On March 21, 2023, the Privacy Protections (H) Working Group ("PP Working Group"), a subgroup of the Innovation, Cybersecurity, and Technology (H) Committee ("H Committee") met at the Spring 2023 US National Meeting of the National Association of Insurance Commissioners ("NAIC"). In addition to various routine matters, such as adoption of the PP Working Group's 2022 Fall National Meeting minutes and presentation of an updated workplan for 2023, the meeting covered the following matters.

  • Updates on Federal and State Legislation

The PP Working Group heard an update on federal and state privacy legislation from NAIC staff. At the state level, there are approximately 50 privacy bills under consideration across 21 states. On March 15, 2023, Iowa became the sixth state to pass a consumer data privacy bill, which is similar to that of Utah. NAIC staff also highlighted that Hawaii and Indiana are considering consumer data privacy bills that are similar to Virginia. New Jersey, Montana and Oklahoma are also considering bills.

At the federal level, the Data Privacy Act (H.R. 1165) has passed out of the House Financial Services Committee along party lines. The bill would revamp existing financial privacy protections for consumers under the Gramm–Leach–Bliley Act to create a preemptive regulatory floor and ceiling in an effort to establish a uniform federal standard that would be enforced by the functional regulators.1 The House Energy and Commerce Subcommittee on Innovation, Data and Commerce recently held a hearing on the development of a national standard on data privacy. Finally, the American Data Privacy and Protection Act (H.R. 8152) passed out of the House Energy and Commerce Committee last year and was being considered for the omnibus bill, but was ultimately not included. However, there is an expectation that the bill will be reintroduced in some form.

  • Initial Comments on the New NAIC Insurance Consumer Privacy Protection Model Law (#674)

The PP Working Group also heard comments from a wide array of consumer representative organizations and trade associations on the exposure draft of the new NAIC Insurance Consumer Privacy Protection Model Law (#674) ("Model Privacy Law"). Speakers included consumer representatives Harold Ting, Birny Birnbaum and Peter Kochenburger. On the industry side, several trade organization provided comments, including the American Council of Life Insurers, America's Health Insurance Plans, the American Property Casualty Insurance Association, Independent Insurance Agents & Brokers of America, Arbor Strategies, the National Association of Mutual Insurance Companies and the American Bankers Association. Some of the items commented on by various speakers included the following:

  • Opt-in requirement for marketing;
  • Handling of joint marketing;
  • Consent requirement for actuarial and research studies;
  • Restrictions on cross-border data sharing;
  • Potential creation of a private right of action;
  • Oversight of third-party service providers;
  • Data minimization and mandatory deletion requirements;
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) preemption;
  • Notice requirements; and
  • Need for staggered implementation.

The Chair of the PP Working Group, Katie Johnson of the Virginia Bureau of Insurance, noted that when the PP Working Group was preparing the exposure draft of the Model Privacy Law, it did not have the level of input that it would have liked. Therefore, the purpose of the exposure draft of the Model Privacy Law was to invite conversation and input regarding the various items contained in the draft Model Privacy Law.

As a reminder, comments on the exposure draft of the Model Privacy Law are due on April 3, 2023, and beginning on April 18, 2023, the PP Working Group will be hosting biweekly calls to work through the various comments received. We will be montioring these discussions closely and will provide updates on key developments to the draft Model Privacy Law.

To view additional updates from the US NAIC Spring 2023 National Meeting, visit our meeting highlights page.

Footnote

1. Under the McCarran-Ferguson Act, regulation of insurance is left to the states unless a federal law specifically preempts state regulation in connection with a specific insurance-related matter. In some cases, federal law sets a floor, or minimum regulatory standards, and the states are free to impose stricter standards. The Data Privacy Act (H.R. 1165), however, gives no such flexibility to the states and prohibits states from imposing more restrictive standards. At the same time, the Data Privacy Act (H.R. 1165) continues to require financial institutions to comply with the minimum privacy standards set forth in the Gramm-Leach-Bliley Act, as amended by the Data Privacy Act (H.R. 1165). Thus, the Data Privacy Act (H.R. 1165) attempts to establish a single uniform federal standard.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.