RED ALERT: Doing Business in CALIFORNIA? CCPA is Here to Stay

Story by Bill Haber / April 30, 2021

Bill Haber | Co-Founder

Having recently returned from a trip to The Golden State, I can say there is much to admire about its beauty, weather, and innovative leadership. There are also some well-known tradeoffs that Californians are discussing with increasing frequency. Its residents are well accustomed to life in a state of RED ALERT from the ever-present realities of earthquakes and wildfires, and now legislation is hitting businesses that are unprepared for it: compliance with California’s tough privacy laws.

What is the CCPA?

Many California companies are already painfully aware of the CCPA. Few companies outside the state that do business there are fully prepared for it, and ALL of them will regret that. Insurance professionals whose clients are California-based or do business in California should be discussing compliance with those clients urgently.

The California Consumer Privacy Act (CCPA) of 2018 was passed on June 28, 2018, and took effect on January 1, 2020. It grants privacy rights to consumers and forces companies that conduct business in the State of California to make fundamental changes to their privacy programs. For the many insured clients who may not have so much as a privacy program in place, this is mission-critical from a risk management perspective.

California consumers have been given rights similar to those provided by the European Union’s General Data Protection Regulation (GDPR). The CCPA exposes non-compliant businesses to expensive fines, class-action lawsuits, and injunctions. Unaware clients face a high risk of violations, fines, and press exposure, which can damage their reputation. Expect to see increasingly public, increasingly expensive outings of violators, including some very recognizable brands.

How the EU made Privacy Urgent

Penalties. When the EU introduced the GDPR, it published guidelines and sizable potential fines well in advance, ensuring the regulation would be taken seriously. Depending on the violation, the fines run up to €10 million or 2% of global annual revenue, or up to €20 million or 4% of global annual revenue, whichever is higher, and enormous fines have since been issued to companies that didn’t comply. The GDPR went into effect on May 25, 2018. Supervisory authorities in each member state were designated to monitor and report on violations, and they got to work immediately on investigations.

Fines. One of the first fines made public was relatively merciful. A breach in Germany in the first months of the GDPR resulted in a smaller fine than the law allowed. On September 8, 2018, a German social media platform reported a breach of Personally Identifiable Information (PII), including email addresses and passwords that had been posted online, affecting over 300,000 individuals. Investigators found the fault lay in an outdated storage method that should have been corrected. The organization took the affected accounts offline and improved its security posture, which resulted in what the regulator called a proportionate penalty of €20,000 (about $22,363 USD). The company also kept its name out of the press.

What followed made it certain that the EU meant business. Fines began to pile up across Europe for all flavors of violations. A business in Austria was fined for not marking its CCTV security cameras sufficiently. A Portuguese hospital was fined for improper file management and access controls, and the amounts increased. Then, to make sure the world was paying attention, a regulator fined an entity from outside the EU, a global brand, with the biggest fine yet: citing what it termed vague consent agreements and poor transparency, the French regulator CNIL hit Google with a €50 million fine in January 2019, announcing its findings publicly in English and French. It became clear that the EU means to enforce its rules aggressively, and it has since made privacy demands on companies including Facebook. To date, EU regulators have received over 90,000 complaints and over 60,000 data breach notifications from companies, yet have issued only around 100 penalties and fines. Regulators already find themselves understaffed, and many EU countries are not yet reporting fully.

What Does California Do to Businesses in Violation?

The CCPA model is different and more flexible, but it has mirrored the pattern of the GDPR rollout. It allows for civil penalties of up to $2,500 per violation and $7,500 per intentional violation, and California places no cap on the total amount of fines, so a violation that touches many consumers can add up quickly. Unlike the GDPR, the CCPA gives businesses a period of 30 days after notice to cure alleged violations of the law before a fine can be assessed.

What can Insurance Agencies do?

Assess risk and educate ALL of your clients. Most of them already do some degree of business with California companies or individuals. Encourage technology risk mitigation practices and executive-led cybersecurity initiatives, including workforce education, proactive processes, and documented planning driven from the top. And of course, put a risk transfer strategy in front of each and every client, one that offers a bench of talent to respond properly to incidents, remedy potential problems immediately, and provide counsel to represent your clients’ interests.

Don’t leave your clients uninformed. Let us help you assess CCPA exposure and suggest strategies that your clients can put into place before the deadline.