The California Consumer Privacy Act (CCPA) is a new law that came into effect on January 01, 2020, which protects the rights of Californian consumers. As the strictest state-level privacy and data protection law in the US, the CCPA sets a new bar for businesses that collect and share the personal data of Californian consumers.
The CCPA permits any Californian consumer to see what personal information is collected, used, shared or sold by businesses, in addition to a full list of all the third parties with whom that personal data is then shared. Consumers have the right to delete any personal information held by businesses or third-party service providers, and they’re also able to opt-out of the sale of personal information.
Children under the age of 16 are also given extra protections under the new bill. Minors must provide opt-in consent for businesses to sell their personal information, and those under 13 must have the consent of a parent or guardian. Anyone who exercises a privacy right under the CCPA, regardless of age, cannot be discriminated against in terms of price or service as a result of their privacy-related choice.
Who is impacted by the CCPA?
Not all companies are impacted by the CCPA. The law only pertains to for-profit companies that collect or control any information about California residents and meet any of the following criteria:
Importantly, the CCPA doesn’t just affect businesses in the region where the law is passed. It has the potential to impact any business serving customers in California, no matter where they are based.
How does the CCPA define ‘personal information’?
The CCPA has a broader definition of personal information than other existing privacy laws, even the infamously strict European General Data Protection Regulation (GDPR). The CCPA defines personal information as any data that “identifies, relates to, describes, is capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.” It includes things like names, nicknames, addresses, passport numbers or social security numbers, as well as geolocation data, employment or education-related information and physical and behavioral characteristics.
What happens if a company breaches the CCPA?
The CCPA has two main penalty mechanisms – one where the government can come after a business for violating the law’s requirements and another where individuals affected by a data breach can sue the impacted company. Companies can be fined up to $7,500 per violation, and in the case of theft of data, companies are liable for fines of up to $750 per consumer, per incident.
What does all of this have to do with insurance?
The CCPA, although a force for good for Californian consumers, opens up various new avenues of exposure for businesses. Those that are deemed not in compliance with the strict privacy law could face lawsuits and/or significant fines. Therefore, many are seeking insurance coverage – primarily, cyber insurance coverage – to protect against any unforeseen or unintended breaches of the law. As Michael Palotay, chief underwriting officer for Tokio Marine HCC’s cyber and professional lines group, pointed out: “If the history of other professional lines of business is a judge, more regulations generally equal more risk and thus a bigger need for insurance.”
As stated above, the fines for intentional violations of the CCPA can reach up to $7,500 per violation. If you’re a company dealing with millions of consumer records and you’re deemed to be acting in violation of the CCPA, the potential for a big loss is great. Palotay explained: “A company could theoretically have millions of violations, so if insurers are providing a $1 million limit or a $5 million limit, but a company has $50 million-plus in exposure, it can quickly turn into a situation where we just basically have to give them the limit. And they end up managing the defense on their own because they have way more to lose than what we have up on the limit. It’s a weird dynamic that doesn’t happen very much in my world, but my claims department has been warning that that can happen.”
How will the CCPA impact cyber insurance?
The law’s definition of ‘personal information’ is broad and will likely throw up some language and definition challenges in the cyber insurance space. Steven Robinson, area president, technology and cyber for Risk Placement Services (RPS), told Insurance Business: “Many [cyber insurance policies] today still narrowly define personally identifiable information or private information as the initial [of a] first name, account number, financial information – anything that can uniquely identify someone. But oftentimes, they’ll say that a breach of private information is defined by a particular state law, and so the question starts to come around: ‘what happens if there’s a breach of what we would consider to be confidential information that maybe doesn’t meet a certain state’s statutory definition, and how does the cyber policy deal with that?’ What this does is it expands beyond what has been considered the foundational covered philosophy of a lot of cyber insurance policies, by expanding what they define as consumers’ personal information.”
In a positive for the cyber insurance market, this new privacy law could also spur an uptick in companies buying standalone cyber insurance policies rather than just an endorsement. Standalone cyber insurance policies have broad policy wording that can adapt to changing privacy needs and cyber exposures over time.
What’s next with the CCPA?
The law came into effect on January 01, 2020, but there’s a six-month grace period to enable companies to become compliant. As for the rest of the US, California is often a front-runner when it comes to legislation, so it will be no surprise if the CCPA acts as a game-changer for the privacy landscape across the country in years to come.