
Insurers have long collected massive amounts of data from consumers, regardless of the line of business written. For decades, insurers have had to provide information about privacy collection practices and procedures and about the safeguards provided to consumers. In the 1990s, the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), came into effect, and the Gramm-Leach-Bliley Act (GLBA) soon followed. In recent years, New York and the National Association of Insurance Commissioners (NAIC) have promulgated additional privacy and cyber acts that specifically apply to the insurance industry.

However, in addition to the specific privacy acts that apply, the insurance industry also is subject to the emerging landscape of other privacy enactments at the state level.  This article briefly summarizes the privacy developments in the insurance industry and then turns to the California Consumer Privacy Act of 2018,[1] as modified by the California Privacy Rights Act of 2020 (collectively, the CPRA), as well as other states’ enactments, and the additional issues those present for insurers.[2]

History of Privacy in the United States
It is important to understand the nature of privacy rights in the United States and how those rights might be different than in the European Union or in some states, such as California. The word “privacy” is not found in any of the nation’s founding documents.  The Declaration of Independence refers to “certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.”[3]  The Constitution also does not address privacy per se.  The Supreme Court of the United States did find the right to privacy in the “penumbras” of the Constitution.  In Griswold v. Connecticut[4], a case addressing the issue of whether the Constitution protected the right of marital privacy against state restrictions on a couple's ability to be counseled in the use of contraceptives, the Court, in a 7-2 decision written by Justice William O. Douglas, found that it did protect such a right.  Douglas wrote:

“The foregoing cases suggest that specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance. See Poe v. Ullman, 367 U. S. 497, 367 U. S. 516-522 (dissenting opinion). Various guarantees create zones of privacy. The right of association contained in the penumbra of the First Amendment is one, as we have seen. The Third Amendment, in its prohibition against the quartering of soldiers ‘in any house’ in time of peace without the consent of the owner, is another facet of that privacy. The Fourth Amendment explicitly affirms the ‘right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.’ The Fifth Amendment, in its Self-Incrimination Clause, enables the citizen to create a zone of privacy which government may not force him to surrender to his detriment. The Ninth Amendment provides: ‘The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.’ The Fourth and Fifth Amendments were described in Boyd v. United States, 116 U. S. 616, 116 U. S. 630, as protection against all governmental invasions ‘of the sanctity of a man's home and the privacies of life.’ We recently referred in Mapp v. Ohio, 367 U. S. 643, 367 U. S. 656, to the Fourth Amendment as creating a ‘right to privacy, no less important than any other right carefully and particularly reserved to the people.’ See Beaney, The Constitutional Right to Privacy, 1962 Sup.Ct.Rev. 212; Griswold, The Right to be Let Alone, 55 Nw.U.L.Rev. 216 (1960).”[5]

Griswold has been used the last sixty years to protect other privacy rights for citizens of the United States.

Prior to Griswold, Louis Brandeis in 1890 wrote a paper, “The Right to Privacy,”[6] with his partner, Samuel Warren, that was published in the Harvard Law Review and was to have a profound effect on the body of jurisprudence going forward. They spoke of a zone of privacy, and Brandeis, after he joined the Supreme Court as an associate justice, would often advocate and write for findings of zones of privacy in various areas of the law. The Court would adopt his logic, culminating in the Griswold case.

Initial Considerations of Privacy
While privacy has not been deemed a fundamental right that is afforded to US citizens by our founding documents, the issue of privacy and protection of information has long been a concern, not only in the United States but worldwide.

A variety of privacy and cyber regulations and laws have been promulgated over the years. The origins and framework for privacy policies have been traced back to a 1980 gathering of the Organisation for Economic Co-operation and Development (OECD), an economic group of 34 countries. In a time when the Internet did not exist and smartphones were decades away in the future, the OECD established a set of principles that should be familiar to anyone who practices at all in privacy.

