GDPR Meet CCPA

Not long ago a law was passed that fundamentally changes consumer privacy expectations. It forces companies to reveal what data they collect. It gives users the right to delete that data and prevent its sale. Companies will be required to explain how they handle user data and list the categories of personal information that the company has collected, disclosed or sold within the previous year. For those of you thinking GDPR, General Data Protection Regulation, think again. The law I’m referencing is the California Consumer Privacy Act (CCPA), set to begin Jan. 1, 2020, and about to turn privacy regulation in the United States on its head.

Privacy advocates, and those who deal with privacy issues, see the California law as marking a sea change in the way privacy will be regulated in the United States going forward. In a recent Insurance Journal article (“Cyber Alert: New Era in Privacy Liability to Begin. California’s Data Privacy Law Could Be Game-Changer”), Judy Selby, principal at Judy Selby Consulting LLC, an insurance and privacy advisory services firm, explains: “One of the reasons the CCPA will be a big game changer is because it applies to an unexpectedly broad range of data, even when compared with other privacy regulations… .” For example, under the CCPA, personal information is defined as information that can be linked, directly or indirectly, with a particular consumer or household. “That information includes browsing history, products and services purchased or considered, inferences that create a profile reflecting personal abilities, aptitudes and attitudes, audio, electronic, visual, thermal, olfactory information and a variety of other types of information not previously captured by US privacy laws,” Selby said.

Importantly, the law gives people the opportunity to opt out of the sale of their data. It requires companies to stop selling people’s data upon request at any time. Moreover, it rips apart the time-honored method of burying rights in a privacy policy, stating there must be a “clear and conspicuous” place to click on a website titled: “Do Not Sell My Personal Information.”

The law broadly defines what is meant by “sell.” It covers numerous actions including “disclosing, disseminating, making available, transferring” personal data, and more. That means companies that defend themselves by saying they do not sell user data will need to change their practices as well.

One other little point to note: the penalties imposed under the law are to be used to fully offset the costs incurred by the state courts and Attorney General in connection with enforcement of the law. That provides a rather substantial rationale for being aggressive in going after companies, and aggressive enforcement is likely to be precisely what happens.

As you might expect, the law will likely be a windfall for lawyers and insurers (assuming they get their rates right). It will also in the near term make litigation and settlement costs far less predictable. But its biggest impact may be in how it affects what other states do, and ultimately, whether it forces interest in a substantive national privacy regulation, as a patchwork approach through individual states becomes too unworkable for businesses. Keep an eye on this.

By Tom Davis, SDI Cyber Risk Practice

July 30, 2019
