California is once again at the forefront of privacy regulation, this time with a sharp focus on the insurance sector.
California’s proposed Senate Bill 354, styled as the Insurance Consumer Privacy Protection Act of 2025 (the “ICPP Act” or the “Act”), would, if enacted, introduce an augmented privacy regime for the insurance sector. Its advocates claim the ICPP Act goes beyond the protections found in California’s current consumer privacy laws, including the California Insurance Information and Privacy Protection Act (the “IIPPA”) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”).
The ICPP Act has cleared the Senate and now must pass the state’s lower house before the governor considers signing it into law. If enacted as currently drafted, the ICPP Act would create a sector-specific framework directly impacting not only insurance licensees but also the technology companies and other third-party service providers serving the insurance industry, including cloud providers, Software-as-a-Service vendors, data analytics firms, and any other entity that qualifies as a third-party service provider as defined by the ICPP Act.
The IIPPA applies only to licensed agents, brokers, and insurance companies, whereas the ICPP Act would apply to insurance licensees and the third-party service providers providing services to the insurance industry.
The ICPP Act defines a “licensee” as a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, including an insurer, a producer, a surplus line insurer, and a director, officer, employee, or agent of a licensee. The bill also defines “third-party service providers” as any organization, including directors, officers, employees, and agents thereof, that contracts with an insurance licensee, provides services to the insurance licensee, and processes, shares, or otherwise is permitted access to personal information through its provision of services to the insurance licensee.
Furthermore, the proposed ICPP Act expands the definition of “third-party service provider” to include any organization that may have to share personal or publicly available information in connection with an insurance transaction, even if that person or organization does not have a contract with the insurance licensee.
This would mean any technology company “processing” (defined to include collecting, using, sharing, storing, disclosing, analyzing, deleting, retaining, or modifying) personal information on behalf of California insurance licensees would be subject to the Act’s requirements even if such tech companies do not have a direct contractual relationship with the insurance licensees. This includes companies providing services to insurers or insurance intermediaries or processing insurance-related data, even if their primary business is not insurance-related. The Act’s requirements apply to personal information processed in connection with insurance transactions, as well as data collected by insurance licensees or the licensee’s third-party service providers through activities that, while perhaps peripheral or unrelated to insurance transactions, involve the processing of insurance-related data.
If adopted, the ICPP Act would mandate insurance licensees and their third-party service providers to adhere to rigorous privacy standards. Some critical provisions that tech companies need to be aware of include:
The potential implications of the ICPP Act for the technology sector are significant. If passed, the bill would impose direct, affirmative obligations on third-party service providers, not just the insurance licensees themselves. This level of regulatory scrutiny is new for many technology companies operating in the insurance space and will require a fundamental rethinking of data governance, contract management, and compliance programs.
Technology companies providing services to insurance licensees should closely monitor the development of SB 354 and consider reviewing and updating their contracts with insurance clients, mapping and assessing their data flows, and implementing robust consent management systems. Security and privacy measures along with incident response protocols may need to be strengthened, and processes for supporting consumer data requests must be established. Proactive compliance planning is essential to avoid regulatory penalties and maintain trusted business relationships with insurance licensee clients.
The proposed ICPP Act represents a significant shift in California’s approach to insurance data privacy with direct and far-reaching implications for tech companies serving the insurance sector. The California Insurance Commissioner and the Department of Insurance would be empowered with significant enforcement authority under the Act. It would also grant the California Department of Insurance sweeping authority to investigate, hold hearings, and issue cease and desist orders.
Penalties for knowing violations can range from $5,000 to $1 million in the aggregate for multiple violations, with additional fines for repeated offenses. Third-party tech company service providers should be on alert with respect to the ever-changing privacy regulatory landscape. We recommend tech companies review their data processing practices, contractual arrangements, and consumer rights management systems to ensure readiness for the Act’s likely passage and implementation.