Prior to last week, chances are you had not heard of Robinhood, the stock trading platform popular with millennials. That likely changed when the company’s name became ubiquitous in print and online media as part of the GameStop stock mania; first as an advocate for the “little guy” investor and quickly as a villain subservient to the whims of wealthy Wall Street investors (and the subject of a class-action lawsuit and an SEC investigation). From a data privacy standpoint, what quickly became clear is that Robinhood makes most of its money from selling its customers’ data to financial institutions, and may be operating in violation of the California Consumer Privacy Act (“CCPA”).
Robinhood was founded in April 2013 by Vladimir Tenev and Baiju Bhatt, who had previously built high-frequency trading platforms for financial institutions in New York City. In the 7 years between its inception and the recent GameStop issue, Robinhood raised $1.2B and grew to over 10M users; its value proposition is that you can trade for “free”.
Robinhood makes money primarily by selling users’ trading data to high frequency trading firms.
This practice is called “payment for order flow”, or PFOF for short. It’s a common practice among brokerages, and Robinhood’s revenues from PFOF are said to be in excess of $150 million each year. Without diving too deeply into the mechanics of PFOF, suffice it to say that Robinhood and other providers receive a small payment (sometimes less than a penny!) for providing their customers’ data to these firms. Do it enough times and the money piles up, which is why Robinhood was recently valued at more than $20 billion.
CCPA has a concept called “Do Not Sell My Personal Information”, which provides California residents with the right to prevent companies from selling their personal information or data. Any company that is considered to be selling personal information is required to comply with obligations as laid out in CCPA.
Maybe. According to the CCPA, there is a carve out for “service providers”, in which a business can be exempt from being considered a seller of personal information where it shares consumer data under these conditions:
It would be hard to argue that transferring personal information as a part of PFOF isn’t necessary to perform a business purpose (how else could the trade occur?), so Robinhood is likely OK on the first point. But the next two are less clear. First, there’s a reason that financial institutions pay Robinhood for this data: so that it can be used for their own business purposes when assessing risk in the market or other issues. If these financial institutions include the personal information in their usage (rather than just the aggregate or pseudonymized data), then they may be in violation.

Robinhood specifically outlines in its privacy policy that it shares personal data with service providers; however, the example the policy gives is sharing personal data with service providers that “identify and serve targeted advertisements or provide mailing services, tax and accounting services, contest fulfillment, web hosting, or analytics services”. No mention is made of PFOF, which is a primary reason why Robinhood exists and allows it to make hundreds of millions of dollars each year in revenue. That may be why Robinhood users felt blindsided and were outraged when the company admitted that it had engaged in deceptive practices on this subject and was subject to a $65 million SEC fine. Additionally, Robinhood does not have a “Do Not Sell My Personal Information” button on its website, as required by CCPA, so consumers can’t opt out of the sale of their data even if they wanted to.
Many companies have been trying to skirt the CCPA by claiming the service provider exemption or by claiming they don’t sell personal information. We believe this is a narrow reading of CCPA, and one that will end up putting companies in a position of unnecessary financial risk due to the penalties that could result. Even if your company is not engaging in PFOF, or transferring personal data for straight cash, you may be considered to be “selling” data for purposes of CCPA. And if that’s the case, failing to implement CCPA-compliant mechanisms can result in significant financial penalties.
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.