Codify — Article

California SB 354 creates an insurance-specific consumer privacy framework

Sets data-minimization, retention, vendor-contract and consumer-rights rules for insurers and their vendors; gives the Insurance Commissioner new enforcement tools.

The Brief

SB 354, the Insurance Consumer Privacy Protection Act of 2025, adds a new Article to the California Insurance Code and creates an insurance-specific privacy regime that applies to licensees (insurers, producers) and their third‑party service providers. The act defines covered personal and sensitive personal information, requires licensees to adopt data‑minimization and records‑retention policies, mandates written vendor contracts with security and deletion obligations, and sets detailed consumer rights on access, correction, deletion, and notice of adverse underwriting decisions.

The bill gives the Insurance Commissioner broad investigatory and enforcement authority — including hearings, cease-and-desist orders, and civil penalties — and establishes both administrative remedies and a limited private right of action for violations of specific consumer rights. For industry and compliance teams this means reworking privacy notices, consent capture, vendor contracts, data retention processes, and underwriting transparency practices to meet new timelines and documentation requirements.

At a Glance

What It Does

Creates a standalone insurance privacy article that limits processing to insurance‑related purposes, requires documented vendor oversight and contracts, imposes retention and deletion duties, and establishes consumer rights (access, correction, deletion, notice of adverse underwriting). It also restricts cross‑border sharing and requires recorded, revocable consent for non‑insurance uses.

Who It Affects

Applies to California licensees (insurers, producers, surplus lines where applicable) and third‑party service providers that process personal information in connection with insurance transactions; reinsurers, insurance support organizations, and consumer reporting agencies are subject to tailored obligations. Exempts GLBA‑covered depository institutions and HIPAA‑governed health-care entities (with a disability‑insurer carve‑in).

Why It Matters

This modernizes decades‑old insurance privacy law and embeds CPRA‑style controls specifically for the data‑intensive insurance sector. Compliance will require operational changes across notices, consent workflows, vendor contracts, claims handling, underwriting models, and data‑retention systems — and creates new regulatory risk through civil penalties and license actions.


What This Bill Actually Does

SB 354 builds an insurance‑only privacy rulebook. It begins by defining covered terms — from “personal information” and “sensitive personal information” (biometric, genetic, neural data, precise geolocation, health info, etc.) to “third‑party service provider,” “share,” and “sale.” Those definitions drive the rest of the obligations: what licensees may collect, when consent is required, and which downstream recipients are treated as sharing versus authorized service providers.

The bill requires licensees to adopt written procedures for vendor selection and oversight, and to execute contracts that specify processing purpose, categories of data, retention periods, confidentiality duties, security safeguards, audit cooperation, breach reporting to the licensee and the commissioner, and subcontractor flow‑downs. Vendors must delete data at the contractually specified date or when services end, unless the licensee requires otherwise for lawful retention.

The statute explicitly permits limited, temporary sharing with unaffiliated vendors for the consumer’s requested service, but only with consumer consent and scope‑limited processing.

Consumers get operational rights: licensees must provide clear privacy notices and an annual privacy‑rights notice, offer simple methods to make verifiable requests (mail, toll‑free number, web/app interface), acknowledge requests within five business days, and respond within 30 business days. A consumer can obtain copies of personal information, learn sources, request correction or deletion, and receive detailed reasons and supporting items when an adverse underwriting decision is taken.

The law prohibits dark patterns, requires recorded consent that is revocable and auditable, and restricts cross‑border transfers of personal information unless the consumer consents (with limited exceptions for reinsurance and affiliates).

On retention and deletion the bill demands annual records reviews and a written retention schedule; when data is no longer needed the licensee must delete or destroy it within 90 days or, if targeted deletion is technically infeasible, deidentify it and submit a transition plan to the Commissioner. The Commissioner can examine licensees and third‑party providers, hold hearings, issue cease‑and‑desist orders, and impose fines; the statute creates both administrative penalties and a private cause of action limited to certain failures, with damages capped at actual damages.

The bill also preserves carve‑outs for HIPAA and GLBA and signals that future commissioner regulations will provide implementation details.

The Five Things You Need to Know

1. Licensees must destroy or delete consumer personal information within 90 days after determining it is no longer needed, or deidentify it and file a commissioner‑approved transition plan if targeted deletion is not feasible.

