The California Consumer Privacy Act of 2018 (CCPA), effective January 1, 2020, is intended to protect consumer information and improve privacy rights. Enforcement by the California Attorney General begins July 1, 2020.
In order to understand the impact of CCPA on the insurance industry, more detailed aspects of the act are reviewed below.
Does your business meet the criteria of the CCPA?
The CCPA regulates covered businesses that collect, sell, or disclose consumers’ personal information in California, whether or not the business is physically located in the state. In addition, the business must meet one of the following criteria:
- Have annual gross revenue $25 million or more;
- Annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices; or
- Derive 50% or more of its annual revenues from selling consumers’ personal information.
What are the rights granted to consumers under the CCPA?
Consumers will have the right to request from businesses collecting their information:
- To disclose the categories and specific pieces of personal information collected
- The business purpose for collecting and selling their information
- The types of third parties the information is shared
- To delete any personal information
- To opt-out of the sale of their personal information
Implications on insurance business
The fundamental transactions of an insurance business require the collections, use, and processing of personal information to underwrite policies, handle claims, investigate fraud, and even set rates. Since the enactment of California’s Insurance Information and Privacy Protection Act (IIPPA) in 1980, insurers were required to protect the personal information of policyholders. Furthermore, in 2003, the California Department of Insurance expanded its privacy regulations to require insurers to provide privacy and opt-out notices to policyholders.
The CCPA further regulates and expands consumers’ rights to protect personal information, including the right to request businesses to delete personal information. How can insurers process the fundamental transactions if consumers request for personal information to be deleted? Well, the IIPPA was recently amended to excuse insurers, to the extent required to complete an insurance transaction, from complying with policyholders’ requests to delete and to opt-out of the sale of personal information.
The California legislature intends to synchronize the consumer privacy protection regulations of the CCPA with the requirements of transacting insurance business and the existing protections in the IIPPA. Never the less, insurers conducting business with California consumers are encouraged to become familiar with the CCPA and to evaluate and conform policies and procedures to the requirements of the CCPA.
How do to comply with the CCPA?
Complying with the CCPA will require a diligent review of processes and procedures. Initial undertakings may include the following implementations:
- Updating privacy notices and policies to include the new California consumer rights, including timely notifying consumers the categories, purpose, and use of the personal information collected. Insurers conducting business in multiple states should consider either a universal or distinguished by state privacy notices.
- Updating database fields to categorize and track consumers’ personal information shared with third-parties, such as a specialty consumer reporting company that collects property and casualty claim information.
- Implementing procedures for consumers to exercise their rights. Businesses are required to provide at least two request-submission methods (at a minimum a toll-free number and a web address), promptly verifying consumer requests and responding to requests within 45 days.
- Educating employees about the CCPA and training them to properly manage consumers’ personal information and requests.
- Performing penetration and vulnerability scans to prevent data breaches in the IT infrastructure to ensure the safeguarding of consumers’ personal information.