Tag Archives: consumer privacy

Keeping an Eye on Consumer Privacy

The pandemic has caused many predictions for 2020 to be spectacularly wrong. One exception is that data privacy and compliance will become even more important, specifically because of the introduction of the California Consumer Privacy Act (CCPA). 

For carriers that work with consumers in California, the legislation created a list of compliance considerations. Californians now have the right to know what information companies have, request that it not be sold and request that it be deleted unless it is in conflict with another law (very important to note that last piece for our highly regulated industry). Businesses must also provide a link that says, “Do Not Sell My Information,” which enables the consumers to make their opt-out request. 

Let’s take a look at three of the many concerns related to CCPA:

  • Data Breaches: Protecting a consumer’s private and sensitive information should be a top priority, as data breaches have become more common and have resulted in damaging headlines and expensive settlements. Given the nature of our industry and the amount of personal information exchanged, insurers are a prime target for cyber attacks, and we will certainly see them fall victim to data breaches.
  • Identity Theft: Insurers need to be certain that they are not responding to these consumer requests without reasonable verification that the consumer making the request is the actual consumer in question and not a bad actor trying to steal consumer information.
  • Compliance: Carriers should consider hiring a compliance vendor or outside counsel well-informed on CCPA to make these situations more navigable. These partners act as a referee, offering valuable third-party input to verify that a safe and compliant process is in place. This partnership can provide a paper trail (if needed) to document that the required data usage and privacy notices were communicated to consumers. If trouble arises, it can be advantageous to have an independent third party defending you.

See also: CCPA: First of Many Painful Privacy Laws  

Working With Technology Partners

Since CCPA’s initial rollout on Jan. 1, insurance carriers that conduct business with Californians have been trying to reach full compliance before enforcement actions are scheduled to begin on July 1. For most, working with a technology partner, especially a data-as-a-service (DaaS) company, can be monumental in navigating the ins and outs of the new compliance standards. Here at Jornaya, we recently extended our compliance product suite to assist companies in meeting the requirements of the CCPA, as well as potential future state and federal regulations.

As CCPA goes into effect, plenty of other states are looking to it as a blueprint for creating their own data privacy laws. Nevada, New York, Texas and Washington are just a few states where legislators are starting to follow California’s lead by introducing privacy bills.

Creating Better Customer Experience

These laws are trying to provide transparency about what data is being collected on a consumer and how it is being collected, and to put the consumer in the driver’s seat as to how that data is going to be used.

Privacy regulations, like the CCPA, are simply about doing the right thing for the consumer. And the consequences of not paying attention and not doing the right thing by consumers with regard to their privacy can be devastating, not only in terms of potential legal action but also in the loss of consumer trust and associated sales. 

Disclaimer: Any and all content provided (material, information, graphics, etc.), and any other versions and variations of the content (e.g. in .pdf via email or otherwise) is provided only for general information. It is not intended to serve as, or as a substitute for, legal or compliance recommendations; to advise or infer to be used in any particular way by you or your company, and not intended to be used as a basis for making business/commercial decisions.

What CCPA Press Release SHOULD Say

On Jan. 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) is in effect. So, too, is the law governing so-called data brokers. To understand the CCPA, it is sometimes important to suspend belief. What follows is a parody, a form of communicating that seems particularly appropriate for the CCPA and its $55 billion compliance price tag.

California Attorney General Announces Issuance of Subpoenas Over Privacy Law Violations

Feb. 1, 2020

SACRAMENTO – The California Department of Justice today announced that North Pole Enterprises, LLC, dba “Santa Claus” has been issued an investigative subpoena to address concerns over widespread misuse and improper collection of personal information. The potential numerous violations of the California Consumer Privacy Act of 2018 (CCPA) include:

Improper collection of biometric data. Santa Claus is alleged to know when consumers are sleeping and when they are awake. When this biometric data, as defined in Civil Code § 1798.140(b) to include, “an individual’s physiological, biological or behavioral characteristics” is collected, upon information and belief, Santa Claus has shown a pattern and practice of failing to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used as required by Civil Code § 1798.100(b).

