Scope

Beginning January 1, 2023, Chubb and its Agents and Brokers will have certain additional obligations when handling the personal information of California residents. These new obligations stem from updates to the California Consumer Privacy Act 2018 (the “CCPA”), which was amended by ballot measure in 2020 (the California Privacy Rights Act 2020 (the “CPRA”)). Because the law contains prescriptive requirements applicable to organizations that share personal information, and to assist all parties involved in meeting their obligations, Chubb has created this CCPA requirements list. Chubb and its affiliates follow these requirements when handling personal information on behalf of our Agents and Brokers, and Chubb expects its Agents and Brokers to do the same when handling personal information on behalf of Chubb or its affiliates.

Notes:

  • As of December 20, 2022, the California Privacy Protection Agency (the “Agency”), the regulatory body charged with enforcing the CCPA and CPRA, has not yet finalized its regulations. These regulations contain additional data handling requirements that must be put in place between Chubb and its vendors and TPAs. Thus, certain requirements listed below may change. Chubb will notify you of any material changes made to these requirements by posting the changes to this site. You can find the latest version of the draft regulations on the Agency’s site.
  • While many organizations following the law will refer to the updated law as the CPRA after January 1, 2023, the Agency has indicated it will continue to call the law the CCPA. Where we use “CCPA” in the requirements we are following the Agency’s approach and are referring to the law as updated by the CPRA (i.e., as it will look on January 1, 2023).
  • The concept of “personal information” under the CCPA is broad. When we refer to personal information in these requirements, we mean any information that identifies, or could identify, a specific individual. This means that personal information is not limited to SSNs, name, email address, etc. Unique identifying numbers, IP addresses, purchasing histories, and geolocation data are all examples of personal information covered by these requirements.
  • These requirements only apply to the handling of California residents’ personal information, and only when such personal information is handled as part of a commercial insurance product/service. This means that the requirements do not apply to the handling of personal information as part of our personal insurance products/services. The CCPA’s Gramm-Leach-Bliley Act (“GLBA”) carveout is the basis for this position.
  • These requirements also do not apply to the handling of protected health information (“PHI”) subject to the Health Insurance Portability and Accountability Act (“HIPAA”).
  • To assist in understanding the basis for each requirement, we have provided citations to the relevant sections of the CCPA and/or the draft regulations. This is not intended as legal advice and should not be construed as such.
  • You can view our Business Contact Privacy Notice (also required under the CCPA).
  • If you have questions, comments, or concerns regarding these requirements, please contact CaliforniaPrivacyCompliance@chubb.com.

