Skip to Content

A New Draft Privacy Model Blooms From the NAIC Privacy Working Group

On February 1, the NAIC’s Privacy Working Group’s new privacy model germinated. After months of development, the exposure draft, titled “Insurance Consumer Privacy Protection Model Law #674” (Proposed Model), has finally reached daylight. The Proposed Model is intended to replace existing Model 670 (NAIC Insurance Information and Privacy Protection Model) and Model 672 (Privacy of Consumer Financial and Health Information Regulation). The Proposed Model fertilizes state insurance privacy laws by:

  1. Seeking to harmonize the various consumer privacy protections put in place in the roughly 30 to 40 years since Models 670 and 672 were developed;
  2. Addressing new technologies, data practices, and methods of securing consumer consent since businesses have advanced beyond paper; and
  3. Reducing duplicative notice requirements across Models 670 and 672.

The Proposed Model includes a HIPAA safe harbor and optional private right of action. The rights and requirements in the Proposed Model will be familiar to insurers as it is a bouquet of existing high-level requirements of Models 670 and 672 (e.g., notice and consent requirements, rights to know, access, and correct, etc.), and the concepts taken from recent privacy legislation. The notable changes are discussed below.

New and Revised Definitions

  • A new definition of “personal information” explicitly capturing not only information gathered as part of an insurance transaction, but also as part of a licensee’s marketing efforts, including inferences about an individual’s inclinations (particularly relevant to the AI marketing tools being used by many insurers);
  • A new definition of “de-identified data,” and an explicit statement that de-identified information is not being regulated; and
  • New flexibility in the definition of “written consent” (likely to recognize how doing business has changed in the decades since Models 670 and 672 were passed).

Stricter Requirements for Third-Party Risk Management and Data Minimization

  • Increased focus on service provider due diligence and contracting, including requiring written agreements with specific restrictions/commitments; and
  • A new stress on data minimization. Licensees may not collect, process, retain, or share personal information unless such information is “in connection with an insurance transaction as defined in this Act” and “reasonably necessary and proportionate to achieve the purposes related to the requested insurance transaction or additional permitted transactions,” and licensees must delete personal information within 90 days of the data no longer being necessary.

New and Broadened Restrictions on Use and Sharing

  • Broadened restrictions on the use of personal information for marketing purposes, even the insurer’s marketing of its own products and services;
  • New restrictions on the use of sensitive personal information for marketing purposes, where the included definition of “sensitive personal information” has been taken largely from the California Privacy Rights Act; and
  • New restrictions surrounding, and the ability for consumers to control, sharing of their data with entities outside the United States, including a requirement to obtain “prior consent from any consumer whose personal information will be… [s]hared with a person outside the jurisdiction of the United States, or its territories.”

Modifications to Access, Correction, and Deletion Provisions

  • Deletion of Model 670’s prior “right to delete”; and
  • Shortened time periods for processing consumer access and correction requests (previously 30 business days; now 15 business days).

The changes would, if finalized by the NAIC and then adopted by each state, require insurers to re-cultivate their policies and procedures (e.g., revise their privacy and document retention and destruction policies, update workflows to reflect new rights and shortened time periods for processing requests, determine and adjust their practices surrounding data sharing with entities located outside the U.S., etc.). At this point, however, the Proposed Model is only a draft that the Working Group expects to prune based upon insurance industry input.

Next Steps

Comments are being received through April 3, 2023. A revised draft is expected in July, and the Working Group will vote on the revised Proposed Model at the NAIC’s August Summer Meeting.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.