In 2018, California residents passed the California Consumer Privacy Act (CCPA), which was the first comprehensive privacy regulation in the United States, borrowing many concepts from the European Union’s General Data Protection Regulation (GDPR). Included on the November 2020 ballot in the State of California was Proposition 24, or the California Privacy Rights Act of 2020 (CPRA). The recently passed CPRA will both change current definitions in the CCPA and add new consumer rights to the previously existing law.
California Consumer Privacy Act Overview:
The CCPA officially went into effect on January 1, 2020, with an enforcement date of July 1, 2020. Some key provisions in the CCPA include the consumer’s right to opt out of the sale of their personal information, to request access to their personal information in a readily usable format, to request the deletion of their personal information, and the right not to be discriminated against for exercising their rights under the CCPA. The CCPA is enforced by the California Attorney General, although consumers do have a private right of action if their confidential Personal Information (PI) has been involved in a data breach. A company is deemed to be subject to the CCPA if it either 1) has $25M+ in annual revenue derived from its business activities in the State of California, 2) buys / sells or receives / shares the Personal Information (PI) of 50,000+ California-based consumers, households, or devices for commercial purposes, or 3) derives at least 50% of its annual revenue from the selling of California-based consumer PI. If a company is found to be in violation of the CCPA, it may be subject to the following fines:
- $2,500 for each unintentional violation of the CCPA, or $7,500 for each intentional violation of the CCPA (i.e. per each consumer whose data is mishandled); these fines would be brought by the California Attorney General
- A consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted or nonredacted personal information that is subject to a data breach
California Privacy Rights Act Overview:
Now that the CPRA has been passed by Californian voters, it will officially go into effect in January 2023 and will begin to be enforced in July 2023. The intent of CPRA is to clarify certain points within the CCPA and strengthen the overall law to better protect California consumers. Below is a summary of some of the key changes CPRA makes to the existing CCPA regulation:
| CPRA Provision | Summary of the provision | How this differs from CCPA |
| --- | --- | --- |
| Definition of Business | | The new definition under the CPRA both narrows and expands the types of businesses that must comply with CCPA. It narrows the number of businesses subject to the CCPA by increasing the consumer threshold from 50,000+ consumers or households to 100,000+ and by removing the inclusion of “devices”. The CPRA expands the number of businesses that must comply by mandating that any business that derives revenue from selling and / or sharing consumer PI is subject to the regulation, where previously only companies that sold data were subject to the CCPA. |
| Enforcing Authority | The CPRA created a new data protection agency, the California Privacy Protection Agency, or “the Agency”. The Agency will work alongside the California Attorney General to enforce the CPRA and will take over all rule-making responsibilities from the California Attorney General. | Prior to CPRA, the California Attorney General was the sole enforcement body for the CCPA and had all rule-making responsibilities. |
| Sensitive Personal Information | Newly defined in CPRA, “sensitive personal information” includes government identifiers (such as Social Security numbers and driver’s licenses), financial account and login information (such as a credit or debit card number together with login credentials), precise geolocation, race, ethnicity, religious or philosophical beliefs, union membership, the content of nonpublic communications (mail, email and text messages), genetic data, biometric or health information, and sex life or sexual orientation information. This information is subject to new disclosure and purpose limitation requirements. | Sensitive Personal Information was covered under the scope of the CCPA but was not expressly defined or treated as separate from any other PI. |
| Cross Contextual Behavioral Ads | The CPRA creates a distinction between “Cross-Context Behavioral Advertising” and “Non-Personalized Advertising.” Cross-Context Behavioral Advertising is defined as the targeting of advertising to a consumer based on the consumer’s PI obtained from the consumer’s activity across businesses, and “Non-Personalized Advertising” is advertising based solely on a consumer’s PI derived from the consumer’s current interaction with the business. | The intent of distinguishing these two types of advertising is to clarify that any information specifically used for cross-contextual behavioral advertising is explicitly regulated under the CCPA and is subject to the same opt-out rights consumers have under other sections of the law. |
| Service Providers / Contractors | Amends the definition of Service Provider to include contractors who receive and process PI on behalf of a business. With this new distinction, the CPRA creates additional obligations these contractors must comply with to ensure they are meeting the same privacy requirements to which the contracting business is subject. | This is an expansion of the current definition of Service Provider under CCPA. |
| Right to Correction | Consumers have the right to request correction of their PI if that information is not accurate. | This was not a granted right under CCPA. |
| Right to Opt-Out of Automated Decision Making (AI) Technology | Consumers have the right to opt out of the use of Automated Decision-Making technology that is used in connection with the consumer’s personal preferences, interests, behavior, location, or economic status. | This was not a granted right under CCPA. |
| Right to Access Information about Automated Decision Making (AI) Technology | Consumers can also request information about how the above-referenced Decision-Making technology comes to a decision and what the likely outcome may be based on that process. | This was not a granted right under CCPA. |
| Right to Restrict Sensitive PI | Consumers can restrict businesses from using their Sensitive PI for secondary purposes, such as disclosing the Sensitive PI to third parties. | This was not a granted right under CCPA. |
| Audit Obligations | Businesses subject to the CCPA under the new CPRA provisions must undergo mandatory risk assessments and cybersecurity audits for any high-risk activities. | This was not required under CCPA. |
| Modified Right to Delete | Upon the consumer’s request, businesses must notify third parties to delete any consumer PI the third party bought or otherwise received from the business. | Previously under CCPA, businesses were not required to notify third parties with whom they had shared consumer PI to delete the consumer’s data. |
| Expanded Right to Opt-Out | Expands the consumer’s right to opt out to include the right to opt out of businesses sharing PI for cross-contextual behavioral advertising. | CCPA allowed for the right to opt out but did not previously cover sharing of PI in conjunction with Cross-Contextual Behavioral Advertising. |
| Strengthened Opt-In Rights for Minors | Extends the right to opt in to explicitly include the sharing of PI for behavioral advertising purposes. | CCPA already contained opt-in rights for minors. CPRA extends this right to evolve together with other areas of CCPA. |
*The above is a high-level summary and is not an exhaustive list of the changes by the CPRA
Cyber Insurance Policy Implications:
Similar to the GDPR, it is not anticipated that the fines levied against a business for its violation of the CCPA (as amended by the CPRA) will be deemed insurable by law [1]. Nevertheless, a Cyber insurance policy may well cover the defense costs associated with any regulatory proceedings or actions, which can be costly given the depth and scope of such regulatory action. Each insurance carrier takes a different approach to how it recognizes coverage for costs related to state or foreign Privacy Regulations. Some policy forms have broad definitions of Cyber Incident / Privacy Event that include the Insured’s failure to properly handle, store, manage, destroy, use, or otherwise control Personal Information, whereas other insurers’ policy forms are limited to the Insured’s failure to protect Personal Information. Insurers who fall into the latter category may be able to add a policy endorsement that specifically broadens the necessary definitions so that any violation of a Privacy Regulation, such as the GDPR or the CCPA, triggers the policy. Within these endorsements, it is critical to ensure that there is language denoting that any amendments of Privacy Regulations (whether generally or specifically by name) are included, so that amendatory regulations such as the CPRA are automatically contemplated within the scope of coverage.
By Erin Brodbeck
Senior Broker, Aon’s Cyber Solutions
erin.brodbeck@aon.com
Sources
[1] White and Williams LLP, Financial Lines Alert, August 14, 2019