- Insurance renewal season is upon us. Now is the time to make sure your insurance coverages are aligned with your business needs over the coming year.
- Consumer privacy laws are changing and developing rapidly.
- Enhanced protections for consumers’ data, particularly biometric and sensitive personal information, have implications for a variety of businesses and industries.
- Colorado is and will likely continue developing laws that protect consumers’ personal information and may open businesses up to increased exposure to liability.
- Businesses must consider how these consumer privacy laws affect their operations, including aligning their insurance programs with their risk profiles.
As many businesses prepare to renew their insurance policies, considerations of consumer privacy rights ought to be top of mind.
The Colorado Privacy Act
Foley Hoag has previously written about the Colorado Privacy Act, or “CPA” (COLO. REV. STAT. ANN. §§ 6-1-1301 et seq), which was signed into law by Governor Jared Polis in July 2021 and goes into effect on July 1, 2023. See here and here. Many companies’ insurance programs for the 2023 policy year will be in place before the new law goes into effect. The CPA is meant to “empower consumers to protect their privacy and require companies to be responsible custodians of data.”
The CPA has significant implications for companies and their insurance programs. The law applies broadly to any entity that conducts business in Colorado (or “produces or delivers commercial products or services targeted to Colorado residents”), and meets one of the following two thresholds:
(2A) controls or processes the personal data of 100,000 consumers or more during a calendar year; or
(2B) derives revenues or receives a discount on the price of goods from the sale of personal data or controls the personal data of 25,000 consumers or more.
Consumer Rights and Compliance Obligations
Under the CPA, consumers have robust personal data rights that companies must help facilitate. Those rights include access to, and deletion of, consumers’ personal data; the right to correct inaccuracies; and the right to receive personal data in a way that makes it easy to transfer. The CPA requires companies to provide a privacy notice to consumers in “ways in which consumers normally interact” with it—such as having a notice on their website or through a mobile app. Companies must respond to any consumer data requests “without undue delay,” and within 45 days after the request is made, subject to a limited extension.
Companies have clear duties under the CPA regarding consumer privacy. They must take action to allow consumers to exercise their rights, employ security measures to protect the processing of personal data, and develop systems to notify consumers in case of a data breach. Companies must also specify the purposes for which they collect data. Data collection must be “adequate, relevant, and reasonably necessary in relation to the specified purposes.” Importantly, companies, as controllers of data, must take reasonable measures to secure personal data during both storage and use. In short, companies are accountable for the way they use and collect consumer data, as well as how they interact with and notify consumers regarding those processing activities.
As a practical matter, these requirements mean that companies subject to the CPA not already in compliance with the EU or UK General Data Protection Regulation (GDPR), or California’s privacy laws, will need to start taking steps to understand their data flows, build appropriate internal processes and governance mechanisms to locate and manage their data, and create compliant external and internal policies.
The CPA vests the Colorado Attorney General with rulemaking authority (similar to the CCPA and CPRA in California). In October 2022, the Colorado Attorney General submitted an initial draft of rules governing CPA implementation. Importantly, the draft rules require businesses to protect consumers’ biometric information by imposing both a consent requirement and a data minimization requirement: that is, permitting them to collect only that data reasonably necessary to fulfill the specific purpose for which a consumer has provided consent. 4 C.C.R. 904-3 (Rule 6.07). The comment period on the proposed rules will close on Feb. 1, 2023, at which point there will be a proposed rulemaking hearing. The rulemaking process could not only create additional specific obligations on organizations but also provide some insight into the Attorney General’s enforcement priorities.
And if companies do not comply? Although there is no private right of action, the law allows the state Attorney General and state district attorneys to enforce the law by bringing legal action in the name of the state.
Importantly, the CPA makes it clear that a violation of any of its provisions constitutes a deceptive trade practice and is thus actionable under the provisions of the Colorado Consumer Protection Act (“CCPA”). C.R.S. § 6-1-1311(1)(c). In Colorado, a person who engages in deceptive trade practices violates the CCPA and may be liable for a civil penalty of not more than $2,000 per violation, where a separate violation exists for each consumer whose rights have been violated. The upward limit stands at $500,000.
Impact on Insurance and Renewals
Colorado is among the vanguard of states creating comprehensive privacy laws to protect consumers’ personal information, including biometric data. With the enactment of the CPA and similar statutes around the country, businesses will inevitably face increased risk of liability. Insurance in the cyber and data security market is also evolving. While there remain many variations of cyber insurance available, some insurers are responding to minimize their exposure, such as by introducing exclusions relating to cyber incidents, including for violations of privacy or consumer protection data laws, increasing premiums and/or deductibles, imposing sub-limits, and non-renewing businesses altogether. In addition, underwriters are using increasingly stringent underwriting standards and imposing stronger risk management protocols on insureds as a condition of coverage. Therefore, as companies begin to assess their insurance needs over the coming months, questions concerning insurance coverage for possible data breaches and civil actions by the State, including for violation of the CPA and the CCPA, become an integral part of assessing and fortifying against risk.
What Can You Do?
- Work with a qualified independent insurance broker who understands your business and the ever-evolving cyber/data security marketplace.
- Start the renewal process early. Renewals often take longer than businesses expect.
- Affected businesses ought to inquire about cyber insurance coverage in the context of the CPA and other applicable laws and regulations. Consider what that insurance covers, the extent to which it may interplay with other insurance already provided under your insurance program, and understand the differences between first-party and third-party coverages provided.
- Gather a qualified team, including management, IT, risk management, finance, legal, and compliance, to assist with completely and accurately filling out the insurance application.
- Be prepared to fully and accurately answer insurance application questions and warranty statements. Insurers are asking detailed questions about data security, internal controls, and risk mitigation on the applications, which companies must understand and answer accurately to avoid jeopardizing coverage down the road.
- With the stakes of data breaches and related litigation increasing, expect increases in premiums, more onerous policy terms, higher deductibles, sublimits, and more insurance coverage disputes.
- Be on the lookout for new policy forms and endorsements being added during the renewal of existing policies.
- Be ready to negotiate terms to get a policy that works for your business, and don’t be afraid to shop around.
- Work with a qualified insurance coverage lawyer to help you navigate this process.