Key Takeaways:
- Insurance renewal season is upon us. Now is the time to make
 sure your insurance coverages are aligned with your business needs
 over the coming year.
- Consumer privacy laws are changing and developing rapidly.
- Enhanced protections for consumers’ data, particularly
 biometric and sensitive personal information, have implications for
 a variety of businesses and industries.
- Colorado is developing, and will likely continue to develop, laws
 that protect consumers’ personal information and may open businesses
 up to increased exposure to liability.
- Businesses must consider how these consumer privacy laws affect
 their operations, including aligning their insurance programs with
 their risk profiles.
As many businesses prepare to renew their insurance policies,
considerations of consumer privacy rights ought to be top of
mind.
The Colorado Privacy Act
Scope
Foley Hoag has previously written about the Colorado Privacy
Act, or “CPA” (COLO. REV. STAT. ANN. §§
6-1-1301 et seq), which was signed into law by Governor Jared Polis
in July 2021 and goes into effect on July 1, 2023. Many companies’ insurance programs
for the 2023 policy year will be in place before the new law goes
into effect. The CPA is meant to “empower consumers to protect
their privacy and require companies to be responsible custodians of
data.”
The CPA has significant implications for companies and their
insurance programs. The law applies broadly to any entity that
conducts business in Colorado (or “produces or delivers
commercial products or services targeted to Colorado
residents”), and meets one of the following two
thresholds:
(a) controls or processes the personal data of 100,000
consumers or more during a calendar year; or
(b) derives revenue or receives a discount on the price of goods
or services from the sale of personal data and processes or controls
the personal data of 25,000 consumers or more.
Those familiar with California’s comprehensive consumer
privacy laws (CCPA or CPRA) will note that there is no financial
threshold in Colorado’s law, thus narrowing its scope by
comparison. Companies should nevertheless be mindful that they
could quickly meet the personal data processing threshold merely
through the use of cookies on their websites. If the law does
apply, exceptions exist for protected health information, the
retention of de-identified data, and publicly known
information.
Consumer Rights and Compliance Obligations
Under the CPA, consumers have robust personal data rights that
companies must help facilitate. Those rights include access to, and
deletion of, consumers’ personal data; the right to correct
inaccuracies; and the right to receive personal data in a way that
makes it easy to transfer. The CPA requires companies to provide a
privacy notice to consumers in “ways in which consumers
normally interact” with it, such as a notice on their website or in a
mobile app. Companies must respond to any consumer data requests
“without undue delay,” and within 45 days after the
request is made, subject to a limited extension.
Companies have clear duties under the CPA regarding consumer
privacy. They must take action to allow consumers to exercise their
rights, employ security measures to protect the processing of
personal data, and develop systems to notify consumers in case of a
data breach. Companies must also specify the purposes for which
they collect data. Data collection must be “adequate,
relevant, and reasonably necessary in relation to the specified
purposes.” Importantly, companies, as controllers of data,
must take reasonable measures to secure personal data during both
storage and use. In short, companies are accountable for the way
they use and collect consumer data, as well as how they interact
with and notify consumers regarding those processing
activities.
As a practical matter, these requirements mean that companies
subject to the CPA not already in compliance with the EU or UK
General Data Protection Regulation (GDPR), or California’s
privacy laws, will need to start taking steps to understand their
data flows, build appropriate internal processes and governance
mechanisms to locate and manage their data, and create compliant
external and internal policies.
Upcoming Regulations
The CPA vests the Colorado Attorney General with rulemaking
authority (similar to the CCPA and CPRA in California). In October
2022, the Colorado Attorney General submitted an initial draft of
rules governing CPA implementation. Importantly, the draft rules
require businesses to protect consumers’ biometric information
by imposing both a consent requirement and a data minimization
requirement: that is, permitting them to collect only that data
reasonably necessary to fulfill the specific purpose for which a
consumer has provided consent. 4 C.C.R. 904-3 (Rule 6.07). The
comment period on the proposed rules will close on Feb. 1, 2023, at
which point there will be a proposed rulemaking hearing. The
rulemaking process could not only create additional specific
obligations on organizations but also provide some insight into the
Attorney General’s enforcement priorities.
Enforcement
And if companies do not comply? Although there is no private
right of action, the law allows the state Attorney General and
state district attorneys to enforce the law by bringing legal
action in the name of the state.
Importantly, the CPA makes it clear that a violation of any of
its provisions constitutes a deceptive trade practice and is thus
actionable under the provisions of the Colorado Consumer Protection
Act (“CCPA”). C.R.S. § 6-1-1311(1)(c). In Colorado,
a person who engages in deceptive trade practices violates the CCPA
and may be liable for a civil penalty of not more than $20,000
per violation (the per-violation amount was raised from $2,000 in 2019),
where a separate violation exists for each consumer whose rights have
been violated. The upward limit stands at $500,000.
Impact on Insurance and Renewals
Colorado is among the vanguard of states creating comprehensive
privacy laws to protect consumers’ personal information,
including biometric data. With the enactment of the CPA and similar
statutes around the country, businesses will inevitably face
increased risk of liability. Insurance in the cyber and data
security market is also evolving. While there remain many
variations of cyber insurance available, some insurers are
responding to minimize their exposure, such as by introducing
exclusions relating to cyber incidents, including for violations of
privacy or consumer protection data laws, increasing premiums
and/or deductibles, imposing sub-limits, and non-renewing
businesses altogether. In addition, underwriters are using
increasingly stringent underwriting standards and imposing stronger
risk management protocols on insureds as a condition of coverage.
Therefore, as companies begin to assess their insurance needs over
the coming months, questions concerning insurance coverage for
possible data breaches and civil actions by the State, including
for violation of the CPA and the CCPA, become an integral part of
assessing and fortifying against risk.
What Can You Do?
- Work with a qualified independent insurance broker who
 understands your business and the ever-evolving cyber/data security
 marketplace.
- Start the renewal process early. Renewals often take longer
 than businesses expect.
- Affected businesses ought to inquire about cyber insurance
 coverage in the context of the CPA and other applicable laws and
 regulations. Consider what that insurance covers, the extent to
 which it may interplay with other insurance already provided under
 your insurance program, and understand the differences between
 first-party and third-party coverages provided.
- Gather a qualified team, including management, IT, risk
 management, finance, legal, and compliance, to assist with
 completely and accurately filling out the insurance
 application.
- Be prepared to fully and accurately answer insurance
 application questions and warranty statements. Insurers are asking
 detailed questions about data security, internal controls, and risk
 mitigation on the applications, which companies must understand and
 answer accurately to avoid jeopardizing coverage down the
 road.
- With the stakes of data breaches and related litigation
 increasing, expect increases in premiums, more onerous policy
 terms, higher deductibles, sublimits, and more insurance coverage
 disputes.
- Be on the lookout for new policy forms and endorsements being
 added during the renewal of existing policies.
- Be ready to negotiate terms to get a policy that works for your
 business, and don’t be afraid to shop around.
- Work with a qualified insurance coverage lawyer to help you
 navigate this process.