California Privacy Protection Agency Advances Insurance Privacy Compliance Regulation
Insights for Insurers Alert | 1 min read
Dec 13, 2023
On December 8, 2023, the California Privacy Protection Agency (CPPA) moved forward with an insurance regulation that could expand the privacy compliance obligations of insurance companies. The California Privacy Rights Act (CPRA) required the CPPA to undertake a rulemaking to identify what privacy gaps exist between the California insurance code and the California Consumer Privacy Act (CCPA), as amended by the CPRA.
The CPPA Board agreed to move forward with applying CCPA obligations on consumer personal information for insurance companies where these insurance companies did not otherwise have privacy and security obligations under the Insurance Information and Privacy Protection Act (IIPPA) and the Privacy of Nonpublic Personal Information (PNPI) or otherwise had their privacy obligations fall under a CCPA exemption.
At their December 8, 2023, meeting, the CPPA staff recommended that the CPPA would apply the CCPA requirements only to insurance companies where the insurance code did not apply. The staff supported this approach because the California insurance code is set to be revised by the National Association of Insurance Commissioners Insurance Information and Privacy Protection Act in 2024 (Model Code), and it is expected that those revisions will be subsequently adopted in California.
What Does This Mean for Insurance Companies?
The CCPA regulation would apply to insurance businesses not otherwise regulated by the California insurance code, which fall within the CCPA business threshold definition and process CCPA personal information.
CCPA requirements of privacy notices, data subject access rights, rights to opt-out sale and sharing of personal information, and right to limit the use of sensitive personal information would now apply to these ancillary businesses as well as the statutory damages and the private right of action in the event of a qualifying data breach.
Next Steps
The CPPA staff will finalize the insurance regulatory text, add applicable examples and insurance division feedback, and then move the regulation to the 45-day public comment period. We will provide an update as this CCPA insurance regulation is materially revised or adopted during this CPPA regulatory process.
Related People
Related Capabilities
Featured Insights
Event
Apr 23, 2026
Driving Ahead: Insights from Industry Leaders Auto Finance Seminar
Event
Apr 16, 2026
Press Release
Mar 26, 2026
Healthcare Alert
Mar 26, 2026
Are You Beyond the Red Line? Mastering Your FQHC’s Scope of Project to Avoid Noncompliance
Webinar
Mar 24, 2026
David Alfini on How Regulatory Citations Become Senior Living Risk
![[VIDEO] Lucy Wang Featured in Business Interview TV Series](/a/web/28aUdvEJH2Txwy8MGsu35J/bo3TFX/featured-in-the-business-insurance-business-interview-series-insights.jpg)
In The News
Mar 20, 2026
Consumer Crossroads: Where Financial Services and Litigation Intersect
Mar 18, 2026
How Should Entities Prepare for California’s New DFAL Licensing Requirement?
Webinar
Mar 17, 2026
Legal Insights on Medical Aid in Dying from Katie Anderson and Adam Guetzow
Consumer Crossroads: Where Financial Services and Litigation Intersect
Mar 13, 2026
DOJ Settlement with Car Retailer Highlights SCRA Repossession Risks
Privacy, Cyber & AI Decoded Alert
Mar 11, 2026
Compliance Considerations for GDPR Consent in Biotech Clinical Research
