CCPA and AI Underwriting: Compliance Guide for Insurance 2026
Insurers and insurtechs already navigate a dense state insurance code for how they price and deny coverage. AI underwriting adds a second compliance layer on top: CCPA's consumer rights, sensitive-data rules, and automated decision-making requirements apply the moment the model touches Californians' personal information.
Why Insurance AI Draws Extra Scrutiny
AI underwriting and claims tools ingest exactly the kind of data CCPA treats most carefully: driving history, health conditions, financial records, and increasingly telematics data pulled from connected devices. Layer an AI model on top that scores risk or flags claims for denial, and you've combined sensitive personal information with an automated decision that has a real, significant effect on the consumer — coverage, pricing, or a claim payout.
Insurance regulators have long required underwriting to be explainable and non-discriminatory. CCPA doesn't replace that obligation — it adds a parallel, consumer-facing layer of rights that applies regardless of what the insurance code separately requires.
Where CCPA Attaches to AI Underwriting
Automated decision-making notice and opt-out
Where AI substantially replaces human judgment in a decision that significantly affects a consumer — such as denying or pricing a policy — California's ADMT rules generally require pre-use notice describing the logic involved and an opt-out right, subject to the regulation's specific scope and exceptions.
Sensitive personal information limits
Health data, precise geolocation from telematics or usage-based insurance devices, and certain financial data used as model inputs typically qualify as sensitive personal information, giving consumers the right to limit its use beyond what's reasonably necessary to provide the insurance product.
Access and correction rights
Consumers can request the categories and specific pieces of personal information used to generate a risk score or underwriting decision, and can dispute inaccurate inputs — a right that intersects with, but doesn't replace, any adverse-action process required by insurance regulators.
Third-party data and vendor scoring models
Many insurers license third-party AI risk-scoring or claims-triage models rather than building in-house. CCPA's obligations don't stop at the vendor boundary — the insurer using the tool remains responsible for consumer-facing rights even when the underlying model is licensed.
Where Deletion Rights Run Into Retention Law
This is where insurance AI diverges from most other CCPA use cases:
- Record-retention mandates under state insurance codes often require insurers to keep underwriting and claims records for years — a CCPA deletion request doesn't override a legally mandated retention period, but insurers still need a documented basis for denying or limiting a deletion request.
- Training-data deletion is harder still: if a consumer's data was used to train a risk-scoring model rather than just stored in a record, deleting the source record doesn't remove its influence on the model, raising practical questions insurers need a documented position on.
- Opt-out of automated decisions doesn't mean opting out of underwriting altogether — insurers typically need a documented fallback process (human review) for consumers who exercise an ADMT opt-out right.
Building a Compliance Checklist
Treat CCPA compliance as an added layer on top of your existing insurance-regulatory program, not a separate track.
Undisclosed AI decisioning is a compliance gap you can find before regulators do
RatedWithAI helps teams find and fix the compliance gaps on their web properties before they become complaints. Start with a free scan.
Scan Your Site for Free →Frequently Asked Questions
Does CCPA override state insurance regulators on AI underwriting fairness?
No. State insurance departments retain primary authority over rating factors, unfair discrimination, and underwriting fairness. CCPA operates alongside that framework, adding consumer-facing data rights — notice, access, deletion, and opt-out — that apply independently of insurance-specific substantive rules.
Does usage-based insurance telematics data count as sensitive personal information?
Precise geolocation data, which telematics devices commonly generate, is one of CCPA's enumerated categories of sensitive personal information. Insurers using telematics for AI-driven pricing generally need to provide the associated limit-use right and factor that into their notice and consent flows.
Can an insurer deny a CCPA deletion request tied to an active claim or policy?
Generally yes, to the extent the data is necessary to complete the transaction, comply with a legal obligation such as a retention mandate, or is otherwise covered by one of CCPA's statutory exceptions — but the insurer should document the specific exception relied on rather than issuing a blanket denial.
Do CCPA's ADMT rules apply to every AI tool an insurer uses?
No. The rules are generally triggered where AI substantially replaces human decision-making in a way that produces a legal or similarly significant effect on the consumer, such as denying coverage or setting a materially different price — tools that merely assist human underwriters without replacing their judgment may fall outside that specific trigger, though other CCPA obligations can still apply.