Somewhere between your last road trip and your next insurance renewal, a file was updated. You didn’t update it. You didn’t authorise it, at least not in any way that felt like a meaningful decision. A data broker — one whose name you have probably never heard — received information from a connected system, processed it through a proprietary model, attached it to your consumer profile, and made it available to insurance companies who use it to determine what you pay for coverage. This process happened automatically, continuously, and at scale. It happened to you and to approximately 330 million other Americans, and the vast majority of them have no idea it’s occurring.
This is the data rights economy in its most consequential form — not the abstract philosophical debate about whether data is the new oil, but the very concrete question of who owns the specific information that determines whether you can afford home insurance, what you pay for auto coverage, and whether a health claim gets approved. In 2026, that question has become urgent in ways that years of privacy advocacy never quite managed to make it, because the pipeline from your personal data to your insurance premium is now shorter, faster, and less visible than at any previous point in the industry’s history.
The Pipeline Nobody Explained to You
Start with what actually flows into an insurance pricing decision in 2026, because the list has grown well beyond what most policyholders assume. Insurers now collect a vast range of personal and sensitive data including name, address, phone number, date of birth, employment status, full claims history, financial data including credit check information, and sensitive categories such as health records. Core privacy principles under GDPR Article 5 — purpose limitation, data minimisation, storage limitation — require that data be collected only for specific legitimate reasons and processed only to the extent strictly necessary. Those principles describe what the law requires. The gap between that requirement and what is operationally happening is where the consumer’s real exposure lives- Artificial Lawyer
LexisNexis C.L.U.E. — Comprehensive Loss Underwriting Exchange — is a claims information exchange operated by LexisNexis Risk Solutions. It collects and reports up to seven years of auto insurance claims and seven years of home insurance and personal property claims to help inform pricing and underwriting decisions for the insurance industry. LexisNexis also collects and reports driving behaviour data through its Telematics OnDemand product for auto insurance pricing. What the CFPB’s formal description of this product doesn’t capture is the consumer experience of discovering it — which, for a growing number of drivers, looks like opening an insurance renewal notice and finding a premium 20% higher than the previous year, with no explanation attached – For the People
One consumer filed a complaint with the Consumer Financial Protection Bureau after their car insurance prices rose following data collection they never authorised. The complaint reads: “LexisNexis provided incorrect information to my insurer, and my car insurance is elevated because of this. I never consented to them having my information, nor do I currently consent to them having any information on me. They are legally obligated to provide correct information when selling someone’s data. I demand that they correct this report so that my car insurance returns to the cost it should be.” The complaint is illuminating not because it’s unusual but because it’s representative. The car salesman had enrolled this driver in a connected vehicle subscription without explaining that the subscription was also a data pipeline. The data flowed to a broker. The broker sold it to an insurer. The insurer raised the premium. The consumer found out months later and had almost no practical recourse –Â Datatechandtools
This is the architecture of the data rights economy applied to insurance: a multi-party system in which you are simultaneously the subject of the data, the indirect source of it, and the last to know it was collected. As our analysis of telematics insurance privacy risks and what your car is really tracking documents in detail, the GM OnStar case made this pipeline undeniable — 14 million vehicles, driving data sold to LexisNexis and Verisk, premiums raised without disclosure. The FTC settlement that followed was significant. But it addressed one company’s conduct, not the structural architecture that made that conduct possible and profitable.
What Data Brokers Actually Hold — And What You Can Claim Back
The concept of a consumer disclosure report exists precisely because the regulatory framework governing data brokers acknowledges that people have some right to know what is being said about them. The enforcement of that right is considerably less robust than its existence suggests.
