A landmark consumer privacy law - the California Consumer Privacy Act of 2018 (CCPA) - will force U.S. organizations and businesses to change how they deal, manage and collect personal data of California residents.

Effective January 1, 2020, CCPA gives California residents the right to know what personal information of theirs is being collecting by organizations, where it was sourced from, what it’s being used for, whether it’s being disclosed or sold and to whom. It allows residents the right to “opt out” of allowing an organization to sell their personal information to third parties and the right to have organizations delete their personal information (with some exceptions).

CCPA applies beyond California’s physical borders to any company that collects, stores or processes a California resident’s personal information. Under CCPA, personal identifiers are broadly defined to include name, alias, postal address, web browsing history, purchasing tendencies, Internet Protocol address, email address, account name, social security number, driver’s license number and passport number.

CCPA compliance is required of organizations - including parent companies and/or subsidiaries - that meet one or more of following criteria:

  • Have annual gross revenues of $25 million
  • Obtain personal information of 50,000 or more California residents, households or devices annually
  • Generate 50 percent or more annual revenue from selling California residents’ personal information

Intentional violations will accrue penalties of up to $7,500 per violation, while unintentional violations not remediated within 30 days of notice can lead to fines up to $2,500 each. Most significantly, companies that fall victims of data theft or an incident that leads to unauthorized access of personal information can be targeted in civil lawsuits, with statutory damages as high as $750 per California resident, or actual damages, whichever is greater.

Start preparing now for CCPA compliance

With under a year to meet CCPA compliance requirements, the time is now for businesses to acclimate their internal policies and procedures for soliciting and using personal information of California customers.

  1. Develop a formal data governance plan. Include data maps, inventories of all personal information pertaining to California residents, information sources, storage locations and data access privileges.
  2. Update privacy policies to allow for to data access requests, deletion and portability requests, consent for data sharing and opt-out requests from parents and minors.
  3. Provide a “Do Not Sell My Personal Information” link on the organization’s website that will direct users to a web page enabling them to affirmatively opt out of the sale of their personal information.
  4. Consider updating technology systems and processes to facilitate compliance.
  5. Transfer your risk with cyber insurance. Not all cyber insurance policies will address the risks CCPA compliance poses. Make sure your policy includes coverage for:
    • Legal fees associated with a regulatory investigation.
    • Costs incurred by deploying seasoned breach response teams.
    • Compensation claims, such as class action lawsuits.
    • Public relations costs incurred to mitigate the impact of a data breach and/or CCPA non-compliance.
    • Fines imposed by regulators (where insurable by law).

Contact your HUB Cyber Insurance Specialist for more information on instituting these best practices and transferring your risk to cyber insurance.