NAIC proposes new California-style privacy model law for insurance

Eversheds Sutherland (US) LLP

On Wednesday, February 1, 2023, the NAIC Privacy Protections Working Group (the Working Group) released a draft of a new model law for comment, the Insurance Consumer Privacy Protection Model Law (#674) (the Proposal), which proposes to substantially limit the ability of insurance licensees to use consumer personal information and to expand the privacy rights and protections provided to insurance consumers.

The Proposal is the culmination of work at the NAIC on privacy spanning the last five years, during which regulators received input on privacy issues, including the benefits and challenges of various existing regulatory schemes. This suggests that the Working Group’s strict approach in drafting the Proposal is likely intentional.

These use limitations and rights provisions are similar to, and in some cases considerably more stringent than, those within the California Consumer Privacy Act (CCPA) and the UK/EU General Data Protection Regulation (GDPR). For example, the Proposal would:

  • Expand the definition of Personal Information and enhance disclosure requirements, rendering the Federal Model Privacy Form insufficient;
  • Require licensees to obtain the consumer’s consent to use a consumer’s personal information to market a product or service to the consumer, even where the licensee is directly marketing to its own existing customers;
  • Prohibit the use of sensitive personal information for marketing, and prohibit any sale of personal information, even with consumer consent (except as subject to and permitted under the Fair Credit Reporting Act (FCRA));
  • Prohibit the collection or processing of personal information with an entity outside the United States without the consumer’s consent, severely curtailing an insurer’s ability to use offshore service providers;
  • Require consent to use the consumer’s personal information for actuarial studies or research, or before using the information for an additional permitted transaction; and
  • Require third-party oversight and contracting requirements.

The Working Group has indicated that proposed Model #674 would replace existing privacy Models #670 and #672, versions of which have been adopted by all 50 states.

Comments on the Proposal are due by April 3, 2023, and the Working Group has acknowledged the likely need for revisions before finalizing the Proposal. The Working Group plans to have a revised proposal ready to be voted on by the Working Group during the NAIC’s Summer National Meeting in August.

Scope

The Proposal would apply to any identifiable personal information collected about an individual in connection with an insurance transaction or additional permitted transactions. Notably, data collected from internet cookies or another “information-collecting device” is expressly included in the definition of personal information.

Unlike current Model #672, which implements the requirements of the federal Gramm-Leach-Bliley Act (GLBA), the scope of the Proposal is not expressly limited to personal lines insurance. However, the focus of the requirements is on individual consumers, so it is unclear whether the Working Group also intends for the Proposal to protect the personal information of individuals that may be collected in connection with a commercial lines insurance transaction.

Opt-In Requirements and Restricted Use of Personal Information

The Proposal provides a significantly more stringent and limited framework for collecting and using consumer personal information collected in connection with an insurance transaction. The current framework under Models #670 and #672 generally allows insurance licensees to do what they like with consumer data, provided it is adequately disclosed and, in some cases, an opt-out right is offered. The Proposal, however, only permits data processing as needed to perform an insurance transaction or additional permitted transactions, and requires affirmative consumer consent before a licensee can use data for several defined purposes.

Similar to the CCPA and GDPR, the Proposal includes an obligation to minimize the amount of personal information insurance licensees collect, process, and retain. Specifically, the Proposal would prohibit licensees from collecting, processing, retaining, or sharing consumer personal information unless doing so is reasonably necessary and proportionate to achieve purposes related to a requested insurance transaction or additional permitted transaction. Personal information can also be used for certain specified permitted purposes, such as servicing an insurance policy, complying with legal obligations, and for fraud prevention. These restrictions would apply to all uses and disclosures of personal information, including affiliate sharing and disclosing information to service providers.

Additionally, affirmative consumer consent would be required in several circumstances. Most notably, the Proposal would require licensees to obtain the consumer’s express written consent to use a consumer’s personal information to market a product or service to the consumer, even where the licensee is directly marketing to its own existing customers. The Proposal would also prohibit the collection or processing of personal information with an entity outside the United States without the consumer’s prior express consent. This could significantly disrupt the ability of licensees to use offshore service providers. The Proposal would also require consent to use the consumer’s personal information for actuarial studies or research, or before using the information for an additional permitted transaction.

These consent requirements would significantly alter how licensees are able to operate, and would likely significantly disrupt current business operations, including how products are marketed and sold and the ability to use offshore resources to support business operations and customer support.

The Proposal also includes a flat prohibition on any licensee selling consumer personal information for any type of consideration. Under the Proposal, a licensee would be prohibited from selling consumer personal information, even if the consumer was willing to consent to the sale. The only exception provided from this prohibition is for selling information as subject to and permitted by the Fair Credit Reporting Act.

