Overview of Senate Bill 354
California is once again at the forefront of privacy regulation, this time with a sharp focus on the insurance sector.
California’s proposed Senate Bill 354, styled as the Insurance Consumer Privacy Protection Act of 2025 (the “ICPP Act” or the “Act”), would, if enacted, introduce an augmented privacy regime for the insurance sector. Its advocates claim the ICPP Act goes beyond the protections found in California’s current consumer privacy laws, including the California Insurance Information and Privacy Protection Act (the “IIPPA”) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”).
The ICPP Act has cleared the Senate and now must pass the state’s lower house before the governor considers signing it into law. If enacted as currently drafted, the ICPP Act would create a sector-specific framework directly impacting not only insurance licensees but also the technology companies and other third-party service providers serving the insurance industry—including cloud providers, Software-as-a-Service vendors, data analytics firms, and any other entity that meets the ICPP Act’s definition of a third-party service provider.
Why the Tech Industry Should Take Notice
The IIPPA applies only to licensed agents, brokers, and insurance companies, whereas the ICPP Act would apply both to insurance licensees and to the third-party service providers that provide services to the insurance industry.
The ICPP Act defines a “licensee” as a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, including an insurer, a producer, a surplus line insurer, and a director, officer, employee, or agent of a licensee. The bill also defines “third-party service providers” as any organization, including directors, officers, employees, and agents thereof, that contracts with an insurance licensee, provides services to the insurance licensee, and processes, shares, or otherwise is permitted access to personal information through its provision of services to the insurance licensee.
Furthermore, the proposed ICPP Act expands the definition of “third-party service provider” to include any organization that may have to share personal or publicly available information in connection with an insurance transaction, even if that person or organization does not have a contract with the insurance licensee.
This would mean any technology company “processing” (defined to include collecting, using, sharing, storing, disclosing, analyzing, deleting, retaining, or modifying) personal information on behalf of California insurance licensees would be subject to the Act’s requirements even if it has no direct contractual relationship with the insurance licensee. This includes companies providing services to insurers or insurance intermediaries, or processing insurance-related data, even if their primary business is not insurance-related. The Act’s requirements apply to personal information processed in connection with insurance transactions, as well as to data collected by insurance licensees or their third-party service providers through activities that, while perhaps peripheral or unrelated to insurance transactions, involve the processing of insurance-related data.
Key Compliance Requirements for Tech Companies
If adopted, the ICPP Act would mandate insurance licensees and their third-party service providers to adhere to rigorous privacy standards. Some critical provisions that tech companies need to be aware of include:
- Clear and Conspicuous Privacy Notices: The Act would grant consumers the right to receive notice about how licensees and others will process their personal information. While the primary obligation to provide such notice falls upon licensees, tech companies acting as third-party service providers are obligated to provide consumers with notice when processing personal information independently of a licensee—such as through their own websites or for purposes unrelated to an insurance transaction. If the tech company is not operating solely under a written contract with a licensee or uses personal information beyond the scope of its contract with a licensee, the tech company must publish and comply with its own privacy notice. However, when processing is conducted exclusively on behalf of a licensee under contract, the licensee’s privacy notice generally governs unless the tech company acting as a third-party service provider is expressly delegated to provide notice.
- Consumer Consent: The ICPP Act requires insurance licensees and third-party service providers to obtain consumer consent for any use of consumer personal information unrelated to the insurance transaction. This means insurance licensees and tech companies must implement mechanisms to capture and record consumer consent, ensuring that it is specific, informed, and unambiguous.
- Data Minimization and Retention Policies: Tech companies must follow the data retention and deletion terms outlined in their contracts with licensees and must adopt data minimization practices, collecting and retaining only the personal information necessary for the insurance transaction. Additionally, they must securely destroy personal information that is no longer needed.
- Oversight of Third-Party Service Providers: The Act places significant emphasis on insurance licensees’ oversight of third-party service providers. Insurance licensees must bind third-party service providers, including tech companies, to contracts governing the processing of personal information, including the nature and purpose of processing, the types of personal information involved, the duration of processing, and limiting the third-party service provider’s use of the personal information to only the provision of services to the licensee.
- Prohibition on the Sale of Personal Information: The sale of personal information would be strictly prohibited. Under the Act, “sale” is defined as “the exchange of personal information to a third party for monetary or other valuable consideration.” Tech companies must ensure they do not engage in the sale of personal information and that any sharing of information is done in compliance with the Act.
- Consumer Rights: The bill would grant consumers expanded rights to access, correct, amend, or delete their personal information. Tech companies must be prepared to respond to consumer requests promptly and accurately, providing the necessary information and making the required corrections, amendments, or deletions.
Direct Obligations and Action Steps for Tech Companies
The potential implications of the ICPP Act for the technology sector are significant. If passed, the bill would impose direct, affirmative obligations on third-party service providers, not just the insurance licensees themselves. This level of regulatory scrutiny is new for many technology companies operating in the insurance space and will require a fundamental rethinking of data governance, contract management, and compliance programs.
Technology companies providing services to insurance licensees should closely monitor the development of SB 354 and consider reviewing and updating their contracts with insurance clients, mapping and assessing their data flows, and implementing robust consent management systems. Security and privacy measures along with incident response protocols may need to be strengthened, and processes for supporting consumer data requests must be established. Proactive compliance planning is essential to avoid regulatory penalties and maintain trusted business relationships with insurance licensee clients.
Conclusion
The proposed ICPP Act represents a significant shift in California’s approach to insurance data privacy with direct and far-reaching implications for tech companies serving the insurance sector. The California Insurance Commissioner and the Department of Insurance would be empowered with significant enforcement authority under the Act. It would also grant the California Department of Insurance sweeping authority to investigate, hold hearings, and issue cease and desist orders.
Penalties for knowing violations can range from $5,000 to $1 million in the aggregate for multiple violations, with additional fines for repeated offenses. Third-party tech company service providers should be on alert with respect to the ever-changing privacy regulatory landscape. We recommend tech companies review their data processing practices, contractual arrangements, and consumer rights management systems to ensure readiness for the Act’s likely passage and implementation.