The California Consumer Protection Act took effect Jan. 1 and sets a high bar for data privacy -- and has potentially significant impacts for insurers and policyholders.
According to the bill, any company that collects, shares or sells the information of more than 50,000 people and generated revenue of more than $25 million in the preceding year has to comply with the new law.
Furthermore, companies don’t have to be based in California to fall under the rules; they simply have to do business in the state.
Plenty of insurers meet the criteria, said Joanna Storey, lawyer with the San Francisco-based firm Hinshaw & Culbertson, and could be stymied by the rules. Most significantly, the rules threaten the tripartite relationship between the law firm, its client (the insured), and the client’s insurance carrier, she explained.
In certain scenarios, the rule language covering "Service Providers" -- such as law firms representing an insurance carrier subject to the CCPA -- could make it impossible for the law firm to use in defense of a lawsuit any personal information that the carrier obtained during the claims review process, or any information obtained prior to the suit being filed, Storey said.
The law firm would seemingly be prohibited from sharing information provided by the carrier with experts and consultants necessary to defend the insured, she added.
"How do they defend actions if they can't share information?" Storey said in an InsuranceNewsNet interview. "I think personally this is an unintended consequence. I don't think this is what they intended to do. But it's a consequence nonetheless."
Hinshaw & Culbertson is among those who submitted comment letters to California Attorney General Xavier Becerra.
Three additional concerns in the law firm's letter include:
CCPA exceptions -- when exercising or defending legal claims and when compliance would violate an evidentiary privilege under California law -- only apply to a covered "Business." Since law firms acting as a service provider on behalf of a covered insurance carrier are not exempted anywhere in the regulations, the proposed CCPA regulations could impair the ability of a business to defend legal claims through law firm service providers.
CCPA "Processing" definition. It is currently unclear whether storing personal information in the cloud, or using electronically stored personal information for discovery purposes would constitute "Processing" under the current regulatory scheme.
Clarification of intent. Hinshaw is asking the attorney general to clarify the meaning and intent of rule language that provides that the obligations imposed on a business by the CCPA shall not "restrict" a business's ability to comply with federal, state, or local laws, comply with subpoena or regulatory inquiries or investigations, or to exercise or defend legal claims.
While the California statute took effect Jan. 1, enforcement won’t begin until July 1. And the law as it stands now may change — the Legislature has already passed a number of amendments to clarify and refine the law’s requirements, and the state Attorney General’s Office is still formulating regulations and guidance about the law.
Meant To Protect Consumers
The law aims to protect consumers from having their information sold without their knowledge or consent. It was passed by the California Legislature in June 2018, and modeled on the European Union’s General Data Protection Regulation, which took effect in May 2018.
The California law was enacted amid increasing concern about companies sharing consumer data, especially after it was learned that the data firm Cambridge Analytica improperly accessed Facebook user information.
The California law gives consumers the right to know what personal information companies collect from them, and what businesses do with it — whether they share, transfer or sell it, and who is the recipient of the information. Under a key provision, companies must give consumers the option to have their information deleted from databases.
The law covers a wide range of data including names, addresses, Social Security and passport numbers, email addresses, internet browsing histories, purchasing histories, personal property and health information, professional or employment information, educational records and information from GPS apps and programs.
Companies subject to the law must ensure their systems and websites are in compliance. Many without in-house technology staffs have hired companies to install software that among other things creates the website buttons and links that allow consumers to see their information and opt out of having it stored.
"This is all clear as mud because it's so confusing," Storey said. "The regulations go beyond what the statute said."
'Trust' Is The Key
The National Association of Insurance Commissioners discussed data privacy at its Summer Meeting in Boston in August. Iowa Insurance Commissioner Doug Ommen said he is not a fan of the California approach.
Trust is the key to a good business relationship between carriers and consumers, said Ommen, who sits on an NAIC big data working group. More regulations can just get in the way of developing that trust, he added.
"I don't know if regulation is the answer because as regulators, we may have our opinion of what is good and bad," Ommen said during a Boston session. "But it gets back to the very basics of the relationship between the consumer and the carrier that's providing that peace of mind."
InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism.