Expect Focus Life, Annuity, and Retirement Solutions, September 2021

Diving Into IoT Data? Here Are Some Privacy Considerations

Cybersecurity and Privacy   |   Life, Annuity, and Retirement Solutions   |   Financial Services Regulatory   |   Life, Annuity, and Retirement Solutions   |   September 16, 2021

Many insurers contemplate using data from internet- connected devices, including wearables, for a deep dive into wearers’ lifestyles and invaluable insights for automated underwriting. Before diving into the deep end, there are numerous privacy considerations. To ensure your IoT data does not plunge you into trouble:

  1. Adjust your data map.
    1. Begin by drawing out all the actors that will collect, use, access, transfer, or disclose consumer data.
    2. Write in what type of data each of them will collect, use, access, transfer, or disclose.
    3. Draw arrows to show the flow of data between these actors and add the purposes for which each arrow/“data flow” occurs.
    4. To make sure you have captured everything, practice running different scenarios through your data map (consumer applies through X, application is approved, application is denied, etc.).
    5. Be sure to get each relevant department within your organization’s approval that the data map is correct and complete. Ask questions and test answers.
  1. Make sure your contracts with third parties won’t sink you.
    1. Contracts with third parties with whom you will share data (or vice versa) should align with the data map. Ensure your contracts appropriately reflect what data the third party will receive, who is responsible for obligations associated with that data (e.g., who is responsible for providing X notice or securing Y consent), and what the third party can and cannot do with that data.
    2. Evaluate each sharing as a potential “sale” under the CCPA. Ways to avoid the CCPA’s “sale” obligations include:‚Äč
      1. GLBA or CalFIPA Data. Personal information “collected, processed, sold, or disclosed pursuant to” the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA) is exempt from most of the CCPA. For other data, a separate exemption is needed.
      2. Service Providers. If the data might not be GLBA or CalFIPA data, the next best “out” of the CCPA’s “selling” obligations is sharing with a “service provider.” To qualify as a “service provider,” however, specific contractual terms must be included in the insurer third-party contract.
    3. Don’t forget contractual “floaties” requiring your third-party partners to appropriately protect the data, notify you in case of an actual or suspected breach, indemnify you in case of such breaches, process consumer requests, and assist in demonstrating compliance to regulators. Also, given privacy laws’ springboard of activity, including the NAIC’s Working Group, seek a commitment from your partners to comply with new legal requirements.
  2. Watch out for the deep end, as privacy obligations in your third-party contracts may be submersed in hyperlinks included in the contract or their standard terms of use. Understand these obligations and how they can change with or without notice to you. Consider whether your partner requires consumers to complete a particular form, whether you are required to specifically disclose that partner and link to its terms of use in your notices, whether you are agreeing to comply with an entirely different privacy law that you are not otherwise subject to, etc.
  3. As with any new data, update your privacy notices and authorizations to cover this new data collection and its associated uses, sharing(s), and purpose(s). Multiple federal and state laws are likely to govern the notices, consents, registrations, and processes required. As the recently filed class action suits against Lemonade reflect, your notices must accurately reflect your practices.

With proper analysis and planning, your program could win gold.


©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.