June 23, 2023

Latest Developments on New NAIC Consumer Privacy Model Law

Following the Spring National Meeting, the National Association of Insurance Commissioners (“NAIC”) Privacy Protections (H) Working Group (“PPWG”) held a series of private and public meetings in which interested parties and consumer advocates provided feedback on the initial exposure draft of the new Consumer Privacy Protections Model Law (Model 674).[1] Two series of meetings were held in May and in early June. At the conclusion of the meetings, the PPWG announced that it will fully rewrite Model 674 with the goal of publishing a new draft by the end of June. Rather than the normal 60-day comment period, the PPWG will incorporate comments on a rolling basis and release periodic redlines as revisions are made. It will host regular open meetings every two weeks starting in early July and discuss additional comments and revisions at the Summer National Meeting. The PPWG is targeting adoption no earlier than the Fall National Meeting.

I. May Meetings

During the May meetings, a significant topic of debate involved the proposed restrictions on the retention of consumer data. As drafted, Model 674 contains certain permitted purposes that would allow insurers to retain consumer data; provided that, upon the expiration of the permitted purpose, the insurers would be required to delete the consumer data from their systems within ninety (90) days. While the insurance industry strongly opposed the 90-day deletion window, noting challenges with legacy systems, regulators and consumer groups were more supportive, emphasizing the importance of prioritizing the protection of consumer data and the need to develop forward-thinking systems.

II. Early June Meetings

In early June, the PPWG continued its discussion of Model 674, and held a series of in-person interim meetings with industry participants as well as consumer advocates in an effort to collaborate on revisions to Model 674 and to obtain constructive feedback from the industry on existing standards and practical arrangements that can be used to protect consumers’ personal information.

III. Key Feedback and Takeaways

Third-Party Service Providers. PPWG is seeking measures to ensure that licensees are only sharing information with third-party service providers that have a sufficient threshold of security measures to safeguard that information, whether as a contractual obligation or legal requirement. It is evaluating whether a business associate regime similar to HIPAA would be appropriate given the sensitivity of information used in marketing. Interested parties urged the PPWG to consider using a risk-based, rather than a prescriptive, approach.

Definitions of Insurance Transaction and Additional Permitted Transactions. Industry participants encouraged the PPWG to broaden the definitions of “Insurance Transaction”[2] and “Additional Permitted Transactions.”[3] Industry participants voiced concerns that these definitions are overly restrictive and that it is impractical to include a finite list of permissible activities. At a minimum, industry representatives suggested expanding these definitions to include business purposes, product development and transactions with affiliates. Furthermore, they requested that other services and products provided by insurers, such as securities planning and brokerage investment and advisory products, be included as Additional Permitted Transactions.

Definition of Marketing. The PPWG is considering using the definition of “marketing” under HIPAA in Model 674 (e.g., a communication about a product or service that encourages recipients of the communication to purchase or use the product or service).

Inclusion of Joint Marketing Agreements. Joint marketing agreements (“JMAs”) were not included in the initial draft of Model 674, but the PPWG included them as a topic for discussion due to industry feedback. Industry participants suggested including the JMA provisions from the Privacy of Consumer Financial and Health Information Regulation (Model #672) in the next draft, stating that JMAs are critical to the manner in which insurance business is currently conducted and in marketing to disadvantaged or underserved communities.

Consent to Marketing. While opt-in or opt-out marketing regimes were discussed, the bulk of the conversation on this topic focused on the extent to which “sensitive personal information,” a term that industry participants argued was too broad, is disclosed through marketing. The industry groups advocated against the proposed opt-in consent regime, stating it would put the insurance industry at a disproportionate disadvantage as compared to other business sectors. It was noted by industry groups that companies are still operationalizing compliance with current privacy legislation, such as the California Consumer Privacy Act. A significant amount of time was spent on the use of targeted versus non-targeted advertising practices for insurance companies.

Content of Privacy Notices. As drafted, Model 674 requires licensees to provide notice of consumer information practices, which includes the “specific types of personal information of the consumer that the licensee or any of its third-party service providers has or may collect, process, retain, or share.” Several industry participants urged the PPWG to replace “specific types” with “categories,” indicating that the disclosure requirements are overly specific as drafted. Industry participants also voiced concerns that licensees should not be required to provide a list of third parties upon a customer’s request, as this could tarnish the relationship between vendors and insurers.

Delivery of Privacy Notices. Under Model 674, licensees are required to provide an initial and annual privacy notice to each consumer with whom the licensee has an ongoing business relationship. Industry participants argued that notices should only be required annually if there has been a material change from the initial privacy notice, noting significant expense and environmental concerns. In response to industry feedback on defaulting to electronic delivery, the PPWG noted that this may conflict with certain state laws, including those in California, and voiced concern that some consumers do not have computers or internet access.


[1] Exposure Draft of the New Consumer Privacy Protections Model Law #674, NAIC (February 1, 2023), available at https://content.naic.org/sites/default/files/inline-files/Exposure%20Draft-Consumer%20Privacy%20Protection%20Model%20Law%20%23674%201-31-23.pdf.

[2] “Insurance Transaction” is defined as “any transaction or service by or on behalf of a licensee involving: (1) The determination of a consumer’s eligibility for or the amount of insurance coverage, rate, benefit, payment, or claim settlement; (2) The servicing of an insurance application, policy, contract, or certificate, or any other insurance product; (3) Provision of “value-added services or benefits” in connection with an insurance transaction; (4) Any mathematical-based decision that involves a consumer’s personal information; or (5) Any actuarial or research studies for rating or risk management purposes conducted by or for the benefit of the licensee using consumers’ personal information.” Section 3(U).

[3] “Additional Permitted Transactions” is currently defined as “collecting, processing, retaining, or sharing a consumer’s personal information, with the consumer’s consent, for: (1) Marketing purposes; or (2) Research activities not related to rating or risk management purposes for or on behalf of the licensee.” Section 3(B).