NAIC’s Draft Revisions to Protect Consumer Privacy in Model Law 672

At a Glance

• The draft revisions to Model 672 add some of the additional privacy protections that Model 674 would have implemented if passed.
• Importantly, the draft revisions to Model 672 state that the model law does not create or imply a private right of action.
• The Working Group took comments on “Section 5 — Third-Party Arrangement” of the revisions and will discuss them during their upcoming open Drafting Group meeting September 30, 2024.

The National Association of Insurance Commissioners’ (NAIC) Privacy Protections (H) Working Group (the “Working Group”) has continued its charge to draft a new or revised model law aimed at standardizing privacy protections for the collection, data ownership and use rights, and disclosure of information gathered in insurance transactions. Although the Working Group had previously drafted a new model law — Model 674 — it decided in June 2024 to scrap the draft after substantial markups and comments in favor of revising Model Law 672.

History of Privacy Protection Model Laws

The NAIC has previously adopted two privacy protection model laws. In 1992, the NAIC released the Insurance Information and Privacy Protection Model Act (“Model 670”), which established guidelines for insurers and related companies on the collection and use of consumer information, to increase fairness and transparency. In 2000, the NAIC adopted the Privacy of Consumer Financial and Health Information Model Act (“Model 672”), most recently amended in 2017, which focused on protecting consumers’ personal financial and health information.

In 2023, the Working Group released a draft of a new model law — the Insurance Consumer Privacy Protection Model Law (“Model 674”) — with the goal of modernizing the previous model laws. Model 674 would have kept many of the privacy protections established in Models 670 and 672, increased consumer protections, and limited the amount of data insurance licensees and third-party service providers can use in connection with insurance transactions. However, the draft Model 674 received heavy pushback, and it became doubtful that a majority of states would have passed 674.

Consequently, in June 2024, the Working Group voted to forego the draft Model 674 in favor of revising the widely adopted Model 672. It released Chair Draft Amendments to Model 672 on August 20, 2024.

Key Aspects of the Draft Revisions to Model 672

The draft revisions to Model 672 add some of the additional privacy protections that Model 674 would have implemented if passed. Key aspects include:

• Expanding the definition of “nonpublic personal information” to include any information that is linked or reasonably linkable to an identified or identifiable natural person. The definition excludes de-identified information, aggregated data and pseudonymous data.
• Defining sensitive personal information to mean personally identifiable “nonpublic personal financial information” about a consumer that is: (1) of racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or citizenship status; or (2) genetic information or biometric data that may be processed for the purpose of uniquely identifying an individual.
• Adding additional definitions for: (1) biometric data, (2) de-identified data, (3) genetic information, (4) pseudonymous data and (5) third-party service provider.
• Requiring licensees that disclose a consumer’s nonpublic personal information to a third-party service provider to enter into a contract with the third-party service provider subject to requirements listed in the model.
• Requiring licensees to allow for consumers to access, correct and delete nonpublic personal information.
• Requiring licensees to have consumers affirmatively opt-in prior to the sale of their nonpublic personal information.
• Placing additional limitations on and notice requirements for licensees’ use and disclosure of consumers’ sensitive personal information.

Importantly, the draft revisions to Model 672 state that the model law does not create or imply a private right of action.

The draft revisions to Model 672 are available here. The Working Group took comments on “Section 5 — Third-Party Arrangement” of the revisions and will discuss them during their upcoming open Drafting Group meeting September 30, 2024.