On March 21, 2023, the Privacy Protections (H) Working Group (“PP Working Group”), a subgroup of the Innovation, Cybersecurity, and Technology (H) Committee (“H Committee”), met at the Spring 2023 US National Meeting of the National Association of Insurance Commissioners (“NAIC”). In addition to various routine matters, such as adoption of the PP Working Group’s 2022 Fall National Meeting minutes and presentation of an updated workplan for 2023, the meeting covered the following matters.
- Updates on Federal and State Legislation
The PP Working Group heard an update on federal and state privacy legislation from NAIC staff. At the state level, there are approximately 50 privacy bills under consideration across 21 states. On March 15, 2023, Iowa became the sixth state to pass a consumer data privacy bill, which is similar to that of Utah. NAIC staff also highlighted that Hawaii and Indiana are considering consumer data privacy bills that are similar to Virginia’s. New Jersey, Montana and Oklahoma are also considering bills.
At the federal level, the Data Privacy Act (H.R. 1165) has passed out of the House Financial Services Committee along party lines. The bill would revamp existing financial privacy protections for consumers under the Gramm–Leach–Bliley Act to create a preemptive regulatory floor and ceiling in an effort to establish a uniform federal standard that would be enforced by the functional regulators.1 The House Energy and Commerce Subcommittee on Innovation, Data and Commerce recently held a hearing on the development of a national standard on data privacy. Finally, the American Data Privacy and Protection Act (H.R. 8152) passed out of the House Energy and Commerce Committee last year and was being considered for the omnibus bill, but was ultimately not included. However, there is an expectation that the bill will be reintroduced in some form.
- Initial Comments on the New NAIC Insurance Consumer Privacy Protection Model Law (#674)
The PP Working Group also heard comments from a wide array of consumer representative organizations and trade associations on the exposure draft of the new NAIC Insurance Consumer Privacy Protection Model Law (#674) (“Model Privacy Law”). Speakers included consumer representatives Harold Ting, Birny Birnbaum and Peter Kochenburger. On the industry side, several trade organizations provided comments, including the American Council of Life Insurers, America’s Health Insurance Plans, the American Property Casualty Insurance Association, Independent Insurance Agents & Brokers of America, Arbor Strategies, the National Association of Mutual Insurance Companies and the American Bankers Association. Some of the items commented on by various speakers included the following:
- Opt-in requirement for marketing;
- Handling of joint marketing;
- Consent requirement for actuarial and research studies;
- Restrictions on cross-border data sharing;
- Potential creation of a private right of action;
- Oversight of third-party service providers;
- Data minimization and mandatory deletion requirements;
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) preemption;
- Notice requirements; and
- Need for staggered implementation.
The Chair of the PP Working Group, Katie Johnson of the Virginia Bureau of Insurance, noted that when the PP Working Group was preparing the exposure draft of the Model Privacy Law, it did not have the level of input that it would have liked. Therefore, the purpose of the exposure draft of the Model Privacy Law was to invite conversation and input regarding the various items contained in the draft Model Privacy Law.
As a reminder, comments on the exposure draft of the Model Privacy Law are due on April 3, 2023, and beginning on April 18, 2023, the PP Working Group will be hosting biweekly calls to work through the various comments received. We will be monitoring these discussions closely and will provide updates on key developments to the draft Model Privacy Law.
1 Under the McCarran-Ferguson Act, regulation of insurance is left to the states unless a federal law specifically preempts state regulation in connection with a specific insurance-related matter. In some cases, federal law sets a floor, or minimum regulatory standards, and the states are free to impose stricter standards. The Data Privacy Act (H.R. 1165), however, gives no such flexibility to the states and prohibits states from imposing more restrictive standards. At the same time, the Data Privacy Act (H.R. 1165) continues to require financial institutions to comply with the minimum privacy standards set forth in the Gramm-Leach-Bliley Act, as amended by the Data Privacy Act (H.R. 1165). Thus, the Data Privacy Act (H.R. 1165) attempts to establish a single uniform federal standard.