If you are doing business in California you might be unaware that the consumer privacy laws are becoming more stringent espcially if you are not domiciled there. Failure to adhere to these rules could lead to penalties of up to $7,500 per day. The good news is that it looks like companies will have until January 1, 2020 to comply.
The most common question I am getting from clients is how does this differ from GDPR? I am no expert so I will defer to the law firm of Cooley who have done a great synopsis on the Act that can be found here. Here is what they say are some of the differences:
- “Obtaining consent under Act differs from the methods required in the GDPR. The GDPR requires affirmative opt-in consent. Under CCPA, consumers need not opt in, but they can opt out of the sale of their personal information. The Act requires new opt-in consent only for the sale of personal information of individuals under the age of 16.
- ‘The GDPR requires companies to establish a legal basis for processing personal information. The CCPA does not require businesses to establish a legal basis in order to process personal information, and all processing is legally permissible (subject to some limitations such as opt-in for sale of information).
- ‘The CCPA requires a particularized disclosure process beyond what the GDPR requires. This means that compliance with the GDPR’s disclosure process would not necessarily constitute compliance under the CCPA.
- ‘The GDPR imposes limitations on cross-border data transfers and requires a legal basis for such transfer. The CCPA does not have any similar requirements.”*
What I see as one of the most important things to be aware of is that Cooley expects regulatory action in the US to be enforced at a more robust level then what we are currently seeing in the EU.
The interesting thing will be how Cyber Insurance carriers handle this. Will they increase deductibles for regulatory matters in CA much like we have seen with EPL? Will carriers offer a lower sub-limit for regulatory action? Will they have exclusions specific to CA or certain regulatory actions? All of this is to be determined but it is something to be aware of as this could become as the renewal process starts for early 2019 expirations. If you are doing business in CA your broker should be having these conversations with you.
*Cooley FAQ on CA Consumer Privacy Act – https://cdp.cooley.com/2018/08/02/california-consumer-privacy-act-faqs-1/#section-3