The NAIC is developing a new Consumer Privacy Protections Model Act (# 674) which will ‎replace the preexisting Insurance Information & Privacy Protection Model Act (# 670) and ‎Privacy of Consumer Financial & Health Information Regulation (# 672).‎ ‎ The Working Group ‎exposed its first draft on January 31 for a 60-day public comment period which closes April 3. ‎Yesterday at the NAIC Spring National Meeting, the Working Group adopted a work plan which ‎lays out a detailed schedule across the spring and summer for regulatory only meetings, ‎consultations with industry, and open sessions, including public comment periods and final ‎approval at the Fall National Meeting in December. ‎

The Working Group heard comments from multiple trade associations which uniformly criticized ‎the current draft as unworkable, failing to reach the right balance between insurance licensees’ ‎need to collect and retain data and consumer’s preferences to restrict insurer’s use of their data. ‎Of particular note, is the intentional exclusion by the Working Group of a joint marketing ‎exemption, a point explicitly reaffirmed by regulators when raised by industry representatives.

The contours of an exemption or safe harbor for insurance licensees who either comply with or ‎are subject to HIPAA appears likely, though the exact form of such an exemption or safe harbor ‎is to be determined.‎

While the Working Group Chair, Virginia Commissioner Katie Johnson, emphasized that the ‎exposed version is only a first draft, at this stage, we can report some foundational decisions by ‎the Working Group critical to the likely shape of the final model act. First, the model will not ‎directly regulate third-party service providers, but will rely upon state insurance regulators’ ‎authority to regulate licensees’‎ ‎contracts with third-party service providers. Second, in ‎recognition of insurance licensees’ heightened need to retain consumer information the Working ‎Group is rejecting a “right to be forgotten” choosing instead information retention standards. ‎Similarly, the Working Group rejected prior consent requirements for collecting consumer data ‎but would impose restrictions on selling or transferring consumer data and correcting inaccurate ‎data alongside mandates to de-identify and aggregate data that is deemed no longer necessary to ‎retain. Lastly, the Working Group chose to include adverse underwriting decisions within the ‎draft model.‎

Locke Lord will continue to monitor for any developments. If you have questions, please contact ‎‎your Locke Lord relationship partner or the author.‎