This blog post is our third in a
multi-part series addressing what insurers need to know about the California
Consumer Privacy Act (CCPA).
Imagine this: You own a
successful string of sporting goods stores across California. Not only do you
sell goods directly, but you also finance large purchases to well-qualified
buyers and have a generous rewards program.
When customers log in to your
website, you gather personal information (e.g.,
name, email address, cell number, etc.). In order to participate in the rewards
program and/or obtain financing, customers must provide certain personal
information (e.g., home address and
phone, name of employer, Social Security number, etc.). In order to increase
revenue, your business sells some of this customer data to various affiliates
that are sporting organizations so they can contact your customers about
upcoming events and promotions.
You are able to continue selling
customer data because you complied with the CCPA’s opt-out and website requirements
before the effective date of January 1, 2020. Unfortunately, after January 1, you
accidentally sell all of your customers’ data, including that of customers who
opted out, and they all receive emails, mail, and/or texts regarding upcoming
sporting events in their area.
In anticipation of backlash
from customers due to your accidental sale, you locate your business’s Commercial
General Liability (CGL) policy and begin reading. Are you covered?
The CCPA subjects violators to
two types of penalties. First, under Cal. Civ. Code Section 1798.155(b), the
California attorney general may impose a civil penalty of not more than $2,500
per violation ($7,500 if intentional), pursuant to Section 17206 of the
California Business and Professions Code (Unfair Competition Law or UCL).
Second, under Cal. Civ. Code Section 1798.150, the CCPA grants consumers a
private right of action to obtain:
in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater;
or declaratory relief; and/or
other relief the court deems proper.
Most CGL policies likely will not
cover penalties sought by the California attorney general because, as a matter
of public policy, California prohibits insurers from providing coverage for any
claims brought under the UCL.
California courts may also
preclude coverage for penalties sought under sections 1798.155 and/or 1798.150
to the extent they do not constitute damages, as required by a CGL policy.
A typical CGL policy covers, in
relevant part, sums an insured becomes legally obligated to pay as damages
because of: bodily injury or property damage caused by an occurrence (Coverage
A), and personal and advertising injury caused by an offense (Coverage B).
Even if the statutory penalties could
constitute damages, the accidental sale of personal information likely would
not constitute bodily injury or property damage (although creative plaintiffs’
counsel may disagree). More likely, policyholders will argue that it
constitutes personal and advertising injury, defined in part as the “[o]ral or
written publication, in any manner, of material that violates a person’s right
In the event the accidental sale
constitutes a publication that violated customers’ rights to privacy, the “Recording
And Distribution Of Material Or Information In Violation Of Law” exclusion,
found in Coverages A and B, likely applies to bar coverage, among other
exclusions. Specifically, this exclusion precludes coverage for “‘personal and
advertising injury’ arising directly or indirectly out of any action or
omission that violates or is alleged to violate…[a]ny federal, state or local
statute, ordinance or regulation…that addresses, prohibits, or limits the
printing, dissemination, disposal, collecting, recording, sending,
transmitting, communicating or distribution of material or information.”
On its face, this exclusion
appears to apply to CCPA claims.
However, it is still too early to tell how the courts in California will
interpret the CCPA. For example, whether this exclusion applies to preclude
coverage for violations of Illinois’s Biometric Information Protection Act is
currently being litigated.
Should you have any questions
concerning CCPA coverage issues, please contact the authors for additional
information. Read Part One of
this post here and Part Two here.
Goldberg Segalla offers a comprehensive CCPA Compliance Package tailored to
your specific business. For more information on how Goldberg Segalla can help
you comply with the CCPA, please contact partner Marc S. Voses,
chair of the Cybersecurity
and Data Privacy Practice Group.
See Cal. Ins. Code Section 533.5; see also Mt. Hawley Insurance Co. v. Lopez, 215 Cal. App. 4th 1385, 1389 (2013); Allen v. Steadfast Ins. Co., CV 14-1218 JC, 2014 WL 12569527.
See Big 5 Sporting Goods Corp. v. Zurich Am. Ins. Co., 957 F. Supp. 2d 1135, 1155 (C.D. Cal. 2013), aff’d, 635 Fed. Appx. 351 (9th Cir. 2015) (holding that the civil penalties available under the Song-Beverly Act (Cal. Civ. Code Section 1747.08) to the California Attorney General and private citizens do not constitute damages under a CGL policy).
See Big 5, 635 Fed. Appx. 351 at 353 (precluding coverage for violations of the Song–Beverly Act under a similar “Statutory Violation Exclusion”).
Zurich Am. Ins. Co. v. Omnicell, Inc., 18-CV-05345-LHK, 2019 WL 570760 (N.D. Cal. Feb. 12, 2019).