This blog post is our second post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on insurers’ compliance obligations under the CCPA. If you would benefit from a background discussion on the CCPA, please visit our first post in this series entitled “Part 1: The California Consumer Privacy Act – What Insurers Need to Know.”
The CCPA applies to insurers to the extent they qualify as “businesses” that “collect or determine the purposes and means of processing” the “personal information” of a California “consumer” and meet one of the following thresholds:
1. Annual gross revenue in excess of $25 million
2. Annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices
3. Derive 50 percent or more of their annual revenue from selling consumer personal information
Limited Exemptions Exist Under the CCPA
The CCPA contains exemptions that apply to the insurance industry. Specifically, the CCPA exempts “medical information” governed by the Confidentiality of Medical Information Act and “protected health information” collected by a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Cal. Civ. Code Section 1798.145(c) also exempts health care providers and covered entities governed by HIPAA, to the extent that the provider or covered entity maintains patient information in the same manner as medical information and/or protected health information.
Similarly, the CCPA exempts entities to the extent that they are subject to the Gramm-Leach-Bliley Act (GLB), but that does not grant full exemption from the CCPA. GLB regulates financial institutions’ management of nonpublic personal information, which is defined in 15 U.S.C. Section 6809 as personally identifiable financial information: (1) provided by a consumer to a financial institution; (2) resulting from any transaction with the consumer or any service performed for the consumer; or (3) otherwise obtained by the financial institution. The CCPA’s definition of personal information is much broader and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” To the extent GLB-regulated entities collect information falling under personal information as defined by the CCPA, they will need to comply with the CCPA. (Cal. Civ. Code Section 1798.145(e)).
In addition, Cal. Civ. Code §1798.145(f) provides an exemption for personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act.
While this is only a partial list of possible exemptions, insurers will be subject to the requirements of the CCPA whenever they collect, process, or sell information that falls outside those exemptions. For example, when insurers track website visitors’ IP addresses or geolocation information, the exemptions will not apply.
Proposed Amendment to Watch
Since being signed into law on June 28, 2018, the CCPA has been met with significant criticism and proposed legislation seeking to amend and/or clarify its terms. Of note to insurers is Assembly Bill 981 (AB 981), which proposes to:
1. Eliminate consumers’ right to request that an insurer delete or not sell personal information when the insurer’s retention and/or sharing of that information is necessary to complete an insurance transaction on the consumer’s behalf
2. Amend California’s Insurance Information and Privacy Protection Act (IIPPA) to harmonize definitions and incorporate certain CCPA concepts
Specifically, AB 981 proposes to exempt from the CCPA “insurance institutions, agents, and support organizations” to the extent that those institutions are already subject to IIPPA, and harmonize IIPPA’s provisions that overlap in some respects with the CCPA.
AB 981 would also modify IIPPA to expand certain privacy requirements, such as notice requirements. AB 981 would further eliminate a consumer’s right under the CCPA to request that a business delete or not sell the consumer’s personal information if retaining or sharing that information is necessary to complete an insurance transaction requested by the consumer. It bears noting, however, that even without this amendment, the CCPA already exempts a business from a deletion request where retention of the consumer’s personal information is necessary to provide a good or service requested by the consumer or reasonably anticipated within the context of the business’s ongoing relationship with the consumer (Cal. Civ. Code Section 1798.105(d)(1)).
What Insurers Should Do to Comply
While the CCPA does not go into effect until January 1, 2020, insurers should begin compliance efforts now because requests for information under the CCPA are 12 months retroactive, meaning a request for information received on January 1, 2020 will require a response that identifies the categories of personal information collected since January 1, 2019. The following is a suggested guide to jump-start your compliance efforts:
1. Conduct data mapping to determine what information is collected, what information qualifies as personal information, how the data is used, and what may or may not be subject to exemptions. Data mapping will also help insurers quickly respond to requests for access and deletion.
2. Update privacy policies and notices and create a “Do Not Sell My Personal Information” link on your website’s homepage. The CCPA requires that a business update its privacy policies to include:
- A description of consumers’ rights under the CCPA
- One or more designated methods for submitting CCPA rights requests
- A list of categories of personal information it has collected about consumers in the past 12 months
- A list of the categories of personal information it has sold about consumers in the past 12 months
- A list of categories of personal information it has disclosed about consumers in the past 12 months
- A link to the “Do Not Sell My Personal Information” webpage
3. Establish at least two designated methods for submitting requests, including a toll-free telephone number and a website address.
4. Develop policies and procedures to respond to requests for access, information, and deletion. Insurers should designate a role with responsibility for CCPA compliance and oversight. Insurers will need to have processes in place to receive and track consumer requests regarding personal information. Insurers may wish to consider training, particularly for workers who will be handling individual requests.
5. Identify the third parties and vendors with which you currently share personal information and/or to which you sell personal information, along with the governing contracts. Insurers will need to analyze the data flow in each of these third-party relationships and amend the written agreements accordingly.
6. Review or develop an incident response plan that provides for the detection, containment, and mitigation or cure of a data breach, since a breach can give rise to a private right of action by a consumer against the company.