The personal lines insurance industry is just breaking into the world of mobile device applications, or “apps.” From auto insurers offering digital proof of coverage to life insurers giving policy quotes directly to shoppers, insurance apps offer carriers a new platform to attract, interact with and retain policyholders. Today, the failure of a consumer-oriented business to provide an app is viewed by many like not having a website: a signal that a company is out of touch and behind on the efficiencies enabled by technology.

That said, an app is not an easy product for an industry as regulated as personal lines insurance. Insurers must find a way to reconcile the features customers want from apps with what the law requires about the collection, storage and use of consumer information. Complicating matters further, insurance regulations designed for a paper-based world follow carriers into the digital realm, layering a unique set of compliance and privacy considerations on top of the requirements of the digital world itself.

While every app developed is different, below are three important considerations when developing or offering a personal lines insurance app.

Privacy Policy

Your app needs a privacy policy, period. In the early days of mobile applications, privacy policies were considered an optional best practice, but today, at least in California, it’s the law.

In late 2012, California Attorney General Kamala Harris filed a suit against Delta Air Lines for its failure to include a privacy policy in its Fly Delta App. The California Online Privacy Protection Act (CalOPPA) requires that, if a mobile app collects personally identifiable information about or from users, then the app must “conspicuously place” a privacy policy within the application itself. This policy must advise consumers about what type of information is collected through the app, how it is collected, and how it is used. A failure to comply comes with a tremendous cost: a CalOPPA violation carries a statutory penalty of up to $2,500 for every violative copy of the application downloaded by California residents.

While Delta was ultimately able to get this case dismissed last May, it did so with an argument unavailable to insurance carriers. Delta successfully argued that CalOPPA was federally preempted by the Airline Deregulation Act, which bars states from regulating “services” provided by airlines. By contrast, with the insurance industry regulated almost entirely at the state level, an insurance carrier caught in California’s cross hairs for a CalOPPA violation would not have a federal preemption argument as a defense, potentially exposing a carrier to CalOPPA’s extreme statutory penalty.

A privacy policy is an opportunity for a carrier to explain what information is collected by the app and how that information is used. Accordingly, the features of the app should drive the contents of the privacy policy. For example, if your app uses geolocation features to identify the location of a user reporting an automobile accident or requesting roadside assistance, explain that the app captures and transmits geolocation data for this purpose. If your app accesses a phone’s picture albums to upload a user’s photographs to file a homeowner’s claim, explain that the app may access photographs and that these photographs, once transmitted, may be used as part of a claim for damages. In other words, a company can build the features its consumers expect, but each feature comes with the responsibility to explain, in the privacy policy, how each feature collects, accesses or uses a user’s information.

It also bears noting that a mobile app privacy policy may resemble, but should not be exactly the same as, a website or mobile website privacy policy. An app accesses, stores and transmits information differently than a website. If a carrier simply repurposed its website privacy policy for an app, it would likely miss everything unique to an app, such as the geolocation and photo gallery access examples. Such gaps in a privacy policy would omit a description of how information is collected and, thus, could violate CalOPPA.

Finally, your privacy policy cannot be buried or hard to find because CalOPPA requires that the policy be in a “conspicuous place.” While there has been no real guidance regarding what constitutes a conspicuous place, suffice it to say it should be something a user can locate easily. Acceptable options include a link at the bottom of the front page, a watermarked link or a link available at the top level of an app’s menu.

Privacy Notices

An app is an opportunity to distribute digital notices, but be aware that app functionalities may also trigger notice requirements. Almost all states require personal lines carriers to provide privacy notifications to their policyholders. Based in large part on the notice requirements of the Gramm-Leach-Bliley Act and the National Association of Insurance Commissioners Model Privacy of Consumer Financial and Health Information Regulation, these state statutes or regulations typically require an initial and annual distribution of a privacy notice that both explains how a customer’s information will be used and provides them with an opt-out (or, in some states, opt-in) from certain types of third-party information sharing.

In many cases, a mobile app is an asset for the distribution of these notices. Most states explicitly permit a carrier to distribute notices electronically, provided a person grants permission for electronic distribution. A mobile application provides a platform for obtaining consent for electronic notice distribution, as well as a low-cost method to distribute notices that may otherwise be printed and mailed. In this instance, an app can save carriers money.

That said, certain app functionalities require a carrier to be mindful of whether any notice distribution requirement is tripped by automated app activity. For example, Virginia requires that a carrier or agent deliver a notice of information collection and disclosure practices (NICDP) to policy applicants. This is a separate requirement from the Gramm-Leach-Bliley-inspired privacy notice (though the two are permissibly consolidated into one notice). The NICDP must be delivered either when a policy is placed or, if the carrier seeks information about an applicant from a third party (like a credit bureau), prior to the carrier’s obtaining this third-party information.

If a carrier offers an app that provides policy quotes, and in the process of pricing these quotes accesses third-party information sources, then preparing a quote for a Virginian has possibly tripped its obligation to provide an NICDP prior to any policy being placed or quote prepared. This is an easy problem to solve—obtain consent for electronic notices and provide the NICDP within the application prior to the submission of information—but it is an example of how certain app functionalities may trigger traditionally paper-based notice requirements.

Protect The Information

States have taken various approaches to protect their residents from the loss or theft of private information. Massachusetts and Nevada have passed laws or regulations that require the encryption of personal information, such as account numbers or other identification numbers, when stored in conjunction with a person’s name. In Nevada, businesses are required to encrypt data that is both transmitted electronically and stored on PCs or mobile devices. In Massachusetts, if personal information is stored on company mobile devices or PCs, these devices must be encrypted. Both states apply their statutes or regulations to businesses that have customers or operations in their states, impacting any company with a national footprint.

To be clear, this is not a requirement to encrypt your customers’ phones or tablets. Rather, for an app that collects and transmits information about your customers, it is a requirement that the data be encrypted while in transit (in practice, TLS with the server’s certificate actually verified by the app) and, once received, stored encrypted on the carrier’s systems and on any company laptop or mobile device that holds it. If you are considering an app or have one in place, it’s quite likely that this is already a top priority, but it bears noting that it might also be a legal obligation.
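What those two obligations look like in code, as an added illustration that is not from the article or from any carrier’s app: the record type, key, names and account number below are constructed for the example. The account number is encrypted with AES-256-GCM and bound to the policyholder’s name as associated data, so a ciphertext that is tampered with, or moved onto another customer’s row, fails to decrypt; the TLS settings show the transit side, with certificate verification left on and a protocol floor set.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// PolicyholderRecord is the combination the statutes single out: an account
// or identification number stored together with a person's name.
// (Constructed example type, not a real carrier's schema.)
type PolicyholderRecord struct {
	Name          string
	AccountNumber string
}

// encryptAccountNumber seals the account number with AES-256-GCM and uses the
// name as associated data, so the ciphertext only opens next to the name it was
// stored with. Returns nonce || ciphertext+tag. The key must come from a key
// store or HSM, never from the same table or config file as the data.
func encryptAccountNumber(key []byte, rec PolicyholderRecord) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("need a 32-byte key for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, []byte(rec.AccountNumber), []byte(rec.Name))
	return append(nonce, sealed...), nil
}

// decryptAccountNumber reverses encryptAccountNumber. Any change to the
// ciphertext, the tag or the name it is paired with makes Open return an error.
func decryptAccountNumber(key []byte, name string, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// transitConfig is the client TLS configuration the app would use when posting
// claim or quote data to the carrier. Verification is the Go default; it is set
// explicitly so a code review can see InsecureSkipVerify was never flipped on.
func transitConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false,
	}
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed demo key; use a managed key in production
	rec := PolicyholderRecord{Name: "Jane Policyholder", AccountNumber: "PL-0001-2345"}

	blob, err := encryptAccountNumber(key, rec)
	if err != nil {
		panic(err)
	}
	back, err := decryptAccountNumber(key, rec.Name, blob)
	fmt.Println("round trip ok:", err == nil && back == rec.AccountNumber)

	_, err = decryptAccountNumber(key, "Someone Else", blob)
	fmt.Println("moved to another name rejected:", err != nil)
	fmt.Println("transit min version TLS 1.2:", transitConfig().MinVersion == tls.VersionTLS12)
}
```

The name-as-associated-data choice is the part worth copying: it means a database operator who swaps encrypted account numbers between two rows gets decryption failures rather than silently mismatched customers. Key handling is deliberately out of scope here; an encrypted laptop or database only satisfies the statute if the key is not sitting beside the data it protects.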

Catering To Consumers

An app is important and a de facto requirement of many modern businesses. Modern consumers expect the companies in their lives to cater to their mobile lifestyles and provide apps that facilitate their personal and financial needs. Despite facing higher regulatory hurdles, the insurance industry is advancing to fill these expectations. As insurance apps become the norm, carriers must be mindful of their privacy obligations.

Matt Lewis is an associate in the insurance practice group of Drinker Biddle & Reath in Philadelphia. He counsels personal lines insurance carriers on compliance, data security and customer privacy obligations. His practice includes the drafting of policies and procedures (including mobile app privacy policies), compliance auditing, security breach work and other regulatory and compliance challenges facing various types of personal lines products.