Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

 Skip to Content

March Madness Begins: NAIC’s New Draft Privacy Model

March 24, 2023
The first round on the Insurance Consumer Privacy Protection Model Law (#674) started on March 21 as the NAIC’s Privacy Protections Working Group (PPWG) held its first open meeting to discuss the draft privacy model. The draft privacy model was exposed on February 1 and discussed in our article “A New Draft Privacy Model Blooms From the NAIC Privacy Working Group.” The meeting followed some initial play-in private discussions between stakeholders and the PPWG, as well as internal PPWG meetings. Later rounds will include biweekly meetings starting in mid-April. The PPWG anticipates scheduling a June two-day in-person meeting to discuss particularly thorny issues, including whether joint marketing relationships will continue their special treatment. The PPWG anticipates that the final round will occur at the NAIC Fall National Meeting, where it will present the privacy model for adoption. Key comments of the industry and consumer representatives are summarized below.

Consumer Advocate Comments:

  • Opt-in consent should be required for all but the most necessary of disclosures.
  • Third-party service providers should be held to the same standards as licensees.
  • Licensees should be required to disclose data collected from consumer reporting agencies and data broker resources.
  • Consumers should receive immediate notice of adverse underwriting decisions and have the ability to challenge the accuracy of such information.
  • The privacy model should incorporate data security provisions.

Industry Comments:

  • The draft privacy model proposes a significant shift from licensees’ existing practices and should instead reflect current state approaches to privacy to improve adoption rates and increase consistency across jurisdictions.
  • The draft privacy model is overly restrictive and unworkable.
    • The timing and number of notices required before personal information is collected is excessive and would overwhelm consumers.
    • It would impede research and actuarial work.
    • Requiring an opt-in for marketing purposes, including joint marketing relationships, would impede innovation, undermine long-standing practices, and limit consumers’ ability to learn about product offerings.
    • The proposed restrictions on cross-border transfers are unparalleled (e.g., even more demanding than the GDPR), unworkable for global insurers, and may conflict with international trade agreements.
    • A 90-day deletion period and confirming notice obligations on an individual basis are unmanageable and go against efforts to minimize notices (e.g., FAST Act).
    • The proposed third-party oversight requirements should only apply to new contracts.
  • A full HIPAA exemption should apply to avoid duplicative regulation.
  • Regulators should have exclusive enforcement powers (i.e., the optional private right of action should be removed).
  • Expanded third-party oversight requirements for existing contracts will require extensive renegotiations.
  • More flexibility is needed regarding data minimization and deletion requirements.

Next Steps

The PPWG clarified that the positions laid out in the exposure draft were meant to trigger discussion and it understood revisions to the privacy model would be necessary.

We will continue to monitor the PPWG meetings.
Authored By
Image: Ann Young Black
Ann Young Black
Image: Patricia M. Carreiro
Patricia M. Carreiro
Related Practices
Cybersecurity and Privacy Life, Annuity, and Retirement Solutions
Related Industries
Life, Annuity, and Retirement Solutions
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.