How the California Consumer Privacy Act Will Impact Your Business

Oct 10, 2019

If your company does business with consumers who live in the Golden State, you need to familiarize yourself with a new consumer protection law.

Called “GDPR Light” by some who have compared it to the European Union’s General Data Protection Regulation, the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, although it appears the state doesn’t expect to begin active enforcement until July.

CCPA’s intent is to give the state’s residents knowledge of what information companies have about them and how that information may be sold or otherwise disclosed. It provides the right to access that data, prevent its sale, and request its deletion from the company’s records. Special consent is required to keep data for minors age 16 or younger. Company websites must include a link to allow consumers to prevent the sale of their information, as well as contact information for requesting information.

Its rules apply to any company that does business in California, collects personal data of consumers, and meets at least one of three thresholds: it has at least $25 million in annual gross revenues; holds personal information from at least 50,000 consumers, households, or devices; or collects more than half of its revenue by selling that personal information.

A key difference between CCPA and GDPR is that under the European law, people have to opt in to give organizations permission to use their personally identifiable information. Under CCPA, companies must give individuals the ability to opt out. In addition, while GDPR rules apply only to individual data, CCPA covers all data from the person’s household.

Companies violating CCPA’s provisions face fines of up to $7,500 for each intentional violation (or $2,500 if the violation was deemed unintentional). If a company is a victim of a data breach, it may be liable through civil litigation for as much as $750 per California resident affected. Consumers may sue companies for violating CCPA directly or through class actions (even if their data hasn’t been breached) or for simply failing to display the required website disclosures.

Although the law’s start date is fast approaching, the rules have not yet been finalized. Lawmakers drafted the original act in just seven days to meet a deadline and are now scrambling to fix technical issues through amendments. For example, insurance companies and agents are now to be exempt from CCPA because the state’s insurance information laws already provide similar protections. Final regulations are expected soon.

Even if your company doesn’t do business in California, it’s worth paying attention, because consumer protections initiated there often find their way into the rest of the nation’s statutes. You can find detailed information about the law at the State of California’s website.

The above information does not constitute advice. Always contact your insurance broker or trusted adviser for insurance-related questions.

Author Julian Sylvestro, Hylant Cyber Risk Advisor