Can Violations of the California Consumer Privacy Act Be Insured?

By Kathryn Ashton | February 4, 2020

The California Consumer Privacy Act of 2018 (CCPA) took effect on Jan. 1 and compliance departments across the United States now have some work to do. This is especially relevant for insurance companies that insure countless businesses for regulatory liability risks.

Kathryn Ashton

With CCPA, Californians are guaranteed the right to know what personal information is being collected from them, whether such information is sold or disclosed and to whom, the right to request deletion of their personal information, and the right to opt out. There is much talk about how insurers will comply with this law as businesses that collect personal information, but insurers may also be asking whether they can or should be insuring their clients against CCPA violations. Because it may be difficult for some companies—especially large businesses that have numerous established data systems—to achieve CCPA compliance, this could translate into costly claims for insurers.

Enforcement of the CCPA will be done by the California attorney general, who may seek financial penalties and mandate a stop to any practice deemed to be in violation of the act. Perhaps the biggest unknown is whether carriers will be allowed to insure clients against the attorney general’s enforcement efforts. This is worth some analysis and consideration, especially because, as a matter of public policy, the state of California already prohibits insuring actions brought by its attorney general to recover fines, penalties, or restitution from a policyholder for violations of the Unfair Competition Law (UC) or the False Advertising Law (FAL), both of which are consumer protection acts. This prohibition extends to the insurer’s right and duty to investigate, defend, settle, negotiate, or pay any aspect of such claims, as specified under California Insurance Code section 533.5(c). Currently this statute is limited only to precluding insurance for actions brought by state agencies under the UCL or FAL. But, as a consumer protection act, will the CCPA eventually be added to Section 533.5 or will the statute be construed so as to preclude insuring enforcement measures by the A.G.?

Section 533.5 was passed in an attempt to address problems the Attorney General’s Office encountered in attempting to enforce the UCL and the FAL. These problems could foreshadow similar concerns with the CCPA; specifically, according to the A.G.’s report advocating for Section 533.5, in instances where the state agencies sought to enforce the UCL and FAL against non-compliant businesses, such businesses simply tendered the actions to their insurers. “The public entity then found itself litigating with an insurance company, ‘rather than the individual whose conduct violated provisions of the Business & Professions Code.'” (Mt. Hawley Ins. Co. v. Lopez, 215 Cal.App.4th 1385, 1403 (2013), quoting Office of the Attorney General Statement on AB 3920 before the Assembly Committee on Finance and Insurance (1989-1990 Reg. Sess.) Apr. 19, 1988.)

Such cases, according to the Office, “became ‘impossible to settle because the defendants refuse[d] to make restitution of unlawfully obtained property or to pay any civil penalty out of their own funds,’ and law enforcement agencies would not accept any settlement ‘paid by the insurer because such a settlement does not impose any penalty for unlawful conduct directly on the defendant…'” (Ibid) Section 533.5 was enacted to hold individuals personally accountable and to prevent the action from becoming a dispute between a public entity attempting to deter certain behavior, and the insurer of the non-compliant business, leaving such business as a negligible participant in the proceeding with little to no personal risk.

California courts recognize that where a statute or law is intended to serve a deterrent purpose, permitting insurance to pay sums intended to modify behavior undermines the legislature’s goals. Moreover, where a penalty is imposed, such sum is not damages intended to compensate for loss incurred, but rather a sum imposed to curb behavior. Accordingly, if the attorney general can only seek penalties and injunctive relief against businesses that violate the CCPA, it is reasonably foreseeable that Section 533.5 could be amended or construed by a court to extend to such enforcement actions, thereby, prohibiting coverage for such risks.

The bottom line: While Section 533.5 does not presently preclude coverage for enforcement of the CCPA, that could change if the attorney general finds its efforts hampered or less effective because of insurance.

Although California often leads in these types of consumer protection laws, other states are beginning to follow suit, making compliance with such laws by companies conducting business on a national level much more challenging. Furthermore, the present version of CCPA may not be the last; there is a ballot initiative in California seeking to impose a far more arduous version of CCPA.

While California has long recognized the freedom of parties to contract as they see fit, it has also consistently prohibited parties from contracting around its own public policy objectives. The CCPA is untested and as businesses evolve to comply with its mandates, the insurance industry will similarly have to navigate through unknown territory. In choosing whether to insure such risks and deciding how to respond to actions under the CCPA against policyholders, insurers should bear in mind the tension in California law between an individual’s freedom to contract and the Legislature’s public policy objectives.

About Kathryn Ashton

Ashton is a partner at the international law firm Clyde & Co. in San Francisco.

Was this article valuable?

Here are more articles you may enjoy.