Two rulings by regulators on data practices should be setting ‘warning lights’ flashing across the insurance sector. Just as big data is said to be disrupting insurance, the rulings by the UK’s ICO and the US’s FTC have the potential to disrupt many of the digital strategies in insurance. And what is more, the UK regulator’s ruling is just stage one. So what can insurers do to switch off that ‘warning light’ for their digital strategies?
Let’s look at the UK situation first. In October 2020, the Information Commissioner’s Office (ICO) ruled that three data brokers (Experian, Equifax and TransUnion) had been sharing the personal information of millions of people without their consent and it must stop. Equifax and TransUnion accepted the ICO’s findings and changed their processes. Experian changed some of their processes but not all. As a result, the ICO gave them nine months to make the necessary changes or face a fine of up to £20m, or 4% of its global turnover, whichever is higher.
The main ethical issues covered in the ICO’s ruling are as follows:
- Consent – “None of the consents reviewed by (ICO) auditors and relied on by Equifax were valid…”
- Secondary Use – “Where the (three firms) are currently using personal data obtained for credit referencing purposes for direct marketing, they must stop using it.”
- Transparency – “The privacy information of the (three firms), in the context of their marketing services, did not clearly explain the processing.”
- Conflict of Interest – “The (three firms) must revise their (legitimate interest assessments) to reconsider the balance of their own interests against the rights and freedoms of individuals.”
And to these four ethical issues can be added references in the ICO ruling to lawfulness and fairness as well.
A Damning Picture
The ruling adds up to a damning picture of data practices in large firms at the heart of the big data revolution. Yet this ruling is only the start. The ICO was only focussed on ‘offline marketing services’, in other words using methods other than the internet. They still have an ongoing investigation into the online marketing services offered by data brokers. And that, I suspect, could result in equally significant findings.
So what are the implications for digital strategies in insurance? Well, I can’t imagine there are any insurers in the UK market who do not in some way make use of the data and services of data brokers like Experian, Equifax and TransUnion. This current ruling, and whatever comes out of the ICO’s online marketing investigation, should be signalling three things to insurers.
Three Actions for Insurers
Firstly, insurers should be assessing the extent to which any data they’ve bought from these three firms may have been unlawfully obtained. If it has, then clearly the insurer should no longer use it. Indeed, it would need to be deleted from their ‘data loch’.
Secondly, insurers should be looking at their due diligence processes, to establish whether they are rigorous enough. After all, each of the UK’s three main data brokers were found to have systemic compliance failings. If the ICO auditors found that none of the forms of consent being used by Equifax were valid, then what might this say about the lawfulness of other processes?
And thirdly, insurers should be looking at their own data standards and privacy protocols, to see what the ICO ruling means for themselves. Since I first wrote about consent back in 2012, I’ve seen the scope of data being gathered and used by insurers expand considerable. And more recently, the 2020 pricing review revealed that data gathered for risk purposes was being used in ways never envisaged by policyholders.
Have Insurers got Consent Right?
What this points to is the need for insurers to look again at the very generic consent wording favoured by most of the market. It may just be too generic, giving insurers options that are too ‘carte blanche’. If challenged, the extent to which the sector has been repurposing data will be exposed, undermining key aspects of many digital strategies in insurance.
Let’s be clear. If an insurer has been acquiring data and using it in underwriting, claims or counter fraud decisions, in ways outwith of the original consent attached to that data, then this would be unlawful. And the Senior Managers and Certification Regime makes clear that it will be insurers who are accountability for the data they use, even if it comes from the UK’s three biggest data brokers.
So, the implications of the ICO ruling for insurers are pretty significant. Yet the implications of a recent ruling by the US Federal Trade Commission (FTC) could be even more so. In January 2021, the FTC ruled on a photo storage app that had been using its users photos to develop and train facial recognition technology. The FTC told the firm to not just delete photos and videos of its users who deactivated their accounts, but to also delete any facial recognition algorithms developed with those users’ photos or videos. Furthermore, the firm must also delete all “face embeddings,” described as “data reflecting facial features that can be used for facial recognition purposes” derived from users’ photos who hadn’t given consent for their use.
So, again on the basis of invalid consent, a firm has been told to delete the photos, the algorithms trained on those photos and the data derived from those photos. Could this happen in the UK? It's a distinct possibility and insurers, with their strong interest in voice and image data, would immediately be exposed.
We know that some insurers are scanning social media images not just for direct evidence of say fraud, but also for analysis by predictive algorithms to discover if you’re this type or that type of person, for say underwriting or marketing purposes. And the current pandemic has increased digital image traffic enormously, giving insurers many more opportunities to gather and analyse image data. Yet as the ICO ruling reminds us, all of this has to be done with the right form of consent.
What Consumers Think
Now, some of you will be thinking that as none of this directly relates to insurance, the sector might just as well adopt a ‘wait and see’ approach. In other words, keep to its existing course until specifically told to do otherwise. There are some insurers in the UK market who very much follow this approach.
I would therefore point them to some independent research commissioned by their trade association, the Association of British Insurers (ABI). Published in early 2020, the research’s main conclusion made stark reading. In terms of ‘consumer attitudes to data and insurance’, consumers engaged with the market through “a double layered lens of distrust.”
This double layered lens of distrust meant that “consumers are primed to feel particularly cautious and sceptical when it comes to their data in the context of insurance”. It also meant that “…they are more likely to interpret new developments in relation to their data as designed to work in the industry’s best interests…”
When it came to consent, 86% of those surveyed said that they are concerned about organisations selling or sharing information about them when those organisations don’t have permission to do so. More than half (53%) remain uncomfortable with this even when they have given permission for their data to be shared.
The market is not unaware of this problem. A PwC survey back in 2017 found that 72% of UK insurance executives thought that it would be harder to sustain trust in a digitised market. This makes me wonder if the market is facing a monumental ethical dilemma.
A Monumental Ethical Dilemma
On the one hand, there are the sector’s advocates of ‘behavioural fairness ’ who see more and more data delivering ever greater levels of fairness for insurance customers. In my opinion though, their arguments are fundamentally flawed – more here. And on the other hand, there is a growing body of evidence, such as the ABI research mentioned above, that point to more and more data fuelling more and more distrust amongst consumers.
Is the sector facing a stark choice? More data and less trust, or less data and more trust? The only way out of this dilemma is for insurers, in my opinion, to revolutionise their data practices, unilaterally across the sector.
‘That’s fine to say’, some will think, ‘but it will never happen’. Well, recent research that I’ve been tracking would say otherwise. And what’s more, an alignment of evidence, motivation and regulation seems to be taking shape. That I will explain and explore in a subsequent post.
To Sum Up
To sum up. Together, the ICO and FTC rulings should set the ‘warning lights’ flashing for many digital strategies in insurance. The challenge insurers now face is being confident enough in their use of consent to calm the nerves of the senior management function holders who have individual accountability under SMCR. And that confidence will only come if it’s been through some robust and independent challenge. My radar is picking up on developments indicating that if the sector doesn’t challenge itself on this, others are preparing to do so.
If you have any questions about this post, please get in touch.
These two posts will also be of interest...