As insurance companies continue to examine their compliance with current privacy and cybersecurity regulations, new state laws and proposed federal bills add another level of complexity to the landscape.
The Information Transparency & Personal Data Control Act is Congress’ latest attempt to regulate private companies’ use of consumer data. The bill, introduced by Rep. Suzan DelBene (D-WA), requires companies to provide “plain language” consumer privacy policies, enables consumers to opt in to the use of their sensitive private information and broadly preempts conflicting state laws. The stated purpose of the bill is to develop a national privacy framework to replace the current patchwork of state privacy laws, such as the CPRA.
The bill would give the Federal Trade Commission broad rulemaking authority in order to keep up with evolving privacy trends. The prospects of the bill’s passage remain unknown, and with close Democratic majorities in both the House and Senate, it remains to be seen whether the Biden administration will push privacy as one of its early priorities.
While Congress continues to debate privacy legislation, Virginia has become the latest state to adopt a sweeping privacy law. Governor Ralph Northam signed the Consumer Data Privacy Act (CDPA) into law on March 2, 2021. The CDPA creates a number of privacy obligations for businesses, such as undertaking a formal data protection assessment of their data collection and processing activities and posting a privacy notice, and gives Virginia consumers more control over their personal data. For example, Virginia consumers would now have the right to correct errors in their personal information, request the deletion of personal data, and opt out of the processing of their personal information for certain defined purposes like advertising.
The CDPA has several exemptions, including one for “financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act.” How this exemption will fully impact the insurance industry is still being assessed, and several provisions remain unclear. Insurers should closely monitor privacy developments in Virginia.