Key Initiative
Data Use, Privacy, and Technology

Last Updated 10/16/2020


Today’s economy runs on data, and the insurance industry is no exception. Increasing technology and computer processing capabilities, combined with the availability of unprecedented amounts of digital consumer information, have led to the extensive use of consumer data by a variety of commercial, financial, and technology companies. That, coupled with action in the European Union (EU) and pressure on Congress to pass national data privacy legislation, raises concerns of preemption of state efforts and of solutions that may not be appropriate for the insurance industry. State insurance regulators continue to raise questions about the benefits and harms arising from innovative use of technology and consumer data in the insurance sector and the impact that Big Data and automated, algorithm-based decision-making such as Artificial Intelligence (AI) will have on the existing regulatory framework.

Data Privacy: Data privacy refers to the amount of control consumers have over their personal data. There is now an incredible amount of data collected on individuals via smartphones, internet browsers, and other digitally connected services. The EU’s General Data Protection Regulation (GDPR) came into effect in 2018 and requires companies to allow consumers to “opt in” to collection and use of personal data. In January 2020, the California Consumer Privacy Act (CCPA) went into effect. It obliges for-profit companies operating in California to provide consumers with transparency and control of their personal data. Illinois, Maine, and Nevada also recently enacted data privacy laws, and many other states are considering similar legislation.

The NAIC currently has two model laws that deal with consumer data privacy: the NAIC Insurance Information and Privacy Protection Model Act (#670) and the Privacy of Consumer Financial and Health Information Regulation (#672). The Privacy Protections (D) Working Group is charged with reviewing current state insurance privacy protections to assess whether enhancements are needed and with making recommendations.

Data Technology: With the explosion in data in the 21st century, technologies have also been developed, complemented by significant increases in processing power and speed, to process, manage, and utilize data in new ways. Cloud storage and software-as-a-service (SaaS) technologies have driven costs of data storage down and contributed to a significant increase in computing capacity. Data can be processed in new ways using artificial intelligence, machine learning (ML), and natural language processing (NLP) techniques to extract new insights. Blockchain technology creates shared, immutable records, making processing transactions less error-prone and enabling process and organizational efficiencies. All these technologies are currently in use to conduct insurance business around the world, creating challenges and opportunities for state insurance regulators.

Regulators are interested in and engaging with these new uses of data and technologies in a variety of ways. The NAIC has compiled a list of contact persons for each state insurance department to engage on innovation and technology issues. NAIC members and regulators regularly engage with the insurtech community and are open to collaboration and discussion around these issues and their regulatory implications, particularly around consumer protections.

Data Use: Data technologies are dependent on the availability of and access to huge amounts of data. Insurers are producing and gathering their own data by allowing consumers to opt in to telematics, wearables, or other Internet of Things (IoT) programs. IoT devices generally collect data about an insurance consumer’s behavior, such as physical activity or driving habits, to inform underwriting, or monitor property, such as moisture sensors in buildings that catch water damage early. This data can be used to assess and mitigate risk as well as offer insights into consumer behaviors. Insurers also collect data from publicly available sources like government agencies, GIS, and social media, and apply techniques like AI or ML to it to inform various insurance processes.

The Big Data (EX) Working Group is charged with reviewing existing regulatory frameworks used to oversee insurers’ use of consumer and non-insurance data. The Accelerated Underwriting (A) Working Group is also engaged in the area of data use. Its charges for 2020 include examining the use of external data and data analytics in accelerated life underwriting to determine if additional regulatory action or guidance is needed.


Many NAIC groups are focused on issues relating to data use in the insurance industry. The Innovation and Technology (EX) Task Force is charged with coordinating the efforts of these groups and considering the need for overall regulatory guidance on insurer use of consumer data and industry practices around data technologies. In 2020, the Artificial Intelligence (EX) Working Group developed AI principles for the insurance industry. These were adopted by the NAIC membership at the 2020 Summer National Meeting.

The NAIC will also continue to engage with state attorneys general and Congress regarding state and federal data privacy laws to identify ways to work together to enhance consumer protections in this area.