Many insurers contemplate using data from internet- connected devices, including wearables, for a deep dive into wearers’ lifestyles and invaluable insights for automated underwriting. Before diving into the deep end, there are numerous privacy considerations. To ensure your IoT data does not plunge you into trouble:

1. Adjust your data map.
   1. Begin by drawing out all the actors that will collect, use, access, transfer, or disclose consumer data.
   2. Write in what type of data each of them will collect, use, access, transfer, or disclose.
   3. Draw arrows to show the flow of data between these actors and add the purposes for which each arrow/“data flow” occurs.
   4. To make sure you have captured everything, practice running different scenarios through your data map (consumer applies through X, application is approved, application is denied, etc.).
   5. Be sure to get each relevant department within your organization’s approval that the data map is correct and complete. Ask questions and test answers.

2. Make sure your contracts with third parties won’t sink you.
   1. Contracts with third parties with whom you will share data (or vice versa) should align with the data map. Ensure your contracts appropriately reflect what data the third party will receive, who is responsible for obligations associated with that data (e.g., who is responsible for providing X notice or securing Y consent), and what the third party can and cannot do with that data.
   2. Evaluate each sharing as a potential “sale” under the CCPA. Ways to avoid the CCPA’s “sale” obligations include:​
      1. GLBA or CalFIPA Data. Personal information “collected, processed, sold, or disclosed pursuant to” the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA) is exempt from most of the CCPA. For other data, a separate exemption is needed.
      2. Service Providers. If the data might not be GLBA or CalFIPA data, the next best “out” of the CCPA’s “selling” obligations is sharing with a “service provider.” To qualify as a “service provider,” however, specific contractual terms must be included in the insurer third-party contract.
   3. Don’t forget contractual “floaties” requiring your third-party partners to appropriately protect the data, notify you in case of an actual or suspected breach, indemnify you in case of such breaches, process consumer requests, and assist in demonstrating compliance to regulators. Also, given privacy laws’ springboard of activity, including the NAIC’s Working Group, seek a commitment from your partners to comply with new legal requirements.
3. Watch out for the deep end, as privacy obligations in your third-party contracts may be submersed in hyperlinks included in the contract or their standard terms of use. Understand these obligations and how they can change with or without notice to you. Consider whether your partner requires consumers to complete a particular form, whether you are required to specifically disclose that partner and link to its terms of use in your notices, whether you are agreeing to comply with an entirely different privacy law that you are not otherwise subject to, etc.
4. As with any new data, update your privacy notices and authorizations to cover this new data collection and its associated uses, sharing(s), and purpose(s). Multiple federal and state laws are likely to govern the notices, consents, registrations, and processes required. As the recently filed class action suits against Lemonade reflect, your notices must accurately reflect your practices.

With proper analysis and planning, your program could win gold.