Insurance Consumer Privacy Protection Act of 2025.
- Establishes new privacy standards requiring insurance companies to protect and limit use of consumer data.
- Requires insurers to obtain consumer consent before sharing personal data for non-insurance purposes.
- Mandates clear privacy notices explaining how consumer data is collected, used and shared.
- Authorizes penalties up to $1 million for privacy violations and creates criminal penalties for data theft.
Senator Limón's Insurance Consumer Privacy Protection Act establishes comprehensive standards for how insurance companies and their vendors handle California consumers' personal information. The legislation requires insurers to obtain explicit consent before using customer data for purposes beyond basic insurance transactions, implement data minimization practices, and provide clear privacy notices detailing how information is collected and shared.
The bill grants consumers new rights to access, correct, and delete their personal information held by insurers. Insurance companies must respond to these requests within 30 business days and provide detailed explanations when denying coverage or making other adverse decisions. The legislation prohibits retaliation against consumers who exercise their privacy rights and bars the sale of customer data for any purpose.
Insurance licensees must develop written policies for data retention and deletion, with requirements to destroy unnecessary personal information within 90 days. Third-party service providers working with insurers face strict contractual obligations regarding data security, breach notification, and limitations on information use. The Insurance Commissioner gains authority to investigate violations, conduct hearings, and impose penalties ranging from $5,000 to $1 million per incident.
The measure aligns insurance industry practices with modern privacy standards while maintaining exemptions for fraud investigation, claims processing, and other essential business functions. Companies have five years to implement the new data retention requirements, though other provisions take effect immediately upon enactment.
 James GallagherR Assemblymember | Committee Member |  Not Contacted | |
 Mike GipsonD Assemblymember | Committee Member | Not Contacted | |
 Phillip ChenR Assemblymember | Committee Member | Not Contacted | |
 Marc BermanD Assemblymember | Committee Member | Not Contacted | |
 Monique LimonD Senator | Bill Author | Not Contacted |
Email the authors or create an email template to send to all relevant legislators.
Introduced By
Latest Voting History
| Ayes | Noes | NVR | Total | Result |
|---|---|---|---|---|
| 28 | 10 | 2 | 40 | PASS |
- Establishes new privacy standards requiring insurance companies to protect and limit use of consumer data.
- Requires insurers to obtain consumer consent before sharing personal data for non-insurance purposes.
- Mandates clear privacy notices explaining how consumer data is collected, used and shared.
- Authorizes penalties up to $1 million for privacy violations and creates criminal penalties for data theft.
Email the authors or create an email template to send to all relevant legislators.
Introduced By
Senator Limón's Insurance Consumer Privacy Protection Act establishes comprehensive standards for how insurance companies and their vendors handle California consumers' personal information. The legislation requires insurers to obtain explicit consent before using customer data for purposes beyond basic insurance transactions, implement data minimization practices, and provide clear privacy notices detailing how information is collected and shared.
The bill grants consumers new rights to access, correct, and delete their personal information held by insurers. Insurance companies must respond to these requests within 30 business days and provide detailed explanations when denying coverage or making other adverse decisions. The legislation prohibits retaliation against consumers who exercise their privacy rights and bars the sale of customer data for any purpose.
Insurance licensees must develop written policies for data retention and deletion, with requirements to destroy unnecessary personal information within 90 days. Third-party service providers working with insurers face strict contractual obligations regarding data security, breach notification, and limitations on information use. The Insurance Commissioner gains authority to investigate violations, conduct hearings, and impose penalties ranging from $5,000 to $1 million per incident.
The measure aligns insurance industry practices with modern privacy standards while maintaining exemptions for fraud investigation, claims processing, and other essential business functions. Companies have five years to implement the new data retention requirements, though other provisions take effect immediately upon enactment.
Latest Voting History
| Ayes | Noes | NVR | Total | Result |
|---|---|---|---|---|
| 28 | 10 | 2 | 40 | PASS |
James GallagherR Assemblymember | Committee Member | Not Contacted | |
Mike GipsonD Assemblymember | Committee Member | Not Contacted | |
Phillip ChenR Assemblymember | Committee Member | Not Contacted | |
Marc BermanD Assemblymember | Committee Member | Not Contacted | |
Monique LimonD Senator | Bill Author | Not Contacted |