
Why California Businesses Need a CCPA Insurance Policy


Signed into law in June 2018, the California Consumer Privacy Act (CCPA) held businesses to a new standard when handling consumers’ personal information. On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which amends and expands the CCPA; most of its provisions took effect on January 1, 2023. Businesses and consumers need to know how the amended law affects them.

Many business owners may now face more extensive exposure, including lawsuits and fines, resulting from the misuse of consumer data. It’s more important than ever that they protect their organizations with a cyber insurance policy that acts as a CCPA insurance policy.

Consumers’ Personal Information: Why It Matters


Consumers’ information and data are a hot commodity, used for a number of reasons. Many companies use it to tailor marketing campaigns, improve products, and more. However, in the past, many businesses sold or disclosed information they collected without consumers’ knowledge. For example, in a 2018 deal in which GlaxoSmithKline invested $300 million in 23andMe, the genetics testing company gave GSK access to its customers’ genetic data to help GSK develop new drugs.

The use of consumers’ personal information is increasingly regulated. While this trend is considered a win for individual privacy, it also presents a number of challenges and exposures for business owners, and changes how insurance companies measure risk.

What Constitutes Personal Information?

The definition of personal information is somewhat broad. Personal information may include:

  • Name, physical address, and email address
  • Demographic information
  • Social Security number
  • Driver’s license or passport number
  • Personal property records
  • Online activity and browsing history
  • Geolocation, employment, and education data

As consumers’ online activity evolves, the definition of personally identifiable information (PII) will continue to evolve as well.

CCPA vs. CPRA: What’s the Difference?

In order to understand the CPRA’s new regulations, we must first understand its predecessor, the CCPA.

California Consumer Privacy Act

The CCPA entitled any California resident to know what personal information a business had collected about them, including what it had disclosed to third parties, and to request its deletion. It also gave consumers a private right of action, but only for data breaches caused by a business’s failure to maintain reasonable security; other violations were enforced by the California Attorney General, who could act even when no breach had occurred.

This law applied to for-profit businesses doing business in California that had more than $25 million in annual gross revenue, bought, sold, or shared the personal information of 50,000 or more consumers, households, or devices, or derived 50 percent or more of their annual revenue from selling personal information. (The CPRA raises the second threshold to 100,000 consumers or households.)

California Privacy Rights Act of 2020


Following the November 2020 vote, companies face larger fines and penalties: the CPRA triples the maximum administrative fine, to $7,500 per violation, when the personal information of consumers under 16 is involved, and creates a dedicated regulator, the California Privacy Protection Agency, to enforce the law alongside the Attorney General. Under the CCPA, a business had 30 days to cure a violation before the Attorney General could bring an enforcement action. The CPRA removes that guaranteed cure period, so penalties can be assessed without the business first being given a chance to fix the problem.

The burden is on the company to ensure it’s properly protecting consumer data, implementing appropriate security procedures, and being appropriately clear with consumers. Business owners must be transparent about how they collect, store, and use a consumer’s PII.

Under the CPRA, consumers have more control than ever over the ways businesses use their personal data. They are entitled to know about, and opt out of, the sale or sharing of personal information, obtain a copy of the information collected about them, correct inaccurate information, limit the use of their sensitive personal information, and sue for statutory damages when a breach caused by inadequate security exposes their information. That private right of action now also covers a breach of an email address together with a password or security question that would permit access to the account.

As businesses face more exposure, it’s important they have CCPA insurance to ensure protection against any potential claims.

CPRA Compliance


Varonis offers recommendations on preparing for CCPA compliance that apply equally to the CPRA:

  • Identify and classify data assets.
  • Locate all personal information.
  • Check access permissions.
  • Adjust permissions as needed.
  • Limit those who have access to the data.
  • Archive or delete unnecessary data.
  • Create a program to monitor data against threats.
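As an added, stand-alone illustration of the discovery and permission-review steps above (this is not Varonis’s or ProWriters’ code), the following Python script walks a directory tree, looks for a few kinds of personal information using simplified regular expressions, flags any matching file that is readable by group or other, and tightens those files to owner-only access. The detectors, the “owner-only” policy and the sample files it builds are assumptions made for the example; a real deployment would use a proper data-classification ruleset and the organization’s own access model.

```python
import os
import re
import stat
import tempfile

# Simplified detectors for a few categories of CCPA/CPRA personal information.
# These are illustrative regexes (an assumption for this example), not a
# production classification ruleset.
PII_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # California driver's license format: one letter followed by seven digits.
    "ca_drivers_license": re.compile(r"\b[A-Z]\d{7}\b"),
    "us_phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
}

# Policy assumed for this audit: files holding personal information should be
# owner-only, so any group/other read or write bit counts as "over-shared".
OVERSHARED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def classify_text(text):
    """Return {category: match_count} for every PII category found in text."""
    counts = {}
    for name, pattern in PII_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            counts[name] = n
    return counts


def audit_tree(root, max_bytes=1_000_000):
    """Locate personal information under root and record each file's mode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.stat(path)
                if st.st_size > max_bytes:  # skip large binaries in this demo
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            categories = classify_text(text)
            if not categories:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "categories": categories,
                "mode": stat.S_IMODE(st.st_mode),
                "overshared": bool(st.st_mode & OVERSHARED_BITS),
            })
    return findings


def remediate(findings, root):
    """Restrict over-shared PII files to owner read/write; return paths changed."""
    changed = []
    for f in findings:
        if f["overshared"]:
            os.chmod(os.path.join(root, f["path"]), stat.S_IRUSR | stat.S_IWUSR)
            changed.append(f["path"])
    return changed


def build_sample_tree():
    """Create a throwaway directory of constructed (fake) records for the demo."""
    root = tempfile.mkdtemp(prefix="ccpa_audit_")
    samples = {
        "hr/applicants.csv": "name,ssn,email\nJane Roe,123-45-6789,jane.roe@example.com\n",
        "marketing/leads.txt": "Call 555-010-2000, CA DL A1234567\n",
        "docs/readme.txt": "Nothing personal in here.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "hr/applicants.csv"), 0o644)   # world-readable
    os.chmod(os.path.join(root, "marketing/leads.txt"), 0o600)  # owner-only
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit_tree(root):
        flag = "OVER-SHARED" if f["overshared"] else "ok"
        print(f"{f['path']:24} {oct(f['mode']):6} {flag:12} {f['categories']}")
    print("tightened:", remediate(audit_tree(root), root))
```

Run as-is it builds the sample tree in a temporary directory, reports the two files that contain personal information (the world-readable HR export and the owner-only marketing notes), and then restricts the HR export to mode 0600. Pointing `audit_tree` at a real file share turns the first three Varonis steps into a repeatable inventory, and `remediate` into an auditable change; archiving or deleting stale data and ongoing monitoring are separate steps this example does not cover.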

While businesses located outside California may think the CPRA doesn’t apply to them, they’re not entirely in the clear. Even if headquartered outside of California, any business that collects California residents’ personal information and meets the revenue or volume thresholds above needs to make sure it is compliant.

Three Tips to Keep Information Secure

Whether your clients are subject to the CPRA or not, data security should be a priority for every business owner. Steps your clients should take to protect themselves include:

  • Use Secure Passwords.
    Attackers use cracking tools that can test billions of guesses per second against stolen password hashes, along with lists of passwords leaked from other sites. Length matters more than character mix: a long passphrase is far harder to guess than a short password padded with symbols. Use a unique password for every account, keep them in a password manager, and turn on multi-factor authentication wherever it is offered.
  • Update All Software Regularly.
    Yes, these updates can be pesky and repetitive, but they’re happening for a reason. Updates patch known security flaws, many of which attackers begin exploiting within days of disclosure. Apply them promptly, prioritizing internet-facing systems and flaws known to be exploited in the wild, and automate the process where possible so nothing is missed.
  • Create a Culture of Cyber Awareness.
    Cyber attacks are all too often the result of human error. Regular training, phishing simulations, and a clear, blame-free way to report suspicious messages will help your clients avoid phishing attacks and the ransomware that often follows them.

Above all, your clients need to ensure they have cyber or CCPA insurance so they’re covered in the event their organization does suffer a cyber attack, which, unfortunately, is a realistic possibility for any business.

Protect Your Clients With ProWriters

As you’ve now seen, the CPRA will affect the insurance industry in a number of ways because of the new exposures business owners now face. While social engineering attacks and ransomware demands have been at the forefront of cyber threats, CPRA compliance claims bring a new risk your clients will need to consider.

With cyber insurance coverage, your clients can be confident they’re protecting consumers and themselves from potential claims.

To help your clients better understand their exposure, download our FREE eBook, Cyber Exposure: What’s the Real Cost?

To speak with a ProWriters expert, contact us or call us at (484) 321-2335.
