California Privacy Protection Agency Advances Insurance Privacy Compliance Regulation
Insights for Insurers Alert | 1 min read
Dec 13, 2023
On December 8, 2023, the California Privacy Protection Agency (CPPA) moved forward with an insurance regulation that could expand the privacy compliance obligations of insurance companies. The California Privacy Rights Act (CPRA) required the CPPA to undertake a rulemaking to identify what privacy gaps exist between the California insurance code and the California Consumer Privacy Act (CCPA), as amended by the CPRA.
The CPPA Board agreed to move forward with applying CCPA obligations on consumer personal information for insurance companies where these insurance companies did not otherwise have privacy and security obligations under the Insurance Information and Privacy Protection Act (IIPPA) and the Privacy of Nonpublic Personal Information (PNPI) or otherwise had their privacy obligations fall under a CCPA exemption.
At their December 8, 2023, meeting, the CPPA staff recommended that the CPPA would apply the CCPA requirements only to insurance companies where the insurance code did not apply. The staff supported this approach because the California insurance code is set to be revised by the National Association of Insurance Commissioners Insurance Information and Privacy Protection Act in 2024 (Model Code), and it is expected that those revisions will be subsequently adopted in California.
What Does This Mean for Insurance Companies?
The CCPA regulation would apply to insurance businesses not otherwise regulated by the California insurance code, which fall within the CCPA business threshold definition and process CCPA personal information.
CCPA requirements of privacy notices, data subject access rights, rights to opt-out sale and sharing of personal information, and right to limit the use of sensitive personal information would now apply to these ancillary businesses as well as the statutory damages and the private right of action in the event of a qualifying data breach.
Next Steps
The CPPA staff will finalize the insurance regulatory text, add applicable examples and insurance division feedback, and then move the regulation to the 45-day public comment period. We will provide an update as this CCPA insurance regulation is materially revised or adopted during this CPPA regulatory process.
Related People
Related Capabilities
Featured Insights

Healthcare Alert
Jul 8, 2026
A New Era of Compliance Standards for California DSOs and MSOs After the Aspen Dental Settlement

Insights for Insurers Alert
Jul 7, 2026
What Insurers Need to Know About California’s FAIR Plan Assessment Recoupment Guidance

In The News
Jul 6, 2026
Francesco Palanda’s Practical Guide for Mitigating AI-Related Business Interruption Risk

Lawyers' Lawyer Newsletter
Jun 29, 2026
Beyond Malpractice: The Rising Threat of Privacy and Statutory Claims Against Lawyers

In The News
Jun 26, 2026
Brian McGrath Discusses Far-Reaching Impact of a NY Foreclosure Ruling on Mortgage Industry

In The News
Jun 26, 2026
Jason Oliveri Discusses AI Companions in Elder Care and the Risks for LGBTQ+ Residents

Event
June 25-26, 2026
Todd Young Speaks on Importance of Financial Literacy to ESOP Culture

Press Release
Jun 25, 2026
Scott Seaman Appointed to DRI Center for Law and Public Policy’s Social Inflation Task Force




