The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information that is collected by a business, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. The California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. Existing law, the Insurance Information and Privacy Protection Act, establishes privacy standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents, and insurance-support organizations. The Insurance Information and Privacy Protection Act imposes various monetary penalties for violations of the act and makes a person who knowingly and willfully obtains information about an individual from an insurance institution, agent, or insurance-support organization under false pretenses guilty of a misdemeanor.
This bill would revise the Insurance Information and Privacy Protection Act to establish new standards for the collection, processing, retaining, or sharing of consumers' personal information by insurance licensees, surplus line insurers, reinsurers, and third-party service providers. The bill would authorize processing of a consumer's personal information for specified purposes, including in connection with an insurance transaction. The bill would require a licensee to provide a clear and conspicuous privacy notice that includes specified information to a consumer at specified times, and would prohibit the processing of a consumer's personal information unless it is consistent with and complies with that notice and is reasonably necessary and proportionate to achieve the purposes related to an insurance transaction or other purpose the consumer requested or authorized. The bill would also require a licensee to provide a privacy rights notice, as specified, to each consumer with whom the licensee has an ongoing business relationship. The bill would require a licensee, surplus line insurer, reinsurer, or third-party service provider to obtain a consumer's consent to take specified actions, and would set forth the means by which consent is obtained. The bill would authorize a licensee, surplus line insurer, or reinsurer to retain personal information, as specified, and would require a licensee, surplus line insurer, or reinsurer to develop a written records retention policy and schedule. The bill would require a licensee to provide specified information to a consumer if it makes an adverse underwriting decision, and would provide a process by which a consumer may correct, amend, or delete any personal or publicly available information about the consumer in the possession of the licensee or its third-party service providers. The bill would require a contract between a licensee and a third-party service provider to clearly govern the processing of personal information performed on behalf of the licensee. The bill would prohibit retaliation against a consumer because the consumer exercised or attempted to exercise their rights under the act. The bill would prohibit public disclosure of specified systems, processes, policies, procedures, and plans that are disclosed to the Insurance Commissioner. The bill would also make technical and conforming changes.
This bill would authorize a penalty of at least $5,000, not to exceed $1,000,000 in the aggregate for multiple violations of the act. The bill would increase the fine if a cease and desist order is violated to at least $15,000 for each violation, and would increase a fine to at least $50,000 for each violation if the commissioner finds the violations to be a general business practice. Under the bill, a person who knowingly and willfully obtains information about a consumer from a licensee, surplus line insurer, reinsurer, or third-party service provider under false pretenses would be guilty of a misdemeanor, punishable by a fine of up to $50,000, imprisonment in a county jail for up to 6 months, or both, thus expanding the applicability of a crime and imposing a state-mandated local program.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.

Statutes affected:
SB 354: 791 INS, 791 INS, 791.01 INS, 791.01 INS, 791.02 INS, 791.02 INS, 791.03 INS, 791.03 INS, 791.04 INS, 791.04 INS, 791.045 INS, 791.045 INS, 791.05 INS, 791.05 INS, 791.06 INS, 791.06 INS, 791.07 INS, 791.07 INS, 791.08 INS, 791.08 INS, 791.09 INS, 791.09 INS, 791.10 INS, 791.10 INS, 791.11 INS, 791.11 INS, 791.12 INS, 791.12 INS, 791.13 INS, 791.13 INS, 791.14 INS, 791.14 INS, 791.15 INS, 791.15 INS, 791.16 INS, 791.16 INS, 791.17 INS, 791.17 INS, 791.18 INS, 791.18 INS, 791.19 INS, 791.19 INS, 791.20 INS, 791.20 INS, 791.21 INS, 791.21 INS, 791.22 INS, 791.22 INS, 791.23 INS, 791.23 INS, 791.29 INS, 791.29 INS
02/12/25 - Introduced: 791.07 INS
03/18/25 - Amended Senate: 791.07 INS
04/15/26 - Amended Assembly: 791 INS, 791 INS, 791.01 INS, 791.01 INS, 791.02 INS, 791.02 INS, 791.03 INS, 791.03 INS, 791.04 INS, 791.04 INS, 791.045 INS, 791.045 INS, 791.05 INS, 791.05 INS, 791.06 INS, 791.06 INS, 791.07 INS, 791.07 INS, 791.08 INS, 791.08 INS, 791.09 INS, 791.09 INS, 791.10 INS, 791.10 INS, 791.11 INS, 791.11 INS, 791.12 INS, 791.12 INS, 791.13 INS, 791.13 INS, 791.14 INS, 791.14 INS, 791.15 INS, 791.15 INS, 791.16 INS, 791.16 INS, 791.17 INS, 791.17 INS, 791.18 INS, 791.18 INS, 791.19 INS, 791.19 INS, 791.20 INS, 791.20 INS, 791.21 INS, 791.21 INS, 791.22 INS, 791.22 INS, 791.23 INS, 791.23 INS, 791.29 INS, 791.29 INS
05/27/26 - Amended Assembly: 791 INS, 791.01 INS, 791.02 INS, 791.03 INS, 791.04 INS, 791.045 INS, 791.05 INS, 791.06 INS, 791.07 INS, 791.08 INS, 791.09 INS, 791.10 INS, 791.11 INS, 791.12 INS, 791.13 INS, 791.14 INS, 791.15 INS, 791.16 INS, 791.17 INS, 791.18 INS, 791.19 INS, 791.20 INS, 791.21 INS, 791.22 INS, 791.23 INS, 791.29 INS