Part 3: Coverage Considerations Under CGL Policies for CCPA Violations
This blog post is our third in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA).
Imagine this: You own a successful string of sporting goods stores across California. Not only do you sell goods directly, but you also finance large purchases to well-qualified buyers and have a generous rewards program.
When customers log in to your website, you gather personal information (e.g., name, email address, cell number, etc.). In order to participate in the rewards program and/or obtain financing, customers must provide certain personal information (e.g., home address and phone, name of employer, Social Security number, etc.). In order to increase revenue, your business sells some of this customer data to various affiliates that are sporting organizations so they can contact your customers about upcoming events and promotions.
You are able to continue selling customer data because you complied with the CCPA’s opt-out and website requirements before the effective date of January 1, 2020. Unfortunately, after January 1, you accidentally sell all of your customers’ data, including those who opted out, and they all received email, mail, and/or texts regarding upcoming sporting events in their area.
In the anticipation of backlash from customers due to your accidental sale, you locate your business’s Commercial General Liability (CGL) policy and begin reading. Are you covered?
The CCPA subjects violators to two types of penalties. First, under Cal. Civ. Code Section 1798.155(b), the California attorney general may impose a civil penalty of not more than $2,500 per violation ($7,500 if intentional), pursuant to Section 17206 of the California Business and Professions Code (Unfair Competition Law or UCL). Second, under Cal. Civ. Code Section 1798.150, the CCPA grants consumers a private right of action to obtain:
- Damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater
- Injunctive or declaratory relief; and/or
- Any other relief the court deems proper
Most CGL policies likely will not cover penalties sought by the California attorney general because, as a matter of public policy, California prohibits insurers from providing coverage for any claims brought under the UCL.
California courts may also preclude coverage for penalties sought under sections 1798.155 and/or 1798.150 to the extent they do not constitute damages, as required by a CGL policy.
A typical CGL policy covers, in relevant part, sums an insured becomes legally obligated to pay as damages because of: bodily injury or property damage caused by an occurrence (Coverage A), and personal and advertising injury caused by an offense (Coverage B).
Even if the statutory penalties could constitute damages, the accidental sale of personal information likely would not constitute bodily injury or property damage (although creative plaintiffs’ counsels may disagree). More likely, policyholders will argue that it constitutes personal and advertising injury, defined in part as the “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
In the event the accidental sale constitutes a publication that violated customers’ rights to privacy, the “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, found in Coverages A and B, likely applies to bar coverage, among other exclusions. Specifically, this exclusion precludes coverage for “‘personal and advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate…[a]ny federal, state or local statute, ordinance or regulation…that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
On its face, this exclusion appears to apply to CCPA claims. However, it is still too early to tell how the courts in California will interpret the CCPA. For example, whether this exclusion applies to preclude coverage for violations of Illinois’s Biometric Information Protection Act is currently being litigated.
Should you have any questions
concerning CCPA coverage issues, please contact the authors for additional
information. Read Part One of
this post here and Part Two here.
Goldberg Segalla offers a comprehensive CCPA Compliance Package tailored to
your specific business. For more information on how Goldberg Segalla can help
you comply with the CCPA, please contact partner Marc S. Voses,
chair of the Cybersecurity
and Data Privacy Practice Group.
 See Cal. Ins. Code Section 533.5; see also Mt. Hawley Insurance Co. v. Lopez, 215 Cal. App. 4th 1385, 1389 (2013); Allen v. Steadfast Ins. Co., CV 14-1218 JC, 2014 WL 12569527.
 See Big 5 Sporting Goods Corp. v. Zurich Am. Ins. Co., 957 F. Supp. 2d 1135, 1155 (C.D. Cal. 2013), aff’d, 635 Fed. Appx. 351 (9th Cir. 2015) (holding that the civil penalties available under the Song-Beverly Act (Cal. Civ. Code Section 1747.08) to the California Attorney General and private citizens do not constitute damages under a CGL policy).
 See Big 5, 635 Fed. Appx. 351 at 353 (precluding coverage for violations of the Song–Beverly Act under a similar “Statutory Violation Exclusion”).
 See Zurich Am. Ins. Co. v. Omnicell, Inc., 18-CV-05345-LHK, 2019 WL 570760 (N.D. Cal. Feb. 12, 2019).