Insurers should be prepared to address policyholder demands for coverage in response to CCPA claims.
On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will take effect, intended to guarantee Californians the right to know what personal information is being collected from them, whether such information is sold or disclosed and to whom, and the right to access their own personal information.
Personal information under the CCPA means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information, as defined in the Act, includes but is broader than personally identifiable information.
Businesses subject to the CCPA include for-profit businesses that: (1) earn $25 million or more in annual gross revenue; (2) buy, receive, sell or share, for commercial purposes, the personal data of at least 50,000 California consumers, households, or devices; or (3) derive 50% or more of their annual revenue from selling the personal information of California consumers.
As presently drafted, the CCPA provides for a limited private right of action for consumers whose nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of a business’ failure to implement and maintain reasonable security. The Act also authorizes the California Attorney General to bring an enforcement action against those businesses subject to the CCPA which fail to comply with its terms.
The CCPA, as one of the first major data privacy laws in the US, will no doubt lead many businesses to query whether their present insurance program provides coverage for the consumer claims and regulatory actions brought under the Act. However, insurers of all types of policies should be prepared to address policyholder demands for coverage in response to CCPA claims.
Read the rest of our insurance predictions here.