The Council submitted comments on the NAIC’s first consumer privacy draft on April 3. A revised memo outlining the key provisions of the model can be found here. The Council has been asked to review the draft and provide any comments by July 28, 2023. We ask that you provide any feedback by Friday, July 21 to inform our next round of comments. Key changes from the prior draft include:
- No longer prohibits cross-border sharing of consumers’ personal information.
- Addressed the industry’s concerns on deletion of personal information from legacy systems. The industry indicated that this process is costly and takes years to transition.
- Added a provision to permit joint marketing agreements.
- Amended the definition of “third-party service provider” to clarify that it does not include a licensee’s “affiliates.”
- Reworked and clarified the whole subject of “marketing,” including allowing consumers to opt out of marketing. Clarified that opt-in restrictions do not apply to the provision of insurance or other financial products and services.
- Removed the definition of “additional permitted activities.”
- Removed the requirement for an annual notice of privacy protection practices; instead, added requirement for a notice when there is a change in the licensee’s privacy protection practices. Added a drafting note as to what is not a change triggering a subsequent notice.
- Amended several of the requirements for the content of the notices. Requires notice of cross-border sharing, but not when in connection with reinsurance or sharing with an affiliate.
- Working with the interested parties on how the notice should be provided; some parts of the US do not have access to WiFi, computers, or cell service.
- Removed the provision on pre-text interviews; no one had ever heard of anyone using them.
The following changes also appear in this version of the Model but were posted with comments due July 10. The PPWG will review the comments received on these provisions before the Summer National Meeting.
- Removed the alternative options of including or excluding a private right of action; instead, we are using the IDSA’s approach, which states that the Act does not create a PRA but does not take away any existing rights.
- Addressed AHIP’s concerns that the confidentiality provision was not strong enough (they wanted ORSA language). Worked with NAIC legal to strengthen the language without adopting the ORSA language.
- Provides a total HIPAA safe harbor if all personal information is treated as protected health information. Added a provision that if the licensee fails to qualify for the total safe harbor, the licensee is fully subject to the model law for all personal information that is not PHI.