Consent is something the insurance market has often taken for granted. Sure, insurers did the necessary tweaks to accommodate the GDPR, but didn’t really change the fundamentals. Recent developments are now signalling that it’s time for a serious rethink. In today’s post, I look at why sector attitudes to consent need to change, and the four issues which make insurers vulnerable.
The last couple of years have seen a progression of cases from which insurers should learn. In 2020, the ABI commissioned independent research into consumer attitudes towards data and insurance. One of the research’s key findings was that 86% of consumers say that they are concerned about their data being sold or shared without their permission. And 53% were uncomfortable with this even when they’d given permission for their data to be shared. The researchers referred to this as part of the ‘double layered lens of mistrust’ that insurance was seen through. Clearly, the public feel the sector has work to do on consent.
Lots of Rulings
Later in 2020, the UK’s data protection regulator (the ICO) ruled that the country’s top three data brokers had been sharing the personal information of millions of people without their consent. In their ruling, the ICO said that none of the consents in their review of the largest of these three firms were valid. Given how embedded those three firms are in the insurance sector, this should have set alarm bells ringing at insurers.
In early 2021, the US trade regulator ruled that a firm (not in insurance) must not only delete the data it had used without consumers’ consent, but also delete the algorithms that had been trained upon that data. The implications of that are startling.
In September this year, the ICO ruled that Saga has sent out insurance marketing emails at a daily rate of around 1 million a day over a 4.5 month period, all without consent. And only last month, the ICO ruled that a software house should delete all UK personal data it held, again due to problems with consent.
A New Climate of Concern
What these and similar cases point to is a new climate of concern about how consumer data is collected and used. For insurers, this raises the distinct prospect that insurers’ fairly universal approach to consent will be challenged.
Now, some insurance people will question why people should get worked up about such a ‘basic’ thing as consent. It’s just what markets like theirs have to do, they say. And they’re both right and wrong.
They’re right in that consent is pretty fundamental to how markets work. After all, the central argument for market economics is based upon the moral legitimacy of consensual transactions.
At the same time, they’re wrong to dismiss concerns about it. After all, consumers should be free participants in markets, able to make choices as to how, when and whether they engage in those markets. Consent lies at the heart of the economic choices we all make. Abuse that choice and market confidence falls.
All this makes consent an important part of the ethics of how businesses work and how they engage with consumers. So why has insurance sector’s handling of consent produced so much mistrust amongst the public?
Insurers have traditionally used the widest form of consent. It reads pretty much as ‘we can use any of your data that we are interested in and do whatever we want with it’. Sure, I understand the sector’s rationale for this, in that risk is increasingly being seen through the lens of character and behaviour. And the data exhaust most of us give out as part of our daily lives has a lot of signals and noise in it about character and behaviour. Insurers need to sift through all that and separate out the signals for use in underwriting, counter fraud and claims decisions.
Latitude for Misuse
Yet the public are saying that such a carte blanche approach to consent carries with it too much latitude for misuse. There’s a feeling that insurers want to have their data cake and eat it, as the saying sort of goes. And such feelings can be seen as a mistrust of the power that sustains that carte blanche approach. In other words, the public have no choice but to sign up to this very wide form of consent before they’ll get even a quote, let alone a policy.
And unfortunately, the public now know that some of that mistrust is, to put it bluntly, justified. The recent pricing review in the UK found that insurers were using personal data for other purposes, such as whether we might be the type of person who would pay a higher renewal premium without looking elsewhere.
Let’s move on and take a look at the weaknesses in the sector’s approach to consent. And let’s do so by reference to the four legs of a table upon which that consent can be visualised as resting.
The first leg of that ‘consent table’ deals with how specific or generic insurers’ consent is typically worded. What the ABI research established was that the public thinks it’s too generic. And in my opinion, they’re right. It is very generic. This is wobbly leg number one.
The second leg of that consent table has to do with how informed that consent can be. Informed consent rests upon a person having a clear understanding and appreciation of the facts and implications of what they’re signing up to, and doing so voluntarily and in possession of all relevant facts. If you take a product like insurance and combine it with a very generic form of consent, then, in my mind, the consent doesn’t seem to be sufficiently informed to the extent that regulations require. To me, this feels like another wobbly leg.
Transparency and Accountability
The third leg of that consent table relates to transparency. One way in which a sector relying on a genetic form of consent can diffuse concerns about that, is to be more transparent about how it handles that consent. What all too often happens however, when calls for transparency on data use are put to the insurance sector, is a vague response centred around the ‘commercial sensitivities’ of that use. In other words, go away.
This is a response that will struggle to reassure, unless it is at the same time counter balanced with what I’ll call the fourth leg of our consent table. This deals with accountability. In other words, we’ll put up with the situation if we can be reassured that there are people within insurers shouting out for consumer interests on data and consent.
I can’t be sure that is happening in insurers to the extent that it visibly delivers reassurance. The problem is that I occasionally hear of data use at an insurer that falls so far outside of what is acceptable, that one wonders what else might be going on. As I said here, the three lines of defence do not seem to be working well at all well with regards to data and algorithms. It feels like… ‘if this is what I am reliably told is happening, what else is happening that I don’t know of?’
There are accountability processes within insurers. Are they more process than accountability? Is there enough accountability across insurers? There are customer voices within insurers. Are they being listened to?
A Crisis of Public Confidence?
I believe that insurers’ handling of consent could moving the sector, slowly but surely, towards a crisis of public confidence. The position of power upon which the sector’s use of very generic consent has relied, could in fact become a vulnerability. Those four legs on our consent table are increasingly turning it into too wobbly a thing for people to trust.
This refrain comes to mind: “well, people will just have to live with it. Insurance is complex and you have to trust the experts.” Yet consider the medical world, with over 60 years of experience of consent. It still publishes hundreds of academic papers each year on the interpretation and use of consent. This is transparency and accountability in action. Insurance however keeps its head down, hoping to just get on with thing in the way the market would prefer to. It’s not that good a basis upon which to play a ‘just trust us’ card.
The lesson for insurers is this. Don’t think of consent as just another compliance procedure or digital opportunity. Instead, see consent as an ingredient to the trust that you want your relationship with the customer to be built around. And shape your approach to consent around that.