Prior to last week, chances are you may not have heard of Robinhood, the stock trading platform popular with millennials. That likely changed when the company’s name became ubiquitous in print and online media as part of the GameStop stock mania: first as an advocate for the “little guy” investor, and quickly thereafter as a villain subservient to the whims of wealthy Wall Street investors (and the subject of a class-action lawsuit and an SEC investigation). From a data privacy standpoint, what quickly became clear is that Robinhood makes most of its money from selling its customers’ data to financial institutions, and may be operating in violation of the California Consumer Privacy Act (“CCPA”).
What is Robinhood?
Robinhood was founded in April 2013 by Vladimir Tenev and Baiju Bhatt, who had previously built high-frequency trading platforms for financial institutions in New York City. In the 7 years between its inception and the recent GameStop issue, Robinhood raised $1.2B and grew to over 10M users; its value proposition is that you can trade for “free”.
How Does Robinhood Make Money?
Robinhood makes money primarily by selling users’ trading data to high-frequency trading firms.
This practice is called “payment for order flow”, or PFOF for short. It’s a common practice among brokerages, and Robinhood’s revenues from PFOF are said to be in excess of $150 million each year. Without diving too deeply into the mechanics of PFOF, suffice it to say that Robinhood and other providers receive a small payment (sometimes less than a penny!) for providing their customers’ data to these firms. Do it enough times and the money piles up, which is why Robinhood was recently valued at more than $20 billion.
What are the CCPA Implications?
CCPA has a concept called “Do Not Sell My Personal Information”, which provides California residents with the right to prevent companies from selling their personal information or data. Any company that is considered to be selling personal information is required to comply with obligations as laid out in CCPA.
Is Robinhood Running Afoul of CCPA?
Maybe. The CCPA has a carve-out for “service providers”, under which a business can be exempt from being considered a seller of personal information where it shares consumer data under these conditions:
- The data is vital for the performance of a business purpose;
- The service provider does not further collect, sell, or use the personal information; and
Why Does This Matter?
Many companies have been trying to skirt the CCPA by claiming the service provider exemption or by claiming they don’t sell personal information. We believe this is a narrow reading of CCPA, and one that will end up putting companies in a position of unnecessary financial risk due to the penalties that could result. Even if your company is not engaging in PFOF, or transferring personal data for straight cash, you may be considered to be “selling” data for purposes of CCPA. And if that’s the case, failing to implement CCPA-compliant mechanisms can result in significant financial penalties.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.