RatedWithAI

RatedWithAI

Accessibility scanner

AI PrivacyJuly 10, 2026

CCPA and AI Underwriting: Compliance Guide for Insurance 2026

Insurers and insurtechs already navigate a dense state insurance code for how they price and deny coverage. AI underwriting adds a second compliance layer on top: CCPA's consumer rights, sensitive-data rules, and automated decision-making requirements apply the moment the model touches Californians' personal information.

Two regimes
State insurance law and CCPA apply simultaneously to AI underwriting
ADMT
Automated decision-making rules add notice, opt-out, and access duties
Sensitive data
Health, geolocation, and financial inputs trigger extra CCPA protections

Why Insurance AI Draws Extra Scrutiny

AI underwriting and claims tools ingest exactly the kind of data CCPA treats most carefully: driving history, health conditions, financial records, and increasingly telematics data pulled from connected devices. Layer an AI model on top that scores risk or flags claims for denial, and you've combined sensitive personal information with an automated decision that has a real, significant effect on the consumer — coverage, pricing, or a claim payout.

Insurance regulators have long required underwriting to be explainable and non-discriminatory. CCPA doesn't replace that obligation — it adds a parallel, consumer-facing layer of rights that applies regardless of what the insurance code separately requires.

Where CCPA Attaches to AI Underwriting

Automated decision-making notice and opt-out

Where AI substantially replaces human judgment in a decision that significantly affects a consumer — such as denying or pricing a policy — California's ADMT rules generally require pre-use notice describing the logic involved and an opt-out right, subject to the regulation's specific scope and exceptions.

Sensitive personal information limits

Health data, precise geolocation from telematics or usage-based insurance devices, and certain financial data used as model inputs typically qualify as sensitive personal information, giving consumers the right to limit its use beyond what's reasonably necessary to provide the insurance product.

Access and correction rights

Consumers can request the categories and specific pieces of personal information used to generate a risk score or underwriting decision, and can dispute inaccurate inputs — a right that intersects with, but doesn't replace, any adverse-action process required by insurance regulators.

Third-party data and vendor scoring models

Many insurers license third-party AI risk-scoring or claims-triage models rather than building in-house. CCPA's obligations don't stop at the vendor boundary — the insurer using the tool remains responsible for consumer-facing rights even when the underlying model is licensed.

Where Deletion Rights Run Into Retention Law

This is where insurance AI diverges from most other CCPA use cases:

  • Record-retention mandates under state insurance codes often require insurers to keep underwriting and claims records for years — a CCPA deletion request doesn't override a legally mandated retention period, but insurers still need a documented basis for denying or limiting a deletion request.
  • Training-data deletion is harder still: if a consumer's data was used to train a risk-scoring model rather than just stored in a record, deleting the source record doesn't remove its influence on the model, raising practical questions insurers need a documented position on.
  • Opt-out of automated decisions doesn't mean opting out of underwriting altogether — insurers typically need a documented fallback process (human review) for consumers who exercise an ADMT opt-out right.

Building a Compliance Checklist

Treat CCPA compliance as an added layer on top of your existing insurance-regulatory program, not a separate track.

Map every AI underwriting, pricing, and claims-triage tool and the personal data it consumesEssential
Determine which uses trigger ADMT pre-use notice and opt-out obligationsEssential
Flag health, geolocation, and financial inputs as sensitive personal information with limit-use controlsEssential
Build a documented human-review fallback for consumers who opt out of automated underwritingOperational
Confirm vendor contracts for licensed AI scoring models assign CCPA compliance responsibilities clearlyVendor risk
Reconcile CCPA deletion requests against state insurance record-retention requirements with documented justificationLegal review

Undisclosed AI decisioning is a compliance gap you can find before regulators do

RatedWithAI helps teams find and fix the compliance gaps on their web properties before they become complaints. Start with a free scan.

Scan Your Site for Free →

Frequently Asked Questions

Does CCPA override state insurance regulators on AI underwriting fairness?

No. State insurance departments retain primary authority over rating factors, unfair discrimination, and underwriting fairness. CCPA operates alongside that framework, adding consumer-facing data rights — notice, access, deletion, and opt-out — that apply independently of insurance-specific substantive rules.

Does usage-based insurance telematics data count as sensitive personal information?

Precise geolocation data, which telematics devices commonly generate, is one of CCPA's enumerated categories of sensitive personal information. Insurers using telematics for AI-driven pricing generally need to provide the associated limit-use right and factor that into their notice and consent flows.

Can an insurer deny a CCPA deletion request tied to an active claim or policy?

Generally yes, to the extent the data is necessary to complete the transaction, comply with a legal obligation such as a retention mandate, or is otherwise covered by one of CCPA's statutory exceptions — but the insurer should document the specific exception relied on rather than issuing a blanket denial.

Do CCPA's ADMT rules apply to every AI tool an insurer uses?

No. The rules are generally triggered where AI substantially replaces human decision-making in a way that produces a legal or similarly significant effect on the consumer, such as denying coverage or setting a materially different price — tools that merely assist human underwriters without replacing their judgment may fall outside that specific trigger, though other CCPA obligations can still apply.

Related Guides