Data privacy has become an increasing area of focus for many of our insurtech clients as they work to ensure they are in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020. Although many insurtechs are exempt from most of the provisions in the CCPA, they should still expect increased data privacy regulation to be coming down the road, as many insurance regulators are concerned that their current data privacy laws are not equipped to adequately address the increasing size, complexity and scope of the data used in the insurance industry. In that regard, the National Association of Insurance Commissioners (NAIC) recently formed the Privacy Protections (D) Working Group to look into updating the insurance data privacy laws.
Currently, insurance-related data is principally protected through the federal privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and the various state laws implementing these GLBA provisions, most of which are based on the NAIC’s Model Privacy of Consumer Financial and Health Information Regulation. These laws generally require insurance companies and agencies to develop privacy policies governing how they handle a consumer’s non-public personal information (e.g. name, address, account numbers, etc.) and to disclose these privacy policies to their consumers. Under these laws, consumers have the right to access, correct and/or delete any inaccurate personal information. Insurance companies are also required to provide consumers with the ability to opt out of the sharing of their non-public personal information with any non-affiliated third parties for those third parties’ own purposes that are unrelated to providing the insurance company’s services to its consumers. A couple of states, including Vermont and California, require that consumers provide an opt-in for such information sharing.
Companies whose processing of personal information is regulated by the GLBA and related state statutes, which includes any licensed insurance producers or carriers, are exempt from the requirements of the CCPA. However, the GLBA only applies to information provided by consumers to obtain a financial product for personal or household purposes, such as information included in an application for insurance. Information collected by an insurance carrier not connected to an application for insurance (e.g. newsletter sign-ups, social media posts, information automatically collected from the company’s website, etc.) might not fall under the GLBA exemption. Furthermore, if these insurance companies fail to comply with the GLBA, consumers can still pursue a private civil action against the companies under the CCPA. Other states are also beginning to pass new data privacy legislation that could apply to insurtechs, such as Illinois, which just passed a law banning the use of genetic testing information to set health or accident rates, or Maine, which passed a law banning internet providers from selling personal information without the consumer’s consent. New York even considered, but did not pass, a law imposing a fiduciary duty on companies to protect their consumer data.
As states across the country are looking to update their privacy laws, the NAIC formed the Privacy Protections (D) Working Group on October 1, 2019 to coordinate such efforts in the insurance sphere. The working group is currently examining the state of data privacy regulations across the 50 states, as well as how such data is currently used in the insurance industry. The working group hopes to determine if any amendments are necessary to update the NAIC’s existing model data privacy laws by March 2020 and will then aim to draft and adopt any such model amendments by the NAIC Summer National Meeting in August 2020.
Hopefully, any model amendments that are passed by the NAIC and adopted by the various states will help ensure that insurtechs continue to remain subject to clear and consistent regulations across the 50 states. Our biggest concern is that each state will adopt its own unique data privacy regulations, significantly increasing our clients’ cost of ensuring that they are in compliance with the laws across the 50 states. We are monitoring the situation closely to see whether the states will continue to generally follow the NAIC’s model regulations or will choose to go it alone. In the meantime, we recommend that all our clients determine whether they are subject to the CCPA and, if they are, work to ensure they are in compliance with the law as soon as possible. Even if they are currently exempt, they should expect updates to the insurance data privacy laws in the future.