Menu

Expect Focus Life, Annuity, and Retirement Solutions, August 2022

Learn From Lemonade’s Privacy Lemon: Sweeten Compliance to Lessen Litigation Bitterness

Cybersecurity and Privacy   |   Life, Annuity, and Retirement Solutions   |   Life, Annuity, and Retirement Solutions   |   Financial Services Regulatory   |   September 8, 2022
Download Download   
Share Share Page

Lemonade Inc.’s recently proposed settlement of class action claims alleging that it failed to sufficiently disclose, and secure necessary consent for, its collection and use of biometric information is a prime example of the privacy risks facing insurers. Here are some tips for keeping the seeds out of your privacy program.

  1. More is not always better.

    Data is essential to all parts of an insurer’s operation, including underwriting and claims. Collecting more data, however, may come with increased compliance obligations and resulting costs. Just like lemons in lemonade, data is essential but should be limited.

  2. Don’t underestimate how sour privacy lemons can be.
    1. Don’t over-rely on a Gramm-Leach-Bliley Act exemption. Financial services companies often place great reliance on entity-level GLBA exemptions. Illinois’ Biometric Information Privacy Act (BIPA) provides a private right of action and includes a GLBA entity-level exemption. While BIPA’s GLBA exemption has helped insurers face less BIPA litigation than many other industries, bitterness remains. Lemonade recently agreed to pay $3 million of a $4 million settlement to a subclass of 5,000 Illinois consumers, leaving the other $1 million to be split between 110,000 consumers in other states; that is $600 per Illinois consumer versus $9.09 per consumer in other states, even with BIPA’s GLBA exemption.
    2. Don’t forget common law claims. In New York, for instance, consumers claimed that Lemonade’s alleged actions violating BIPA were breaches of express and implied contract and GLBA notice requirements, as well as instances of unjust enrichment and unfair trade practices. While the court recently dismissed the unjust enrichment claims because the parties did not dispute having a valid contract, it denied Lemonade’s attempts to dismiss the other counts.
  3. Stir well.

    Consider clarifying and coordinating existing privacy notices. Insurers often use a multitude of privacy notices to meet the requirements of the various privacy laws to which they are subject (e.g., a Notice of Health Information Policies, Standards, and Procedures to address NAIC Model 55, a Notice of Insurance Information Practices to address NAIC Model 670, a GLBA notice, a California Consumer Privacy Act notice, etc.). The risk highlighted by the pleadings against Lemonade is that consumers may argue that any one of those notices misled or confused them because they thought that the particular notice was comprehensive or because of any inconsistency across notices. To lessen risk, consider reviewing privacy notices to ensure consistency and clarity, for example:

    1. Building into privacy notices a statement that the notice is “in addition” to other privacy notices that may be provided to the consumer; and/or
    2. Ensuring that an overarching comprehensive privacy notice exists that explains how various privacy notices come together into a cohesive whole.

    Care is particularly needed if these steps are taking place when process considerations or marketing partnerships are in flux.

  4. Adjust to taste.

    Privacy notices require frequent adjustment as insurers’ data practices change, new distribution channels or data partners are added, laws develop, or marketing techniques are expanded, and insurers have varying risk tolerances and consumer experience goals. To avoid surprise lip-puckering, ensure your privacy approach is consistent with the amount and type of data you use and your company’s taste for risk.

 


©2022 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.