Data Privacy and the CCPA
At the 2019 WCIRB Annual Meeting, a session discussed data privacy concerns under the strong data privacy laws in California.
The speakers were:
- Jeremy Merz – American Property Casualty Insurance Association
- Nicholas Roxborough – Roxborough Pomerance Nye & Adreani
- Mark Webb – Prop 23 Advisors
The 2018 California Consumer Privacy Act (CCPA) takes effect in January 2020. This will significantly impact any company that does business in California. It is the most extensive Consumer Privacy legislation in the United States.
For insurance companies this creates significant risks. In particular, carriers need to be reviewing how they are collecting and using claims data. They also need to know who has access to their data and what it is being used for. Depending on the regulations, these changes could require carriers to provide notices to injured workers giving them the opportunity to opt out their data in certain circumstances.
Carriers can also be held liable for data they may provide to their service providers and this could be limited and require consent from the injured worker.
Other insurance industry concerns include how these laws impact carrier regulatory requirements on document retention. What happens if a consumer requests that their data be deleted, but the carrier is required to retain that data under Department of Insurance regulations.
It should be noted that the law specifically excludes the California State Fund, Public Entities, and self-insured pools including JPAs. Thus, this is focused on private insurance carriers.
The law carries both administrative penalties and civil liability.
The regulatory process has not begun yet with regard to creating the rules to go with CCPA. This won’t start until fall, which means the regulations for a law taking effect January 2020 will likely not be in place by that time.
There are two pending pieces of litigation worth monitoring:
AB 25 – This is a CCPA clean up bill. They are taking out an employee’s information held by their employer and are also discussing a business to business exception to the law. This will eventually pass and be signed into law.
AB 981 – This is an insurance industry sponsored bill that seeks to exempt insurance carriers from the CCPA. One reason for this is that there is already extensive privacy regulations in place for the insurance industry which is regulated by the Department of Insurance. This bill is not moving forward.