�����о����ٷ�

Last Updated: 7/30/2025

Today’s economy runs on data, and the insurance industry is no exception. Increasing technology and computer processing capabilities, combined with the availability of unprecedented amounts of digital consumer information, has led to the extensive use of consumer data by a variety of commercial, financial and technology companies. That, coupled with action in the European Union (EU) and pressure on Congress to pass national data privacy legislation, raises concerns of preemption of state efforts and solutions that may not be appropriate for the insurance industry. State insurance regulators continue to monitor the impacts of the innovative use of technology and consumer data in the insurance sector. They are also tracking the impact big data and artificial intelligence (AI) including machine learning (ML) will have on the existing regulatory framework.  

Data privacy refers to the amount of control consumers have over their personal data. There is now an incredible amount of data collected on individuals via smart phones, internet browsers and other digitally connected services. The EU’s General Data Protection Regulation (GDPR) came into effect in 2018 and requires companies to allow consumers to “opt in” to the collection and use of personal data. In January 2020, the California Consumer Privacy Act (CCPA) went into effect. This requires for-profit companies operating in California to provide consumers with transparency and control of their personal data. Many states have recently enacted data privacy laws, and other states are actively considering similar legislation.  

The �����о����ٷ� currently has a few model laws that deal with consumer data privacy:   

• The Insurance Data Security Model Law (#668)
• The �����о����ٷ� Insurance Information and Privacy Protection Model Act (#670)  
• The Privacy of Consumer Financial and Health Information Regulation (#672)  
• The Standards for Safeguarding Customer Information Model Regulation (#673) 

Every state has adopted #672 to comply with Gramm-Leach-Bliley Act requirements. However, as this model is several decades old, it does not reflect the technological advancements and proliferation of data collection in the digital era. The �����о����ٷ� Privacy Protections (H) Working Group is currently drafting amendments to modernize Model #672. 

The Privacy Protections (H) Working Group is charged with drafting amendments to Model #672. The group is currently engaged in the drafting process and taking a section-by-section approach. The amendments cover several topics including consumer rights, consent, and notification as well as third-party contractual obligations, and limits on sale of nonpublic personal information and disclosure of sensitive personal information. The working group is taking a collaborative approach to the drafting process and collecting feedback from various stakeholders, including consumers and industry representatives. The current drafts of amendments to various sections of the model can be found on the exposure drafts tab of the working group’s webpage. The working group hopes to release a full draft of amendments to the model for public comment by early 2026.

The �����о����ٷ� will also continue to engage with state attorneys general and Congress regarding state and federal data privacy laws to identify ways to work together to enhance consumer protections in this area.