Because insurance is a highly regulated, state-specific industry, insurers already have much of the structural underpinnings in place required by the California Consumer Privacy Act (CCPA). Yet the new legislation is disruptive to insurers for two distinct reasons.

One is that it requires carriers to know precisely where their data goes – a detail not all of them can answer today. The other is that it requires sharing that data trail and other details directly with consumers in a self-service capacity that most carriers don’t yet have.

Insurers work within a data environment that’s very different from other industries. For one thing, consumers often consent to sharing their personal information in exchange for the promise of cheaper rates or faster responsiveness on their insurance quotes. Additionally, most policies permit carriers to share policyholders’ personal information with third-party service providers, such as auto body shops or auto glass companies. The information is governed, and only those data elements required to complete the work are shared. State laws and corporate policies expressly prohibit insurers from selling consumers’ personal data.

Preparing for the Changes Ahead

CCPA does, however, raise several issues that carriers need to prepare for. Moreover, the damages for failing to comply with the new regulations can be significant.

Here’s how insurers can ensure they’re CCPA-ready:

  1. Refresh compliance policies. In today’s regulatory environment, compliance policies need to be crafted with language that’s applicable to all states while still addressing the nuances of individual states such as California. In addition to being executed and adhered to, policies should also be tested regularly. Every compliance activity has a set of controls and a test associated with each control. For example, role-based controls should be tested at specified intervals to ensure appropriate authority and access levels.

    Because CCPA requires compliance by external providers, insurers also need to ensure the third parties that support their underwriting processes are also compliant. Underwriting and claims processes often make use of external data such as personally identifiable information. While the liability for external data falls on insurers, contracts typically provide protection. In the era of CCPA, responsible compliance reporting will include distributing questionnaires to third parties to inquire about compliance with legislative changes.

  1. Model where the data goes. CCPA is about transparency and accountability. It requires openness regarding data usage patterns, including the third-party information that’s often part of the data model for billing and claims records. Where does the external data come from, and where does it go? Under CCPA, consumers have the right to know not just what data is collected about them but also the purpose for its collection.

    The good news is that many insurers maintain extensive policy safeguards for data and data usage. Yet CCPA is likely to be a harbinger of more state-level regulations, such as the even more restrictive legislation now being considered in New York, and possibly a federal-level U.S. equivalent of the General Data Protection Regulation (GDPR), the European Union’s privacy standard that includes the right to be forgotten. CCPA sets the stage for an expanding environment in which users can opt out of the data ecosystem at the click of a button and still reap the full benefits.

  1. Have a response plan for consumers. CCPA empowers consumers to communicate directly with carriers about the use of their personal information. That’s a big change. Instead of just prices and quotes, customer conversations will also be about data usage. That shift is going to require a different kind of call center, service representative or agency, as well as a self-service capability that doesn’t yet exist among carriers today. Those that sell through online brokers or independent agents will need to create customer experiences that go beyond claims and billing. They’ll need mechanisms for answering consumers’ data-related questions in ways that leave consumers confident their best interests are being served.

    What’s more, while inquiries today will come from just a single state, insurers will need to be ready as other states roll out privacy-related legislation. A scalable, responsible solution includes an action plan that addresses these elements and creates a structure that all parties will feel comfortable reporting on.

Complying with the CCPA begins with a smart data strategy and a preparedness plan. With some fine-tuning, carriers can be on their way to full compliance.

Michael Clifton

Michael Clifton

Michael Clifton is Senior Vice President, Insurance Strategy, Platforms & Ventures, at Cognizant. He leads the Emergent Business Group within Cognizant’s Global... Read more