The violations of this part of the CCPA may also extend to biometric information indicating when California consumers are naughty or nice, are bad or good or are pouting or crying.

Improper collection of geolocation data. Santa Claus delivers gifts on Christmas Eve to consumers throughout California. To do this, Santa Claus has developed a comprehensive database of consumers’ residential locations. This is within the definition of “personal information” as defined in Civil Code § 1798.140(o)(1)(G). Santa Claus obtains this personal information through soliciting and receiving “Christmas Lists” from California consumers, which generally contain attestations that the consumer has been “nice,” which is, as noted above, also biometric information.

See also: Vast Implications of the CCPA  

To the extent these lists and the personal information contained therein are generated by traffic through the Santa Claus website, upon information and belief there are no posted online privacy policies to advise consumers of their rights under the CCPA. This is a violation of Civil Code § 1798.130(a)(5).

Failure to provide notice of right to opt out. The gifts Santa Claus delivers on Christmas Eve are allegedly crafted in a workshop at the North Pole. Upon information and belief, the workshop is a cooperative corporation, “Santa’s Co-op Workshop” (SCW), located just outside Alturas in Humboldt County. As such, Santa Claus is selling personal information, as defined in Civil Code § 1798.140(t), to a third party without giving California consumers notice of their rights to opt out of the sale of their personal information. This is a violation of Civil Code § 1798.120 and Civil Code § 1798.130.

In addition, if Santa Claus is selling the personal information of California consumers to third parties, it is acting as a data broker and as such has failed to register with the Department of Justice as required by Civil Code § 1798.99.82.

To the extent Santa Claus is selling the personal information of minors to third parties, additional violations of the CCPA may have taken place. The Department of Justice reserves the right to revise its charges once there is compliance with the subpoena.

It should be noted that there is an allegation by the members of SCW that they are operating exclusively for and under the control of Santa Claus and as such are employees of Santa Claus per Assembly Bill 5 (Gonzalez). (See: “Potential Labor Law Violations”, below)

Denial of goods or services. Upon information and belief, Santa Claus may be engaged in a pattern of discrimination against California consumers who have not attested to being “nice” in their Christmas Lists as noted above. If Santa Claus is discriminating against California consumers because they have exercised their right not to disclose personal information, this may be a violation of Civil Code § 1798.125.

Potential labor law violations. Upon information and belief, SCW may not be a bona fide business, as that term is used in Labor Code § 2750.3(e). As such, per the Supreme Court’s decision in Dynamex Operations West, Inc. v. Superior Court of Los Angeles (2018) 4 Cal.5th 903, and Assembly Bill 5 (Gonzalez), the Division of Labor Standards Enforcement (DLSE) has opened a concurrent investigation of Santa Claus for possible wage and hour violations and failure to maintain workers’ compensation insurance.

See also: How CCPA Will—and Won’t—Hit Insurance  

California takes its consumers’ privacy seriously, as it does the violations of its laws protecting workers. Potential penalties under the CCPA, if not cured, could reach $2,500 per violation. Because each California resident has had personal information collected by Santa Claus, total penalties could be as high as $100 billion, assuming no violations were intentional.

We will keep you informed as events develop.

Directive Communication Systems’ Lee Poskanzer

Lee Poskanzer, CEO and Founder of Directive Communication Systems, talks with ITL CEO Wayne Allen about the growth of digital assets and why access to them is at risk of being lost in estate planning without specific legally compliant steps to protect them for heirs. DCS, he says, aims to make it easier for individuals to decide which assets—from social media, cloud storage, bank accounts and more—should be passed on and to whom, before it’s too late.


Keys to California’s Consumer Privacy Act

On June 26 of this year, Connecticut Gov. Ned Lamont signed HB 7424, the state budget bill. Among the provisions in this over 200-page piece of legislation: “The bill repeals the state’s information security program law, replacing it with provisions substantially similar to the National Association of Insurance Commissioners (NAIC) insurance data security model law.”

