Surety bond agencies and carriers hold a lot of their customers’ personal information. California presents the largest surety premium opportunity in the country with 2018 GWP of $902 million, dwarfing the next largest state by surety bond premium volume. Why do these two fairly obvious facts matter? Because the new privacy law in California expands requirements on businesses beyond anything previously seen by executives in the U.S.. Moreover,  the far reaching applications of the new law are extremely important for businesses who interact with California consumers to understand and abide by. . Now that the new California law is in effect, the Suretypedia team decided to dig into the new law for any implications for surety bond agents and carriers.

The California Consumer Privacy Act (“CCPA”), designed to boost the privacy rights of California consumers, was passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018. The CCPA is considered the strongest privacy law in the country and will have a far reaching impact on businesses including those based in other states.

Companies subject to CCPA are technically required to implement its requirements as of January 1, 2020 when the law became effective. However, the final compliance deadline is somewhat of a moving target. Enforcement actions by the California attorney general will be barred until six months after the publication of the final regulations or July 1, 2020, whichever is earlier. Further, California lawmakers began amending the CCPA almost immediately after its passage. As it currently stands there are many proposed amendments making their way through the California legislature.

Surety producers and carriers may hold personal information of their customers that falls within the scope of the CCPA. The Suretypedia team seeks to provide answers to many of the important questions facing the Surety industry since the passing of this law. 

Is my business subject to the CCPA?

The CCPA essentially applies to every for-profit business that collects and sells “consumer” personal information from California residents or discloses personal information for a business purpose with certain exceptions.

In consideration of the disproportionate impact compliance would cost small businesses, the law establishes certain thresholds that must be exceeded before a business must comply with the CCPA’s requirements. For the law to apply, a business must either have $25 million or more in annual revenue, possess the personal data of more than 50,000 “consumers, households, or devices” or earn more than half of its annual revenue selling consumers’ personal data. If any one of the three is true for your agency or carrier, then your business must meet the requirements of the law.

While the CCPA excludes some personal information covered by other California laws, such as the California Financial Information Privacy Act, and federal law, including the Gramm-Leach-Bliley Act , the CCPA expands existing laws to cover personal information disclosed/obtained during a commercial transaction. The point being, it is vastly important for surety agents and carriers to be knowledgeable of the laws surrounding data privacy to ensure they remain in compliance. 
 

As a surety operation, my end customers are usually businesses, so the law doesn’t apply to me, right?

Not necessarily. The CCPA’s definition of personal information is extremely broad and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This means that some information you may collect from a customer or client may be considered “personal information” covered under by the CCPA. Agents and carriers generally collect broad types of information about customers and clients that go beyond the information that is excluded from CCPA coverage, which will subject  them to the CCPA’s requirements. 

Please note the CCPA has been met with significant criticism and proposed legislation seeking to change or clarify its terms. Of specific interest to insurers and surety bond producers is Assembly Bill 981, which looks to eliminate a consumer’s right to request that an insurer delete or not sell personal information when the use of  this information is necessary to complete an insurance transaction on the consumer’s behalf. AB 981 would exempt insurance companies, agents and support organizations covered by the Insurance Information and Privacy Protection Act (“IIPPA”) from the CCPA, but the bill proposes integrating certain CCPA requirements into the IIPPA. Should the bill be passed, the effect of these laws would have important implications for the data surety agents, brokers and carriers can retain as they shop new and renewal quotes for their customers. 

Who is considered a “consumer” for purposes of the CCPA?

A “consumer” is defined as a natural person (not a legal entity) who is a California resident. This means that if you hold the personal information of other owners or officers of the business, spouses and co-signers, your list of California consumers is likely many multiples of your current and former list of bonds in-force. Also, the CCPA includes every individual in the state for other than a temporary purpose and every individual who is domiciled in the state who is outside the state for a temporary purpose. You read that right – the law covers California residents while traveling in other states giving the law very broad application. Moreover, even businesses domiciled outside of California providing services to California consumers are required to comply with CCPA unless they are exempt. 

What “personal information” is covered by the CCPA?

Personal information is defined very broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” It includes:

- Personal identifiers, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;

- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a California resident’s interaction with an internet web site, application, or advertisement;

- Geolocation data;

- Biometric information;

- Audio, electronic, visual, thermal, olfactory, or similar information;

- Professional or employment-related information; and

- Education information.

Yikes! You don’t have to run and retain credit reports or background checks for this law to apply. However, as discussed above certain information you collect may be excluded from personal information covered by the CCPA.

What are the main requirements of the CCPA?

To sum it all up, businesses should be aware of (and adhere to) the following requirements if the CCPA applies to them:

- If a covered business collects any “personal information” as defined by the CCPA it must be disclosed in a clear privacy policy available on the business’s website.

- If requested by a consumer, companies must delete a consumer’s personal information (with exceptions).

- If a consumer wants to know what data is being collected, the company must provide the consumer such information.

- Businesses are required to provide equal service and pricing even if consumers exercise their privacy rights under the Act regardless of consumer’s preferences about how their personal information is handled by the business

- Companies that sell consumer information must provide a clear and conspicuous link on the business’s homepage, titled “Do Not Sell My Personal Information” allowing consumers to opt-out of allowing a business to sell their information.

Is there any customer information my business can retain ?

Businesses are able to retain some information on behalf of the customers they service. Keep in mind, there are specific criteria a business has to meet to qualify for this exemption. The law states businesses can maintain personal data of their customer in the following circumstances:

- Personal information is needed to complete the transaction the information for which the information was provided, perpetuate the ongoing business relationship, or perform a contract between the business and consumer

- To detect security incidents or protect against malicious, deceptive, fraudulent or illegal activity

- Debug to identify and repair errors that impair existing intended functionality.

- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

- Comply with a legal or regulatory obligation.

- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

With this being said, surety agents, brokers and carriers should be able to maintain personal data as long as the information is needed to complete the transaction it was originally intended for or to comply with regulatory requirements. This would include processing quotes, underwriting accounts, sending renewal terms or any other service anticipated within the context of business’s ongoing relationship with the customer. 

What should I do to prepare if the CCPA applies to my business? 

If your business currently does not provide consumers with a privacy policy, make sure you include one on your website that meets the CCPA’s requirements (Sec 7, 1798.130 Paragraph 5). If you already have a privacy policy, ensure it is revised to include any of the new requirements that must be disclosed. 

To meet the law’s requirements, your business also needs to maintain a data inventory, which tracks the business’s processes, third parties, products, devices, and applications that process consumer personal data.

Your business must make available at least two designated methods for submitting requests for information to ensure consumers can exercise their rights to:

(1) request that the business delete any personal information collected
(2) request information about what information the business collects and what it does with the information; and
(3) not be discriminated against, 

At a minimum, your company must make available a toll-free telephone number and, if your business has a website, a website address.

The CCPA also requires covered businesses to protect personal data with “reasonable” security. As such, your business may have to take certain measures to address security threats to the confidentiality and availability of consumer personal data. 

Finally, the law requires that businesses properly train employees handling consumer inquiries so they are  informed of all of its requirements.