March Madness Begins: NAIC’s New Draft Privacy Model

Carlton Fields

The first round on the Insurance Consumer Privacy Protection Model Law (#674) started on March 21 as the NAIC’s Privacy Protections Working Group (PPWG) held its first open meeting to discuss the draft privacy model. The draft privacy model was exposed on February 1 and discussed in our article “A New Draft Privacy Model Blooms From the NAIC Privacy Working Group.” The meeting followed some initial play-in private discussions between stakeholders and the PPWG, as well as internal PPWG meetings. Later rounds will include biweekly meetings starting in mid-April. The PPWG anticipates scheduling a June two-day in-person meeting to discuss particularly thorny issues, including whether joint marketing relationships will continue their special treatment. The PPWG anticipates that the final round will occur at the NAIC Fall National Meeting, where it will present the privacy model for adoption. Key comments of the industry and consumer representatives are summarized below.

Consumer Advocate Comments:

  • Opt-in consent should be required for all but the most necessary of disclosures.
  • Third-party service providers should be held to the same standards as licensees.
  • Licensees should be required to disclose data collected from consumer reporting agencies and data broker resources.
  • Consumers should receive immediate notice of adverse underwriting decisions and have the ability to challenge the accuracy of such information.
  • The privacy model should incorporate data security provisions.

Industry Comments:

  • The draft privacy model proposes a significant shift from licensees’ existing practices and should instead reflect current state approaches to privacy to improve adoption rates and increase consistency across jurisdictions.
  • The draft privacy model is overly restrictive and unworkable.
    • The timing and number of notices required before personal information is collected is excessive and would overwhelm consumers.
    • It would impede research and actuarial work.
    • Requiring an opt-in for marketing purposes, including joint marketing relationships, would impede innovation, undermine long-standing practices, and limit consumers’ ability to learn about product offerings.
    • The proposed restrictions on cross-border transfers are unparalleled (e.g., even more demanding than the GDPR), unworkable for global insurers, and may conflict with international trade agreements.
    • A 90-day deletion period and confirming notice obligations on an individual basis are unmanageable and go against efforts to minimize notices (e.g., FAST Act).
    • The proposed third-party oversight requirements should only apply to new contracts.
  • A full HIPAA exemption should apply to avoid duplicative regulation.
  • Regulators should have exclusive enforcement powers (i.e., the optional private right of action should be removed).
  • Expanded third-party oversight requirements for existing contracts will require extensive renegotiations.
  • More flexibility is needed regarding data minimization and deletion requirements.

Next Steps

The PPWG clarified that the positions laid out in the exposure draft were meant to trigger discussion and it understood revisions to the privacy model would be necessary.

We will continue to monitor the PPWG meetings.

Written by:

Carlton Fields