3 areas insurers must address for California Consumer Privacy Act compliance
With CCPA set to go into effect on Jan. 1, 2020, insurers should think about the data and operating challenges it presents.
The California Consumer Privacy Act of 2018 (CCPA), which becomes effective on Jan. 1, 2020, is one of the most comprehensive and far-reaching of the new privacy rules proliferating at the international, national and state levels. Through CCPA and similar initiatives, regulators want businesses, including insurers, to be able to protect the privacy and security of consumers’ data.
The implementation of CCPA compliance initiatives presents insurers with several data and operating challenges. With the act going into effect in just a few months, insurers need to focus on addressing three specific areas in particular:
- Over-retention of data. The legacy of over-retention of consumer information is presenting insurers with challenges in consistently and effectively disposing of consumers’ personally identifiable information. As part of a broader review of information life cycle management programs, insurers should review their data retention policies to align with CCPA requirements. A key question is whether data retention periods align with legal requirements or are based on other business rationales. Under CCPA, insurers are able to retain some information for legal or regulatory needs, but if they wish to keep other data for longer periods, they must be able to demonstrate a legitimate business reason for doing so.
- Third-party data. Understanding the flow of personal information across supply chains and securing collaboration among third-party partners to dispose of consumer information is proving to be a time-intensive process. The requirements of CCPA dictate that insurers be able to contact suppliers and other third parties with access to consumer data and direct them to dispose of such information when a legitimate request is made. This can be a challenging operational problem for many insurers that have complex supply chains. They need to establish contractual obligations with suppliers to enable insurers to respond to their legal obligations. Insurers with large networks of agents or independent brokers (which can number in the thousands) may face a major undertaking to determine what consumer information has been shared. This is all predicated on establishing a reliable inventory of third parties, which may be difficult given the complexity of the agent population but is fundamental to any subsequent analysis to determine which information has been shared with which third party.
- Data discovery. Insurers need to know where consumer data is within their organization, including how it is stored and how it can be obtained on demand. This requires a clear line of sight into where structured and unstructured data (from sources such as telematics and scanned policy documents) is kept. Scanning should be automated and systematic, with an eye to establishing a clear audit trail of locations and integration with other enterprise data management solutions such as data governance tools. Insurers also need to determine whether to configure existing technologies, which may be location-centric rather than consumer-centric in their scanning capabilities (a consumer-centric approach may require further investment).
Given the operational complexity of most insurers and the large quantities of data that insurers use in conducting their everyday business, the CCPA requirements may seem daunting. And, indeed, companies in all industries are pushing hard to meet the Jan. 1, 2020, deadline for CCPA implementation. However, insurers taking a holistic approach to CCPA and other privacy-related regulatory initiatives — redesigning processes and bringing effective workflow and discovery into play — can address regulators’ concerns while helping themselves move towards compliance with the ongoing emergence of similar regulations at the state and national levels.
Ben Shorten (benjamin.j.shorten@accenture.com) is the North America compliance transformation lead for Accenture’s finance and risk practice. The views expressed here are the author’s own.