A robust new California privacy law requiring transparency and disclosure on how insurance agencies and large broker-dealers collect and use personal data and how they delete that information will go into effect Jan. 1, 2020.
“Companies doing business with Californians, even those located outside California, may need to start planning to comply with the new law, even if they are already compliant with other U.S. and European privacy laws,” an alert from the law firm of Eversheds Sutherland warns.
The California Consumer Privacy Act of 2018 (CCPA) will affect more than half a million U.S. companies, according to the International Association of Privacy Professionals.
As Eversheds Sutherland notes, CCPA arrived on the heels of the expansive consumer protections offered by the European General Data Protection Regulation (GDPR), “and echoes key GDPR concepts such as enhanced transparency and disclosure obligations regarding personal data.”
CCPA was signed into law in late June, but companies are still figuring out how the complex law will apply to them.
Covered employers include companies in one of three categories: those with annual gross revenues of more than $25 million; those storing the personal information of at least 50,000 consumers, households or devices; or those earning at least half of their annual revenues from selling consumers’ personal information.
This could conceivably include large insurance agencies. It will also apply to all residents in California, in general, so employers should be prepared to apply protections to any employee who lives there, according to retirement industry professionals.
Members of the Insured Retirement Institute “take data privacy issues seriously,” Dan Zielinski, spokesman for the annuity trade group, told ThinkAdvisor on Friday. “The new California law is complex and the industry is studying the requirements and implications closely. We expect that the implementation process will contain opportunities for California regulators to make further clarification and refinement and we will be monitoring this effort.”
The California law could influence policies nationwide, as experts have noted.
The Senate has already begun considering the effect of the new law as well as the sweeping data management regulation instituted in the European Union by holding a hearing Oct. 10.
While CCPA currently covers California, “large companies will soon have to offer similar rights to all Americans,” said the chairman of Californians for Consumer Privacy, Alastair Mactaggart, who testified before a Senate Commerce Committee panel earlier this month.
“How on earth are they going to tell a New Yorker or a Texan that what’s good for a California consumer is out of reach for another state’s residents? It’s time for these companies to provide transparency and choice to all consumers, and if Congress is considering a national law, then California’s must be the minimum standard,” Mactaggart stated.
According to a summary of the legislative language of AB 375, consumers have the power to demand a business disclose the categories and specific pieces of personal information it collects about them, where the information comes from, the purposes for collecting it and selling it and the third parties with whom it is shared.
In addition, businesses would have to delete personal information upon request from consumers and allow them to opt out of the sale. The act also prevents discrimination or financial charge for any such request.
— Check out Have Questions about the GDPR? on ThinkAdvisor.