This is remarkable for two reasons. The first is Connecticut doing something no state west of the Mississippi has done – adopt the NAIC Model Law. The second is the Connecticut legislature actually repealed outdated laws before it adopted the new ones. Clearly, these people have never been to California.

Which brings us to the California Consumer Privacy Act of 2018, or what is now affectionately known as the CCPA. Insurance companies are anxiously anticipating the outcome of several assembly bills amending the CCPA that are awaiting action by the Senate, now that the legislature has returned from summer recess. Regardless of the changes, it remains likely – even though unnecessary – that the CCPA will “go live” on Jan. 1, 2020.

Given the number of cans kicked down the road by the legislature this year on important CCPA issues, it will be difficult for regulators to provide much-needed clarity by the July 1, 2020 rule-making deadline. What regulations are adopted will likely be subject to quick change once the Jan. 1, 2021, iteration of the CCPA takes shape during next year’s legislative session. It will also be difficult for the attorney general to provide advice to businesses or third parties on how to comply with the CCPA, a requirement the attorney general feels, correctly, is a bit at odds with his obligation to enforce the CCPA. Maybe that, too, will be part of the 2020 agenda.

In the meantime, insurance companies are faced with an increasing number of privacy and data security requirements not associated with the CCPA. For insurers doing business in New York or states that have adopted a form of the NAIC Insurance Data Security Model Law, compliant practices are being developed right now. In the case of New York and its Cybersecurity Requirements for Financial Institutions, 23 NYCRR 500, the “go-live” date was March 1 of this year. The New York regulation became effective one year after publication but also had a two-year transitional period before full compliance was required. That implementation process could have been emulated for the CCPA. Instead, there appears to be a hard effective date of Jan. 1, 2020 even as key amendments are still being negotiated.

And remember, while the attorney general cannot bring an enforcement action until the earlier of July 1, 2020, or the adoption of regulations, lawsuits can happen right away. More accurately, lawsuits can commence after the 30-day notice and right-to-cure provisions are triggered.

The CCPA has a series of “data exceptions” that are evolving. While entities such as insurance companies are not exempt from the new law, certain personal information (PI) of “consumers” is. Among those exemptions is PI collected that is also subject to the Gramm-Leach-Bliley Act (GLBA), 1999 legislation that ushered in privacy protections and rules for the safeguarding of PI by financial institutions when the merger of banks, investment firms and insurance companies became authorized. GLBA also required states to undertake certain actions in terms of privacy of PI; if they did not, the information practices of insurers (and others) would be subject to federal regulation. States could provide greater protections than the federal law but not diminish them.

See also: First of Many Painful Privacy Laws  

So, the NAIC and the California Department of Insurance sprang into action. California adopted portions of NAIC model regulations governing privacy of financial and health information, and additional regulations governing the safeguarding of that information. While the Department of Insurance was adopting portions of these models, it also provided additional privacy protections and conformed the new privacy regulations to already existing statutory protections in the Insurance Information and Privacy Protection Act (IIPPA). In addition, the legislature adopted the California Financial Information Privacy Act (CFIPA) as part of providing greater privacy protections for California residents and customers of financial institutions (including insurers) than required under GLBA.

As part of the expansion of privacy protections beyond those contained in the federal law was the characterization of a workers’ compensation claimant as a “consumer” under certain circumstances. While this activity was going on, the Federal Trade Commission (FTC) adopted the Privacy Rule – relating to information practices and providing the ability for consumers to “opt out” of having their information shared. It also adopted the Safeguards Rule, requiring a financial institution to develop, implement and maintain a comprehensive information security program.

