California Consumer Privacy Act of 2018 (CCPA) – Update to the LMA Model Wording Notice

In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act of 2018 (CCPA) and added new additional privacy protections with effect from 01 January 2023. This has resulted in a revision of the notice previously published.

Underwriters should carefully review the LMA9191A to confirm it is accurate for their placements on which it will be used. The key items that are new to the amended CCPA are as follows:

Business-to-business data. Personal information collected in business-to-business communications or transactions was largely exempt from CCPA prior to the law’s amendment. Such information, which could include information about the owner, employees, or agents of a commercial insurance applicant, is now fully subject to the law.

Information collected online. The LMA9191 did not address personal information that Underwriters may have collected through their website or other online interactions with California consumers.

“Sales” and “sharing” of personal information. The term “sale” is defined broadly under CCPA and covers any transfer of personal information to a third party where the third party’s use of the information is not restricted by written contract. A common example is the use of third-party cookies on websites. “Sharing” is making personal information available to a third party for cross-context behavioural advertising, for example, through online advertising cookies. Underwriters should confer with their brokers and cover-holders to assess whether they engage in any activities that might be considered “sales” or “sharing” of personal information. If they do, they will need to explain (i) that the Underwriter sells or shares personal information and (ii) how a consumer can opt-out of the sales or sharing. Underwriters who do sell or share personal information should also work with their brokers and cover-holders to ensure that they are able to comply with the other sales and sharing requirements of CCPA, including having a functioning method for receiving and processing requests to opt-out of sales and sharing.

Sensitive personal information. California consumers have the right to limit the use and disclosure of sensitive personal information. If an Underwriter will use or disclose sensitive personal information for purposes beyond those described in the “Personal Information We Disclose” section, they will need to update to (i) state that sensitive personal information will be used or disclosed for other purposes and (ii) explain the right to limit the use and disclosure of sensitive personal information in the “Your Rights” section. Most Underwriters likely use and disclose sensitive personal information only for the purposes described in the “Personal Information We Disclose” section and will not need to make changes.
Those Underwriters who do use or disclose sensitive personal information for other purposes can use the following language to describe the right to limit:

Right to Request to Limit Use and Disclosure of Sensitive Personal Information. You have the right to request that we limit our use and disclosure of sensitive personal information.

Underwriters who do use or disclose sensitive personal information for other purposes should work with their brokers and cover-holders to ensure they are able to comply with the other sensitive personal information requirements of CCPA, including having a functioning method for receiving and processing requests to limit.

Retention. Businesses are required to explain in their privacy policy either (a) the length of time that the business intends to retain each category of personal information that it collects or (b) the criteria used to determine the retention period. LMA9191A includes a generic description of criteria commonly used to determine retention periods. This description should be reviewed and updated as appropriate to ensure it is accurate.

Brokers and/or Managing Agents endorsing LMA9191A to Binding Authority Agreements should recommend to the cover-holder that the California Privacy Notice – LMA9191A, or any amended document or documents relating to the collection and sharing of personal information, as described, is added to their website. In addition, the cover-holder should be made aware that the notice must be provided to any prospective insured prior to the binding of any contract of insurance.

The LMA9191A should be endorsed to relevant, live Binding Authority Agreements as soon as possible, back dating to inception is not required.

Ron Monfries
Executive, Technical Underwriting
ron.monfries @lmalloyds.com

Carla Wise
Manager – Delegated Authorities & Claims Operations
carla.wise@lmalloyds.com