LexisNexis Risk Solutions provides information solutions to businesses and government that help predict and manage risk. Its customers use its products to verify identities, quote insurance rates, and offer government-assisted benefits. The information provided about consumers has been collected from public record sources, publicly available data, proprietary data, and information from third-party data sources. The practical consequence of that last sentence is significant: the data in your LexisNexis file was not collected only from sources you knowingly provided. It was assembled from a constellation of inputs — property records, court filings, connected vehicle services, financial transactions, and third-party data purchases — that you had no direct relationship with and in many cases no awareness of – Vonage
In May 2025, LexisNexis Risk Solutions disclosed a data breach affecting more than 364,000 people — a breach of a database holding the kind of personal information that feeds insurance pricing decisions across the country. The breach is relevant not just as a cybersecurity event but as a data rights event: it demonstrated, at scale, that the information being compiled about consumers without their meaningful knowledge or consent is also being stored in systems that can fail, be compromised, and expose that data to actors whose interests are directly adverse to the people it describes – GlobeNewswire
The practical tools available to consumers right now are more powerful than most people know they have. You can request your LexisNexis Consumer Disclosure Report online at consumer.risk.lexisnexis.com — this report includes real estate transaction and ownership data, lien and bankruptcy records, professional licence information, historical addresses, and driving behaviour data collected through connected vehicle services. Under the Fair Credit Reporting Act, LexisNexis must provide this report free once per year and within fifteen days of receiving a written request. If the report contains errors — and complaints to the CFPB suggest this is not rare — you have the right to dispute them, and LexisNexis is legally obligated to investigate and correct inaccurate information – Columbia Undergraduate Law Review
You can also permanently opt out of the LexisNexis prescreened offers list — the list it sells to insurance companies for direct marketing purposes — by completing the opt-out form at the LexisNexis Consumer Center. The LexisNexis Consumer Center can be reached toll-free at 866-490-1920. Note that opting out of LexisNexis’s list does not remove you from Equifax, TransUnion, or Experian lists, which require a separate opt-out call to 888-567-8688. These are real, legally enforceable rights that most Americans have never exercised because the existence of the underlying data ecosystem was never clearly disclosed to them – Norton Rose Fulbright
The broader question of how AI algorithms transform this raw data into insurance pricing decisions — and where the fairness failures in that transformation are documented — is examined in our companion piece on AI bias in insurance and whether algorithms discriminate against consumers, where the proxy discrimination mechanism is explained in full: how a model that never explicitly references race can still produce racially disparate outcomes at scale, through variables like ZIP code and credit score that correlate with protected characteristics.
The Regulatory Patchwork Trying to Catch Up
The legislative response to the data rights economy in insurance is genuinely active in 2026, though it remains deeply fragmented across jurisdictions — which means that your level of protection depends heavily on which state you live in and which insurer you use.
California’s Insurance Consumer Privacy Protection Act of 2025 — SB 354 — specifically targets the insurance industry with privacy protections that exceed California’s general CCPA and CPRA frameworks. The ICPPA establishes a unique regulatory framework with enforcement under the California Department of Insurance rather than the California Privacy Protection Agency, creating industry-specific oversight. Colorado enacted HB26-1091 in its 2026 regular session, establishing personal data privacy protections specifically for homeowner’s insurance transactions — setting standards for how insurers, producers, and surplus line insurers may use consumer personal data in that context – Damiencharlotin
At the federal level, the Consumer Data Privacy and Security Act of 2026 — introduced as Senate Bill 4211 — would establish a national framework that includes the right to know what personal data is being collected, individual control over that data, security requirements, and enforcement mechanisms. The bill establishes a Right to Know provision allowing consumers to request disclosure of what personal data is being collected and how it is being processed, and Individual Control provisions that require covered entities to obtain meaningful consent before collecting or selling personal data that materially affects an individual’s eligibility for credit, employment, or insurance. The bill has not yet been enacted, and its path is uncertain — but its introduction reflects legislative recognition that the current patchwork is inadequate – Tech Life Future