After this great rush of legislative and regulatory activity in Sacramento and Washington, D.C., during 2000-2002, the pace of new regulation of privacy practices of insurers slowed. Newer iterations of the NAIC model regulations were not adopted in California, and neither was the later iteration of the IIPPA. The legislature continued to push out privacy-related bills at a dizzying pace, including the California Online Privacy Protection Act (COPPA), 2003 legislation requiring operators of websites and online services that collect PI about the users of their site to conspicuously post their privacy policies on the website and comply with them. The COPPA has been amended several times to keep up with technology. It is not in conflict with the existing requirements of entities that fall under GLBA. Indeed, analyses of Assembly Bill 68 (Simitian), 2003 legislation creating the COPPA, suggest that part of the intent of this legislation was to have other businesses operating on the internet adopt the same policies and practices as financial institutions under GLBA.

The CCPA does not amend the COPPA, or even refer to it. Instead, the CCPA adds even more content on business’ websites so the new rights allowed under it can be exerted by consumers. Both the CCPA and COPPA want their notices to be “conspicuous” and on the business’ home page. It’s going to get crowded on home pages.

In March of this year, the Federal Trade Commission (FTC) announced it was proposing to revisit both the Privacy Rule and the Safeguards Rule under GLBA. The changes as they relate to the Safeguards Rule will closely track the NAIC Insurance Data Security Model Law and the New York Cybersecurity Regulation. Once adopted, the changes may result in more action from the NAIC. None of this will occur in 2019, and maybe not even in 2020, but the landscape for privacy protection and data security for insurers and insurance organizations will be in a state of flux at least through 2021.

The authors of the CCPA acknowledged that, within the patchwork of state and federal laws governing PI, some safeguards are adequate. The initiative measure upon which the CCPA is based provided data exceptions for PI covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These data exceptions were expanded to include other laws, including GLBA and the CFIPA, during the legislative negotiations in 2018 that resulted in the initiative being withdrawn. In the rush to forestall an initiative and pass something to send to then-Gov. Jerry Brown before the end of June last year, the California legislature did what it all too often does: add new laws without regard to existing ones addressing the same issues but in a different way.

Because only certain PI is exempted from the requirements of the CCPA, businesses that collect and disclose exempt data must nevertheless maintain the architecture of the CCPA for non-exempt data. Consumers who seek to exercise their rights – assuming they will read properly crafted notices on business websites – will access a series of links only to be told that the PI they are seeking to control or delete really isn’t PI, even though it includes the consumer’s name, address, Social Security number, etc. It’s just not CCPA PI. Well, that’s certainly enlightened public policy, isn’t it?

See also: In Race to AI, Who Guards Our Privacy?  

It is difficult to claim the current and evolving laws and regulations governing consumer control over and data security of PI collected by insurers is inadequate. Yes, there have been security breaches among financial institutions covered by GLBA. That, however, is not the exclusive measure of effective security. The CCPA acknowledges that “reasonable” security efforts will protect a business from liability if unencrypted or unredacted PI is improperly accessed. Clearly, that also sends a message as to what the legislature thinks is a minimum standard for what is “reasonable.”

Not good enough.

The IIPPA, GLBA, the Privacy and Safeguards Rules of the FTC, the Department of Insurance Privacy Regulation and continuing initiatives by the FTC and the NAIC demonstrate a decades-long history of developing strong laws to protect the privacy of insurance consumers. Advocates for the CCPA would do well to remember that not every business is unregulated when it comes to information practices and give the IIPPA and subsequent laws a level of earned deference in today’s digital debate. Or, to quote Jacob McCandles (John Wayne) in the movie “Big Jake,” “If you can’t respect your elders, I’ll just have to teach you to respect your betters.”

The CCPA gathers headlines because it is intended to empower individuals and their efforts to control their own PI. When PI is shared, policymakers want to make certain it is shared transparently and securely regardless of where the PI goes. This is a response to the use of PI by very large international companies that occupy an outsized space in what is purported to be a competitive digital marketplace. They are also the companies most able to afford the increasingly complex data security environment throughout the world and who can pay very large penalties for non-compliance. Good for them. This new and complex environment is where policymakers in Sacramento should focus for the remainder of 2019 and next year, when CCPA 3.0 will roll out. Unfortunately, they won’t.