On June 5-6, 2023, the NAIC Privacy Protections (H) Working Group (“PPWG”) held an in-person interim meeting (“session”) to continue its work on drafting a new model privacy law, the Insurance Consumer Privacy Protection Model Law #674 (“Model Law”). Model Law #674 is intended to replace the current Models #670 and #672. The session was intended to be a drafting session focused on certain provisions of the current exposure draft not yet covered during the three preceding PPWG open drafting calls.
During the session, the working group covered third-party service providers, definitions of “insurance transactions” and “additional permitted transactions,” marketing (and joint-marketing agreements), consent to marketing (opt-in versus opt-out), and consumer privacy notices. The PPWG announced it intends to release a new exposure draft (version 1.0) of the Model Law by the end of June to address many of the comments the working group has received and discussed to date. There will be no 60-day comment period for this draft and instead, open calls to discuss drafting will restart once the new exposure draft is released.
The session discussion was lengthy and robust; several discussion highlights are summarized below:
HIPAA Safe Harbor
First, industry representatives highlighted throughout the session that the PPWG’s decision on how to draft the HIPAA safe harbor within the Model Law would impact comments on various other parts of the model. The HIPAA safe harbor language was discussed in the first open call on April 18 and much of the discussion on that call focused on whether the safe harbor should apply to licensees who are subject to and compliant with HIPAA, or whether the exemption should be expanded by applying the safe harbor to licensees who are compliant with HIPAA regardless of whether they are subject to it. The working group acknowledged this concern but did not indicate how it intends to draft the HIPAA safe harbor in the updated exposure draft.
Opt-In Versus Opt-Out
Second, industry representatives requested that the model follow an opt-out model versus an opt-in model. This was discussed in various aspects of the model, but with a particular focus on how using an opt-in approach for marketing insurance products would impact the normal course of business for licensees and would also restrict a consumer’s access to information about additional products that could be beneficial for them. It was also noted that other privacy laws in the U.S. generally follow the opt-out approach, so having the insurance industry comply with an opt-in approach would be significantly more restrictive.
Definition of Insurance Transaction
Third, industry representatives requested that the narrow definition of “insurance transaction” be broadened. Suggestions included using the CCPA definition of insurance transaction or the definitions from the existing GLBA models, or including a catch-all such as a “business purpose,” a “reasonably anticipated business purpose,” or “any function that supports the above.” Others suggested including product development among “insurance transactions.” It was also requested that “Any mathematical-based decision that involves a consumer’s personal information” be removed from the definition.
Risk-Based Versus Prescriptive Approach
Fourth, industry representatives requested that the Model Law take a more risk-based approach, highlighting feasibility and other practical concerns around the prescriptive language included in various provisions of the current exposure draft, including requirements around third-party service provider contracts and privacy notices. Some parties noted that the prescriptive requirements for third-party service provider contracts would be difficult to implement, would necessitate sending a contract addendum to every third-party service provider (which many licensees recently did to comply with the CCPA), would present challenges by requiring the same prescriptive standards for all contracts regardless of the type of service provider, and could be challenging for small licensees because of the power imbalance in working with larger third-party service providers.
Regarding privacy notices, industry representatives highlighted that the prescriptive requirements would be burdensome to comply with, difficult to maintain as current, and could raise security concerns. For example, the requirement to list specific entities to whom information is disclosed will result in a notice that is very long, could be out of date almost immediately, and could raise security issues because threat actors could use this list as a means of targeting entities with connections to insurance data.
We will continue to monitor the PPWG’s efforts regarding drafting the Model Law.
More information on NAIC’s PPWG can be found online, including notes and related documents from previous meetings.