NAIC Restarts Its Work Revising Its Model Privacy Provisions

Life, Annuity, and Retirement Solutions   |   Cybersecurity and Privacy   |   Financial Services Regulatory   |   May 6, 2020

After a brief hiatus due to COVID-19, the NAIC’s Privacy Working Group returned to work on May 5, discussing comments received on the working group’s markup of the NAIC Insurance Information and Privacy Protection Model Act (Model 670). As with much of the United States, the work of the Privacy WG is being affected by COVID-19: it will now expand its focus to include updating the requirements for health information in Model 670, the Privacy of Consumer Financial and Health Information Regulation (Model 672), and the Health Information Privacy Model Act (Model 55).

The chair of the Privacy WG explained the goals of the Privacy WG in changing the models, including:

  • Aligning the models with current privacy approaches reflected in the European Union’s General Data Protection Regulation and the California Consumer Privacy Act;
  • Updating the models to incorporate new definitions drawn from sources such as the NAIC Market Regulation Handbook or IT Exam Handbook; and
  • Revising the models to reflect the many new sources and ways insurers and their supporting organizations collect and share consumer information.

Based on these overarching goals, subject matter experts within the Privacy WG set forth comments on Model 670, including proposed changes, which, if adopted, would significantly impact insurers, as follows:

  • Broadening application to vendors and others with which insurers share information;
  • Extending protections to cover both natural persons and other legal entities;
  • Creating new consumer rights, such as the right to restrict particular uses and disclosures of information, the right to be forgotten, and special provisions for the information of minors and against discrimination;
  • Increasing consumer access to their information, including transferring the cost of such requests to insurers;
  • Shifting from opt-out to opt-in consent for disclosures of information for marketing purposes, and from mere notice to consent for the collection and use of information;
  • Adding restrictions on the use of data and provisions regarding insurers’ passive collection of information (e.g., tracking cookies and web beacons);
  • Increasing notice requirements, including shortening notification time frames, increasing disclosure specificity, eliminating abbreviated notices and instances in which disclosure can be made without prior authorization, and requiring more frequent notices of information practices;
  • Requiring state regulators to review and approve disclosure authorization forms, and shortening the length of time for which such authorizations are valid;
  • Deleting provisions that permit insurance institutions to delegate their obligations to others; and
  • Increasing accountability for insurers' refusal to correct or delete information and requirements to notify entities with which the insurer has shared later-corrected information, including by revising penalties provisions and drafting a version of the model law that would create a private right of action.

Interested party comments submitted thus far have focused on the importance of remaining consistent with existing privacy laws governing insurers and resisting more onerous requirements that may unnecessarily restrict insurers’ ability to compete against other industries (e.g., technology companies).

©2023 Carlton Fields, P.A.