Kansas urges state regulator group to abandon data privacy proposal

State insurance regulators indefinitely delayed last week a controversial data privacy proposal that would strictly limit what insurers can do with consumers' private information.

The insurance industry overwhelmed the Privacy Protections Working Group with comments on the proposal, said Katie Johnson of the Virginia Bureau of Insurance, who chairs the working group.

LeAnn Crow, director of consumer assistance for the Kansas Insurance Department, urged her colleagues to abandon the data privacy effort.

"As far as Kansas can tell, the model would only add costs to the business of insurance, costs that would ultimately be passed on to the customers," she said during a Monday meeting at the National Association of Insurance Commissioners' summer meeting in Seattle.

"Some would say that limiting data sharing may even harm or take away benefits from consumers," Crow added. "The path we have taken and seem intent on pushing does not reflect commercial realities and seems to be regulation for regulation's sake."

The only other comment during the meeting, from an Indiana regulator, supported continued work on the model despite "some concerns."

If adopted, the new model is meant to update and replace both the Insurance Information and Privacy Protection Model Act and the Privacy of Consumer Financial and Health Information Regulation, the NAIC said. Those two model laws are about 40 and 30 years old, respectively.

'Much stricter'

The working group exposed previous drafts of the new model for comment in a process that has not yielded much progress, said Alexander Sand, counsel with Eversheds Sutherland.

"This was viewed as sort of one step forward two steps back in terms of responding to the concerns that had been made very clear and apparent in comment letters and a number of working sessions," Sand said on a Thursday webinar. "The model continues to take a very consent-focused approach to any use of personal information [and is] much stricter than existing models."

Sand and Eversheds Sutherland prepared a 10-page comment letter for the Committee of Annuity Insurers, outlining several areas of concern.

The model as written "would dramatically change the equilibrium that has been struck among insurance, banking and securities regulators regarding consumer privacy rights by placing much stricter limitations on insurance licensees’ ability to process their consumers’ data relative to the banking and securities sectors," the letter reads. "This would put CAI members and all insurers at a competitive disadvantage in the broader marketplace for financial products."

Tougher than California?

The privacy proposal has some things in common with the California Consumer Privacy Act, Eversheds Sutherland previously wrote. California passed the first data privacy law, which contains the broadest consumer protections.

The state passed two separate laws: the California Consumer Privacy Act, which took effect on Jan. 1, 2020, and the California Privacy Rights Act, passed in November 2020 and taking effect on Jan. 1, 2023.

The former bill gives Californians the right to access personal information companies collect on them and prevent it from being sold. The latter law extends those rights to allow consumers to request the deletion of their personal data, which is not included in the NAIC model, the NAIC has said.

The NAIC model allows a narrow use of personal data and requires consent for anything else, Sand said. He called it more restrictive that the California law.

"There's been a lot of concerns on that approach, both from what the impact on that will be to the ability to market, the ability to compete in the broader financial services landscape," he explained, "particularly where there's other financial service products that are competing with insurance products [that] may not be subject to the same restrictions."

Inconsistent data privacy rules

NAIC model laws go to state insurance departments and legislatures for adoption. The existing data privacy model has little chance of passing in many states, Crow said, including Kansas.

"We have only heard strong opposition to the draft policy protection models that have been exposed," she said. "If there was just one point of opposition I think we could continue refining the model and get it over the finish line. But the opposition is multifaceted and consistent."

The working group received about 35 comment letters, Johnson said, and will go through them all in the coming weeks before continuing work on the model.

"Consumers and companies need consistent privacy rules providing equal protection across the country," the American Council of Life Insurers wrote. "A patchwork quilt of differing state-by-state or sector-specific privacy regulations is confusing, frustrating, and not helpful to consumers."

Senior Editor John Hilton covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.

© Entire contents copyright 2023 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.