The NAIC is developing a new Consumer Privacy Protections Model Act (# 674) which will replace the preexisting Insurance Information & Privacy Protection Model Act (# 670) and Privacy of Consumer Financial & Health Information Regulation (# 672). The Working Group exposed its first draft on January 31 for a 60-day public comment period which closes April 3. Yesterday at the NAIC Spring National Meeting, the Working Group adopted a work plan which lays out a detailed schedule across the spring and summer for regulatory only meetings, consultations with industry, and open sessions, including public comment periods and final approval at the Fall National Meeting in December.
The Working Group heard comments from multiple trade associations which uniformly criticized the current draft as unworkable, failing to reach the right balance between insurance licensees’ need to collect and retain data and consumer’s preferences to restrict insurer’s use of their data. Of particular note, is the intentional exclusion by the Working Group of a joint marketing exemption, a point explicitly reaffirmed by regulators when raised by industry representatives.
The contours of an exemption or safe harbor for insurance licensees who either comply with or are subject to HIPAA appears likely, though the exact form of such an exemption or safe harbor is to be determined.
While the Working Group Chair, Virginia Commissioner Katie Johnson, emphasized that the exposed version is only a first draft, at this stage, we can report some foundational decisions by the Working Group critical to the likely shape of the final model act. First, the model will not directly regulate third-party service providers, but will rely upon state insurance regulators’ authority to regulate licensees’ contracts with third-party service providers. Second, in recognition of insurance licensees’ heightened need to retain consumer information the Working Group is rejecting a “right to be forgotten” choosing instead information retention standards. Similarly, the Working Group rejected prior consent requirements for collecting consumer data but would impose restrictions on selling or transferring consumer data and correcting inaccurate data alongside mandates to de-identify and aggregate data that is deemed no longer necessary to retain. Lastly, the Working Group chose to include adverse underwriting decisions within the draft model.
Locke Lord will continue to monitor for any developments. If you have questions, please contact your Locke Lord relationship partner or the author.