Regulatory/Law
Privacy Concerns

• Stephanie Lemoine
• March 2019
• 

The development of new technology and the rise in the use of existing technology are transforming the insurance industry. From telematics that track and report location, time of day, speed, number of miles driven and braking habits to cancer detection technology built into breathalyzer devices, as well as smart-home security sensors that detect break-ins and even plumbing leaks, insurers are in a better position than ever to gauge and manage the risks they insure.

The use of this data has become so paramount to some insurers that one leading insurer is even re-branding itself not as an insurer, but as a customer-focused data company.

While not unique to the insurance industry, the collection and storage of data by insurers and their service providers have heightened privacy concerns among consumers regarding the types of data their insurers are collecting, how that data will be secured, and how and by whom that data will ultimately be used. The fine print in the privacy policies for many insurers' mobile applications specifies that a consumer's personal information will be shared with third parties for a variety of business purposes outside the determination of premium rates, including the marketing of products to the consumer.

The value of consumer data is such that it is now considered an asset that can be used as collateral for financing or sold as part of bankruptcy proceedings. Recognizing the value of the data and consumer privacy concerns, states across the country have begun enacting laws that limit the collection and use of certain data.

In 2008, Illinois led the country in implementing a statute governing the retention, collection, disclosure, and destruction of biometrics, and other states followed suit. California's recent passage of the Consumer Privacy Act of 2018, which becomes operative Jan. 1, 2020, is the most broad-sweeping legislation regarding personal identifying information.

This new law requires businesses to disclose, upon request of the consumer, information regarding the specific pieces of personal information collected, the sources of that information, the business purposes for collecting or selling the information, and the categories of third parties with which the business shares the consumer's personal information. The law permits consumers to request deletion of their personal information and to opt out of a business's sale or disclosure of the consumer's personal information. The law also prohibits businesses from charging a different price to consumers who exercise their privacy rights, specifically including the use of discounts or other benefits or by imposing penalties unless the difference in price is reasonably related to the value provided to the consumer for the data. However, businesses will be permitted to offer financial incentives, such as payments to consumers as compensation, for the collection of personal information. In addition to enforcement by the attorney general, the California Consumer Privacy Act of 2018 provides for a private right of action by consumers for unauthorized access or disclosure of the consumer's personal information as a result of a business's violation of its duty to implement and maintain reasonable security measures to protect personal information.

Insurers can reasonably expect that other states will follow California's lead in regulating the collection, protection and use of consumers' personal information and should monitor the implementation of consumer privacy laws to ensure compliance or risk penalties that may outweigh the value of using consumers' personal information.