ISO Claims Solutions & The California Consumer Privacy Act (CCPA) – Frequently Asked Questions

Updated as of December 16, 2019

Important: The following is provided for informational purposes only and is not intended as, and does not constitute, legal or regulatory advice. Please note that the following information is subject to change, particularly in response to CCPA final regulations to be issued by the California Attorney General’s Office. We encourage our business clients to consult with their legal or compliance resources concerning the potential impact of, or any applicable obligations under, the CCPA. This webpage is not for distribution beyond Verisk customers.

Q1. What is the California Consumer Privacy Act?

A1. The California Consumer Privacy Act (CCPA) is a new, comprehensive privacy law that goes into effect January 1, 2020.

Q2. To whom, or what, does the CCPA apply?

A2. The CCPA governs the personal information of California residents and households.

Q3. What is considered “personal information” under the CCPA?

A3. Personal information is broadly defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information does not include deidentified data or aggregate consumer information as such terms are defined by the CCPA.

Q4. What rights do individuals have under the CCPA?

A4. The law gives Californians certain rights with respect to their personal information. Subject to various exceptions and limitations, California residents have the right to:

access the personal information that is collected about them;
request the deletion of such personal information;
opt out of the sale of such personal information.

Q5. What is Verisk doing to comply with the CCPA?

A5. Verisk is a service provider to its customers, and, in such role, Verisk will not be collecting data directly from consumers whose personal information is subject to the CCPA. Rather, Verisk’s customers provide or make available such personal information to Verisk for the provision of products and services on behalf of such customers and/or their consumers. Verisk has been reviewing CCPA obligations applicable to its products and services and implementing policies, controls and processes to help ensure that obligations applicable to Verisk are properly addressed.

Q6. The California Attorney General’s office is charged with publishing regulations for the CCPA. Will Verisk be monitoring, reviewing, and responding to any additional requirements in the regulations?

A6. Yes. Verisk is closely monitoring the California Attorney General’s progress towards publishing regulations and will be carefully reviewing and preparing any necessary procedures in response to the final regulations.

Q7. What is Verisk’s position regarding the right of consumers to request the deletion of their personal information?

A7. The CCPA provides that either a business or a service provider may assert that personal information need not be deleted in response to a consumer’s deletion request if “it is necessary for the business or service provider to maintain the consumer’s personal information” to undertake one or more of the nine exceptions provided in the CCPA which include “to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity” and “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” [CCPA section 1798.105(d)(1)-(9)]

Should a consumer approach Verisk for deletion of records from ISO ClaimSearch or the Aggregated Medical Database (AMD); Verisk will refer the consumer to the Verisk business customer with which the consumer contracts directly. Verisk is available to support our business customers regarding any CCPA messaging to their consumers as it relates to Verisk’s roles as a service provider, and the applicable exemptions from the right to request deletion of personal information under the CCPA, including ISO ClaimSearch and the AMD.

Q8. What is Verisk’s position regarding the right of consumers to opt-out of the sale of their personal information?

A8. The CCPA indicates that a consumer may “direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” However, the CCPA does not provide consumers with an opt-out right regarding personal information that a business provides, or makes available, to its service providers. We have provided Verisk customers with a CCPA Service Provider Agreement (“Agreement”) in an effort to further ensure our relationship as a service provider to our customers complies with the CCPA. As we believe this document is beneficial to both Verisk and our customers, we ask that you review, sign and return the document to us as soon as possible. Other than addressing this aspect of the CCPA, the Agreement does not make any material changes to your product or service agreements with Verisk.

Q9. What is Verisk’s position regarding whether personal information provided by Verisk customers constitutes a “sale” as defined by the CCPA, particularly as it relates to Verisk’s contributory databases?

A9. Verisk would qualify as a service provider to its customers with respect to the personal information that customers provide, or make available to, Verisk in relation to the provision of associated products and services, which would include Verisk’s contributory databases, as applicable.

Verisk believes that the use and dissemination of personal information that is contributed by Verisk’s customers to its related contributory databases does not constitute a sale [CCPA section 1798.140(t)(1)-(2)(A)-(C)] of such data under the CCPA because it is provided by Verisk’s customers to Verisk for a business purpose, which the CCPA defines as the use of personal information for the business’s or the service provider’s operational purposes and includes, but is not limited to, such things as protecting against malicious, deceptive, fraudulent, or illegal activity and providing analytic services, or similar services, on behalf of the business or service provider [CCPA section 1798.140(d)]. The contributory nature of Verisk’s databases is an essential aspect of the effectiveness of the business purposes of the associated products and services.

As such, the contribution to, and sharing of data within, Verisk’s databases appear clearly within the ambit of the business purpose and, as such, in compliance with the CCPA, as such contribution and ability to share data is an inherent part of performing the specific services contracted for by Verisk’s customers.

Q10: Should I continue to submit all fields of information to ISO ClaimSearch and the Aggregated Medical Database?

A10: Yes, you should continue to submit all fields of information as you have done in the past. The CCPA does not restrict the nature or type of personal information that can be submitted to service providers to perform services on behalf of their business customers. ISO ClaimSearch and the Aggregated Medical Database maintain requirements for mandatory minimum fields of information to be submitted for a match to be produced. Additionally, the reporting of optional fields is recommended for more refined, targeted matches to be returned. ISO ClaimSearch maintains strong security standards. To request a copy of our audited security controls, please email ClaimSearchCompliance@iso.com.

Q11: Where should I direct my CCPA-related questions?

A11: Should you have any further questions, please reach out to privacy@verisk.com.