2. For consumer requests, a licensee or its third‑party service provider must acknowledge receipt within five business days and respond substantively within 30 business days, including providing sources and the identities of recipients for shared data covering the current year and at least the prior three calendar years.

3. A mandatory vendor contract must require confidentiality duties, administrative/technical safeguards, breach notification to the licensee and commissioner, deletion at the contract end date, subcontractor flow‑downs, and make relevant records available for compliance review.

4. The Insurance Commissioner can impose penalties of at least $5,000 per knowing violation (up to $1,000,000 aggregate) and, after violation of a cease‑and‑desist order, may levy fines up to $10,000,000 or suspend/revoke a license where the licensee knew or should have known of violations.

5. A licensee may not share a consumer’s personal information outside the United States without prior consumer consent, with narrow exceptions for reinsurance transactions and affiliate transfers.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 792.100 (Scope)

Who is covered and key statutory exemptions

This section sets the statute’s reach: it applies to licensees and their third‑party service providers that process consumer personal information in connection with insurance transactions or related activities. The statute excludes GLBA‑covered depository institutions and most HIPAA entities, while explicitly bringing disability insurers not regulated as health care plans within scope. Practically, vendors working for insurers and insurance support organizations that process California residents’ data fall under the new regime.

Section 792.110 (Definitions)

Definitions that determine practical coverage

The bill supplies granular definitions for terms that drive compliance: 'personal information' (broad, includes inferences and electronic identifiers), 'sensitive personal information' (explicit list), 'share' vs 'sale', 'third‑party service provider', and 'insurance transaction' (broadly includes algorithmic decisionmaking, actuarial studies, and certain short‑term uses). These definitions narrow or expand obligations — for example, sensitive data processing is restricted to insurance transactions, and 'share' is broad enough to capture many non‑monetary disclosures.

Section 792.115 (Third‑party oversight)

Vendor‑contract and oversight duties

Licensees must adopt written due‑diligence procedures for selecting and overseeing vendors and keep those procedures confidential. Contracts must list processing purposes, categories of data, retention duration, confidentiality duties, security requirements, breach notification commitments, deletion timing, audit cooperation, subcontractor obligations, and a clause permitting licensee contract termination if the vendor fails to comply. The provision makes vendor accountability central: vendors must promptly report incidents and assist with consumer or commissioner investigations.

Sections 792.120–792.125 (Processing limits and permitted uses)

Data minimization, permitted uses, and sale prohibition

The statute requires that processing be consistent with the licensee’s privacy notice and 'necessary and proportionate' to insurance purposes. It bans processing sensitive personal information except for insurance transactions, and disallows selling consumer personal information. Permitted exceptions include compliance with legal processes, protection of lienholders’ interests, certain research and joint marketing with consumer consent, and fraud prevention and actuarial uses — but those exceptions are circumscribed by necessity and proportionality tests.

Section 792.130 (Retention and deletion)

Annual review, retention schedule, and targeted deletion rules

Licensees must adopt a written records‑retention policy, review records annually, and delete personal information within 90 days after determining it is no longer needed. Where legacy systems prevent targeted deletion, a licensee must deidentify data to the extent possible and submit a confidential plan to the Commissioner for migrating away from the system, then report progress annually. This provides a compliance path for insurers with entrenched legacy infrastructure while forcing a time‑bound migration.

Section 792.135 (Consent mechanics)

How consent must be obtained, recorded, and revoked

The bill requires consent to be 'freely given, specific, informed, and unambiguous' and recordable for as long as the business relationship exists. It disqualifies general terms‑of‑use, dark‑patterned interfaces, and passive behaviors (hovering, closing content) as valid consent. Consent must be revocable by the same means used to give it, must be separately offered for categories of non‑insurance purposes and cross‑border transfers, and the licensee must preserve a dated copy of the consumer’s authorization where applicable.

Sections 792.140–792.185 (Access, correction, deletion, investigative reports)

Operational consumer rights and timelines

Licensees must provide accessible channels (mail, toll‑free, web/app) and not impose fees or dark patterns. For verifiable requests, licensees must acknowledge within five business days and fulfill substantive requests within 30 business days: deliver copies of personal information, identify sources for items not supplied by the consumer, and list recipients with whom data was shared in the last three years. The statute preserves limits on privileged information (claims investigations) and requires that investigative consumer‑report interviews be offered and performed when requested.

