CPPA introduces new rules for insurer responsibilities under California Privacy Act

The California Privacy Protection Agency (CPPA) has moved forward with new rules clarifying insurer obligations under the California Consumer Privacy Act (CCPA) and regulating the use of automated decision-making technology.

These proposed regulations aim to address when insurers must comply with CCPA requirements, especially regarding machine learning-based tools.

The CCPA, passed in 2018 and effective since 2020, now includes updated guidelines. The CPPA specifies that insurers must adhere to the CCPA for personal information not covered under the insurance code and regulations.

For example, if a company gathers personal data from website visitors for targeted advertisements before the visitor applies for insurance, it must provide an opt-out option for data sales or sharing.

Insurers must also comply when collecting information on employees or job applicants, as this data isn’t subject to the insurance code. Companies are required to give notice before or at the point of collecting personal information.

The rules for automated decision-making technology (ADMT) impact companies using these tools for significant consumer decisions, such as insurance approvals or denials.

Firms that use personal data to train decision-making systems must also comply. The proposed regulations demand consumer notifications and opt-out options for automated decision-making in certain scenarios.

There are exceptions for companies using ADMT strictly for security, fraud prevention, or safety. Additionally, if a company offers a human review process for appeals, it may be exempt.

Ashkan Soltani, CPPA Executive Director, noted the importance of these measures for protecting privacy rights in a rapidly evolving technological landscape. Public and stakeholder feedback will be integral to refining the regulations, with meetings scheduled throughout the state.

Ashkan Soltani, California Privacy Protection Agency Executive Director

The advancement of each of these regulation packages is crucial for protecting Californians’ privacy rights. Technology is evolving at a record pace, and we must innovate and evolve as well. The board’s vote today is an important next step in the agency’s mission, and I applaud the care and thoughtfulness that went into developing the draft rules.

The California Department of Insurance did not comment on the rules, and industry trade groups did not provide responses.

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.

This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt out of the sale or sharing of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added privacy protections that began on January 1, 2023. As of January 1, 2023, consumers have new rights in addition to those above, such as:

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

CPRA amends the CCPA; it does not create a separate, new law. As a result, our office typically refers to the law as “CCPA” or “CCPA, as amended.”