The U.S. does not yet have an extensive federal data privacy law similar to the General Data Protection Regulation (GDPR), which covers the European Union (EU) and its residents. Currently, it is up to individual states to develop personal data legislation. California was the first state to implement such a law in late 2018, known as the California Consumer Privacy Act (CCPA). Now, nine other states are considering their own versions of similar consumer privacy laws.
California Consumer Privacy Act
California passed a sweeping consumer privacy law that could force significant changes on companies that deal in personal data. The CCPA has already been amended once, but aspects of the law are still being debated, adjusted and updated before it fully goes into effect on January 1, 2020. Businesses should nevertheless start preparing privacy notices and updating their policies, procedures and websites now in order to be ready.
Provisions of the New California Data Privacy Law
The CCPA gives California residents an assortment of new privacy rights, starting with the right to be informed about what kinds of personal data companies have collected and why it is being used. The law stipulates that consumers have the right to:
- Request the deletion of personal information
- Opt out of the sale of personal information
- Access the personal information in a “readily useable format” that enables the easy transfer of the data to third parties
Consumers under the age of 16 must opt in to allow their personal information to be sold. For children under 13, a parent or guardian must receive and approve the consent. Businesses must also post an easily accessible link on their homepage stating “Do Not Sell My Personal Information” so that consumers can easily opt out.
Who is Impacted by the CCPA?
The law technically applies only to California residents; however, businesses impacted by the law do not need to have a physical presence in California. A business should be concerned with the CCPA if it meets any one of the following criteria: it has gross revenue over $25 million, it receives and shares the personal information of over 50,000 Californians annually, or it derives at least 50 percent of its annual revenue from selling the personal information of California residents. Nonprofits and companies that do not meet the above requirements do not have to comply with the CCPA.
Personal Information under the CCPA
According to The New Jersey Law Journal, the CCPA, like the GDPR, defines personally identifiable information (PII) broadly as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.” New to data privacy legislation, under the CCPA the information collected by a business does not have to be associated with a specific individual, but can instead identify a household. The CCPA excludes information that is publicly available via federal, state or local government records, as well as medical or health information collected by an organization governed by California’s Confidentiality of Medical Information Act or HIPAA.
CCPA Law Amendments and Compliance
Amendments to the law must be finalized to be in place when the law goes into effect in January 2020. Some of the amendments discussed include allowing California consumers to sue companies in mass class-action litigation if the companies are accused of violating the CCPA, and requiring companies to inform users if their data is being sold to third parties and how much money their data is worth. Currently, the penalty for not complying with the law is up to $7,500 per violation. Companies have 30 days to cure their violations and become compliant before they are fined.
CCPA Impact on the Insurance Industry
The CCPA is both a challenge and an opportunity for the insurance industry. Insurance companies often need to process sensitive personal data to underwrite risks and provide claims handling and other insurance-related services. Much of the personal data that insurers hold about individuals is sensitive in nature, particularly information about a person’s health or medical treatment. These “special categories” of personal data cannot be processed unless the individual has given explicit consent to that processing, or in certain other limited circumstances, none of which readily apply to the insurance industry.
California’s new law strengthens an individual’s rights to access and protect their personal data. These include the right to request that their data be deleted (the right to erasure), the right to object to processing, and the right to data portability in electronic form. This means that a policyholder could request a copy of all data that their insurer holds about them in a commonly used, machine-readable format so they can provide it to their new insurer. Individuals must also be informed about any automated decision-making processes in the insurer’s privacy notice, and they will have the right to object to automated decision-making, meaning that the insurer must offer a non-automated alternative.
Learn More About How to Protect Personal Data
AmTrust Financial explored the impact of the GDPR and the California Consumer Privacy Act on small businesses, including the insurance industry in the U.S., in our recent white paper, “What is the GDPR? The Impact on the Insurance Industry and Small Businesses in the U.S.” Download a copy today to learn more about the many aspects of data privacy laws that impact how we share, store and control our own personal information.
This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.