In the U.S., there are numerous federal and state data privacy and protection laws and regulations governing the collection, use, disclosure, protection, and other processing of personal information, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. For example, the California Consumer Privacy Act of 2018 (the “CCPA”), which became effective in January 2020, created new privacy rights for consumers residing in the state of California and imposes obligations on companies that process their personal information, including an obligation to provide certain new disclosures to such residents. Specifically, among other things, the CCPA creates new consumer rights and imposes corresponding obligations on covered businesses relating to the access to, deletion of, and sharing of personal information collected by covered businesses, including California residents’ right to access and delete their personal information, opt out of certain sharing and sales of their personal information, and receive detailed information about how their personal information is used. The law exempts from certain requirements of the CCPA certain information that is collected, processed, sold, or disclosed pursuant to the California Financial Information Privacy Act, the federal Gramm-Leach-Bliley Act, or the federal Driver’s Privacy Protection Act. The definition of “personal information” in the CCPA is broad and may encompass other information that we maintain beyond that excluded under the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, or the California Financial Information Privacy Act exemption. Further, the CCPA allows for the California Attorney General to impose civil penalties for violations and provides a private right of action for certain data breaches that result in the loss of personal information. 
This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. In addition, it remains unclear how various provisions of the CCPA will be interpreted and enforced. California voters also recently passed the California Privacy Rights Act (“CPRA”), which will take effect on January 1, 2023. The CPRA significantly modifies the CCPA, including by imposing additional obligations on covered companies and expanding California consumers’ rights with respect to certain sensitive personal information, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. Some observers have noted that the CCPA (and the CPRA) could mark the beginning of a trend toward more stringent privacy legislation in the United States, and multiple states have enacted, or are expected to enact, similar or more stringent laws. For example, in 2020, Nevada passed SB 220, which restricts the “selling” of personal information, and, in 2021, Virginia passed the Consumer Data Protection Act (“CDPA”), which is set to take effect on January 1, 2023, and grants new privacy rights for Virginia residents. Additionally, we are subject to the federal Telephone Consumer Protection Act, which restricts the making of telemarketing calls and the use of automatic telephone dialing systems. There is also discussion in Congress of a new comprehensive federal data protection and privacy law to which we likely would be subject if it is enacted. Such new laws and proposed legislation, if passed, could have conflicting requirements that could make compliance challenging, require us to expend significant resources to come into compliance, and restrict our ability to process certain personal information.
The effects of the CCPA and other similar state laws subsequently enacted, as well as possible future state or federal laws, are potentially significant and may require us to modify our data collection and processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation.
In the event of a data breach, we are also subject to breach notification laws in the jurisdictions in which we operate, including U.S. state laws, and the risk of litigation and regulatory enforcement actions. In addition, a number of federal and state laws and regulations relating to privacy affect and apply to the insurance industry specifically.
We may also face particular privacy, data security, and data protection risks in connection with requirements of the European Union’s (“E.U.”) General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom (“UK”) GDPR and UK Data Protection Act 2018 (which retains the GDPR in UK national law) and other data protection regulations in the E.U. and UK. Among other stringent requirements, the GDPR restricts transfers of data outside of the E.U. to third countries deemed to lack adequate privacy protections (such as the U.S.), unless an appropriate safeguard specified by the GDPR is implemented. A July 16, 2020 decision of the Court of Justice of the European Union invalidated a key mechanism for lawful data transfer to the U.S. and called into question the viability of its primary alternative. As such, the ability of companies to lawfully transfer personal data from the E.U. to the U.S. is presently uncertain. Other countries have enacted or are considering