The Privacy Principles[7]
The OECD established a set of principles that form the skeleton of any privacy laws we see today, including the CPRA. The principles established in 1980 for data privacy and protection are:

  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle

The OECD framework and principles were designed taking into account the recognition of the fundamental right to privacy that exists in many post-World War II constitutions, including the OECD members’ constitutions.

The OECD framework would become the backbone or underpinnings for almost all privacy regimes that followed, including in the insurance industry.

State Insurance Regulation of Cybersecurity Programs

Beginning in 2015 or 2016, the NAIC began to take a closer look at cybersecurity and ransomware issues and began to consider a model law for the industry. In 2017, the New York Department of Financial Services (NYDFS) promulgated its program, beating the NAIC to it, and the NAIC soon followed suit.

On March 1, 2017, New York enacted a cybersecurity program.[8] The New York Cybersecurity Regulation applies to anyone “operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, insurance law, or financial services law of the State of New York.”

NAIC Model Insurance Data Security Model Law

In late 2017, after much discussion and in large part based on the New York Cybersecurity Regulation, the NAIC adopted the Model Insurance Data Security Model Law.[9] The NAIC model is similar in many ways to the NYDFS model, although it has some variation.

Rather quickly, eight states adopted the NAIC Model Law (often with modifications).[10] In 2020, three additional states adopted the Model Law: Virginia on March 10, 2020;[11] Indiana on March 20, 2020;[12] and, Louisiana on June 11, 2020.[13] In 2021, the number of states adopting the law continued to expand, with Hawaii being the latest, when Governor David Y. Ige signed the bill on June 28, 2021.[14] An additional six states adopted the model law in 2021:
  • Maine—March 17, 2021;[15]
  • North Dakota—March 2021;[16]
  • Iowa—April 30, 2021;[17]
  • Tennessee—May 6, 2021;[18]
  • Minnesota—June 26, 2021;[19] and
  • Wisconsin—July 15, 2021.[20]

These actions bring the total number of states adopting the model law to eighteen. Illinois continues to consider adoption of the model, but has not done so to date. As of publication, the number remains 18 states.

Currently, insurance regulators focus on cybersecurity and privacy obligations of those companies that they regulate. We can expect additional states to become part of this continued adoption of the model law.

California Enters The Fray on a Pure Privacy Perspective

Like the European Union constitutions and some state constitutions, the California Constitution contains privacy protections for its residents.  The California Constitution provides[21]:

“All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”[22]

It is important to understand just how broad the California right to privacy is. California’s right to privacy is wider than its federal counterpart in that it protects individuals not only against violations by state and federal government entities, but also against violations by other individuals and private companies. There is a judicial right of action conferred on all Californians for privacy violations. Like many rights in California, the California right to privacy was enacted by ballot measure in November 1972. At the time of the ballot initiative, Ronald Reagan was the Governor of California.

In June 2018, California’s governor signed legislation that the California legislature passed, the CCPA.[23] The CCPA provided new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

When enacted, the act was referred to as the “toughest online privacy law” and the most “sweeping data privacy bill” and was compared to the EU General Data Protection Regulation.  The bill was enacted hastily in order to thwart efforts for a variety of ballot initiatives.  (That would not prevent the initiative from being on the ballot in 2020.)

On January 1, 2020, the landmark legislation went into effect.  The CCPA provides groundbreaking protections for consumers in their ability to control the use of their personal data, and is intended to ensure the rights of Californians to: (1) know what personal information is being collected about them; (2) know whether their personal information is sold or disclosed and to whom; (3) say no to the sale of personal information; (4) access their personal information; and (5) receive equal service and price, even if they exercise their privacy rights.  The California Attorney General is authorized to bring enforcement actions and set penalties pursuant to the law.  And, as part of the implementation and enforcement of the law, the Attorney General was charged with promulgating interpreting regulations on or before July 1, 2020.  The CCPA provides a private right of action for consumers, with statutory damages, for violations of the security requirement that result in an unauthorized disclosure of personal information. 

