Insurance agencies take note: the California Consumer Privacy Act (CCPA) came into effect on January 01, 2020, setting a new bar for businesses that collect and share the personal data of Californian consumers. While some agencies’ commercial insureds should be paying attention to this law, agents themselves also have to understand how they could be impacted by the CCPA.
“[The CCPA] affects any business holding data on California citizens, plus they have to meet one of these three criteria. They have to be doing at least $25 million in annual revenue, have personal data on at least 50,000 California citizens, or collect more than half their revenue from the sale of personal data,” explained Becky Schroeder, chief marketing officer at Insurance Technologies Corporation (ITC). “What that means is you don’t have to be located in California to be affected by this law. As long as you’re doing business in California and have data on at least 50,000 of the state’s citizens, or if you collect more than half the revenue from the sale of data, you have to comply with this.”
What’s interesting in the law is its definition of selling data – it doesn’t just concern the exchanging of money for data. It’s selling, renting, releasing, disclosing, disseminating, making data available, transferring or otherwise communicating it orally, or by electronic or other means. This is a very broad definition that could impact insurance agencies, so their leaders should understand what the law defines as personal data.
“Names, emails, phone numbers, home addresses, security numbers, driver’s license numbers, [and] also IP addresses can be defined as personal data,” said Schroeder. “Just having 50,000 California citizens look at your website classifies you to comply with this law, so if it’s part of your marketing strategy to drive traffic to your website, just having them visit – not even filling out a form – counts towards it.”
The CCPA allows any Californian consumer to see what personal information is collected, used, shared or sold by businesses, as well as a full list of all the third parties with whom that personal data is then shared. Consumers have the right to delete any personal information held by businesses or third party service providers, and they’re also able to opt-out of the sale of personal information.
In light of this, there are a few things insurance agencies should be doing. Because this law creates the right to know, the right to delete, and the right to opt out, if a consumer calls an agency and says, “I want to know how you are collecting and using my data, where you’re getting it from, and who you’re sharing it with,” you have to respond to that request within 45 days, Schroeder told Insurance Business.
“Agencies need to create a process of how they’re going to receive these requests, how quickly they’re going to respond to these requests, and where they’re going to get all this information to provide to that consumer,” she continued. “Once you give them that information, the consumer then has a choice to [have] you delete that data. Now, you don’t necessarily have to delete it if you need that data to supply the agreed upon product or service.”
For insurance, if an agency needs that data to provide the policy, they don’t have to delete it, but the agent does have to make sure they’re communicating to the customer that they need the information to provide the insurance that has been requested.
Insurance agencies should also update their privacy policies if they have one on their website by making it clear what data they’re gathering and including the description of the rights that California’s citizens have under the CCPA. Moreover, they have to have a webpage on their website that gives consumers the ability to notify the agency that they are opting out of the sale of their data.
“For anybody who wants to request any of this information, provide a toll free number, provide a form on your website to make sure that you are giving them a way to contact you to get this information,” said Schroeder.