CCPA Requirements

  1. Purpose and Use Limitation. When one party discloses personal information to the other party (i.e., the “disclosing party”), such disclosure is only for the limited purposes specified by the disclosing party. This means the party receiving the personal information (i.e., the “receiving party”) must not retain and use the disclosed personal information for its own purposes. This requirement does not apply to personal information the receiving party already had in its possession, even if it is identical to the personal information disclosed. This requirement also does not apply to personal information the receiving party obtained from a source other than the disclosing party and not at the direction of the disclosing party (e.g., independently from an individual). (Cal. Civ. Code Sec. 1798.100(d)(1) and 1798.140(ag)(1).)
  2. Compliance with the CCPA. All parties handling personal information subject to the CCPA must comply with the applicable obligations under the CCPA and will provide the level of privacy protection as required by the law. (Cal. Civ. Code Sec. 1798.100(d)(2).)
  3. Ensuring Compliance. When disclosing personal information to a receiving party, the disclosing party may take reasonable and appropriate steps to ensure that the receiving party uses the disclosed personal information in a manner consistent with the receiving party’s obligations under the CCPA. (Cal. Civ. Code Sec. 1798.100(d)(3).)
  4. Notice if CCPA Compliance is Not Possible. If, after receiving personal information from a disclosing party, the receiving party determines it cannot comply with the CCPA, the receiving party will notify the disclosing party of this fact within five business days. (Cal. Civ. Code Sec. 1798.100(d)(4).)
  5. Stopping Unauthorized Use of Personal Information. The disclosing party has the right to take reasonable steps to stop and rectify any unauthorized use of personal information by the receiving party. This may, for example, involve the disclosing party halting any ongoing data sharing, or requesting the receiving party update its privacy disclosures to ensure they are accurate. (Cal. Civ. Code Sec. 1798.100(d)(5).)
  6. Sale/Sharing. The receiving party shall not use or disclose personal information received from the disclosing party for advertising purposes unless the parties have explicitly agreed to this use and such use is consistent with CCPA requirements. The receiving party will also not disclose personal information to other companies in exchange for money or other benefits (e.g., discounted or free products/services). (Cal. Civ. Code Sec. 1798.140(ag)(1)(A).)
  7. Use of Subcontractors. The receiving party may share personal information it receives from the disclosing party to other companies or individuals (e.g., vendors, contractors, consultants, etc.) to help the receiving party conduct its business. However, before sharing personal information, the receiving party must have an agreement in place with the other company/individual that requires that company/individual to protect the personal information. The agreement must require that the company/individual comply with any applicable CCPA requirements so that the protections afforded by the CCPA flow down the chain and are not lost simply because the personal information changed hands. (Cal. Civ. Code Sec. 1798.140(ag)(2).)
  8. Notice of Subcontractors. To the extent required under the CCPA, the receiving party must inform the disclosing party of all other companies the receiving party uses to handle personal information on behalf of the disclosing party. This may, for example, be satisfied by sharing a link to a list of all these companies that is kept regularly updated. (Cal. Civ. Code Sec. 1798.140(ag)(2).)
  9. Reasonable Security. Both parties will maintain reasonable and appropriate measures to protect personal information. The measures should be appropriate based on the sensitivity of the personal information and the risk of harm to both parties and to the individuals if the personal information fell into the wrong hands. This may, for example, involve the use of multi-factor authentication, encryption, limited access permissions for employees, etc. (Cal. Civ. Code Sec. 1798.130(a)(3)(A).)
  10. Combining Data. If the receiving party receives personal information from the disclosing party as part of a request for the receiving party to provide services to the disclosing party, the receiving party will not combine that personal information with other personal information to create individual profiles for the purpose of marketing to those individuals. (Cal. Civ. Code Sec. 1798.140(ag)(1)(D).)
  11. Assistance with Privacy Requests. As needed, both parties will help each other respond to privacy requests from individuals and from regulators. To clarify, however, it will be the responsibility of the party that has the primary relationship with the requestor or regulator to manage the response. To the extent the party managing the response can handle the response itself, it shall not rely on the other party. If the receiving party receives a request relating to personal information it handles on behalf of the disclosing party, the receiving party must notify the disclosing party within five days that it has received such a request and let the disclosing party manage the request from there. The receiving party will take steps to notify its own vendors of steps they need to take following a privacy request. (Cal. Civ. Code Sec. 1798.105(c)(3).)
  12. Data Retention. When the receiving party no longer needs the personal information it received from the disclosing party, the receiving party will promptly delete or remove the personal information. However, the receiving party is entitled to keep a copy of the personal information for as long as needed under applicable laws provided it continues to protect that personal information. (Cal. Civ. Code Sec. 1798.140(ag)(1)(B) and (C).)
  13. Deidentification. If the disclosing party provides the receiving party with personal information that has been deidentified, the receiving party will not attempt to re-identify that personal information. This requirement also applies to personal information the receiving party deidentifies itself after receiving it from the disclosing party. (Cal. Civ. Code Sec. 1798.140(m)(C).)
  14. Audit Requirements. The disclosing party may, subject to an existing agreement between the parties, audit the receiving party’s compliance with these requirements only to the extent reasonably necessary (e.g., if the disclosing party has reason to believe the receiving party is not complying with these requirements, or the disclosing party has received an order to do so from a regulator). Audits may, among other options, take the form of questionnaires, teleconference discussions, or automated scans. The parties are limited to one audit every 12 months, unless otherwise required by law. (Cal. Civ. Code Sec. 1798.140(ag)(1)(D).)

Relevant Excerpts from the CCPA and Draft Regulations

Cal. Civ. Code Sec. 1798.100(d)

A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor, that:

(1) specifies that the personal information is sold or disclosed by the business only for limited and specified purposes;

(2) obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title;

(3) grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under this title;

(4) requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title;

(5) grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

Cal. Civ. Code Sec. 1798.105(c)(3)

A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete, or enable the business to delete, and shall notify any of its own service providers or contractors to delete, personal information about the consumer collected, used, processed, or retained by the service provider or the contractor. The service provider or contractor shall notify any service providers, contractors or third parties who may have accessed such personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, to delete the consumer's personal information, unless this proves impossible or involves disproportionate effort. A service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer's personal information in its role as a service provider or contractor to the business.

