Data privacy concerns have been bubbling up under the surface for years now. With the House of Representatives having taken up legislation on the issue, privacy will be at the forefront of industry leaders’ minds moving into 2023. What could all this mean for the insurance sector? Let’s talk about that.
Proactively Managing Your Data Policies
The American Data Privacy and Protection Act (ADPPA) passed the House Energy and Commerce Committee in July (2022), making it the farthest federal privacy legislation has progressed in the United States. While the bill may have enough bipartisan support to be passed into law, it is unlikely to happen this fall or winter. Nevertheless, the ADPPA bill provides a future compliance roadmap for U.S. companies across a wide range of sectors.
Businesses are already preparing to comply with rigorous data collection rules in California, Colorado, Connecticut, Utah, and Virginia, all of which take effect in 2023. International regulations, such as the EU’s General Data Protection Regulation (GDPR), have been in force since 2018. The addition of a federal U.S. law will bring an onslaught of new protocols and processes, along with a litany of new standards and requirements, that are sure to create headaches for compliance and operations teams in organizations across the country.
Because a bill that has cleared committee could soon become law, companies that have not yet planned how to handle data privacy must decide when to implement the procedures and technologies required for compliance. Companies that already comply with GDPR or other regulations must determine how the ADPPA compares with those standards and whether it will supersede them.
Potential Regulations and What They Could Mean
The fact that the bill was passed by a committee is a sign that national data privacy legislation is approaching. Any data regulation would need to strike a careful balance between consumer rights and the advertising and marketing technology sector, including powerful tech giants like Google, Amazon and Facebook. The ADPPA attempts to achieve that balance by establishing federal standards for protecting U.S. consumers’ personal data, including oversight and enforcement mechanisms.
Small and medium-sized companies must consider whether they fall under the aegis of the law before doing business. ADPPA attempts to keep the burden of small and medium-sized businesses low, so it provides some exemptions for companies with less than $41 million in gross revenue and/or sensitive covered data of less than 200,000 individuals or devices. In addition, large companies—so-called “large data holders”—that have gross revenues of more than $250 million and handle covered data of more than five million individuals or devices are still subject to the law’s basic requirements. This does not mean that small and medium-sized companies are permitted to disregard the law, however.
It is likely that many large data holders have already taken steps to meet GDPR standards or to match current consumer preferences in order to keep up with demand. They may not have to reinvent the wheel to boost their operational resilience.
So, any large data holder that has been able to avoid implementing data privacy rules would be smart to get ahead of the potential disruptive rush to conform once a new federal law passes. A shift in the regulatory environment may expose company vulnerabilities, cause service and product failures, and lead to financial losses. Companies of all sizes must monitor the constantly changing regulatory environment and determine where their current and future vulnerabilities lie.
“Privacy by Design” is a design approach that seeks to protect the privacy of users by designing applications, services, and systems to be less invasive. The ADPPA bill advocates for a “privacy by design” thinking in businesses. This approach focuses on data minimization, which requires outlining what consumer data may be collected and what is considered invasive. In privacy, operations, or compliance, this means going through a long list of acceptable data types in search of the least amount of information required for things like transaction processing, authentication, and security.
The bill also demands complete and unequivocal transparency regarding the data collection practices of firms. It details what data is gathered, who it is transferred to (including tech providers), the firm’s cybersecurity standards, and more. In addition to this, the bill calls for enhanced data security, transparency, and accountability. This includes a rule that designates a data security officer to create guidelines for assessing vulnerabilities, retaining data, and handling incidents.
The most important aspect of the new bill is that it provides guidelines for a unified opt-out for internet advertising consumers. Instead of being served a pop-up with an unreadable data policy and being compelled to click “accept all cookies,” consumers will be offered a single, universal opt-out option.
Privacy Officers Will Do the Following
The law requires large companies to have an official data privacy officer and a data security officer to implement mandated programs in line with a general market shift toward greater accountability. As part of the ADPPA bill, the leadership of large companies must do the following:
- carry out extensive biennial audits and a privacy compliance training program for all employees
- establish a plan to receive and respond to unsolicited reports of vulnerabilities
- provide a biennial privacy impact assessment report
- maintain records of all privacy and data security practices
To avoid long, perplexing privacy policies, large data holders must provide a “short form” version of their guidelines that is under 500 words.
Data holders should examine the technology stack of their third-party providers and the related legal issues now, since these providers will also be affected by any federal directive. Federal agencies will not prosecute companies for the actions of their technology providers, but companies must still exercise due diligence in choosing compliant technology partners, since any privacy violation by a partner may result in heightened reputational risk under the new level of scrutiny.
Exceptions and Preemptions
The difficulty in complying with many overlapping laws at the state, national, and international levels, as well as the numerous exceptions and prerogatives that may apply, makes it difficult to avoid a fragmented privacy compliance program down the road.
The ADPPA would override various state laws. Unlike the GDPR, which protects everyone living in the EU regardless of where the organization processing their data is located, the law would only apply to U.S. citizens. ADPPA exceptions include small businesses, first-party data, employee data, government organizations, and certain kinds of targeted advertising data. However, since the debate between the corporate ad sector’s desires and consumer concerns is so vigorous, the types of targeting data exempted will likely be restricted in future revisions of the legislation.
What Does This Mean for the Insurance Industry?
Our industry has long been held to high standards regarding privacy, but there are concerns about what this legislation could do to consumers and businesses alike. Under the Gramm-Leach-Bliley Act, our industry has been under intense privacy regulation for more than 20 years now. Because of this, complaints about privacy issues in our vertical are few and far between.
Concern does exist amongst insurers that the ADPPA could result in more frivolous litigation against insurance companies and business owners. These types of lawsuits can increase premiums as the cost of doing business climbs. Insurance Journal states, “When adjusting for increases in GDP and population, the costs of the U.S. tort system to businesses and families is $529 billion per year or $4,323 per year per household. This amounts to 2.3% of the nation’s GDP. Yet only 57 cents of every dollar are paid in compensation to plaintiffs. This would likely mean an increase in claims costs for insurers, which in turn could lead to higher insurance rates for consumers.” Many argue that within insurance, the ADPPA is a step too far and would do more harm than good.
Corporations and lawmakers are responding to consumers’ demands for data privacy. In addition to the five states that have passed their own privacy legislation, four other states—Michigan, New Jersey, Ohio, and Pennsylvania—are currently considering data privacy bills. Many other countries have either passed data privacy laws or are considering them.
Data regulation is fast-evolving, and the ADPPA advancement is an eye-opener. The 2021 Data Compliance Survey by Business 2 Community shows that 62.4% of companies are not “completely compliant” with the data regulations they are subject to. It would appear that constant data privacy-related enforcement actions support this finding.
Data privacy and security should be enhanced by putting the right people, processes, and technologies in place, and by doing so in the industries that need them. Future-proofing a company by adopting a data protection policy now and monitoring regulatory negotiations can help it prepare for whatever legal requirements may arise, something the insurance sector has already done.
myCOI can help you avoid paying unforeseen costs by automatically collecting and analyzing your certificates of insurance (COIs). Let us show you how easy COI collection should be. Book your demo today!