The Working Group heard comments from multiple trade associations which uniformly criticized the current draft as unworkable, failing to reach the right balance between insurance licensees’ need to collect and retain data and consumer’s preferences to restrict insurer’s use of their data. Of particular note, is the intentional exclusion by the Working Group of a joint marketing exemption, a point explicitly reaffirmed by regulators when raised by industry representatives.

The contours of an exemption or safe harbor for insurance licensees who either comply with or are subject to HIPAA appears likely, though the exact form of such an exemption or safe harbor is to be determined.

While the Working Group Chair, Virginia Commissioner Katie Johnson, emphasized that the exposed version is only a first draft, at this stage, we can report some foundational decisions by the Working Group critical to the likely shape of the final model act. First, the model will not directly regulate third-party service providers, but will rely upon state insurance regulators’ authority to regulate licensees’ contracts with third-party service providers. Second, in recognition of insurance licensees’ heightened need to retain consumer information the Working Group is rejecting a “right to be forgotten” choosing instead information retention standards. Similarly, the Working Group rejected prior consent requirements for collecting consumer data but would impose restrictions on selling or transferring consumer data and correcting inaccurate data alongside mandates to de-identify and aggregate data that is deemed no longer necessary to retain. Lastly, the Working Group chose to include adverse underwriting decisions within the draft model.