Cyber Liability Insurance and the California Consumer Privacy Act
By TJ Schmakel | 07/29/2020
In an age of technology, business, banking, shopping, and connecting is done digitally. As consumers use the online space in their day-to-day lives, businesses create microdata profiles that document clicks, purchases, and shares to build better sites, ads, and campaigns. In the past several years, consumer pushback against business use of consumer data profiles has increased in response to several large organizational data breaches.
Recently, the state of California passed the California Consumer Privacy Act (CCPA) to protect consumer rights and implement business guidelines for online privacy and data collection. Understanding the new legislation is critical for businesses that operate in California and rely on consumer data. Read on to learn more about how small business insurance mitigates your exposure.
What is the California Consumer Privacy Act?
On June 28, 2018, the California Consumer Privacy Act (CCPA) was signed into law. Although the law has been effective since January 1, 2020, enforcement did not begin until July 1, 2020. This is the first law in the United States that directly addresses consumer privacy online. Under the CCPA, certain consumer privacy rights are explicitly outlined and businesses must adhere to specific guidelines on how they can collect and use consumer information.
Consumer Rights Protected Under CCPA
1. Businesses must inform consumers of their intent to collect personal information.
Whether your business plans to use consumer data internally or share collected data externally, the intent of your business’s data collection must now be shared with consumers.
You may notify consumers that your business is collecting personal data by including a disclaimer in the footer or at the bottom of your website or by using a pop-up alert.
2. Consumers have the right to know.
If your business serves residents of California, you must comply with consumer requests to access both your business’s data on the specific consumer and how that data was collected. The CCPA also grants consumers the ability to see the consumer profile your business created as a result of personal data collection.
Jerry, a dad from Pasadena, added several charcoal grills to his online shopping cart over several weeks. Rainforest, the online marketplace, used cart behavior and clickthrough data to infer that Jerry may be interested in other outdoor cooking equipment, and categorized him as a “grill enthusiast”. Under the CCPA, Rainforest must fulfill Jerry’s request to access his consumer profile from Rainforest.
Consumers have the right to know what personal information has been collected, where the data was collected, how it will be used, and with whom it is shared.
3. Consumers have the right to prevent businesses from selling their personal information to third parties.
Many businesses collect data on consumers and sell it or share it to third parties for targeted advertising purposes. The CCPA empowers consumers to prevent this transaction.
Martha, a resident of Santa Monica, regularly visits Delicious, an online cooking magazine, to discover new recipes. Delicious sells Martha’s data profile to KitchenMaster, a cookware company who believes Martha is an optimal target for their ads. Martha now has the right to stop Delicious from selling her profile and any other personal information to KitchenMaster.
4. Consumers have the right to have their personal data deleted.
Under the CCPA, your business must inform consumers of their right to have their data and personal information deleted from your database. Your business is required to provide at least two methods to submit a deletion request. It’s a good idea to tailor these methods to your current interaction with your customers. For example, if you primarily do business over the phone and on your website, provide a phone number for deletion requests as well as a request page on your company website.
Additionally, businesses may offer an option for partial data deletion to the consumer if, and only if, an option for total data deletion is also available.
Steven of Napa is tired of receiving emails from retailers where he no longer shops. Though Steven will unsubscribe from each email list, he also feels uncomfortable that his personal information is available to so many retailers. Steven visits each business’s website and submits an information deletion request as is his right under the CCPA.
Deletion is not required if the covered business needs the personal information to complete the transaction for which it was collected; to comply with a legal obligation, such as a record retention requirement; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality.
5. Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer has exercised their privacy rights.
Businesses may not penalize consumers if they choose to exercise the rights outlined in the CCPA. However, businesses may offer special incentives or promotions to encourage consumers to share or re-share their information.
Who must comply with the California Consumer Privacy Act?
If you operate in the state of California and meet one of the following criteria, your company must conform with CCPA:
- Annual gross revenue is more than $25 million.
- Your organization receives, shares, or sells the personal information of more than 50,000 individuals.
- Your company earns 50% or more of its annual revenue from selling the personal consumer data.
Will businesses outside of California be affected by the CCPA?
Yes. Under the CCPA, if you have customers or potential customers in the state of California, you must comply.
How is the CCPA Enforced?
Enforcement of the CCPA currently falls to the office of the California Attorney General. Lawmakers are pushing to create an independent regulatory agency to handle CCPA adherence. Californians have the right to bring a lawsuit against any company that fails to comply with the CCPA regulations.
How can insurance help protect my business?
The CCPA empowers consumers to bring lawsuits against companies who fail to comply with data storage and deletion practices. As a result, businesses have increased exposure to legal fees associated with compliance and settlement.
Having Cyber Liability Insurance protects your company against first- and third-party cyber-related threats and expenses. This includes data breaches, legal defense costs, notification costs, and system disruption. A good Cyber Liability policy addresses nearly every aspect of total cyber exposure. You can purchase a Cyber Liability policy entirely online with Layr, and adjust coverage limits to protect your business, and it binds instantly.
[get_started] Protect Your Business With A Cyber Liability Policy Today [/get_started]
Having Cyber Liability insurance with appropriate coverage limits is a great way to protect your business. Ensuring you have the right policies to protect your entire operation gives you confidence to operate coast-to-coast. With Layr, you can do both. Read our e-book, Cyber Liability Insurance, to learn more about what cyber liability covers and why you should have it.