Understanding California Proposition 24’s implications for businesses and insurers

Did you know your company’s privacy obligations may have changed? Privacy laws are continuing to develop in the United States.  California is the latest state to pass changes to its privacy legal framework.  

Proposition 24: California Privacy Rights and Enforcement Act

On November 3, 2020, California residents passed Proposition 24, also known as the California Privacy Rights and Enforcement Act of 2020 (“CPRA”).  The CPRA builds on California’s existing privacy laws and expands the regulations.  The ballot initiative does this by amending the California Consumer Privacy Act (“CCPA”).  For reference, the CCPA was passed in 2018 and went into effect on January 1, 2020.  The CCPA added to California’s existing data security breach notification laws.  The CCPA was landmark legislation that created numerous regulatory obligations for businesses and established a variety of privacy rights for residents.

The newly passed CPRA changes the existing laws in many ways.  It changes which entities are covered by the law, and the time period businesses have to fix violations before a penalty applies.  The new law adds provisions prohibiting covered businesses from retaining personal information for longer than reasonably necessary.  It also allows consumers to prevent covered businesses from sharing personal information, to correct inaccurate personal information, and to limit businesses’ use of “sensitive personal information.”  Additionally, the CPRA creates the California Privacy Protection Agency, which will impose fines for violations and further enforce California’s privacy laws.  Previously, enforcement was handled by the California Attorney General.

This is just a high-level overview of the changes the CPRA makes, and substantially greater detail is required to fully describe the complexities of the new law.  The CPRA added entirely new provisions and considerably changed the CCPA’s language through its amendments.  Eventual litigation should help clarify the interpretation of certain provisions and language.

Implications for Insurers and Businesses

Insurers may be impacted as covered entities themselves.  However, insurers will also likely see an increase in claims from insureds related to compliance violations.  Policies may or may not provide coverage for cyber claims related to privacy violations.  Cyber insurance policies, as well as more traditional property and liability policies, may be implicated by violations of the laws, though specific policy language will govern.

Businesses will undoubtedly be impacted by the CPRA.  While many businesses completely changed their privacy policies for the CCPA, they will need to comply with the new CPRA provisions as well.  For example, a covered business will need to ensure that appropriate consent is obtained in order to collect certain data.  Impacted businesses will also need to provide opt-out options for disclosing sensitive personal information for advertising or marketing purposes.  Compliance is especially necessary due to the development of the CPRA’s enforcement agency, which will likely increase enforcement actions with respect to all of California’s privacy laws.  Though compliance measures will come with costs, violations may be met with severe penalties.

Thus, entities that are located in California or do business in California need to be aware of their cybersecurity and privacy obligations.  Businesses can contact counsel regarding their CPRA obligations, as well as the implications of new privacy laws generally.

In summary

Privacy laws are seemingly in constant flux, and the CPRA is just the latest and most wide-reaching example.  We can expect the CPRA to set a standard for other states, especially given California’s influence on the technology industry.  Therefore, businesses and insurers involved in the field should continually evaluate the legal landscape and adapt their practices accordingly.