As businesses everywhere rush to comply with the California Consumer Privacy Act (“CCPA”), which became effective January 1, 2020, insurance companies find themselves in a particularly precarious position because of the sheer amount of information they collect. All aspects of insurance—from accepting an application to underwriting to handling a claim—involve processing, transferring, and storing consumer information. While life and health insurance companies may collect different information than, say, property and casualty insurers, the collection and dissemination of consumer information permeates the industry, which makes the CCPA and its extremely broad definition of protected “personal information” troublesome for all insurance businesses.

CCPA compliance may be especially problematic for those insurance companies looking to take advantage of the efficiencies that Big Data and new technology have to offer, as they may collect information that is not covered by other privacy laws. This distinction is important because information collected pursuant to laws that have traditionally applied to insurance companies, such as the Gramm-Leach-Bliley Act (“GLBA”), the California Financial Information Privacy Act (“CFIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the Fair Credit Reporting Act (“FCRA”), is exempt from the CCPA. The CCPA does not, however, provide insurance companies with an industry-wide exemption or provide financial institutions subject to the GLBA with an entity-wide exemption,[1] which means that insurance companies that meet certain threshold requirements and collect personal information from California residents in certain situations will have to comply with the law in some form or fashion. Understanding the scope of the applicable exemptions will be critical for insurance companies to recognize their compliance responsibilities under the CCPA.