The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information that is collected by a business, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. The California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. Existing law, the Insurance Information and Privacy Protection Act, establishes privacy standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents, and insurance-support organizations.
This bill would enact the Insurance Consumer Privacy Protection Act of 2025 to establish new standards for the collection, processing, retaining, or sharing of consumers' personal information by insurance licensees and their third-party service providers. The bill would authorize processing of a consumer's personal information for specified purposes, including in connection with an insurance transaction. The bill would require a licensee to provide a clear and conspicuous privacy notice that includes specified information to a consumer at specified times, and would prohibit the processing of a consumer's personal information unless it is consistent with and complies with that notice and is reasonably necessary and proportionate to achieve the purposes related to an insurance transaction or other purpose the consumer requested or authorized. The bill would also require a licensee to provide a privacy rights notice, as specified, to each consumer with whom the licensee has an ongoing business relationship. The bill would require a licensee or third-party service provider to obtain a consumer's consent to take specified actions, and would set forth the means by which consent is obtained. The bill would authorize a licensee to retain personal information, as specified, and would require a licensee to develop a written records retention policy and schedule. The bill would require a licensee to provide specified information to a consumer if it makes an adverse underwriting decision, and would provide a process by which a consumer may correct, amend, or delete any personal or publicly available information about the consumer in the possession of the licensee or its third-party service providers. The bill would require a contract between a licensee and a third-party service provider to clearly govern the processing of personal information performed on behalf of the licensee. The bill would prohibit retaliation against a consumer because the consumer exercised or attempted to exercise their rights under the act. The bill would prohibit public disclosure of specified systems, processes, policies, procedures, and plans that are disclosed to the Insurance Commissioner.
To determine if a licensee or third-party service provider has been or is engaged in any conduct in violation of the act, this bill would authorize the commissioner to examine and investigate the licensee or third-party service provider, then hold a hearing regarding those violations. If a hearing results in a finding of a knowing violation, the bill would require the commissioner to issue a cease and desist order and would authorize a penalty of at least $5,000, not to exceed $1,000,000 in the aggregate for multiple violations. The bill would authorize additional fines and suspension or revocation of the licensee's license if a cease and desist order is violated. Under the bill, a person who knowingly and willfully obtains information about a consumer from a licensee or third-party service provider under false pretenses would be guilty of a misdemeanor, punishable by a fine of up to $50,000, imprisonment for not more than one year in a county jail, or both, thus creating a crime and imposing a state-mandated local program.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.

Statutes affected:
SB 354: 791.07 INS
02/12/25 - Introduced: 791.07 INS
03/18/25 - Amended Senate: 791.07 INS