The California Privacy Protection Agency has moved forward with new regulations that clarify when insurers must adhere to the California Consumer Privacy Act (CCPA) and specify how companies may use “automated decision-making technology” (ADMT), including machine learning tools.
These proposed rules follow the CCPA, which became law in 2018 and took effect in 2020, and seek to address emerging privacy issues related to automated technology in the insurance industry.
The agency’s proposed rules confirm that insurers must comply with CCPA requirements for personal information not governed by the state’s insurance code.
This includes scenarios where companies collect personal data from individuals who have not applied for insurance or other services.
For instance, if an insurance company collects personal information to target ads to a website visitor who has not engaged in any insurance application, the firm would need to provide an option for that consumer to opt out of personal data sales and sharing, as this data is unrelated to an insurance transaction.
The updated guidelines also apply to employee and job applicant data collected by insurers, which is not regulated by the insurance code. In such cases, companies would be required to notify individuals before gathering personal data, according to the agency.
The rules extend to companies utilizing ADMT in significant decisions involving consumers, such as decisions regarding access to insurance or essential services.
If companies use personal data to develop automated systems capable of making impactful decisions, they are also subject to the proposed regulations.
The draft rules outline that companies must disclose when ADMT is used in decision-making and, in some cases, allow consumers to opt out of automated processes.
The proposed regulations include exceptions for companies that deploy ADMT strictly for security, fraud prevention, and safety purposes. Companies that provide an appeals process involving human review for automated decisions may also be exempt from certain requirements.
California Privacy Protection Agency executive director Ashkan Soltani emphasized the significance of advancing these regulation packages, stating that evolving technology requires updated privacy protections to keep pace.
“Technology is evolving at a record pace, and we must innovate and evolve as well. The board’s vote today is an important next step in the agency’s mission, and I applaud the care and thoughtfulness that went into developing the draft rules,” said Soltani.
As the agency advances through the formal rule-making process, the public and various stakeholders will have opportunities to provide input on the proposed regulations. Public meetings are planned across California to collect feedback.
The California Department of Insurance did not comment on the agency’s proposed rules, and attempts to reach industry trade groups for input were unsuccessful.
What do you think about the agency’s move to regulate automated decision-making? Share your thoughts in the comments.
