California Privacy Protection Agency Advances Insurance Privacy Compliance Regulation
Insights for Insurers Alert | 1 min read
Dec 13, 2023
On December 8, 2023, the California Privacy Protection Agency (CPPA) moved forward with an insurance regulation that could expand the privacy compliance obligations of insurance companies. The California Privacy Rights Act (CPRA) required the CPPA to undertake a rulemaking to identify what privacy gaps exist between the California insurance code and the California Consumer Privacy Act (CCPA), as amended by the CPRA.
The CPPA Board agreed to move forward with applying CCPA obligations on consumer personal information for insurance companies where these insurance companies did not otherwise have privacy and security obligations under the Insurance Information and Privacy Protection Act (IIPPA) and the Privacy of Nonpublic Personal Information (PNPI) or otherwise had their privacy obligations fall under a CCPA exemption.
At their December 8, 2023, meeting, the CPPA staff recommended that the CPPA would apply the CCPA requirements only to insurance companies where the insurance code did not apply. The staff supported this approach because the California insurance code is set to be revised by the National Association of Insurance Commissioners Insurance Information and Privacy Protection Act in 2024 (Model Code), and it is expected that those revisions will be subsequently adopted in California.
What Does This Mean for Insurance Companies?
The CCPA regulation would apply to insurance businesses not otherwise regulated by the California insurance code, which fall within the CCPA business threshold definition and process CCPA personal information.
CCPA requirements of privacy notices, data subject access rights, rights to opt-out sale and sharing of personal information, and right to limit the use of sensitive personal information would now apply to these ancillary businesses as well as the statutory damages and the private right of action in the event of a qualifying data breach.
Next Steps
The CPPA staff will finalize the insurance regulatory text, add applicable examples and insurance division feedback, and then move the regulation to the 45-day public comment period. We will provide an update as this CCPA insurance regulation is materially revised or adopted during this CPPA regulatory process.
Related People
Related Capabilities
Featured Insights
Consumer Crossroads: Where Financial Services and Litigation Intersect
Jun 18, 2026
Three Key Mortgage Enforcement Developments for Lenders in Illinois
Webinar
Jun 17, 2026
Consumer Crossroads: Where Financial Services and Litigation Intersect
Jun 18, 2026
Three Key Mortgage Enforcement Developments for Lenders in Illinois
Webinar
Jun 17, 2026
Press Release
Jun 16, 2026
In The News
Jun 12, 2026
Jennifer Driscoll Discusses Antitrust Case Against Shipping Container Manufacturers
Privacy, Cyber & AI Decoded Alert
Jun 12, 2026
Hot Topics in Data Privacy: Staying Cool and Compliant This Summer
Press Release
May 20, 2026 | Updated June 18, 2026
Hinshaw Releases America 250 Book Exploring Insurance's Role in Building the United States
Press Release
Jun 11, 2026
Nia Binns Honored With 2026 Rising Star Award by the Black Women Lawyers’ Association
Press Release
Jun 11, 2026
Insights for Employers Alert
Jun 9, 2026
A Win for Employers: Federal District Court Finds $100,000 H-1B Visa Petition Fee is Unlawful
