Insurance companies, insurance producers, and other insurance intermediaries doing business in California should know the obligations imposed by the California Consumer Privacy Act before the 2020 compliance date.

The California Consumer Privacy Act of 2018 ("CCPA" or the "Act"), which mandates the most comprehensive consumer privacy protections yet adopted in the United States, is set to become effective January 1, 2020. See Cal. Civ. Code 1798.100 et seq.; full text available here. Insurance companies, insurance producers, and other insurance intermediaries doing business in California should acquaint themselves with the many varied regulatory obligations imposed by the Act before the 2020 compliance date. In this blog post, we provide a brief overview of the material requirements of the Act and a brief discussion of why we believe the Act will be so impactful.

The Act gives "consumers", defined therein as natural persons who are domiciled in California, rights in relation to their personal information, including:

  • the right to know and receive notice of prior to or at the point of collection, what personal information a business has collected about them, as well as to receive additional information upon request;
  • the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
  • the right to have a business delete their personal information, subject to certain exceptions; and
  • the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

The Act defines personal information more broadly than other state privacy laws. Under the Act, "personal information" means "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." See § 1798.140(o)(1).

The Act applies to for-profit businesses that collect consumers’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) annually buy, receive, share, or sell the personal information of 50,000 or more consumers, households, or devices; or (c) derive 50% or more of their annual revenues from selling consumers' personal information.

The Act can be regulated and enforced by the California Attorney General. Civil penalties can be up to $2,500 per violation, with the penalty for intentional violations up to $7,500 per violation. Importantly, the Act also provides a private right of action for consumers.

In a follow-up post we will discuss the regulations proposed on October 1, 2019, by the California Attorney General’s office, which are intended to “establish procedures to facilitate consumers’ new rights . . . and provide guidance to businesses for how to comply.”