
The California Consumer Privacy Act (CCPA) is a major new state law poised to affect the privacy landscape not just in California, but in the U.S. as a whole. It was signed into law by California Governor Jerry Brown on June 28, 2018, after being hastily introduced in the California Legislature just a few days prior.

The Act gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:

1) The right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
2) The right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
3) The right to have a business delete their personal information, with some exceptions; and
4) The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

The Act will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information.

The law does not apply to information already regulated under the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Driver’s Privacy Protection Act; it still applies to entities covered by these laws to the extent they collect and process other personal information about California consumers.

Matthew Smith, director of Government Affairs and general counsel for the Coalition Against Insurance Fraud, commented on new laws governing cyber and data privacy in an article that appeared in the Claims Journal. Two of the most significant laws, he said, came out of South Carolina and California.

“The California Privacy Law applies to insurers and all other businesses in the state and has very severe restrictions on the use of private data,” Smith explained.

“We’re looking at it from the standpoint of what impact it might or might not have on an insurer’s ability to even report fraud. We think we’re all right there, but we’re partnering with others to look to make certain that it does not infringe on the ability to report insurance fraud under the Privacy Act.”

Businesses will incur significant compliance costs in order to update procedures, policies and Web sites in accordance with the new law. Additionally, the Act’s grant of a private right of action means that companies will have to anticipate a possible flood of consumer-driven litigation.

It is expected that the state legislature will continue to refine and amend the Act’s privacy-related requirements before the final version of the law goes into effect on January 1, 2020.

Legal experts in the field of data privacy claim in an article published in a legal newsletter that “data privacy remains one of the most significant concerns facing the insurance industry. A flurry of new and evolving data security and privacy laws and regulations are re-shaping the regulatory landscape, making it more difficult for companies to avoid exposing themselves to regulatory and other legal risk.”

Companies should start formulating compliance strategies well before the law goes into effect January 1, 2020.