One of the greatest legal and compliance risks facing the insurance industry today is the ever-evolving landscape of privacy and data security laws. The California Consumer Privacy Act ("CCPA") is widely regarded as the most sweeping privacy law in the United States and will impact how insurers collect, store, sell and process the personal information of California consumers. Other states are likely to soon follow suit—there are currently at least 11 other states with pending privacy legislation that incorporates CCPA-like concepts and requirements.

In this Legal Update, we examine the history of the CCPA, its key provisions, its current legislative status (let's just say, "it's complicated") and practical takeaways for insurers and insurance regulators. Spoiler Alert: Insurers should not be delaying compliance efforts. Recent experience with the General Data Protection Regulation ("GDPR") of the European Union ("EU") has demonstrated that it takes time and forethought to prepare for compliance with broad changes to privacy regulation. Despite the remaining uncertainties in the law, insurers should be ramping up for CCPA compliance now. Likewise, state insurance regulators should take note as compliance with state privacy regimes may end up within their purview.

History of the CCPA

In 2017, California privacy advocates, responding to the Cambridge Analytica scandal and the GDPR, introduced a ballot initiative called "The Consumer Right to Privacy Act of 2018." Given the ballot measure's sweeping reforms and the challenge of amending laws passed in California through direct ballot initiatives, the California legislature agreed to pass very similar legislation in exchange for the ballot initiative's withdrawal. The CCPA was passed unanimously on the last day to withdraw a ballot measure and signed by Governor Jerry Brown the same day. Almost immediately the legislation, which was drafted and passed in haste, drew criticism from both the business community and the California attorney general. The California legislature is working to address criticisms of the CCPA in this legislative session, in advance of the law's January 1, 2020 effective date.

Key Elements of the CCPA

TO WHOM AND WHAT DOES IT APPLY?

The CCPA applies to "businesses" that "collect, or determine the purposes and means of processing," the "personal information" of a California "consumer."

Subject "businesses" include any legal entity that is organized or operated for the profit or financial benefit of its shareholders or owners and that meets one of the thresholds below (Cal. Civ. Code §1798.140(c)(1)), or any entity that controls or is controlled by a business meeting this definition and that shares common branding with that business (Cal. Civ. Code §1798.140(c)(2)).

  1. Gross revenue threshold. Annual gross revenue in excess of $25 million;
  2. Collection threshold. Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
  3. Sales threshold. Derives 50 percent or more of annual revenues from selling consumer personal information.

A "consumer" is any natural person who is a California resident (Cal. Civ. Code §1798.140(g)). As currently drafted, this includes California resident employees. Insurers that are used to viewing "consumers" through the lens of the Gramm-Leach-Bliley Act ("GLBA") and the Insurance Information and Privacy Protection Act ("IIPPA") will note that an individual does not need to seek or obtain a product or service from the business, or enter into a transaction with the business, to qualify as a consumer under the CCPA.

Personal information under the CCPA, as currently drafted, is much broader than under other privacy laws. Under the CCPA, personal information includes information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household" (Cal. Civ. Code §1798.140(g)), including but not limited to:

  • Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number or "other similar identifiers";
  • Any categories of personal information already described under California law;
  • Characteristics of protected classifications under California or federal law (e.g., race, religion, sexual orientation, gender identity, gender expression and age);
  • Commercial information, including records of personal property, products or services purchased, obtained or considered or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • "Internet or other electronic network activity information," including, but not limited to, "browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement";
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory or similar information;
  • Professional or employment-related information;
  • Education information (as defined in the Family Education Rights and Privacy Act); and
  • "Inferences drawn from any of the information identified" above "to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."

WHAT DOES IT REQUIRE?

The CCPA creates a series of consumer rights that come with corresponding business obligations.

Right to Know. The CCPA gives consumers the right to request the categories and specific pieces of personal information collected, sold or disclosed (Cal. Civ. Code §1798.100(a)(c)). Correspondingly, a business must (1) at or before the point of collection, inform consumers about the categories of personal information collected and purposes of use (Cal. Civ. Code §1798.100(b)); (2) make methods available for consumers to submit a request for personal information (Cal. Civ. Code §1798.130(1)); and (3) in response to a consumer request, disclose and deliver the personal information "free of charge" within 45 days (Cal. Civ. Code §1798.130(2)).

Right to Opt Out. The CCPA gives consumers the right to opt out of a sale of their personal information to a third party (Cal. Civ. Code §1798.120(a)). Correspondingly, a business must (1) provide a clear link on its homepage and in its privacy policy titled "Do Not Sell My Personal Information" that sends the consumer to a website to opt out of the sale of their personal information (Cal. Civ. Code §1798.135(a)(1)), (2) respect the decision to opt out for at least 12 months before requesting that the consumer authorize the sale of personal information again (Cal. Civ. Code §1798.135(a)(4)), and (3) ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices are informed of the right to opt out and of how to direct consumers to exercise that right (Cal. Civ. Code §1798.135(a)(3)).

Right to Delete. The CCPA gives consumers the right to request that a business delete personal information it has collected about the consumer (Cal. Civ. Code §1798.105(a)). Correspondingly, a business must (1) disclose the right to delete on its website and in its privacy policy (Cal. Civ. Code §1798.105(b)) and (2) subject to applicable exceptions, delete the consumer's personal information from its records and direct any service provider to delete the consumer's personal information from the service provider's records (Cal. Civ. Code §1798.105(d)).

The CCPA also prohibits businesses from discriminating against any consumer for exercising their rights under the new law, including denying a consumer goods or services, charging a different price for a good or service or providing a lower quality of goods or services (Cal. Civ. Code §1798.125(a)).



© Copyright 2019. The Mayer Brown Practices. All rights reserved.