On August 14, 2020, the California Office of Administrative Law approved and released the Final Regulations for the CCPA.[24] Before the Final Regulations were approved, the California Attorney General (AG) had already started to take enforcement steps against companies, sending out notices of noncompliance.

While the CCPA set forth the steps and procedures that companies holding consumers’ information must take, the Final Regulations set forth in 28 pages what steps companies should take to comply. These steps include:

  • Reviewing and updating privacy policy disclosures.
    • All policies should be reviewed and updated to disclose additional data privacy collection, use, disclosure and sale practices, and provide details on the business’s verification and processing of requests, and financial incentives the business provides.
  • Providing updated notice of collection of personal information.
    • Provide timely notice of collection and use of personal information to employees and consumers online, in-store and via mobile applications, and update that notice as collection practices change. (This is also a focus of Federal Trade Commission enforcement actions in recent years, with significant penalties assessed on those businesses that have practices different from those disclosed.)
  • Reviewing and adjusting methods for accepting and responding to consumer requests.
    • Ensure consistency with CCPA requirements.
    • Ensure that sensitive personal information (i.e., Social Security numbers (SSNs), account passwords, biometric information, etc.) is never disclosed.
  • Applying reasonable security controls to responses to consumer requests.
    • Specific security controls and measures are necessary to ensure that personal information provided to a consumer pursuant to a consumer request is subject to reasonable security procedures.
  • Adhering to guidelines for verifying consumer requests.
    • The Final Regulations provide guidelines for verifying consumer requests for general as well as specific information.
  • Establishing adequate recordkeeping.
    • Businesses must maintain records of CCPA consumer requests in a specific form for at least 24 months.
  • Enabling notice to individuals with disabilities.
    • The Final Regulations address ensuring that the required notices regarding the business’s privacy practices are reasonably accessible to consumers with disabilities.
  • Confirming receipt of consumer requests.
    • Consistent with the CCPA, the Final Regulations require that businesses must respond to consumer requests within ten days of receipt, informing the consumer of the business’s verification process and timing for response. Given the AG’s recent activity, this likely will be closely monitored by California.

The CCPA and Final Regulations set forth onerous obligations on all companies, including insurers, who do business with California consumers. Anyone doing business in California should closely review the Final Regulations and seek guidance if questions arise. As noted, the California AG is busy addressing issues of noncompliance and more is likely to follow.

Jurisdictional Scope

The CCPA applies to a “business” dealing in the “personal information” of “consumers,” with the CCPA broadly defining “personal information.” A “consumer” is a natural person who is a “California resident.” The CCPA defines personal information as:

“‘Personal information’ [(PI)] means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

  1. Identifiers such as name, alias, address, unique personal identifier, IP address, email, account name, SSN, driver’s license number, passport number, or other similar identifiers.
  2. Other PI under California law including physical description, telephone, insurance policy number, financial info, etc.
  3. Characteristics of protected classifications under California and federal law.
  4. Commercial information including purchasing history or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.[25]
  11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”[26]

While the definition is extremely broad, the CCPA does not include in the definition publicly available information or consumer information that is deidentified or aggregate consumer information.

Given the nature of the internet and the challenges presented by siloing off California, many consumer-facing businesses have chosen to give CCPA-style rights to all US residents, both to have a uniform compliance program and to avoid the problem of establishing whether someone is a “California resident.”

The Provisions and Applicability

The legislature listed a long set of reasons and purposes for why the CCPA was needed, including reference to the 1972 Constitution change that arose from the ballot initiative. The legislature found (italicization in original):

“The Legislature finds and declares that:

(a) In 1972, California voters amended the California Constitution to include the right of privacy among the ‘inalienable’ rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.

(b) Since California voters approved the right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, a California law intended to give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.

(c) At the same time, California is one of the world’s leaders in the development of new technologies and related industries. Yet the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy. It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.

(d) As the role of technology and data in the everyday lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.

(e) Many businesses collect personal information from California consumers. They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.

(f) The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.

(g) In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet. As a result, our desire for privacy controls and transparency in data practices is heightened.

