Donata Kalnenaite, Esq
President of and Newsletter Editor of The American Bar Association - ePrivacy Committee

How Privacy Laws Relate to the Insurance Industry

Steps insurance carriers can take to be in compliance

A number of new privacy laws have taken effect in the United States and across the world in the past few years, and the ever-growing web of privacy and data security regulations is making it harder for insurance carriers to stay compliant. Because insurance carriers process and retain a significant amount of sensitive information from consumers, non-compliance with current privacy laws could result in significant regulatory fines and penalties, not to mention lawsuits.

In an increasingly complex regulatory environment, it is imperative for insurance carriers to stay in lockstep with new privacy and data security laws and regulations. This article will discuss the following topics:

  • Privacy laws that can affect the insurance industry
  • How insurance carriers handle personally identifiable information
  • Updating the privacy policies and procedures of insurance carriers
  • The consequences for insurers for non-compliance under privacy laws

Privacy laws that can affect the insurance industry

Insurance carriers need to act now to determine which privacy laws apply to their business operations. Insurance carriers must already comply with the rules governing personal information collected and processed under the Gramm-Leach-Bliley Act (GLBA) and personal health and medical information collected and processed pursuant to the Health Insurance Portability and Accountability Act (HIPAA). On top of the GLBA and HIPAA, insurance carriers may need to ramp up their privacy and data protection protocols to be in compliance with the following regulations:

Insurance carriers and personally identifiable information

Personally identifiable information (PII), and the privacy laws that regulate how that information is collected, used, and disclosed to others, are especially relevant to the insurance industry. PII can be defined as information that directly or indirectly relates to a specific person. Within the insurance industry, examples could include:

  • Personal information of claimants
  • Personal information of employees
  • Personal information of website visitors
  • Consumer payment information, such as credit card numbers

Insurers can compile a comprehensive data inventory of the personal information they collect, as well as the personal information they share with third parties. Compiling a data inventory will help insurers determine which privacy laws may or may not be applicable to each category of personal data.

Updating privacy policies and procedures

Privacy laws are drafted to be purposely broad in scope in order to give consumers a higher level of personal data protections and rights regarding their PII. Privacy laws are enacted with the legislative intent to give consumers the right to control their PII and the third parties that may have access to their sensitive information. Websites are particularly exposed to noncompliance with privacy laws, as they may be accessed by consumers anywhere in the world.

The CCPA, for example, gives California residents the right to:

  • access and obtain a copy of their personal information;
  • request deletion of their personal information; and
  • opt out of the sale of their personal information.

While insurance carriers may be exempt from fulfilling some of these requests, insurers must still reply to these requests with respect to personal information covered by other privacy laws such as the GLBA and HIPAA. Insurers may also have obligations to fulfill under other state privacy laws. It is essential that insurers implement policies and procedures to track and respond to these requests in accordance with the various state law requirements.
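As an added example (not part of the article, and not legal advice), the following Python sketch models the two procedures described above: a data inventory that records which privacy regimes counsel has determined cover each category of personal information and which third parties receive it, and a request-intake routine that triages a California consumer's access, deletion or opt-out request against that inventory, computes a response deadline, and always records that a reply is owed even where a category is exempt. Every category, system, third party, regime mapping, the exemption table and the 45-day deadline are constructed placeholders to be replaced with counsel's determinations, not facts drawn from this article.

```python
"""Data inventory and consumer-request triage for an insurer (added example).

All categories, systems, third parties, regime assignments and exemption
rules below are constructed placeholders. Which records are exempt under
GLBA, HIPAA or a given state law is a legal determination that must be
supplied as input, not hard-coded.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class InventoryEntry:
    category: str          # kind of personal information held
    system: str            # system of record where it lives
    shared_with: tuple     # third parties that receive this category
    regimes: frozenset     # privacy regimes counsel says cover this category
    sold: bool = False     # whether the category is "sold" in the CCPA sense


@dataclass(frozen=True)
class ConsumerRequest:
    request_id: str
    kind: str              # "access" | "delete" | "opt_out"
    received: date
    state: str             # consumer's state of residence


# Placeholder exemption table: request kinds an insurer need not fulfil for
# data covered by a regime. Replace with counsel's determination.
EXEMPT_KINDS = {
    "GLBA": {"delete", "opt_out"},
    "HIPAA": {"delete"},
}

RESPONSE_DAYS = 45  # placeholder response window; confirm per statute


def build_inventory():
    """Constructed sample inventory for an insurer; values are placeholders."""
    return [
        InventoryEntry("claimant_contact", "claims_db", ("adjuster_vendor",), frozenset({"CCPA"})),
        InventoryEntry("policyholder_financial", "billing_db", ("payment_processor",), frozenset({"GLBA", "CCPA"})),
        InventoryEntry("claimant_medical", "claims_db", (), frozenset({"HIPAA"})),
        InventoryEntry("website_visitor", "web_analytics", ("ad_network",), frozenset({"CCPA"}), sold=True),
        InventoryEntry("employee_hr", "hris", ("payroll_vendor",), frozenset()),
    ]


def regime_report(inventory):
    """Map each regime to the sorted categories it covers (inventory step)."""
    report = {}
    for entry in inventory:
        for regime in entry.regimes:
            report.setdefault(regime, []).append(entry.category)
    return {r: sorted(c) for r, c in report.items()}


def triage(request, inventory):
    """Decide per category: 'fulfill', 'exempt', 'not_applicable' or 'not_covered'."""
    actions = {}
    for entry in inventory:
        if "CCPA" not in entry.regimes:
            actions[entry.category] = "not_covered"      # CCPA right does not reach it
        elif request.kind == "opt_out" and not entry.sold:
            actions[entry.category] = "not_applicable"   # nothing is sold, nothing to opt out of
        elif any(request.kind in EXEMPT_KINDS.get(r, set()) for r in entry.regimes):
            actions[entry.category] = "exempt"           # another regime exempts this request kind
        else:
            actions[entry.category] = "fulfill"
    return actions


def open_ticket(request, inventory, today=None):
    """Build a tracking record: scope, deadline, per-category actions, vendors to notify."""
    today = today or request.received
    due = request.received + timedelta(days=RESPONSE_DAYS)
    actions = triage(request, inventory)
    # Deletion and opt-out must be propagated to recipients of the affected data.
    notify = sorted({
        party
        for entry in inventory
        if actions[entry.category] == "fulfill" and request.kind in ("delete", "opt_out")
        for party in entry.shared_with
    })
    return {
        "request_id": request.request_id,
        "in_scope": request.state == "CA",   # assumption: only CCPA is modelled here
        "due": due,
        "overdue": today > due,
        "actions": actions,
        "notify_third_parties": notify,
        "response_required": True,           # a reply is owed even when categories are exempt
    }


if __name__ == "__main__":
    inv = build_inventory()
    req = ConsumerRequest("REQ-0001", "delete", date(2024, 1, 10), "CA")  # constructed
    print(regime_report(inv))
    print(open_ticket(req, inv, today=date(2024, 3, 1)))
```

The design point is that the inventory, not the request handler, carries the legal mapping: when counsel revises which regime covers a category or which request kinds it exempts, only the inventory rows and the exemption table change, and every ticket computed afterwards reflects the new determination.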

More information can be found here regarding privacy laws that require Privacy Policies. Insurance carriers should revisit their website privacy policies to ensure that they are accurate, customized and up-to-date with all applicable privacy laws.

Consequences for non-compliance under privacy laws

Due to the sensitive nature of the personal data often collected from consumers in the insurance industry, insurance carriers face a heightened risk of fines and penalties. Under the GDPR, for example, fines greater than €20,000,000 have been assessed against American businesses not in compliance with the European regulations. Further, in certain states U.S. consumers with private rights of action may sue businesses directly for non-compliance under certain circumstances.

Unfortunately, small and medium-sized businesses and organizations are often hit hardest by the daunting task of navigating privacy and data protection regulations. Excessive costs for implementing compliant Privacy Policies can be compounded by further fines and penalties under various privacy laws. Several firms offer assistance to help create a customized Privacy Policy for your website and keep it updated whenever privacy laws change.

For further information, you can contact the author at