California lawmakers are once again turning their attention to consumer privacy—this time with a laser focus on the insurance sector.
At a moment when insurance companies are already navigating a minefield of data privacy laws, the newly proposed Senate Bill 354 aims to introduce a sweeping and potentially disruptive layer of regulation to an industry that many argue has already invested heavily in consumer data protection.
Formally titled the Insurance Consumer Privacy Protection Act of 2025, SB 354 is authored by Senator Monique Limón and backed by Insurance Commissioner Ricardo Lara. If passed, the bill would create a new privacy regime specifically for the insurance space, distinct from the broader California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
While privacy advocates see the legislation as a long-overdue modernization, many in the insurance community view it as a solution in search of a problem.
A Layered and Already Active Privacy Landscape
The insurance business has long operated within a well-defined and robust privacy framework. Depending on the type of information at issue and the nature of the transaction, insurers already comply with an overlapping set of requirements under federal and state law.
The Gramm-Leach-Bliley Act governs nonpublic personal financial information, the Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information in specific contexts, and California’s Insurance Information and Privacy Protection Act has for decades set out rules for data collection, use, and disclosure in connection with insurance transactions. Overlaying these is the CCPA/CPRA, which steps in to cover personal information not captured by sector-specific statutes.
A Shift in Regulatory Approach
What SB 354 proposes isn’t to replace these laws, but to add a new layer—one that redefines how carriers and their third-party service providers manage the life cycle of personal data.
The bill would grant consumers the enhanced rights of access, correction and deletion of their data. In addition, SB 354 would require detailed disclosures regarding data sharing practices, and perhaps most consequentially, it would prohibit the use or disclosure of personal information for non-insurance purposes unless the consumer affirmatively opts in. That’s a meaningful departure from the current opt-out model under California’s general privacy law and could have far-reaching implications for marketing, analytics, and other non-underwriting operations.
The legislation calls for stricter controls around data minimization and retention as well, placing the onus on insurers to demonstrate that they are collecting only what’s necessary and retaining it only as long as justified. Importantly, these obligations would apply not just to data gathered in connection with insurance transactions, but also to information collected through peripheral or unrelated activities.
Enforcement would rest exclusively with the California Department of Insurance (CDI), rather than with the California Privacy Protection Agency (CPPA) and the attorney general's office, which share enforcement of the CCPA. Of note, there is no private right of action under the proposed law, but the CDI would have significant discretion to issue escalating penalties for noncompliance.
Industry Skepticism and Operational Concerns
For many in the industry, these developments raise both operational and philosophical concerns.
Unlike some industries that have had to play catch-up on privacy, insurance carriers, producers, and adjusters in California have already devoted substantial resources to compliance—setting up enterprise-wide privacy programs, building workflows for consumer requests, vetting vendors, and managing cross-regulatory obligations that often overlap or conflict. For them, privacy isn’t a legal formality; rather, it’s a fully embedded business function that touches virtually every department, from legal and compliance to IT and customer service.
And that’s precisely why SB 354 is drawing scrutiny. Critics of the bill question whether it meaningfully enhances consumer protection or simply adds a new set of regulatory burdens, ones that may offer minimal practical benefit to consumers but come at considerable cost. Those costs could eventually be passed on to policyholders in the form of higher premiums or reduced access to innovation.
Some industry stakeholders also interpret the bill as part of a larger power struggle between the CDI and CPPA, rather than a targeted response to any demonstrated gap in consumer safeguards.
Preparing for What’s Ahead
Still, SB 354 has made its debut at a time when data privacy continues to dominate headlines and legislative agendas. Even if it does not pass in its current form, its introduction sends a clear message: regulators are interested in expanding their authority over how insurers handle data, and the policy conversation is shifting toward sector-specific regimes. That alone warrants close attention.
In the meantime, insurers would be wise to stay engaged in the legislative process while simultaneously evaluating how their current privacy processes align with the proposed framework. Data retention policies, consent mechanisms, and third-party agreements may all require revisiting if the bill gains momentum, and a mechanism for obtaining, recording, and tracking consumer opt-ins for non-insurance uses of personal information will need to be built.
Ultimately, SB 354 represents more than just a legislative proposal: it’s a reflection of how the state views the future of privacy in the insurance space. For an industry that has already built a strong foundation in compliance, the question isn’t whether it takes privacy seriously, but whether the state’s evolving expectations can be met with practical, scalable, and consumer-benefiting solutions. Whether this particular bill becomes law or not, that conversation is only just beginning.
Tosaris is a partner in the San Francisco office of Michelman & Robinson, LLP, a national law firm headquartered in Los Angeles. She advises insurers and other CDI-regulated entities on a range of issues, including privacy issues and regulatory compliance. PHONE: (415) 882-7770; email: etosaris@mrllp.com
Plesset is an associate at M&R. A Certified Information Privacy Professional/United States, he provides counsel to clients navigating the landscape of privacy, intellectual property and compliance. Phone: (714) 557-7990; email: aplesset@mrllp.com.