March Madness Begins: NAIC’s New Draft Privacy Model
Consumer Advocate Comments:
- Opt-in consent should be required for all but the most necessary of disclosures.
- Third-party service providers should be held to the same standards as licensees.
- Licensees should be required to disclose data collected from consumer reporting agencies and data broker resources.
- Consumers should receive immediate notice of adverse underwriting decisions and have the ability to challenge the accuracy of such information.
- The privacy model should incorporate data security provisions.
Industry Comments:
- The draft privacy model proposes a significant shift from licensees’ existing practices and should instead reflect current state approaches to privacy to improve adoption rates and increase consistency across jurisdictions.
- The draft privacy model is overly restrictive and unworkable.
- The timing and number of notices required before personal information is collected is excessive and would overwhelm consumers.
- It would impede research and actuarial work.
- Requiring an opt-in for marketing purposes, including joint marketing relationships, would impede innovation, undermine long-standing practices, and limit consumers’ ability to learn about product offerings.
- The proposed restrictions on cross-border transfers are unparalleled (e.g., even more demanding than the GDPR), unworkable for global insurers, and may conflict with international trade agreements.
- A 90-day deletion period and confirming notice obligations on an individual basis are unmanageable and go against efforts to minimize notices (e.g., FAST Act).
- The proposed third-party oversight requirements should only apply to new contracts.
- A full HIPAA exemption should apply to avoid duplicative regulation.
- Regulators should have exclusive enforcement powers (i.e., the optional private right of action should be removed).
- Expanded third-party oversight requirements for existing contracts will require extensive renegotiations.
- More flexibility is needed regarding data minimization and deletion requirements.
Next Steps
The PPWG clarified that the positions laid out in the exposure draft were meant to trigger discussion and it understood revisions to the privacy model would be necessary.
We will continue to monitor the PPWG meetings.
The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.