In response to numerous comments regarding the California Consumer Privacy Act (CCPA), on February 21, 2019, Assembly Member Tom Daly (D-CA 69th) proposed AB 981, designed to clarify the privacy protection laws applicable to insurers. In its current form, the bill would (1) exempt insurance institutions, agents and support organizations from certain provisions of the CCPA and (2) amend California’s Insurance Information and Privacy Protection Act (IIPPA) to harmonize definitions and incorporate certain CCPA concepts.
Since October 1, 1981, California insurance institutions have been obligated to protect consumers’ information under IIPPA, which was enacted to provide protection to consumers by, among other things:
- Establishing standards for collecting, using and disclosing information acquired during insurance transactions
- Balancing the insurance industry’s need for information with the public’s interest in having their information handled fairly and with minimal intrusiveness
- Creating a regulatory system that allows for “natural persons” to know the information being collected about them during insurance transactions and to be able to verify and dispute that information
- Limiting information disclosure
- Enabling insurance applicants and policyholders to know the reason for an adverse underwriting decision.
These protections were further enhanced by the 2003 enactment of section 2689 of the California Code of Regulations, which adopted the Privacy of Nonpublic Personal Information Rule in response to the passage of the Gramm-Leach-Bliley Act (GLBA).
As currently structured, the CCPA will result in overlapping privacy requirements and regulators for insurers. This issue arises because although the CCPA specifically excludes personal information collected, processed, sold or disclosed under GLBA and the California Financial Information Privacy Act (FIPA), the CCPA does not expressly acknowledge the IIPPA.
To alleviate these concerns, AB 981 would, among other things:
- Exempt insurers from the CCPA, except for its data breach provisions (including breach-related private right of action).
- Add definitions for “Aggregate consumer information,” “Biometric information,” and “Deidentified” information.
- Amend definition of “Personal Information” to mirror the CCPA definition except that the IIPPA definition does not include a reference to “household.”
- Require insurers to provide notices about the information they collect and how they use it, as well as notice of privacy policies and practices.
- Require insurers to provide consumers information concerning their rights.
- Require insurers to implement a written security program with specific program content requirements, including staff training, regular testing, and a third-party management program.1
At its April 23, 2019, hearing, the Assembly Committee on Privacy and Consumer Protection approved AB 981. The bill now returns to the Assembly for a vote and should it pass, it will be forwarded to the California Senate for further consideration.