In a little over two months, many companies with customers in California will need to be compliant with the California Consumer Privacy Act (CCPA), or face potentially steep penalties. The CCPA goes into effect on January 1, 2020 and is similar in purpose to Europe’s GDPR (General Data Protection Regulation), both laws aimed at giving consumers greater control over the data collected on them.
Since the CCPA focuses on consumer privacy rights, cyber liability insurance enters the discussion—and so do we.
More About the California Consumer Privacy Act (CCPA)
When Does CCPA Go Into Effect?
The bill was passed in September 2018 and goes into effect on January 1, 2020. Enforcement of this Act will begin on July 1, 2020 and there is a 30-day period for companies found not in compliance to prove that they have rectified any problems.
Which Companies Need To Be In Compliance With CCPA?
The CCPA applies to any organization that collects personal data of consumers residing in California—from IP Addresses or email addresses to social security numbers—and satisfies at least one of the following criteria:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Note that this law applies to businesses around the world that interact with or collect data on California residents. Even if your current customer reach doesn’t touch California, other versions of this act are being drawn up in many other states to keep people in control of their private information. In fact, Nevada has also enacted a similar privacy law that went into effect in October 2019.
How Does CCPA Protect Consumers?
Any company subject to CCPA will be expected to offer certain services that grant individuals in California more transparency and more control around their personal data. There are six enhanced privacy rights, including:
- The right to know what information is being collected about them.
- The right to know whether their personal data is sold or disclosed and to whom.
- The right to opt out of the sale of their personal data.
- The right to access their personal data.
- The right to be forgotten, or the right to request a business to delete any of their personal information it has collected.
- The right to not be discriminated against for exercising their privacy rights.
In a time when data is king and organizations are collecting enormous amounts of consumer data, California and other states are taking this step to empower the individual by requiring organizations to revisit their data policies.
Although there are exemptions for certain industries for certain of the 6 protections listed above, it is best to check with your legal team to determine if any apply to your organization.
Fines, Penalties, and Statutory Damages
Fines and damages could reach astounding levels with CCPA. Businesses that violate CCPA could be subject to a fine of up to $7,500 per record in violation.
As mentioned above, there is a 30-day period for companies to prove that they have fixed the aspect of their business not in compliance. We have yet to see, however, how that would be applied in the case of a data breach when unfortunately the damage is done and private information has been exposed.
With CCPA, consumers are now granted an important asset in the form of statutory damages in their class action lawsuits against companies which have suffered a data breach. In the past, these class action cases have largely been dismissed as actual damages were difficult to prove. However, with statutory damages granted to California consumers, these cases will now be allowed to proceed. And if the suit goes in favor of the class, they could collect actual damages or statutory damages between $100 and $750 per incident (read “per record”). This is a significant shift in the amount of risk a company faces as a result of a data breach.
Will My Cyber Liability Insurance Cover CCPA?
Good news. Over the past several years, well-brokered cyber policies have been expanded with laws like these in mind. At Woodruff Sawyer, cyber liability coverage has, as a rule, expanded to cover fines, penalties, or statutory damages connected with CCPA or other similar regulations.
You still need to know, however, that, just like any wave of increasing claims against insurance, this will likely impact how carriers approach pricing and limits over the next few years. As companies face fines related to CCPA, it can create significantly higher losses for carriers. Naturally, the market will respond, either by scaling back coverage or raising prices. This is certainly a development we will be watching closely over the next 12–18 months.
As we head into 2020, the CCPA and similar regulations impose a major impact on businesses—from website updates to staffing to reexamining how your organization actually approaches data protection. Cyber coverage is here to make this transitionary period more palatable and mitigate the risks of non-compliance and data exposure.