(h) People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.”[27]

Among other things, the CCPA applies to any entity doing business in California that has gross revenues in excess of $25 million per year. If a company meets one of the following thresholds, the CCPA generally applies:

  • Annual gross revenues of $25M or more;
  • Buys, Receives, Sells, or Shares the PI of 50,000 or more consumers, households, or devices;
  • Derives 50% or more of annual revenues from selling consumers’ PI.

This broad definition means that many companies, including insurers, fall within the scope of the law. Although the CCPA also has an exemption for information that is already subject to certain federal laws, such as the GLBA and HIPAA, these other privacy laws and the CCPA are separate legal frameworks with different scopes, definitions, requirements, rights and remedies.

A key question businesses must address is whether they are “selling” information of consumers. Per the CCPA:

“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Whether your organization is “selling” data is a critical question. If so, then the CCPA:

  • Requires a Notice of Right to Opt-Out
  • Requires additional disclosures in your privacy policy and other documentation
  • Requires a “Do Not Sell My Personal Information” link on your homepage
  • Requires the creation of an “opt-out” function

As noted, the CPRA was adopted by ballot initiative. The CPRA expands the rights granted to California consumers under the CCPA and introduces some new privacy rights, including:

  • The right to opt out of sharing of personal information. “Sharing” is defined as “sharing…or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration,” which essentially refers to interest-based advertising.
  • The right to opt out of certain uses and disclosures of “sensitive personal information,” which refers to personal information that reveals: a consumer’s Social Security number, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with a security or access code, password or credentials; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email and text messages, unless the business is the intended recipient of the communications; a consumer’s genetic data; a consumer’s biometric data, in certain circumstances; a consumer’s health data; and data concerning a consumer’s sex life or sexual orientation.
  • The right to correct inaccurate personal information.
  • The right to enhanced transparency about a business’s information practices, including information about data retention periods.
  • New rights with respect to the use of automated decision-making technology, including for profiling.

The threshold requirements referenced above changed somewhat under the CPRA; the new thresholds are:

  • As of January 1 of the calendar year, the company exceeded $25 million in gross revenue in the preceding calendar year.
  • The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
  • The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.

If any of the criteria above are satisfied, the company will be deemed a “business” under the CPRA.

The CPRA imposes new obligations on businesses, including requirements related to data retention, data minimization, and purpose limitation, as well as to forward deletion requests not only to service providers but also to contractors and third parties to which the businesses have sold or shared information. This will be a significant obligation.  The law also mandates additional provisions that businesses must include in their contracts with service providers, contractors, and other third parties.

The CPRA also creates a new state agency, the California Privacy Protection Agency. Under the CPRA, this agency was authorized to begin exercising rulemaking authority July 1, 2021, or six months after the agency gives notice to the California AG that the agency will commence rulemaking. The CPRA is subject to 22 different categories of regulations, many with subparts, and final regulations must be adopted by July 1, 2022.

Insurer Considerations Under CCPA

At first blush, the CCPA appears to have exemptions that provide insurers with a pass on compliance. These exemptions include:

Health Information[28]. The CCPA exempts “medical information” governed by the Confidentiality of Medical Information Act and “protected health information” collected by a covered entity or business associate under HIPAA. In addition, health care providers and covered entities governed by HIPAA are exempt, to the extent the provider or covered entity maintains patient information in the same manner as medical information/protected health information.[29]

GLBA[30]. The CCPA exempts personal information collected, processed, sold or disclosed pursuant to the federal GLBA and implementing regulations. This exemption does not apply to the provisions granting consumers a private right of action.[31]

Driver’s Privacy Protection Act[32]. The CCPA exempts personal information collected, processed, sold or disclosed pursuant to the Driver’s Privacy Protection Act. This exemption does not apply to the provisions granting consumers a private right of action.[33]

Notwithstanding these beneficial exemptions, insurers should carefully review the partial exemptions. Many insurers engage in information collection, processing and sale activities outside of the GLBA. The definitions in the two statutes are very different, with the CCPA defining personal information and consumer much more broadly than the GLBA. Also, the GLBA exemption does not apply to the private right of action provided under the CCPA. The private right of action allows consumers to seek statutory damages if the consumer’s information “is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”[34] Despite the exemptions, insurers are still subject under the CCPA to potentially significant damages if they experience a data breach.

