Expect Focus Life, Annuity, and Retirement Solutions, December 2021

When Congress Freezes Up, the NAIC’s Privacy Protections Working Group Lights a Fire

Life, Annuity, and Retirement Solutions   |   Cybersecurity and Privacy   |   Financial Services Regulatory   |   Securities & Investment Companies   |   January 11, 2022

On November 18, calling frozen federal legislative efforts “an opportunity” for state insurance regulators to “update state privacy protections … and potentially forestall or mitigate the impacts of any preemptive federal legislation,” the NAIC’s Privacy Protections (D) Working Group lit a fire by issuing an exposure draft of its report on consumer data privacy protections. The draft report, in addition to summarizing existing privacy protections and the Working Group’s discussions, recommends that the NAIC:

  1. Further consider ways in which the NAIC’s existing privacy models (models 55, 670, and 672) could be amended, or a new model added, “to meet the consumer data privacy challenges presented by the public use of technology and data by insurers in today’s business environment”; and
  2. Update the NAIC’s Market Regulation Handbook and IT Examiners’ Handbook “to provide guidance to state insurance regulators so they can verify insurers’ compliance” with privacy protections.

The Working Group envisions using existing privacy laws as kindling for its fire, relying on laws such as the European Union’s General Data Protection Regulation and recently enacted comprehensive state privacy laws as potential templates for its work. The Working Group will emphasize “data transparency, customer control, customer access, data accuracy, and data ownership and portability.”

The Working Group’s initial draft report culminated in a policy statement describing “what the NAIC currently supports as the minimum consumer data privacy protections that are appropriate for the business of insurance.” And while some of the policy statement’s provisions were industry standard privacy practices, others seemed like rogue sparks. For example, one provision undercut state Fact Act relief efforts by requiring redelivery of a privacy notice at least annually.

In response to comments, the Working Group reconstructed its draft policy statement with a more controlled “Report on Consumer Data Privacy Protections.” The report is “designed to address improvements needed for data privacy protections and to highlight issues needing further discussion.” It removes more controversial provisions and simply summarizes the Working Group’s “recommendations” based on existing NAIC privacy models. These recommendations include providing consumers with:

  • A clear privacy notice, including periodic notice of any substantive changes during the relationship;
  • Specific reasons for adverse decisions based on data gathered from sources other than the consumer;
  • The ability to limit personal information sharing with third parties, “except for specific purposes required or specifically permitted by law”;
  • The right to have their health information shared (whether with affiliates or others) only if they provide affirmative opt-in consent for such sharing; and
  • The right to request:
    • A copy of their personal information, how that information is used, and the sources from which that information is collected; and
    • Correction, amendment, or deletion of their personal information.

Although the change in tone from the Working Group’s policy statement to its report turned a potential wildfire into a controlled burn, there remains no doubt that this blaze needs close supervision to avoid charring.


©2023 Carlton Fields, P.A.