Use of Sensitive Personal Information for Marketing Prohibited

The Proposal also broadly prohibits the use of certain sensitive personal information for marketing purposes. Sensitive personal information is defined to include things like precise geolocation, racial or ethnic origin, religious or philosophical beliefs, and union membership, among others. Many of these factors are commonly used today to target more effective and tailored marketing.

The Proposal would also prohibit sharing a consumer’s sensitive personal information in connection with an additional permitted transaction.

Strict Privacy Notice Requirements

The Proposal provides for stricter and more expansive privacy disclosures than currently required under either Models #670 or #672. In addition to what is currently required, the Proposal would also require disclosure of the specific purposes for which personal information is collected, processed, retained, and shared, as well as the approximate period for which personal information will be retained.

The Proposal would also require that privacy notices be provided to every consumer prior to collecting or processing any personal information about the consumer, no longer tying the delivery of privacy notices to forming a customer relationship or allowing for delayed delivery of privacy notices in any circumstance. Additionally, the Proposal would require annual delivery of the privacy notice to each consumer with an ongoing business relationship, regardless of whether any of the licensee’s privacy practices have changed. Any material changes to privacy practices would also be required to be conspicuously identified. The notice would also have to be posted on the licensee’s website.

While Model #672 provides a safe harbor for using the Federal Model Privacy Form defined under GLBA, the Proposal does not define a template privacy notice to satisfy its requirements and using the Federal Model Privacy Form would not satisfy the Proposal’s requirements.

Consumer Data Access and Correction Rights

The Proposal provides consumers with rights to access and correct personal information collected in connection with an insurance transaction that are largely consistent with existing rights under Model #670. However, it does adjust some of the language and timelines compared to the current model, including tightening the deadlines for responding to such requests and removing the ability to charge a reasonable fee for responding to consumer requests.

Similar to Model #670, the Proposal provides consumers with the right to request a list of the specific third parties with which the licensee has shared the consumer’s personal information within the current calendar year and the previous three years (increased from two years under the current model law).

Deletion and Limited Retention of Personal Information

Notably, the Proposal does not provide a right for consumers to request that a licensee delete their personal information, a right that is provided under current Model #670.

Instead, the Proposal would create a new obligation for licensees to affirmatively and securely delete, within 90 days, any consumer personal information that is no longer necessary for certain defined permitted purposes. Permitted purposes include retaining information as necessary to service an insurance policy, to comply with legal obligations, and to align with statute of limitation periods.

Once there is no longer a permitted purpose to retain a consumer’s personal information, the Proposal would also require the licensee to affirmatively notify the consumer that it will no longer retain the consumer’s personal information nor send the consumer an annual privacy notice.

Oversight of Third Party Service Providers Required

The Proposal includes new obligations for licensees to oversee third-party service providers that have access to consumer personal information. It also prohibits engaging a third-party service provider to collect, process, or retain consumer personal information, or sharing consumer personal information with a third-party service provider, unless there is a written agreement in place that requires the third-party service provider to comply with the limitations and obligations of the Proposal and the licensee’s own privacy practices. Contracts with third-party service providers must also prohibit the third-party service provider from further sharing or processing a consumer’s personal information other than as specified in the agreement with the licensee.

Optional Private Cause of Action

The Proposal would also provide state legislators with the option to include a private right of action to pursue actual damages and equitable relief resulting from a violation of the obligations and restrictions of the Proposal. As defined, monetary damages would be limited to actual damages plus costs and reasonable attorney fees. Importantly, the Proposal would prohibit class action litigation based on the Proposal’s cause of action.

Relationship to Other Privacy Laws

The Proposal does provide some relief from its obligations and restrictions where other federal law applies, including providing limited exemptions where data is processed or disclosed in compliance with FCRA or the Health Insurance Portability and Accountability Act (HIPAA).

Data-level exemptions provided under the CCPA and similar laws for data governed by GLBA would continue to apply to data subject to the requirements of the Proposal. However, being able to rely on those exemptions would be cold comfort, since complying with the requirements of the Proposal would be just as, if not more, challenging in many regards.

Conclusion

The NAIC Proposal is another example of regulatory convergence, if not one-upmanship, among US and global privacy regulators. Insurance licensees may want to consider not only watching this Proposal carefully, but also:

  • Look to start enhancing their disclosures (especially in light of the CCPA’s only limited exemption for GLBA/FCRA/HIPAA data);
  • Limit the non-essential collection of personal information;
  • Age off data that is no longer useful;
  • Enhance oversight of service providers and place strict contractual limitations on their use of personal information; and
  • Enhance consumer consents, especially for marketing purposes.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
