United States: Privacy Protections (H) Working Group

On August 13, 2023, the Privacy Protections (H) Working Group ("PP Working Group") met at the Summer 2023 US National Meeting of the National Association of Insurance Commissioners ("NAIC"). In addition to routine matters, such as adoption of the minutes from recent meetings, the meeting covered the following matters:

Updates on Federal and State Legislation

NAIC staff reported that Delaware became the twelfth state¹ to pass personal data privacy legislation (awaiting governor's signature), and at least 16 more have introduced data privacy bills during the current legislative cycle. NAIC staff also reported that despite significant bipartisan progress being made with respect to a comprehensive data privacy bill last year, and a hearing held in March of this year by the House Committee on Energy and Commerce's new Subcommittee on Innovation, Data and Commerce, currently there does not appear to be momentum at the federal level to pass comprehensive data privacy legislation this year; the NAIC staff noted that data privacy action of a more limited scope was more likely instead. For example, the House Judiciary Committee approved a bill that would ban law enforcement agencies from buying sensitive personal information from data brokers.²

Comments on the Draft Model Privacy Law

The PP Working Group announced that it intends to ask for additional time to work on drafting the new NAIC Insurance Consumer Privacy Protection Model Law (#674) ("Model Privacy Law").

Following a significant rewrite of the draft Model Privacy Law in July- based on comments received on the prior draft, the PP Working Group received approximately 35 comment letters on the latest draft. At this meeting, the working group intended to hear additional comments specifically on the topics of marketing, consumer notices and opt-in/opt-out frameworks. However, many of the comments received during the meeting were broader in scope. Notably, several commenters—including those representing certain state regulators and industry associations—highlighted that the draft Model Privacy Law would need significant revisions to become a model law that could be widely adopted by state legislatures. LeeAnn Crow, Director of the Consumer Assistance Division at the Kansas Insurance Department, even proposed that the working group terminate work on the draft Model Privacy Law immediately.

Several industry groups presented comments during the meeting. Some of the key issues raised by these groups included the following:

• Need for Extensive Revisions: Several commenters noted that the draft Model Privacy Law needed extensive revisions to be workable and in a form that could be passed in many states. Some of the provisions highlighted as needing further revisions were: definitions, requirements for retention, deletion and sharing of information, access and correction requirements, the requirement for annual review of personal information held by a licensee, notice requirements (timing, content and delivery), provisions regarding marketing and joint marketing, handling of adverse underwriting decisions and third-party service providers. One industry group commented that a complete change in direction was necessary and that rather than trying to develop a new model law, the PP Working Group should focus on enhancing the existing privacy requirements under the Gramm-Leach-Bliley Act ("GLBA").
• Need for Harmonization: Numerous commenters emphasized the need for harmonization of the draft Model Privacy Law with existing privacy regulations, such as the GLBA and California requirements. Some commenters cautioned against creating a significantly more rigorous standard than what already applies to other financial institutions.
• Interaction with Governmental Insurance Programs: One industry group highlighted the need for the working group to consider how the requirements of the Model Privacy Law will be executed in practice in connection with governmental insurance programs, such as the National Flood Insurance Program ("NFIP"). For example, insurance agents often sell excess flood policies along with NFIP policies to make sure that consumers are not underinsured. The industry group questioned whether such sales would need to be broken down into two separate transactions to accommodate the need to get separate written consent for the sale of the excess flood insurance policies.

On the other hand, consumer representatives generally expressed support for the PP Working Group's efforts to modernize insurance data privacy regulation. Some of the more-specific issues raised by the consumer representatives included the following:

• Developing a standard template for privacy notices.
• Avoiding unintended consequences (such as restricting the ability of insurers and governmental agencies to investigate insurance fraud).
• Support for opt-in consents.
• Categorization of personal information (i.e., the importance of building out categories of personal information for protection, such as commercial transaction history, internet use history, biometric information, geolocation data, audio/visual data, professional or employment history, and education history; need for a detailed look at types of personal information stems from a concern about discriminatory use of such information by insurers).
• Assessment of systems where personal information is held (e.g., information held by third parties).

Conclusion

The PP Working Group is committed to continuing its work to develop the Model Privacy Law despite numerous warnings that, even if a final draft of the Model Privacy Law is adopted by the NAIC, there are significant concerns that there will be limited adoption of the model law by states if the Model Privacy Law promulgated by the NAIC remains close to its current form. We will continue to monitor and report on the working group's efforts to address key criticisms of the current draft, as well as how further revisions to the draft Model Privacy Law could impact the likelihood that the model law is adopted by state legislatures.

To view additional updates from the US NAIC Summer 2023 National Meeting, visit our meeting highlights page.

Footnotes

1. The other states that have adopted personal data privacy legislation are California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.

2. The Senate Commerce Committee recently approved two children's privacy bills. In addition, House Financial Services Committee Chairman Patrick McHenry continues to seek to advance his own update to the Gramm-Leach-Bliley privacy requirements.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.