A New Draft Privacy Model Blooms From the NAIC Privacy Working Group
- Seeking to harmonize the various consumer privacy protections put in place in the roughly 30 to 40 years since Models 670 and 672 were developed;
- Addressing new technologies, data practices, and methods of securing consumer consent since businesses have advanced beyond paper; and
- Reducing duplicative notice requirements across Models 670 and 672.
The Proposed Model includes a HIPAA safe harbor and an optional private right of action. The rights and requirements in the Proposed Model will be familiar to insurers, as it is a bouquet of the existing high-level requirements of Models 670 and 672 (e.g., notice and consent requirements; rights to know, access, and correct; etc.) combined with concepts taken from recent state privacy legislation. The notable changes are discussed below.
New and Revised Definitions
- A new definition of “personal information” explicitly capturing not only information gathered as part of an insurance transaction, but also as part of a licensee’s marketing efforts, including inferences about an individual’s inclinations (particularly relevant to the AI marketing tools being used by many insurers);
- A new definition of “de-identified data,” and an explicit statement that de-identified information is not being regulated; and
- New flexibility in the definition of “written consent” (likely to recognize how doing business has changed in the decades since Models 670 and 672 were passed).
Stricter Requirements for Third-Party Risk Management and Data Minimization
- Increased focus on service provider due diligence and contracting, including requiring written agreements with specific restrictions/commitments; and
- A new emphasis on data minimization. Licensees may not collect, process, retain, or share personal information unless such information is “in connection with an insurance transaction as defined in this Act” and “reasonably necessary and proportionate to achieve the purposes related to the requested insurance transaction or additional permitted transactions,” and licensees must delete personal information within 90 days of the data no longer being necessary.
New and Broadened Restrictions on Use and Sharing
- Broadened restrictions on the use of personal information for marketing purposes, including the insurer’s marketing of its own products and services;
- New restrictions on the use of sensitive personal information for marketing purposes, where the included definition of “sensitive personal information” has been taken largely from the California Privacy Rights Act; and
- New restrictions surrounding, and the ability for consumers to control, sharing of their data with entities outside the United States, including a requirement to obtain “prior consent from any consumer whose personal information will be… [s]hared with a person outside the jurisdiction of the United States, or its territories.”
Modifications to Access, Correction, and Deletion Provisions
- Deletion of Model 670’s prior “right to delete”; and
- Shortened time periods for processing consumer access and correction requests (previously 30 business days; now 15 business days).
The changes would, if finalized by the NAIC and then adopted by each state, require insurers to re-cultivate their policies and procedures (e.g., revise their privacy and document retention and destruction policies, update workflows to reflect new rights and shortened time periods for processing requests, determine and adjust their practices surrounding data sharing with entities located outside the U.S., etc.). At this point, however, the Proposed Model is only a draft that the Working Group expects to prune based upon insurance industry input.
Next Steps
Comments are being received through April 3, 2023. A revised draft is expected in July, and the Working Group will vote on the revised Proposed Model at the NAIC’s August Summer Meeting.