Learn From Lemonade’s Privacy Lemon: Sweeten Compliance to Lessen Litigation Bitterness

Carlton Fields

Lemonade Inc.’s recently proposed settlement of class action claims alleging that it failed to sufficiently disclose, and secure necessary consent for, its collection and use of biometric information is a prime example of the privacy risks facing insurers. Here are some tips for keeping the seeds out of your privacy program.

  1. More is not always better.

    Data is essential to all parts of an insurer’s operation, including underwriting and claims. Collecting more data, however, may come with increased compliance obligations and resulting costs. Just like lemons in lemonade, data is essential but should be limited.

  2. Don’t underestimate how sour privacy lemons can be.
    1. Don’t over-rely on a Gramm-Leach-Bliley Act exemption. Financial services companies often place great reliance on entity-level GLBA exemptions. Illinois’ Biometric Information Privacy Act (BIPA) provides a private right of action and includes a GLBA entity-level exemption. While BIPA’s GLBA exemption has helped insurers face less BIPA litigation than many other industries, bitterness remains. Lemonade recently agreed to pay $3 million of a $4 million settlement to a subclass of 5,000 Illinois consumers, leaving the other $1 million to be split between 110,000 consumers in other states; that is $600 per Illinois consumer versus $9.09 per consumer in other states, even with BIPA’s GLBA exemption.
    2. Don’t forget common law claims. In New York, for instance, consumers claimed that Lemonade’s alleged actions violating BIPA were breaches of express and implied contract and GLBA notice requirements, as well as instances of unjust enrichment and unfair trade practices. While the court recently dismissed the unjust enrichment claims because the parties did not dispute having a valid contract, it denied Lemonade’s attempts to dismiss the other counts.
  3. Stir well.

    Consider clarifying and coordinating existing privacy notices. Insurers often use a multitude of privacy notices to meet the requirements of the various privacy laws to which they are subject (e.g., a Notice of Health Information Policies, Standards, and Procedures to address NAIC Model 55, a Notice of Insurance Information Practices to address NAIC Model 670, a GLBA notice, a California Consumer Privacy Act notice, etc.). The risk highlighted by the pleadings against Lemonade is that consumers may argue that any one of those notices misled or confused them because they thought that the particular notice was comprehensive or because of any inconsistency across notices. To lessen risk, consider reviewing privacy notices to ensure consistency and clarity, for example:

    1. Building into privacy notices a statement that the notice is “in addition” to other privacy notices that may be provided to the consumer; and/or
    2. Ensuring that an overarching comprehensive privacy notice exists that explains how various privacy notices come together into a cohesive whole.

    Care is particularly needed if these steps are taking place when process considerations or marketing partnerships are in flux.

  4. Adjust to taste.

    Privacy notices require frequent adjustment as insurers’ data practices change, new distribution channels or data partners are added, laws develop, or marketing techniques are expanded, and insurers have varying risk tolerances and consumer experience goals. To avoid surprise lip-puckering, ensure your privacy approach is consistent with the amount and type of data you use and your company’s taste for risk.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising
