Last Updated: 3/16/2024
Issue: Today’s economy runs on data, and the insurance industry is no exception. Growing technological and computer processing capabilities, combined with the availability of unprecedented amounts of digital consumer information, have led to the extensive use of consumer data by a variety of commercial, financial and technology companies. That, coupled with action in the European Union (EU) and pressure on Congress to pass national data privacy legislation, raises concerns about preemption of state efforts and about solutions that may not be appropriate for the insurance industry. State insurance regulators continue to raise questions about the benefits and harms arising from the innovative use of technology and consumer data in the insurance sector. They are also tracking the impact that big data and automated, algorithm-based decision-making, such as artificial intelligence (AI), including machine learning (ML), will have on the existing regulatory framework.
Background: Data privacy refers to the amount of control consumers have over their personal data. There is now an incredible amount of data collected on individuals via smartphones, internet browsers and other digitally connected services, including smart home devices. The EU’s General Data Protection Regulation (GDPR) came into effect in 2018 and requires companies to allow consumers to “opt in” to the collection and use of personal data. In January 2020, the California Consumer Privacy Act (CCPA) went into effect. The CCPA requires for-profit companies operating in California to provide consumers with transparency and control of their personal data. Many states have recently enacted data privacy laws, and other states are actively considering similar legislation.
The NAIC currently has a few model laws that deal with consumer data privacy:
- The Health Information Privacy Model Act (#55)
- The Insurance Data Security Model Law (#668)
- The NAIC Insurance Information and Privacy Protection Model Act (#670)
- The Privacy of Consumer Financial and Health Information Regulation (#672)
- The Standards for Safeguarding Customer Information Model Regulation (#673)
Every state adopted #672 to be in compliance with Gramm-Leach-Bliley Act requirements. However, as this model is several decades old, it does not reflect the technological advancements and proliferation of data collection in the digital era. The NAIC Privacy Protections (H) Working Group is currently drafting a new Privacy Protections Model Act (#674) to replace and modernize Models #670 and #672.