select
This is a tooltip for the edit command button
Elizabeth Tosaris, Esq.
Elizabeth Tosaris, Esq.
MICHELMAN & ROBINSON, LLP
(415) 882-7770
View Profile

CCPA REGULATIONS - AN UPDATE ON THE COMMENTS
AND PREDICTIONS FOR THE FUTURE

On February 7 and again on February 10, 2020,  the California Attorney General released revised regulations that make a number of changes to the originally proposed regulations.  A comparison of the original and revised regulations is available at:  www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-mod-redline-020720.pdf

It is likely that the insurance industry (as well as others) will have further concerns and comments concerning the revised regulations. Comments on the revised regulations were due February 25, 2020.  

On January 1, 2020, the landmark legislation known as the California Consumer Privacy Act of 2018 (“CCPA”) went into effect.  The CCPA provides groundbreaking protections for consumers in their ability to control the use of their personal data, and is intended to ensure the rights of Californians to (1) know what personal information is being collected about them; (2) know whether their personal information is sold or disclosed and to whom; (3) say no to the sale of personal information; (4) access their personal information; and (5) receive equal service and price, even if they exercise their privacy rights.  The California Attorney General is authorized to bring enforcement actions and set penalties pursuant to the law.  And, as part of the implementation -- and later enforcement -- of the law, the Attorney General is also charged with promulgating interpreting regulations on or before July 1, 2020.  The CCPA also provides a private right of action for consumers, with statutory damages, for violations of the security requirement that result in an unauthorized disclosure of personal information.  

Among other things, the CCPA applies to any entity doing business in California that has gross revenues in excess of $25 million per year.  This broad definition means that many insurers-- as well as other many other types of business-- fall within the scope of the law.   Although the CCPA also has an exemption for information that is already subject to certain federal laws, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (“HIPAA”), these other privacy laws and the CCPA are separate legal frameworks with different scopes, definitions, requirements, rights and remedies.   Accordingly, there are aspects of the CCPA that almost certainly will impose new or different requirements on insurers.  For this reason, the insurance industry hopes that the implementing regulations will give greater certainty to the standards and requirements of the CCPA. 

 

Last fall, the Attorney General released 24 pages of draft regulations (the “Regulations”) for comment.  Given the stakes, it is not surprising that the insurance industry, as well as many other industries, provided copious comments on the Regulations.  Insurer trade organizations were among the commentators, and these trades represented most lines of insurance business, including life, health, workers compensation, title and as well as property and casualty more generally.  Other related industries, such as insurance claims professionals, also submitted comments.   

Notably, comments across many industries, including insurance, pointed to the fact that the Regulations in many instances only raise more questions or issues about the interpretation and application of the law.  A common theme was that the Regulations, or even the CCPA itself, does not consider the specifics of how a particular industry operates.  These comments explained how the Regulations were at odds with standard business practices and pointed out how ambiguity will remain despite the Regulations.   This was a concern shared by many in the insurance industry. 

In some cases, insurance commentators thought the Regulations would exacerbate ambiguities in the CCPA.  For example, there were comments regarding the meaning of “consumer” as defined in the CCPA and a “typical consumer” as defined in the Regulations.   In some cases, the commentators suggested that additional regulations are needed to address areas that still lack clarity.  

Many commentators were concerned that the Regulations would create the threat of consumer harm.  For example, the health sector was concerned that the interplay between consumer rights under the CCPA and patient rights under other laws (such as HIPAA) would lead to confusion and adverse results for both patients and consumers.  The Regulations’ consumer notice requirements were of special concern in light of the many other notice requirements already in place for insurers.  Several comments on this issue asserted that the possibility of an overly lengthy and consumer unfriendly notices to insureds is very real, and also noted that the customers who are inundated with information tend simply to ignore it.   Another example of the potential for consumer harm was the Regulations’ instruction to treat customers as if they had opted out in cases where the notice of the customer’s right to opt out was not posted.  The unintended consequence could be that these consumers would no longer have certain products or services available to them. 

Some commentators referenced the chilling effect that the Regulations could have on their business as a whole.  These commentators pointed out that the Attorney General had acknowledged that the Regulations would impose a number of significant reporting, recordkeeping and other requirements on the businesses subject to the CCPA.  As further support for this point of view, insurance commentators pointed to the Attorney General’s own Standardized Regulatory Impact Analysis (SRIA) which estimated the cost of businesses to operationalize the Regulations in the millions if not billions of dollars. 

Other commentators asserted that the Regulations as drafted exceeded the Attorney General’s authority.  There were several theories supporting these objections.  One theory was that the Regulations imposed rules beyond what is contemplated in the CCPA, and examples of this were the imposition of an opt-out requirement even on businesses that do not sell consumer personal information.   Another example was the expanded record-keeping requirements on business that buy or receive personal information from more than four million consumers annually, a requirement that several commentators thought surpassed the mandate in the CCPA.  The lack of authority objection was also based upon extraterritoriality theories.  An example of this was the statement that the revenue thresholds for the application of the CCPA should be limited only to California revenues.  Finally, one commentator on workers compensation issues noted that the regulations should give deference to the workers compensation laws already adopted by the Legislature and the regulations promulgated under this plenary authority. 

In the Notice of Proposed Rulemaking, the Attorney General asserted that he had determined that there were no existing regulations that address the specific subject matter of the proposed Regulations. One insurance commentator questioned the accuracy of this assertion, noting that California Department of Insurance (“CDI”) regulation already covers much of the subject matter of the Regulations.  This commentator suggested it would be more effective to charge regulators that already oversee industries with enforcement of the rules relating to that industry.   In particular, the commentator suggested that the CDI should retain oversight of the insurance industry.

Businesses expect the Attorney General will respond to the comments by issuing revised regulations prior to July 1, 2020. Many commentators raised concerns about the timing of the implementation of the regulations, noting that the regulations might take effect simultaneously with or extremely close in time to the Attorney General’s ability to enforce.  These commentators were concerned that the timing would lead to an impossibly short ramp up time for insurers to make the sweeping technology and other operational changes that might be required in order to comply with the Regulations.  One insurer trade association suggested it would be reasonable to incorporate a two-year period from the finalization of the regulations to the date that compliance was required.  Another trade floated the notion of an effective date set 18 months from the final issuance of the regulations.

The California Administrative Procedure Act (“APA”) sets out the steps for finalizing a regulation.  Pursuant to the APA, once the Attorney General has finalized the Regulations, they are submitted to the Office of Administrative Law (“OAL”).  The OAL will review the rulemaking record to ensure that the agency satisfied the requirements of the APA and OAL’s Regulations and then either approve or disapprove the rulemaking action.  In the past, interested parties have launched challenges to the OAL’s review of rulemaking files.  Any challenges at this point in the process could halt the implementation of the Regulations in the first place.   Even after OAL approval and filing with the Secretary of State, the APA still provides several grounds for challenging a regulation in court.  Court challenges to the Regulations would likely be based on a failure to comply with the APA’s standards for necessity, authority, clarity, consistency, reference or nonduplication.

The number of comments on the Regulations, and the complexity of the issues these comments raise, hint strongly that serious issues will remain even if the Attorney General issues a new set of Regulations before July.  This possibility raises the very real specter of litigation to address the concerns.  There is certainly precedent for this in California:  CDI regulations on various topics over the years have been challenged, even where the CDI regulations were limited to just one line of business, or at most, to the insurance industry.  The Regulations cover multiple industries doing business in the state, and quite a few industries raised concerns in their comments, which only increases the chances of a challenge.  If some business outside the insurance industry challenges the Regulations, the challenges could still impact every industry that is subject to the Regulations, including insurers.

In the past, even in the more limited context of CDI regulations, some of the court challenges to regulations resulted in years of litigation and multiple amendments to the regulations.  During the pendency of such litigation, the courts have authority to suspend the regulation pending a decision on the merits.  If past is prologue, then it could be years before the CCPA regulations can truly be considered settled.  Insurers should prepare themselves not only for whatever version of the regulations are in effect on July 1, 2020, but also for the likelihood that even then the rules will be far from certain.

 

 

 

References