Further, other jurisdictions have not robustly exempted insurance information to the same extent as the CCPA.

Other States

While California has the most robust laws in place for consumer protection of information, it is not the only state. Other states that have recently enacted broad consumer protection laws include Colorado,[35] Utah,[36] Virginia,[37] and Connecticut.[38] Many other states are expected to pass broad legislation in the coming months. The four other states that have enacted laws similar to California’s are all relatively consistent, with tweaks among them. One respect in which they are less robust than the CCPA is the insurance exemptions described above.

Insurers face an increasing number of privacy obligations, from the GLBA to the NYDFS regulation and the NAIC Model Law, to the increasing number of state enactments that apply to consumer data more generally. In the coming months, more privacy laws will be passed in the states, and insurers will have to keep abreast of them to comply with the rights of consumers to protection of their data.


[1] Cal Civ Code § 1798.100 - ___.

[2] This article does not address statutes such as the Biometric Information Privacy Act of Illinois, and other such statutes.

[3] The Declaration of Independence para. 2 (U.S. 1776).

[4] 381 U.S. 479 (1965).

[5] Id.

[6] Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).


[8] N.Y. Comp. Codes R. & Regs. Tit. 23, § 500 (2017).

[9] National Association of Insurance Commissioners, Insurance Data Security Model Law, Model Laws, Regulations, Guidelines and Other Resources (2017).

[10] The eight states are South Carolina, Ohio, Michigan, Mississippi, Alabama, Connecticut, New Hampshire, and Delaware.

[11] Va. Code Ann. §§ 38.2-621 to 38.2-629 (2020).

[12] Ind. Code Ann. §§ 27-2-27-1 to 27-2-27-32 (2020).

[13] H.B. 614 (La. 2020).

[14] Act 112, SB 1100 (Haw. 2021); see Memorandum from State of Hawaii, Dep’t of Com. & Consumer Affs. Ins. Div., Act 112, Relating to Insurance Data Security (July 12, 2021).

[15] Me. Rev. Stat. Ann. Tit. 24-A, Ch. 24-B; see also State of Maine, An Act to Enact the Maine Insurance Data Security Act (Mar. 17, 2021).

[16] N.D. Cent. Code § 26.1-02.2.

[17] Iowa House File 719 (Apr. 30, 2021).

[18] Tenn. HB0766 (2021).

[19] Minn. HF 6 (2021).

[20] Press Release, Wis. Office of Comm’r of Ins., Governor Evers Signs Law to Enhance Insurance Security Measures (July 15, 2021) (noting Governor’s signing of Act 73).

[21] Cal. Const., art. I (Declaration of Rights), § 1.

[22] Id.

[23] California Consumer Privacy Act of 2018.

[24] Final Regulation Text, Title 11. Law Division 1. Attorney General, Chapter 20. California Consumer Privacy Act Regulations.

[25] 20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99.

[26] Cal. Civ. Code § 1798.140(o).

[27] Bill Text - AB-1202 Privacy: data brokers.

[28] Cal. Civ. Code § 1798.145(c)(1).

[29] Cal. Civ. Code §1798.145(c).

[30] Cal. Civ. Code § 1798.145(e); Gramm-Leach-Bliley Act (Public Law 106-102).

[31] Cal. Civ. Code §1798.145(e).

[32] Cal. Civ. Code § 1798.145(f).

[33] Id.

[34] Cal. Civ. Code §1798.150.

[35] SB21-190, Protect Personal Data Privacy.

[36] S.B. 227, Consumer Privacy Act.

[37] An Act to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 52, consisting of sections numbered 59.1-571 through 59.1-581, relating to Consumer Data Protection Act.

[38] S.B. No. 6.