Cal. Civ. Code Sec. 1798.130(a)(3)(A)

(a) In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

(3) (A) A business that receives a verifiable consumer request pursuant to sections 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent pursuant to sections 1798.110 or 1798.115 to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business's response to a verifiable consumer request, including but not limited to by providing to the business the consumer's personal information in the service provider or contractor's possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information, or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) through (f) of Section 1798.100, taking into account the nature of the processing.

Cal. Civ. Code Sec. 1798.140(m)

"Deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, provided that the business that possesses the information:

(A) takes reasonable measures to ensure that the information cannot be associated with a consumer or household;

(B) publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision; and

(C) contractually obligates any recipients of the information to comply with all provisions of this subdivision.

Cal. Civ. Code Sec. 1798.140(ag)

(1) "Service provider" means a person that processes personal information on behalf of a business and which receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from:

(A) selling or sharing the personal information;

(B) retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this title;

(C) retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; and

(D) combining the personal information which the service provider receives from or on behalf of the business, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this Section and in regulations adopted by the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.

(2) If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for such business purpose, it shall notify the business of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

Cal. Code Regs (DRAFT) Sec. 7051 (Current as of 10/24/22)

a. The contract required by the CCPA for service providers and contractors shall:

  1. Prohibit the service provider or contractor from selling or sharing personal information it Collects pursuant to the written contract with the business.
  2. Identify the specific Business Purpose(s) for which the service provider or contractor is processing personal information pursuant to the written contract with the business, and specify that the business is disclosing the personal information to the service provider or contractor only for the limited and specified Business Purpose(s) set forth within the contract. The Business Purpose shall not be described in generic terms, such as referencing the entire contract generally. The description shall be specific.
  3. Prohibit the service provider or contractor from retaining, using, or disclosing the personal information that is Collected pursuant to the written contract with the business for any purpose other than the Business Purpose(s) specified in the contract or as otherwise permitted by the CCPA and these regulations. This section shall list the specific Business Purpose(s) identified in subsection (a)(2).
  4. Prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it Collected pursuant to the written contract with the business for any commercial purpose other than the Business Purposes specified in the contract, unless expressly permitted by the CCPA or these regulations.
  5. Prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it Collected pursuant to the written contract with the business outside the direct business relationship between the service provider or contractor and the business, unless expressly permitted by the CCPA or these regulations. For example, a service provider or contractor shall be prohibited from combining or updating personal information that it Collected pursuant to the written contract with the business with personal information that it received from another source or that it Collected pursuant to the written contract with, unless expressly permitted by the CCPA or these regulations.
  6. Require the service provider or contractor to comply with all applicable sections of the CCPA and these regulations, including, with respect to the personal information that it Collected pursuant to the written contract with the business, providing the same level of privacy protection as required of businesses by the CCPA and these regulations. For example, the contract may require the service provider or contractor to cooperate with the business in responding to and complying with consumers’ requests made pursuant to the CCPA, and to implement reasonable security procedures and practices appropriate to the nature of the personal information the business to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5.
  7. Grant the business the right to take reasonable and appropriate steps to ensure that service provider or contractor uses the personal information that it Collected pursuant to the written contract with the business in a manner consistent with the business’s obligations under the CCPA and these regulations. Reasonable and appropriate steps may include ongoing manual reviews and automated scans of the service provider’s system and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
  8. Require the service provider or contractor to notify the business after it makes a determination that it can no longer meet its obligations under the CCPA and these regulations.
  9. Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the service provider’s or contractor’s unauthorized use of personal information. For example, the business may require the service provider or contractor to provide documentation that verifies that they no longer retain or use the personal information of consumers that have made a valid request to delete with the business.
  10. Require the service provider or contractor to enable the business to comply with consumer requests made pursuant to the CCPA or require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that they must comply with, and provide the information necessary for the service provider or contractor to comply with the request.

b. A service provider or contractor that subcontracts with another person in providing services to the business for whom it is a service provider or contractor shall have a contract with the subcontractor that complies with the CCPA and these regulations, including subsection (a).

c. Whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations. For example, depending on the circumstances, a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA and these regulations at the time the business disclosed the personal information to the service provider or contractor.