California Privacy Protection Agency Advances Insurance Privacy Compliance Regulation

December 13, 2023
Insights for Insurers

On December 8, 2023, the California Privacy Protection Agency (CPPA) moved forward with an insurance regulation that could expand the privacy compliance obligations of insurance companies. The California Privacy Rights Act (CPRA) required the CPPA to undertake a rulemaking to identify what privacy gaps exist between the California insurance code and the California Consumer Privacy Act (CCPA), as amended by the CPRA. 

The CPPA Board agreed to move forward with applying CCPA obligations to consumer personal information for insurance companies where those companies did not otherwise have privacy and security obligations under the Insurance Information and Privacy Protection Act (IIPPA) and the Privacy of Nonpublic Personal Information (PNPI) or otherwise had their privacy obligations fall under a CCPA exemption.

At the December 8, 2023, meeting, the CPPA staff recommended that the CPPA apply the CCPA requirements only to insurance companies where the insurance code did not apply. The staff supported this approach because the California insurance code is set to be revised by the National Association of Insurance Commissioners Insurance Information and Privacy Protection Act in 2024 (Model Code), and those revisions are expected to be subsequently adopted in California.

What Does This Mean for Insurance Companies?

The CCPA regulation would apply to insurance businesses that are not otherwise regulated by the California insurance code, fall within the CCPA business threshold definition, and process CCPA personal information.

The CCPA requirements for privacy notices, data subject access rights, the rights to opt out of the sale and sharing of personal information, and the right to limit the use of sensitive personal information would now apply to these ancillary businesses, as would the statutory damages and the private right of action in the event of a qualifying data breach.

Next Steps

The CPPA staff will finalize the insurance regulatory text, add applicable examples and insurance division feedback, and then move the regulation to the 45-day public comment period. We will provide an update as this CCPA insurance regulation is materially revised or adopted during this CPPA regulatory process.