NAIC Restarts Its Work Revising Its Model Privacy Provisions
The chair of the Privacy WG explained the working group's goals in changing the models, including:
- Aligning the models with current privacy approaches reflected in the European Union’s General Data Protection Regulation and the California Consumer Privacy Act;
- Updating the models to incorporate new definitions drawn from sources such as the NAIC Market Regulation Handbook or IT Exam Handbook; and
- Revising the models to reflect the many new sources and ways insurers and their supporting organizations collect and share consumer information.
Based on these overarching goals, subject matter experts within the Privacy WG set forth comments on Model 670, including proposed changes, which, if adopted, would significantly impact insurers, as follows:
- Broadening application to vendors and others with which insurers share information;
- Extending protections to cover both natural persons and other legal entities;
- Creating new consumer rights, such as the right to restrict particular uses and disclosures of information, the right to be forgotten, and special provisions for the information of minors and against discrimination;
- Increasing consumer access to their information, including transferring the cost of such requests to insurers;
- Shifting from opt-out to opt-in consent for disclosures of information for marketing purposes, and from mere notice to consent for the collection and use of information;
- Adding restrictions on the use of data and provisions regarding insurers’ passive collection of information (e.g., tracking cookies and web beacons);
- Increasing notice requirements, including shortening notification time frames, increasing disclosure specificity, eliminating abbreviated notices and instances in which disclosure can be made without prior authorization, and requiring more frequent notices of information practices;
- Requiring state regulators to review and approve disclosure authorization forms, and shortening the length of time for which such authorizations are valid;
- Deleting provisions that permit insurance institutions to delegate their obligations to others; and
- Increasing accountability for insurers' refusal to correct or delete information and requirements to notify entities with which the insurer has shared later-corrected information, including by revising penalties provisions and drafting a version of the model law that would create a private right of action.
Interested party comments submitted thus far have focused on the importance of remaining consistent with existing privacy laws governing insurers and resisting more onerous requirements that may unnecessarily restrict insurers’ ability to compete against other industries (e.g., technology companies).