The RFI was wide-ranging, seeking recommendations as to how best to define consumer data classified as “personal information” and “sensitive personal information”; how to adequately protect each category of data; what disclosures or privacy notices, if any, should be required of entities using such data; how a federal framework should handle the use of artificial intelligence (AI); how a federal framework should interact with existing state and federal laws and regulations governing consumer data privacy and security; and how the enforcement of a federal framework could operate to maximize compliance and accountability.
PIA reiterated its position that the states serve as the primary regulators of the insurance industry. In keeping with longstanding practice, codified more than 75 years ago in the McCarran-Ferguson Act, Congress delegated the regulation of the insurance industry to the states and relieved itself of supervision of the industry.
All 50 states have more than adequate regulatory frameworks for insurance licensees today. (This is thanks, in large part, to the 1999 passage of the Gramm-Leach-Bliley Act [GLBA] and, in response, the subsequently developed and nationally adopted National Association of Insurance Commissioners [NAIC] Privacy of Consumer Financial and Health Information Regulation model [Model #672]. Model #672 provided all 50 states with comprehensive insurance consumer data privacy oversight regimes, modified where necessary to suit states’ specific needs. Plus, the NAIC continues to update its model law regime to keep pace with the evolution of the industry.)
The establishment of a federal data privacy or security regime would be confusing, wasteful, duplicative, and burdensome. Any federal scheme should be subservient to applicable state insurance laws and regulations, and it should exclude entities that already follow other state or federal data privacy and security rules. Policymakers should grant entities that are already obligated to adhere to GLBA and other state and federal data privacy and security laws a “safe harbor” from mandatory compliance with any new, similar law. Such a clause would limit the burden on state-regulated entities like independent insurance agents.
Congress has spent considerable time over the past several years attempting to recreate the successful state data privacy and security regime at the federal level. In just the past five years, Congress has considered the American Data Privacy and Protection Act (ADPPA), which was passed by the Energy and Commerce Committee during the 117th Congress; the Data Privacy Act, which was passed by the House Financial Services Committee during the 118th Congress; and the American Privacy Rights Act (APRA), which was marked up by a subcommittee of House Energy and Commerce during the 118th Congress. The Data Privacy Act would have imposed unsuitably burdensome requirements on insurance agencies. Both it and the ADPPA would have improperly preempted state law on the topic of data protection, undermining the authority of existing state laws and regulations. PIA’s letter reiterated many of the concerns raised as Congress considered each of those bills. Specifically, it highlighted ongoing concerns about the federal preemption of existing state laws, as well as the risks linked to providing consumers with a private right of action.
The ADPPA and several other proposals over the years have included a private right of action that would dramatically expand the reach of the nation’s existing privacy frameworks, particularly as applied to the insurance industry. A private right of action could drastically increase litigation, choke the court system with frivolous suits, lead to higher costs for consumers, and destroy small businesses struggling to follow increasingly duplicative, complex, and draconian federal and state laws.