Sections 792.190–792.215 (Adverse underwriting, non‑retaliation, enforcement)

Adverse underwriting disclosures, anti‑retaliation, and enforcement powers

If a licensee makes an adverse underwriting decision it must provide the specific reasons, supporting items, sources, and the systems/processes involved. The bill prohibits retaliation for exercising privacy rights. The Commissioner gains broad investigatory powers, may hold hearings, issue cease‑and‑desist orders, and levy graduated penalties (minimum $5,000 per knowing violation up to $1,000,000 aggregate; higher fines up to $10,000,000 for repeated violations or ordered penalties and license suspension/revocation in egregious cases). Confidentiality protections govern materials supplied to the Commissioner, and regulations will set implementation details.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • California insurance consumers — get clear, auditable rights to access, correct, and delete their insurance‑related personal information, plus written explanations when underwriting decisions harm coverage or pricing.
  • Protected individuals seeking sensitive health services — the bill bolsters confidential communications and limits disclosure of sensitive medical information to policyholders when the policyholder is not the recipient of the care.
  • Privacy‑minded vendors with robust compliance programs — those that already maintain deletion workflows, security controls, and audit trails gain a market advantage because the statute favors demonstrable vendor accountability.
  • Researchers and actuaries using deidentified data — the statute expressly permits processing deidentified information and narrowly scoped research tied to insurance purposes, preserving important risk‑modeling functions.

Who Bears the Cost

  • Insurers and licensees — must rewrite privacy notices, capture and store granular consents, reengineer retention/deletion processes, update underwriting models to document reasons and inputs, and fund annual audits and vendor oversight programs.
  • Third‑party service providers and subcontractors — must accept contract flow‑downs to implement deletion, breach reporting, confidentiality duties, and provide audit evidence; small vendors may face significant compliance overhead.
  • Smaller insurers, surplus lines, and legacy systems owners — face higher relative costs migrating from legacy platforms unable to support targeted deletion; the statute forces expensive system changes or reliance on deidentification plus commissioner approval.
  • The Department of Insurance — gains expanded enforcement responsibilities and will need resources to examine licensees, review confidential transition plans, and handle an expected increase in consumer complaints and investigations.

Key Issues

The Core Tension

The central tension in SB 354 is a classic one: strengthen individual control over highly sensitive insurance data (privacy, deletion rights, limits on cross‑border transfers) while preserving insurers’ legitimate need for durable, often longitudinal datasets to underwrite risk, detect fraud, price products, and comply with legal obligations — a balance that forces insurers to choose between operational complexity (retooling systems and contracts) and potential limits on analytic capability that could affect pricing and availability.

The bill exposes real trade‑offs that regulators and industry will confront during implementation. First, data minimization and the 90‑day deletion mandate clash with underwriting, fraud detection, and actuarial practices that historically rely on long historical datasets; the statute mitigates this by allowing retention for specific legal or actuarial purposes and by permitting deidentification where deletion is infeasible, but the line between necessary retention and overcollection remains thin, and the 'reasonably necessary and proportionate' standard will be litigated and clarified only through regulations and enforcement actions.

Second, the bill’s technical dictates — targeted deletion, auditable consent, annual retention reviews, and vendor auditability — will pressure legacy systems and create transition costs; the five‑year staging for certain retention provisions recognizes the burden but leaves uncertainty about acceptable migration timelines and deidentification standards.

Third, interplay with federal regimes and carve‑outs creates implementation friction. The statute preserves HIPAA and GLBA coverage but carves in disability insurers not regulated as health plans, and allows certain affiliate and reinsurance transfers (and FCRA preemptions) that complicate cross‑border protections and global reinsurance workflows.

The Commissioner’s ability to promulgate binding regulations outside the Administrative Procedure Act, combined with the confidentiality of submitted compliance materials, narrows public participation in rulemaking but accelerates regulatory action; that combination increases uncertainty about how broad concepts like 'necessary and proportionate' or 'sensitive personal information' will be applied in practice. Finally, the act couples administrative enforcement (potentially large fines and license actions) with a limited private right of action capped at actual damages — this keeps major enforcement in the regulator’s hands but may leave consumers relying on the Commissioner rather than litigation for remedies.
