January 1, 2020, will mark the beginning of a new era of big data collection risk for many businesses. That is when the California Consumer Privacy Act of 2018 (CCPA) takes effect and imposes several onerous compliance requirements on certain businesses that collect and process the personal information of California residents. Ultimately, the CCPA will give California residents more control over what information is collected about them and who has access to it. With the effective date only a few months away, businesses subject to the CCPA need to take steps now to meet its many requirements.
Is My Business Subject to the CCPA?
The CCPA will apply to the following, with some limited exceptions.
- For-profit entities doing business in the state of California that collect consumers’ personal information and meet any one of the following thresholds:
- (a) Annual gross revenues in excess of $25 million (subject to adjustment)
- (b) Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices
- (c) Derive 50% or more of annual revenue from selling consumers’ personal information
- Businesses that control, are controlled by or have common branding with a business that satisfies the above.
What Is Required?
Notice: At or before the time of collecting personal information, the business must provide notice of the categories of personal information to be collected, and the purposes for which they will be used.
Disclosure: Upon request of a consumer, the business must disclose the following:
- Categories and specific pieces of the consumer’s personal information the business has collected
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting or selling personal information
- Categories of third parties with whom the business shares personal information
Delivery of Personal Information: Upon request of a consumer, up to twice in a 12-month period, the business must deliver to the consumer all of the consumer’s personal information collected.
The Right to Be Forgotten: Each business must notify consumers of their right to request the business to delete all of the consumer’s personal information. Certain exceptions permit the business to retain personal information for specific purposes.
Nondiscrimination: With some limited exceptions, businesses are prohibited from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the CCPA, including denying goods or services, charging different prices, providing a different level of quality of goods or services, or suggesting that the consumer will receive a different price or level of quality of goods or services.
What Happens If I Am Found Noncompliant With the CCPA?
The California attorney general can bring regulatory actions and impose civil penalties of up to $2,500 per violation, or up to $7,500 per violation if the violation is found to be intentional. The CCPA also creates a private right of action for certain data breaches that result from a business’s failure to maintain reasonable security practices, and plaintiffs may additionally attempt to bring claims under California’s Unfair Competition Law for CCPA violations. Defendants could be ordered to pay statutory damages of between $100 and $750 per California consumer per incident, or actual damages, whichever is greater.
What Should I Do Between Now and January 1, 2020?
Organizations that must meet the obligations of the CCPA will need to devote significant time and resources to meet the January 1, 2020 effective date. As such, we suggest immediate focus on the following action items:
- Understand how the CCPA defines personal information and analyze what types of personal information are collected or otherwise obtained.
- Understand the life cycle of the data. How and when is personal information processed? To whom is it transmitted? Who can access it? Where is it stored?
- Draft the required notices and disclosures with the help of legal counsel.
- Build an efficient process for responding to consumer demands. This may include requests for data and proper protocols for deleting data upon request.
- Establish a vendor management program that includes a formal review of contracts with third-party service providers. The review should focus on contractually obligating vendors to comply with CCPA requirements.
- Read and understand all of the requirements and exceptions of the CCPA. Be aware that there are over 20 pending bills seeking to amend the CCPA in some way, so it is subject to change between now and January 1, 2020.
- Keep a close eye on regulatory developments in other states. There are at least 15 states drafting similar consumer privacy laws as of this writing.
How Might Cyber Insurance Help?
For those businesses that find themselves in the crosshairs of a regulator or plaintiff attorney stemming from an alleged violation of the CCPA, it will be important to seek risk transfer wherever possible. There are several factors that may impact insurance coverage. We suggest you review all potential insurance policies that might respond. In particular, your cyber insurance policy could focus on the following coverages:
Crisis Management—Companies could draw the attention of regulators when they become victims of a cyberattack in which a significant number of individuals’ personal information is impacted. Costs to retain external vendors, including privacy attorneys that are experienced in regulatory investigations, may be covered.
Privacy Liability—After a network intrusion, plaintiffs could try to tie legal liability to regulatory requirements, including the CCPA. Litigation costs and settlements may be covered under these policies.
Be mindful that there are many potential pitfalls in insurance policies, and they may not all respond to all costs incurred. Some potential exclusions to consider:
- Many jurisdictions will not allow coverage for punitive damages.
- Intentional acts of employees could be excluded.
- Regulatory investigations, lawsuits and fines in the absence of a data breach may not be covered.
Therefore, to attain optimal risk transfer, it is imperative to align your organization with a skilled and experienced cyber insurance broker who can navigate the dynamic and competitive cyber insurance market.
Interested in learning more?
Join our upcoming webinar as we discuss emerging privacy requirements and related risks driven by CCPA and best practices for compliance and implications for your cyber insurance program.
About the author.
John Farley, Managing Director, Cyber Liability Practice, is an industry-recognized subject matter expert in cyberrisk management. He is also a frequent guest speaker and a published author with a 27-year track record in the insurance industry. John leads Gallagher’s Cyber Liability practice, developing and executing insurance coverage across all lines in the U.S. and working closely with our teams across the world in our Global Cyber practice. He provides thought leadership on a variety of cyberrisk management best practices. He assists clients across all industries in navigating the dynamic cyber insurance markets as a means to cyberrisk transfer while providing guidance on emerging regulatory risk, cyberattack techniques, cyberrisk prevention and data breach cost mitigation strategies.