The California Privacy Protection Agency on Friday will discuss new topics for potential rulemaking, including most notably regulations that would govern the insurance industry.
The meeting will be the first time that board members turn their attention to the insurance topic, where California is the one the world’s largest markets with a value at over $123 billion along with strong consumer protections. Multiple states are scrutinizing more closely how insurers use AI and personal data, with Colorado being the first state to adopt rules related to insurance algorithms.
The voter-approved 2020 California Privacy Rights Act directs the agency to review the state’s insurance code along with state privacy statutes in its rulemaking. The agency is then required to adopt the strongest protections to apply to the sector.
The rulemaking will attract the attention of insurance companies as some have sought to use personal data to help determine premiums or other costs for certain individuals. In California, there’s been an ongoing campaign by consumer advocates to keep auto insurers from using data collected by connected cars, a subject area that the privacy agency has launched its first publicly announced probe.
Navigating the insurance landscape will be tricky as the agency board members decide which direction to pursue. For example, they will have to consider existing state laws such as the Insurance Information and Privacy Protection Act and related regulations by the The California Department of Insurance. The department asked the privacy agency in a 2021 public comment letter to work collaboratively, given ongoing national work to revise insurance privacy models that will affect state law.
Other Topics
The privacy agency also is set to establish a registration fee for data brokers and adopt regulations for the sector. It’s the first step in the agency taking over California’s data broker registry from the state attorney general, part of the state’s new groundbreaking data broker law.
Named the Delete Act, the law tasks the agency with creating a single “delete button” that consumers can use to erase all their data from all registered data brokers, companies which rely on amassing and selling personal data as their business model.
Board members will also discuss possible updates to the first set of CPRA regulations that the agency enacted in March. Those regulations—currently on pause by a court ruling—may eventually see some minor updates, such as giving consumers the ability to request all personal information beyond the standard of the past 12 months from businesses.
Under the proposed revisions, consumers would be able to withdraw consent for the use of personal data at any time. The proposed updates also include a requirement that when a business denies a consumer request to delete personal data or opt out, it must also inform the consumer that they can file a complaint with the agency and the attorney general’s office.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.