PIA Engages with NAIC and Congress on Data Privacy

Over the past several weeks, both Congress and the National Association of Insurance Commissioners (NAIC) have turned their attention back to data privacy.

Congressional Data Privacy Activity

In May, the Innovation, Data, and Commerce Subcommittee of the House Energy and Commerce (E&C) Committee marked up a discussion draft of the American Privacy Rights Act (APRA) of 2024. The discussion draft passed out of the subcommittee unanimously and was sent to the full Committee for its consideration. In advance of the markup, PIA sent a letter to the members of the E&C Committee to alert them to our concerns about the draft.

Since 2023, Congress has considered several data privacy proposals that would create a new federal framework for how businesses, including insurance agencies, collect, share, and use consumer information. The APRA discussion draft represents Congress’s most recent attempt to establish federal uniformity in this area.

The APRA would regulate consumer data privacy and security and give consumers control over the collection of their personal information by covered entities, which, at the time of this writing, includes entities engaged in the business of insurance. It would also limit covered entities’ ability to collect and use consumer data beyond necessary and limited purposes. The APRA would also preempt the many existing state laws and regulations that address these issues.

The discussion draft exempts “small businesses,” defined as entities with annual gross revenues of $40 million or less OR entities that use the covered data of 200,000 people or fewer. However, if an entity that would otherwise qualify as a small business has transferred covered data to a third party in exchange for anything of value to facilitate the tracking of individuals over time, across websites, or for targeted advertising, that entity relinquishes its eligibility for the “small business” exemption.

The law would apply to all companies subject to the jurisdiction of the Federal Trade Commission (FTC), unless they qualify for the small business exemption, and the FTC and state attorneys general would have enforcement authority over covered entities. The discussion draft also gives consumers a private right of action, or the right to sue a covered entity that uses their data improperly or otherwise violates the law.

PIA’s concerns about the effect of the APRA on independent insurance agents include the following:

  • The McCarran-Ferguson Act exempts insurance from federal oversight. The 1945 McCarran-Ferguson Act formalized the insurance industry’s longstanding exemption from most federal oversight and delegated insurance regulation to the states. The state-based insurance regulatory regime has historically worked well because state insurance regulators are familiar with their residents’ specific geographic and economic needs, and they have the flexibility to meaningfully address those needs within their departments.
  • State insurance regulators already protect consumer data. Congress’s 1999 passage of the Gramm-Leach-Bliley Act (GLBA) prompted state insurance regulators to develop state-based consumer privacy protections. As a result, all 50 states already have well-developed data privacy laws and strong consumer data protections, and states are constantly testing and strengthening those structures. The federal passage of a detailed statutory or regulatory regime would be confusing, burdensome, and, at best, duplicative. As written, the APRA seems to be on a collision course with the states’ consumer data privacy regimes developed in accordance with GLBA.
  • The National Association of Insurance Commissioners (NAIC) continues to update its data privacy regime. Following the enactment of the GLBA, the NAIC developed a suite of model laws to guide states in developing their own data privacy protection regimes. Since then, the NAIC has updated and modified its model law regime, and those efforts are ongoing (see below). Because the NAIC represents state insurance commissioners, it is better positioned than Congress to provide comprehensive recommendations that states can customize to meet the needs of their stakeholders. Plus, in accordance with McCarran-Ferguson, the states are the proper venue for the implementation of such changes.

At a minimum, the discussion draft should be revised to exempt entities that already comply with the GLBA and the state laws passed as a result, so that Congress does not arbitrarily give the FTC expansive new authority over insurance entities in violation of McCarran-Ferguson. To that end, PIA will continue to encourage members of Congress to add an insurance industry carve-out to this draft bill.

NAIC Data Privacy Activity

Late last month, PIA submitted individual comments to the NAIC’s Privacy Protections Working Group (Working Group) in response to a request from its chair, Commissioner Amy Beard of Indiana, seeking stakeholder feedback on the Working Group’s path forward. Specifically, the Working Group asked regulators and interested parties to communicate their preference for either continuing to work on its sprawling draft Model Law #674, the development of which has been underway for about two years, or instead revising its existing Privacy of Consumer Financial and Health Information Regulation (Model Law #672, which was promulgated in response to the passage of the GLBA and has since generated corresponding laws and/or regulations in every state).

In both our individual comments and in an industry coalition comment letter we joined, we expressed our substantial concerns about Model #674 and our strong preference that the Working Group continue its efforts by revising Model Law #672. Following its receipt of stakeholder comments, the Working Group met earlier this month and voted to shift its attention from the development of Model Law #674 to the revision of Model Law #672. PIA was gratified at the support expressed for its position among Working Group members and interested regulators, as well as our fellow interested parties. We are pleased to have played a role in shifting the direction of the NAIC’s work from the development of an overly broad, unnecessarily complex new model to the modernization of an existing, universally adopted model.

As the NAIC and Congress continue their deliberations around the important public policy issues raised by the growing use of consumer data, PIA will continue to engage on this issue at both the NAIC and Congressional levels.