Personal data is the currency with which we pay for allegedly “free” services like Google and Facebook. Effective 2019, subscribers will be required to pay John Hancock with data about their activities in order to obtain life insurance. Is the company beating against the tide or at the forefront of a trend?
John Hancock, one of the oldest life insurance companies in North America recently announced that it is leaving the business of traditional life insurance and will only sell “interactive policies.” That term, no doubt dreamed up by a marketing professional seeking to expand the life insurance market by targeting millennials, requires as a condition of the insurance that the subscriber wear a fitness device that transmits his or her activity levels to John Hancock.
What sort of “activity levels?” That’s not clear, at least not yet, nor have the safeguards for security and sharing of those data been made public in readily understandable terms. Those concerned with privacy have raised concerns as varied as the potential uses of that information. Restrictions, if any, on sharing with or seeking those data to marketers who will target ads to subscribers based on the subscriber’s activity levels, have not been announced.
Isn’t this sort of tracking precisely the issue that has raised concerns in the media and government at the state and federal levels? In Europe, the General Data Protection Regulation (GDPR) requires that a data user be advised of why and how her information is collected, parties with whom the data is shared and the purpose of that sharing. California recently enacted a similar law, and New Jersey has commenced hearings on a law that would comprise such notice to consumers. Illinois, Colorado, Vermont and New York (for financial services organizations) have enacted laws with stringent cybersecurity requirements in the past year. As Natasha Singer recently wrote in The New York Times, the motivation for such laws is “is unfettered data exploitation and its potential deleterious consequences — among them, unequal consumer treatment, financial fraud, identity theft, manipulative marketing and discrimination.”
Before we conclude that state legislatures will save the privacy day, the technology industry has begun a concerted push for federal privacy legislation that would preempt state laws. The industry isn’t motivated by concerns for consumer privacy or concerns about consumer retribution but, instead, to head off privacy-motivated state legislation. A hearing in the US Senate held September 25 comprised testimony from AT&T, Google, Apple, Amazon and Twitter, in which executives of these companies stated that federal preemption of state privacy laws that restrict how businesses can use data and require disclosure of these uses) was critical for their businesses. Preemption of state privacy laws, Senator Brian Schatz of Hawaii stated that state law preemption is “the holy grail” for these companies, but that it won’t come about without “meaningful” protection for consumers.
Maybe John Hancock is ahead of the curve, not behind it.
If you have questions concerning compliance with state, federal or non-US laws regarding data management, privacy and cybersecurity please contact Kenneth N. Rashbaum.