Is your insurance company watching you online and is it legal?

The insurance industry will soon benefit from technological advancements, such as developments in Artificial Intelligence (‘AI’) and Big Data. These tools promise cost reduction, the creation of innovative products, and the potential to offer more efficient and tailored services to consumers. However, these new opportunities are mirrored by new legal and regulatory challenges.

What if insurers are using your TV watching list to price your car insurance? What if your insurer knows your diet from your online grocery shopping habits or your fitness levels from your wearable fitness tracker?

A new study from Dr Zofia Bednarz, Lecturer in the Law School at University of Sydney and co-author Dr Kayleen Manwaring (UNSW Law & Justice), has found insurers, using models such as new machine learning algorithms, may be able to collect your online and other data – and apart from anti-discrimination laws, there are no effective constraints on them using that data to price contracts.

“Insurance firms may be using our data collected from a variety of sources – social media, customer loyalty programs or online shopping – to set prices of insurance products and we have no real control over how our data is then used, processed, aggregated and combined,” said Dr Bednarz, who is associate investigator in the Arc Centre of Excellence for Automated Decision-making and Society.

“Protections in our current privacy and data protection law are very limited in practice, and insurance law does not help either,” Dr Bednarz said. “So insurers can lawfully collect and use this data at the moment.”

The researchers argue that policymakers and regulators should act now to prevent consumer harm before insurers invest in services, software and strategies around big data and AI, and become resistant to subsequent regulation.

Published in Computer Law & Security Review, a leading international journal in the field of technology and law, the study found:

• AI and Big Data advances mean insurers could potentially collect data from non-traditional sources such as customer loyalty schemes, social media, website browsing history, wearable fitness tracking devices, telematics in cars or transaction history;
• consumers may not be aware their data could be used to price insurance;
• the ‘datafication’ of insurer processes may fuel excessive data collection in the context of insurance contracts, generating a substantial risk of harm to consumers, especially in terms of discrimination, exclusion, and unaffordability of insurance.

“Virtually every ‘digital trace’ consumers leave can be tracked, and the data extracted may potentially be used for underwriting of contracts,” Dr Bednarz said. “Artificial intelligence and machine learning tools make it possible to obtain valuable inferences regarding risk prediction from that data.”

“Inferences that can be drawn from data are very wide-reaching and many of us would find them uncomfortable,” Dr Bednarz said. “It has been shown that models, such as machine learning algorithms, can (correctly!) guess a person’s sexual orientation from pictures of their face, or possible depression from their posts on Twitter. Think about all the things that can be uncovered about us from our grocery shopping history alone: our diet, household size, maybe even health conditions or social background. It gets even more extensive and possibly precise if we think about information revealed by our social media posts, pictures, likes, or membership in various groups.”

Dr Bednarz also points out her further research, carried out with Professor Kimberlee Weatherall, University of Sydney Law School, indicating insurers’ access to data becomes even easier with the new Consumer Data Right (CDR), which already requires banks to share consumers’ banking data, at their request, with another bank or app, such as to access a new service or offer (potentially also insurance). The CDR is proposed to be expanded to the insurance and superannuation industries soon.

While the Consumer Data Right is advertised as empowering consumers, enabling access to new services and offers, and providing people with choice, convenience and control over their data, Dr Bednarz says that “in practice, however, it could mean insurance firms won’t even need to watch you online to know how much money you’re spending (and on what). They could just ask you to share your banking data through CDR.”

The researchers provide an overview of potential solutions, some already explored overseas, that include:

• prohibition on the use of external data;
• limitation on the use of data, e.g. to only specific factors;
• mandating transparency, including explaining the models used;
• privacy law improvements: higher requirements as to the privacy policies and notices, restriction of collection, disclosure and use of personal information to what can be reasonably expected by consumers (this last point is particularly timely given the ongoing Privacy Act review).

Dr Bednarz said: “There is a lot of opacity and secrecy surrounding underwriting processes and data practices of insurers. There is limited control of regulators over what data is collected and used by insurers, and in what ways. Consumers themselves have very little control over their own data.

“We propose a concept of ‘extrinsic data’ - data consumers do not expect to be collected by insurers and used for underwriting. But the issue is even bigger: even if we know insurers are using our data for underwriting, we often don’t know how it translates into the risk assessment. And this is why more transparency is needed.”

Declaration: This research was partly funded by the Centre for Law, Markets and Regulation UNSW where Dr Bednarz was employed 2020-2022. Top Image: Adobe.