Strict new privacy proposal would limit how insurers could use data

[This story has been updated with clarifications provided by the NAIC]

A state insurance regulator group is proposing a sweeping overall revision of privacy rules that would significantly restrict what insurers could do with the private information of consumers.

Public comment is being accepted on the Consumer Privacy Protection Model Law through April 3. It was released publicly Feb. 1 by the Privacy Protections Working Group, a body overseen by the National Association of Insurance Commissioners.

If adopted, the new model is meant to update and replace both the Insurance Information and Privacy Protection Model Act and the Privacy of Consumer Financial and Health Information Regulation, the NAIC said. Those two model laws are about 40 and 30 years old, respectively.

Regulators created a tough new privacy model, say privacy experts at two large national law firms.

"The proposal provides a significantly more stringent and limited framework for collecting and using consumer personal information collected in connection with an insurance transaction," wrote lawyers with Eversheds Sutherland.

Spokespersons for both the American Council of Life Insurers and the pro-consumer Center for Economic Justice said it is too soon to comment on the privacy proposal. Both groups plan to submit comment letters, however.

California look

The privacy proposal has a lot in common with the California Consumer Privacy Act, Eversheds Sutherland wrote. California passed the first data privacy law, which contains the broadest consumer protections.

The state passed two separate laws: the California Consumer Privacy Act, which took effect on Jan. 1, 2020, and the California Privacy Rights Act, passed in November 2020 and taking effect on Jan. 1, 2023.

The former bill gives Californians the right to access personal information companies collect on them and prevent it from being sold. The latter law extends those rights to allow consumers to request the deletion of their personal data, which is not included in the NAIC model, the NAIC said.

Regulators have grappled with how to best and fairly tighten privacy regulations for several years.

The NAIC model borrowed from the California concepts. Some things included in the new model law include:

• Expands the definition of Personal Information and enhance disclosure requirements, rendering insufficient the Federal Model Privacy Form.
• Requires licensees to obtain the consumer’s consent to use a consumer’s personal information to market a product or service to the consumer, even where the licensee is directly marketing to its own existing customers.
• Prohibits the use of sensitive personal information for marketing and would prohibit any sale of personal information, even with consumer consent (except as subject to and permitted under the Fair Credit Reporting Act (FCRA);
• Prohibits the collection or processing of personal information with an entity outside the United States without the consumer’s consent, severely curtailing an insurers ability to use offshore service providers.
• Requires consent to use the Consumer’s personal information for actuarial studies, for research, or before using the information for an additional permitted transaction;
• Requires third party oversight and contracting requirements

Private right of action

The proposed privacy model includes a HIPAA safe harbor and optional private right of action, the law firm Carlton Field noted in a blog post.

The model law proposal would leave it to the states to decide whether or not to include a private right of action, the NAIC pointed out.

"The changes would, if finalized by the NAIC and then adopted by each state, require insurers to re-cultivate their policies and procedures," the law firm said.

These potential change areas could include revising privacy and document retention and destruction policies, updating workflows to reflect new rights and shortened time periods for processing requests, and determining and adjusting practices surrounding data sharing with entities located outside the U.S.

"At this point, however, the proposed model is only a draft that the working group expects to prune based upon insurance industry input," Carlton Fields concluded.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.

© Entire contents copyright 2023 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.