Connecticut has joined the growing number of U.S. states to enact a comprehensive privacy law, following California, Colorado, Virginia, and Utah.1 Although these laws require significant compliance activities for many companies, those in the insurance industry must contend with overlapping compliance considerations. Most are relatively easy to achieve, from an insurance industry perspective. And, as usual, California requires the most thought—particularly as that state proceeds through a regulatory overhaul with respect to the insurance industry.
Below is a snapshot of the current state-of-play following the enactment of these new, comprehensive state privacy laws.
The Relatively Easy Ones – From an Insurance Industry Standpoint
Four of the five state laws—Connecticut, Colorado, Virginia, and Utah—exclude entities that are “financial institutions” under Gramm-Leach-Bliley Act (“GLBA”) from their new privacy laws. Insurers and producers are almost universally considered financial institutions under GLBA, so the entity-level exclusion removes their operations entirely from the scope of these privacy laws. Additionally, Connecticut and Virginia exclude covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”); whereas Colorado and Utah solely exclude “protected health information” as defined under HIPAA. Health insurers meet the definition of financial institutions under GLBA, so this distinction does not create a substantive compliance issue for most health insurers. However, any insurer with a subsidiary that is not a financial institution will need to further evaluate compliance obligations under these laws.
California has a somewhat more complicated compliance landscape for companies subject to insurance regulation in the state. In 2018, California enacted the California Consumer Privacy Act of 2018 (the “CCPA”), which is widely recognized as the leading, comprehensive state privacy law in the United States. Like the other laws, the CCPA has a GLBA carve-out, but it is more nuanced: the CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to the federal [GLBA], and implementing regulations, or the California Financial Information Privacy Act [(“FIPA”)].”2 Rather than an entity-wide exclusion, the CCPA excludes only the data regulated under GLBA or FIPA, requiring companies in the insurance industry to analyze whether their data collection, processing, sale, and/or disclosure is done wholly under either GLBA or FIPA. In addition to the CCPA, California also has a separate law and related regulations applicable to the insurance industry—the Insurance Information and Privacy Protection Act (“IIPPA”) and the Privacy of Nonpublic Personal Information (“PNPI”), respectively. IIPPA and PNPI are designed to provide consumer protections in a manner similar in key ways to the CCPA; however, neither is specifically recognized within the CCPA.
In November 2020, California passed an amendment to, and extension of, the CCPA, called the California Privacy Rights Act (the “CPRA”). The CPRA directed the California Attorney General to conduct a review of the California Insurance Code (the “Insurance Code”) and regulations to identify which, if any, provisions of the CPRA provide greater protection to consumers than those of the Insurance Code. To the extent that the Insurance Code does not provide greater protection to consumers, the California Privacy Protection Agency (the “Agency”), the entity granted rule-making authority under the CPRA, must adopt regulations for the insurance industry. The Agency requested comments on these regulations in 2021.
This proposed rulemaking, while providing clarification for potential conflict as between the Insurance Code and CPRA, may actually serve to complicate ongoing updates to IIPPA and PNPI, neither of which are addressed by the CCPA/CPRA. Speaking to this issue, California Insurance Commissioner Ricardo Lara responded via letter on November 8, 2021 (the “Commissioner’s Letter”), to the Agency’s request for comments. The Commissioner’s Letter noted that IIPPA and PNPI are set to be revised, likely in the next two to four years, and requested that the Agency work with Commissioner Lara prior to enacting any CPRA regulations applicable to the insurance industry. Indeed, IIPPA is based on the National Association of Insurance Commissioners (“NAIC”) Insurance Information and Privacy Protection Act: Model Law #670 (the “Model Law”), and PNPI is based on the NAIC Privacy of Consumer Financial and Health Information Regulation: Model Regulation #672, which are each in the initial stages of being revised. As discussed in the Commissioner’s Letter, IIPPA is likely to be amended in accordance with the amended Model Law, and PNPI regulations will be amended concurrently. The Commissioner’s Letter urged that these amendments proceed as anticipated, and that the Agency work together with Commissioner Lara to harmonize these processes.
The Commissioner’s Letter also requests that the Agency work with Commissioner Lara on cybersecurity risk assessments and audits in light of expected changes to the Model Law.
Additional Considerations: Nondiscrimination Action
Another area affecting companies in the insurance industry, often addressed hand-in-hand by regulators, pertains to nondiscrimination, where regulators have indicated increased interest. In California, the Commissioner’s Letter reiterates that the California Insurance Department is a member of the NAIC Special Committee on Race and Insurance. As such, Commissioner Lara argued that any regulatory action by the Agency consider “best practices for collection and nondiscriminatory use of race and identifying data of insureds and providers.”3 And on April 20, 2022, approximately two weeks before the enactment of the Connecticut privacy law, the Connecticut Insurance Department (the “CID”) issued an updated Notice Concerning the Usage of Big Data and Avoidance of Discriminatory Practices (the “Notice”). In the Notice, the CID recognizes the utility of Big Data in virtually every facet of the insurance life cycle, but reminds entities and licensed persons “to use technology and Big Data in full compliance with anti-discrimination laws.”4
In the Notice, the CID focused on three areas: internal data deployment, internal data governance, and risk management and compliance. Insurers and persons licensed in Connecticut must complete a data certification regarding these areas on or before September 1, 2022, and annually thereafter.
As states increasingly consider comprehensive privacy legislation, compliance efforts within the insurance industry are likely to be impacted. This adds an additional layer to a regulatory environment at the state level that is already in flux. Going forward, companies in the insurance industry—and their compliance operations—should carefully watch this space to ensure they meet their obligations.
1 For more information, see the Willkie Client Alert, “And Connecticut Makes Five: A Review of the Newest Comprehensive State Privacy Law” here.
2 California Civil Code Section 1798.145(e).
3 Ricardo Lara, Response to Invitation for Preliminary Comments re California Privacy Rights Act of 2020, 4 (Nov. 8, 2021), here.
4 Notice to all Entities and Persons Licensed by the Connecticut Insurance Department Concerning the Usage of Big Data and Avoidance of Discriminatory Practices, 1 (Apr. 20, 2022), here.