Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
April 24, 2025

California SB 354: A New Era in Insurance Consumer Privacy

The Insurance Consumer Privacy Protection Act of 2025

At a Glance

  • SB 354 establishes new standards for the collection, processing, retention and sharing of consumers’ personal information by insurance licensees and third-party service providers. Overall, it seeks to increase transparency and accountability in the California insurance market and to keep California’s insurance privacy laws on pace with modern insurance business practices.
  • SB 354 has the potential to greatly impact California’s privacy landscape. Insurance licensees, third-party service providers and consumers should be aware of the potential rights and obligations the bill may create.

The past few years have seen a surge of activity from states in introducing and adopting consumer privacy bills. These bills vary from state to state, but generally include requirements around data collection, processing and opt-out rights for covered entities. All state privacy laws include a Gramm-Leach-Bliley Act exemption at either the data level or the entity level, which excludes from these statutes' requirements either most information that insurance companies hold or the entity as a whole. In a step towards placing similar obligations on insurance companies, on April 11, 2025, California Senator Monique Limón introduced SB 354, the Insurance Consumer Privacy Protection Act of 2025.

The Insurance Consumer Privacy Protection Act of 2025 builds on and goes beyond the California Insurance Information and Privacy Protection Act (Cal. Ins. Code § 791 et seq.) and the California Consumer Privacy Act (Cal. Civ. Code § 1798 et seq.). It establishes new standards for the collection, processing, retention and sharing of consumers’ personal information by insurance licensees and third-party service providers. Overall, it seeks to increase transparency and accountability in the California insurance market and to keep California’s insurance privacy laws on pace with modern insurance business practices.

As currently drafted, SB 354 applies to licensees under the California Insurance Code, and a licensee’s third-party service providers, that (1) process consumers’ personal information in connection with the business of insurance; (2) engage in insurance transactions with consumers; or (3) engage in activities not related to insurance transactions involving consumers’ personal information. The consumer protection provisions touch on the following key areas.

Oversight of Third-Party Service Provider Arrangements

Contractual arrangements between licensees and vendors must contain language providing for the security of consumers’ personal information and stating that the information that vendors receive will only be used for the service provided for the licensee. Licensees must develop written procedures for the selection and oversight of third-party service providers and make them available to the commissioner upon request.

Data Minimization

Data collection is limited so that licensees collect only personal information related to the insurance transaction requested by the consumer.

Records Retention & Deletion

Licensees are required to securely destroy personal information that is no longer needed.

Requests to Correct, Amend or Delete Information

Consumers are provided the right to correct, amend, or delete any personal or publicly available information the licensee or its third-party service provider has about the consumer.

Opt-in Standards

Licensees are required to obtain the express consent of a consumer to use the consumer’s personal information for any purposes other than for the insurance product requested by the consumer. The bill clarifies that consent is not established by: (1) acceptance of a general or broad “terms of use,” or a similar document, that contains descriptions of personal information processing along with other, unrelated information; (2) hovering over, muting, pausing or closing a given piece of content; or (3) agreement obtained through use of dark patterns.

Limitations on Sensitive Personal Information

Consumers’ sensitive personal information may be used only to provide the insurance product requested by the consumer. Sensitive personal information includes a consumer’s: (1) social security, driver’s license, state ID card, or passport number; (2) account login, financial account, debit card, or credit card numbers in combination with any required security or access code, password or access credentials; (3) precise geolocation; (4) racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership; (5) content of personal mail, email, text messages, or voice or video communications; (6) genetic or neural data; (7) sexual orientation (or information about the consumer’s sex life); (8) health information; (9) biometric information; and (10) additional items specified by the commissioner in regulation.

Consumer Privacy Notice(s)

Notice requirements are implemented to provide consumers with meaningful information about what information is collected, how it is used, to whom it is disclosed, and what rights the consumer has under the law.

Adverse Underwriting Decisions

Licensees, when issuing an adverse underwriting decision (including, but not limited to, cancellations, nonrenewals and rescissions), must provide the consumer with the reasons leading to the decision.

Governance Processes and Procedures on Data Use

Licensees must establish and follow protocols to protect consumers’ personal information, including providing data-breach notifications to the California Department of Insurance.

Access & Non-retaliation

Consumers may not be penalized for exercising or attempting to exercise their privacy rights.

In Conclusion

SB 354 is currently under review by the Senate Judiciary Committee and is scheduled for hearing on April 29, 2025. Although it is in its early stages, it has received support from California Commissioner of Insurance Ricardo Lara, who, in a recent California Department of Insurance press release, was quoted as saying: “SB 354 gives consumers the power to decide how their personal information is used and shared. This bill will enhance regulations governing the amount of data insurance licensees can collect, the purposes for which it can be used, who it can be shared with, and the duration for which it can be retained.”

SB 354 has the potential to greatly impact California’s privacy landscape. Insurance licensees, third-party service providers and consumers should be aware of the potential rights and obligations the bill may create.
