CCPA and State Privacy Laws: Compliance Checklist for Digital Underwriting
A compliance checklist for insurance carriers on navigating CCPA and other state privacy laws in digital underwriting, focusing on data governance and automated decision-making.

The rapid evolution of digital underwriting in the insurance industry has coincided with a complex and fragmented landscape of state-level privacy regulations. While the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), have set a high bar for data protection, they are part of a growing trend. States across the U.S. are enacting their own privacy laws, creating a challenging compliance environment for carriers that use automated and data-driven underwriting models. For chief medical officers and compliance leaders, understanding the nuances of these regulations is no longer a niche legal concern but a core operational requirement. The governance of personal health information collected during digital underwriting processes is under intense scrutiny, and the definition of what constitutes "personal information" is broader than ever.
"Between July 2023 and February 2024, the California Privacy Protection Agency (CPPA) received 1,208 consumer complaints, with the most common issues being the right to delete and the right to opt-out of the sale of personal information." - California Privacy Protection Agency, 2024 Annual Report
Navigating CCPA and state privacy laws in digital underwriting
The core challenge for insurance carriers is managing the heightened obligations that the CCPA and other state privacy laws impose on digital underwriting technologies. These laws grant consumers significant rights over their personal information, including data collected through websites, mobile applications, and other digital platforms used for health and wellness assessments. The CCPA, as amended by the CPRA, is particularly significant because of its broad definition of personal information and its application to data that can identify a household, not just an individual.
For digital underwriting, this means that any data point used to train or execute an algorithm could be subject to consumer rights requests, such as the right to know, delete, and correct. The introduction of automated decision-making technology (ADMT) regulations by the CPPA further complicates compliance. Carriers must be prepared to provide consumers with meaningful information about how these automated systems work and, in some cases, offer a non-automated alternative. While exemptions for data covered under the Gramm-Leach-Bliley Act (GLBA) and HIPAA exist, they do not create a blanket immunity for all data processing activities, especially those related to marketing and prospecting.
| State Privacy Law | Key Provisions for Digital Underwriting | Scope and Exemptions |
|---|---|---|
| California (CCPA/CPRA) | Right to know, delete, correct, and opt-out of sale/sharing of personal information. Regulations on automated decision-making technology (ADMT). | Broad definition of "personal information". Limited GLBA and HIPAA exemptions. Applies to for-profit entities doing business in California that meet certain revenue or data processing thresholds. |
| Colorado (CPA) | Similar rights to CCPA. Opt-in consent required for processing sensitive data. Data protection assessments required for high-risk processing activities. | Exempts financial institutions subject to GLBA at the entity level, which may simplify compliance for some insurance carriers. |
| Virginia (VCDPA) | Grants consumers rights to access, correct, delete, and obtain a copy of their personal data. Right to opt-out of targeted advertising and the sale of personal data. | Also provides an entity-level exemption for financial institutions subject to GLBA. |
| Utah (UCPA) | More business-friendly than other state laws. Provides rights to access and delete personal data and to opt-out of its sale for certain purposes. | Also includes an entity-level GLBA exemption. |
A primary compliance obligation is the ability to respond to consumer requests. This requires robust data governance and mapping to track where personal information is stored and how it is used in underwriting models. The following checklist outlines key areas of focus:
- Data Inventory and Mapping: Maintain a comprehensive inventory of all personal information collected and processed for digital underwriting purposes.
- Consumer Rights Workflows: Establish and test procedures for handling consumer requests to access, delete, and correct their personal information within the statutory timeframes.
- Privacy Notices: Update privacy policies to accurately describe data collection and processing activities, including the use of automated decision-making.
- "Do Not Sell or Share" Mechanisms: Implement user-friendly methods for consumers to opt-out of the sale or sharing of their personal information.
- Vendor Risk Management: Review and update contracts with third-party data providers and technology partners to ensure they meet the requirements of applicable privacy laws.
