financial data is further protected by the GLBA exemption. However, maintain a privacy policy and clean data practices from the start. The more relevant privacy obligation for investor data is Regulation S-P.