Issue: Today’s economy runs on data, and the insurance industry is no exception. Increasing technology and computer processing capabilities, combined with the availability of unprecedented amounts of digital consumer information, has led to the extensive use of consumer data by a variety of commercial, financial and technology companies. That, coupled with action in the European Union (EU) and pressure on Congress to pass national data privacy legislation, raises concerns of preemption of state efforts and solutions that may not be appropriate for the insurance industry. State insurance regulators continue to raise questions about the benefits and harms arising from the innovative use of technology and consumer data in the insurance sector. They are also tracking the impact big data and automated, algorithm-based decision-making such as artificial intelligence (AI) including machine learning (ML) will have on the existing regulatory framework.  

Background: Data privacy refers to the amount of control consumers have over their personal data. There is now an incredible amount of data collected on individuals via smart phones, internet browsers and other digitally connected services including smart home devices. The EU’s General Data Protection Regulation (GDPR) came into effect in 2018 and requires companies to allow consumers to “opt in” to the collection and use of personal data. In January 2020, the California Consumer Privacy Act (CCPA) went into effect. This requires for-profit companies operating in California to provide consumers with transparency and control of their personal data. Many states have recently enacted data privacy laws, and other states are actively considering similar legislation.  

The NAIC currently has a few model laws that deal with consumer data privacy:   

• The Health Information Privacy Model Act (#55) 
• The Insurance Data Security Model Law (#668) 
• The NAIC Insurance Information and Privacy Protection Model Act (#670).   
• The Privacy of Consumer Financial and Health Information Regulation (#672).   
• The Standards for Safeguarding Customer Information Model Regulation (#673) 

Every state adopted #672 to be in compliance with Gramm-Leach-Bliley Act requirements. However, as this model is several decades old, it does not reflect the technological advancements and proliferation of data collection in the digital era. The NAIC Privacy Protections (H) Working Group is currently drafting a new Privacy Protections Model Act (#674) to replace and modernize Models #670 and #672.  

Status: The Privacy Protections (H) Working Group is charged with drafting a new model law to replace the existing models. The group is currently engaged in the drafting process for the new Privacy Protections Model Act (#674). The model covers several topics including consumer rights, consent, and notification as well as third-party service agreements, data retention and deletion policies, and data sharing agreements. The working group is taking a collaborative approach to the drafting process and collecting feedback from various stakeholders, including consumer and industry representatives. The current draft of the model can be found on the exposure drafts tab of the working group’s webpage. The working group is re-evaluating the timeline for this project to carefully consider feedback from all interested parties.  

The NAIC will also continue to engage with state attorneys general and Congress regarding state and federal data privacy laws to identify ways to work together to enhance consumer protections in this area.