Industry Applications
Data minimization in underwriting
The principle of data minimization, a key component of the CPRA, is now a point of emphasis for regulators. In April 2024, the CPPA issued an enforcement advisory on data minimization, signaling its importance. For digital underwriting, this means carriers should only collect the personal information that is reasonably necessary and proportionate to the underwriting outcome. This requires a shift away from "collect everything" data strategies and toward a more focused and defensible approach to data acquisition.
Automated decision-making and transparency
The CPPA's ongoing rulemaking on ADMT is one of the most significant developments for the insurance industry. These regulations will likely require carriers to provide consumers with clear and meaningful information about how automated underwriting systems function, including the logic used to make decisions and the potential outcomes. Carriers will need to prepare for a new level of transparency and be ready to explain their models to both consumers and regulators.
Responding to data subject requests
The operational challenge of honoring consumer rights to delete or access their data cannot be overstated. When a consumer requests the deletion of their data, carriers must have a process to remove it from all systems, including underwriting models and training datasets, unless a legal or regulatory exception applies. This requires close collaboration between compliance, legal, and IT departments.
Current research and evidence
The regulatory environment is far from static. The CPPA is actively developing new regulations under the CCPA that will have a direct impact on digital underwriting, alongside the other state privacy laws already in force. According to a 2024 report from the agency, cybersecurity audits, risk assessments, and ADMT are top priorities. The agency's enforcement actions have also targeted non-compliance with consumer requests and inadequate privacy notices.
A 2023 working paper from the Bank for International Settlements (BIS) provided an interesting perspective, finding that the CCPA's data privacy requirements led to more personalized pricing and better-quality borrowers in the mortgage market. While not directly focused on insurance, this research suggests that enhanced data privacy and consumer control can coexist with sophisticated data analysis. However, achieving this balance requires significant investment in compliance infrastructure.
The future of privacy in digital underwriting
Looking ahead, several trends will shape the future of privacy in digital underwriting. The patchwork of state laws is likely to continue, increasing the compliance burden and making a strong case for a unified data governance framework. There is also growing momentum for a federal privacy law, although its timing and content remain uncertain.
The most immediate and impactful trend is the convergence of privacy and AI governance. As carriers deploy more advanced machine learning models, regulators will demand greater transparency and fairness. The ability to document and justify the data used in these models, as well as their outputs, will be a critical compliance and risk management function. The focus will shift from whether a model is accurate to whether it is fair, transparent, and privacy-preserving.
Frequently asked questions
What is the biggest difference between the CCPA/CPRA and other state privacy laws?
The most significant difference is often the scope of exemptions for data covered by other federal laws. While many states provide a broad, entity-level exemption for financial institutions subject to GLBA, California's exemption is more limited and applies at the data level. This means that even if a carrier is largely compliant with GLBA, some of its data processing activities may still fall under the purview of the CCPA/CPRA.
How does the CCPA affect the use of third-party data in underwriting?
When carriers use data from third-party brokers or other sources, they are responsible for ensuring that the data was collected in a compliant manner and that they have the right to use it for underwriting. This includes honoring any consumer opt-out requests that were made to the original data collector. Vendor contracts must include strong data protection clauses and audit rights.
What should be our first step in preparing for new regulations on automated decision-making?
The first step is to create an inventory of all automated decision-making systems used in the underwriting process. For each system, you should document its purpose, the data it uses, and the logic it employs. This will be the foundation for providing the transparency that future regulations will require.
As the regulatory landscape formed by the CCPA and other state privacy laws governing digital underwriting continues to mature, a proactive and compliance-first approach is essential. Carriers that build their digital underwriting programs on a foundation of strong data governance and transparency will be better positioned to navigate the challenges and opportunities ahead. Circadify is at the forefront of this space, providing the tools and expertise to help carriers navigate these complex regulatory requirements. To learn more about how to build a compliance-first digital underwriting program, explore our compliance guides and regulatory insights at circadify.com/industries/payers-insurance.
