The California Privacy Protection Agency board voted on November 8, 2024, to advance a proposed rulemaking package for, among other things, a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
Quick Hits
- The California Privacy Protection Agency voted in November 2024 to advance a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
- The proposed regulation defines “insurance company” and specifies that the CCPA applies to personal data not governed by the California Insurance Code.
- Illustrations in the proposed regulation clarify that insurance companies must comply with the CCPA for personal data collected from website visitors and employees.
Information obtained in an insurance transaction is governed by the federal Gramm-Leach-Bliley Act. Given this, there has been uncertainty about the CCPA’s application to insurance companies, which are state regulated. In a brief proposed regulation, the agency attempted to clarify this issue to a certain degree.
As an initial matter, the proposed regulation defines the term “insurance company” as any person or company that is subject to the California Insurance Code and its regulations, including insurance institutions, agents, and insurance support organizations. The term “insurance institution” means “any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance.”
The term “agents” means a person who is licensed to transact insurance in California, and the term “insurance support organization” means any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions.
Having defined the scope, the proposed regulation states that the CCPA applies “to any personal information not subject to the Insurance Code and its regulations.” Although the statement is not entirely clear, the proposed regulation provides some guidance with an additional statement that the CCPA’s requirements apply to information “that is collected for purposes not in connection with an insurance transaction, as that term is defined in Insurance Code, section 791.02.” Section 791.02(m) defines “insurance transaction” as “any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following: (1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment. (2) The servicing of an insurance application, policy, contract, or certificate.”
The proposed regulation provides two illustrations that further clarify the application of the CCPA:
“Insurance company A collects personal information from visitors of its website who have not applied for any insurance product or other financial product or service from Company A. This information is used to tailor personalized advertisements across different business websites. Insurance company A must comply with the CCPA, including by providing consumers the right to opt-out of the sale/sharing of their personal information and honoring opt-out preference signals, because the personal information collected from the website browsing is not related to an application for or provision of an insurance transaction or other financial product or service.”
“Insurance company B collects personal information from its employees and job applicants for employment purposes. Insurance company B must comply with the CCPA with regard to employee information, including by providing a Notice at Collection to the employees and job applicants at or before the time their personal information is collected. This is because the personal information collected in this situation is not subject to the Insurance Code or its regulations.”
Insurers may also want to note that the second illustration applies only to California resident job applicants and employees. The notice to job applicants required under the CCPA should be provided if the company solicits applicants from California.
Finally, the CCPA is not the only privacy law or regulation that needs to be considered with regard to the collection and use of consumer data and information. In particular, California Penal Code sections 630 and 638.51 are currently the subject of numerous lawsuits.