Part 1: The California Consumer Privacy Act — What Insurers Need to Know
Assembly Bill No. 375, better known as the California Consumer Privacy Act (CCPA), is likely the most robust and sweeping privacy law in the United States. This is not surprising as California is notoriously at the forefront of passing privacy legislation, even though close to 20 other states are also taking steps to pass similar legislation.
The CCPA, which becomes effective January 1, 2020, creates a number of consumer rights regarding the collection, storage, selling, and processing of personal information, as well as corresponding business obligations. Cal. Civ. Code Sections 1798.100; 1798.105; 1798.120; 1798.125; 1798.130; 1798.135. The CCPA’s definition of personal information is very broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code Section 1798.140(o). Further complicating the matter are additional definitions that are ambiguous and sometimes conflicting.
All for-profit companies, including insurance companies, are required to comply with the CCPA if they meet one of the following thresholds:
1. Have annual gross revenue in excess of $25 million
2. Annually buy, receive, sell, or share the personal information of 50,000 or more consumer households or devices
3. Derive 50 percent or more of their annual revenue from selling consumer personal information.
Although the CCPA has a number of exceptions that apply to insurance companies, they are only partial and insurers will remain subject to the CCPA if they engage in conduct outside of the scope of these exceptions, which they likely do. Some exceptions include: Cal. Civ. Code Section 1798.145(c) (health/medical information under the Confidentiality of Medical Information Act and Health Insurance Portability and Accountability Act); Cal. Civ. Code Section 1798.145(e) (personal information governed by the Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Privacy Act); and Cal. Civ. Code Section 1798.145(f) (the Driver’s Privacy Protection Act).
Since being signed into law on June 28, 2018, the CCPA has been met with significant criticism and proposed legislation seeking to amend and/or clarify its terms. Of note to insurers is Assembly Bill 981, which proposes to:
1. Eliminate a consumer’s right to request that an insurer delete or not sell personal information when the insurer’s retention and/or sharing of that information is necessary to complete an insurance transaction on the consumer’s behalf
2. Amend California’s Insurance Information and Privacy Protection Act (IIPPA) to harmonize definitions and incorporate certain CCPA concepts.
Not only does the CCPA stand to affect insurers from a business compliance standpoint, but it also may affect their obligations to provide coverage for insureds that allegedly violate the CCPA. The CCPA creates a private right of action in the event of unauthorized access, theft, or disclosure of nonencrypted or nonredacted personal information as a result of a business’s failure to maintain reasonable security, and subjects violators to fines, penalties, and enforcement actions as a result of same. It could therefore result in a surge of consumer protection/rights lawsuits, and a corresponding uptick in sued companies demanding coverage from their insurers.
Cyber policies are intended to mitigate risks associated with the use of technology to process consumers’ personal information, including data breaches, system failures, and cyber extortion. However, they may not provide for coverage against the risks associated with violations of the CCPA.
For example, a policy may or may not provide coverage for:
1. Statutory damages, fines and/or penalties
2. Violating disclosure requirements
3. Failing to delete data upon request
4. Regulatory claims.
Other considerations include how cyber policies interact with other insurance policies that may respond, and whether other traditional third-party and first-party insurance policies will respond to claims alleging CCPA violations.
Given the sweeping nature of the CCPA, insurers are analyzing compliance requirements and the potential damages arising out of a CCPA violation. Likewise, insurers must weigh the extent to which the market is requesting coverage for these claims and resulting damages against their appetite to provide coverage.
This is the first post in a multi-part series on what insurers need to know about the CCPA. Subsequent posts will provide more in-depth analysis on compliance by insurers and coverage considerations under particular insurance policies, as well as how insurers can prepare on both fronts.
The full text of the CCPA can be found here. Goldberg Segalla’s CCPA fact sheet can be found here, prepared by partner Marc S. Voses, chair of the Cybersecurity and Data Privacy Practice Group. Please contact the authors with any questions or requests for additional information.