The NAIC’s Insurance Data Privacy Working Group is currently drafting amendments to the Insurance Information and Privacy Protection Model Act that cover consumer rights, consent, notification, third-party contractual obligations, limits on sale of nonpublic personal information, and disclosure of sensitive personal information. The working group expects to release a full draft for public comment by early 2026, with adoption by state legislatures to follow on varying timelines. The NAIC model act process is slow, state adoption is voluntary, and the insurance industry has consistently lobbied against the most prescriptive consumer-rights provisions. But the direction is clear: the data broker ecosystem feeding insurance pricing is now a primary target of privacy regulation, not a peripheral concern. – Thebulldog
The embedded insurance dimension of this deserves explicit mention. When you accept coverage through an app, a checkout page, or a digital wallet, the consent you give — typically through a pre-checked box and a linked privacy policy — is also consent for data collection that feeds back into your broader consumer profile. Regulatory non-compliance in data protection now carries penalties significant enough to threaten insurers’ operations: fines for GDPR violations, DORA operational resilience requirements, and AI Act obligations for high-risk algorithmic systems. Loss of customer trust, when it becomes concrete through incidents like the GM OnStar scandal, creates churn that is equally existential for business models built on embedded distribution. Our coverage of embedded insurance and the hidden data collection inside apps and checkout pages maps the consent architecture of these products and what data flows through checkout moments that most consumers never scrutinise – Embroker
The comprehensive picture of how all of these elements — AI underwriting, data brokers, algorithmic bias, embedded products, and telematics surveillance — fit together as a system is the subject of our pillar piece on the algorithmic insurance economy and how AI is reshaping risk, pricing, and consumer rights in 2026. The data rights question is the moral axis around which that entire system rotates: whose interests does it serve, who bears the cost of its errors, and whether the people whose data makes the system run have any meaningful say in how it operates.
The moral dimension of this has been addressed at the highest institutional level. Pope Leo XIV’s Magnifica Humanitas, released May 25, 2026, warns explicitly against what it calls “new monopolies of AI” — the concentration of data and algorithmic power in the hands of a few entities. The document argues that “technology is never neutral, because it takes on the characteristics of those who devise, finance, regulate, and use it” — and that AI systems operating in consequential domains like insurance must be governed by shared standards of social justice, not merely by market efficiency. What the encyclical identifies as a moral concern is, in the data rights economy, also a structural one: when the same companies that collect your data also build the models that price you and also lobby against the regulations that would make that pricing transparent, the accountability gap is not incidental to the system. It is the system. Our piece on what Magnifica Humanitas means for insurance, algorithms, and human dignity situates that moral framework within the practical insurance context where it lands with the most force.- MoneyGeek
Frequently Asked Questions
In most jurisdictions, you do not legally own your personal data in the same way you own property. What you have are rights — rights to access, correct, and in some states delete or restrict the use of data held about you. The data used to set your insurance premium typically flows from multiple sources: your insurer’s own records, consumer reporting agencies like LexisNexis (which holds your CLUE report), your credit bureau file, connected vehicle data if your car is enrolled in a telematics programme, and third-party data brokers who compile consumer profiles from public records and purchased datasets. None of these entities are required to proactively inform you that they hold your data or how they are using it — the obligation runs the other way: you must request the disclosure, and they must respond within legally defined timeframes.
A CLUE report — Comprehensive Loss Underwriting Exchange — is a consumer report maintained by LexisNexis Risk Solutions that records up to seven years of your auto and home insurance claims history. Insurers use it to assess risk before quoting a premium or issuing a policy. LexisNexis also maintains a Telematics OnDemand product that collects and reports driving behaviour data from connected vehicles for auto insurance pricing. If your CLUE report contains errors — including claims made by previous owners of your home, or data incorrectly attributed to your vehicle — those errors can raise your premium without your knowledge. You are entitled to one free CLUE report per year under the Fair Credit Reporting Act, available at consumer.risk.lexisnexis.com. If errors are found, you have the right to dispute them and LexisNexis is legally required to investigate.
Partially, and with meaningful limitations. You can opt out of LexisNexis Risk Solutions’ prescreened offers list — which is used to market insurance products to you — by completing the opt-out form at consumer.risk.lexisnexis.com or calling 866-490-1920. This does not remove you from Equifax, TransUnion, or Experian prescreened lists, which require a separate opt-out call to 888-567-8688. In California, SB 354 — the Insurance Consumer Privacy Protection Act of 2025 — gives policyholders additional rights to restrict sale of their nonpublic personal information. In Colorado, HB26-1091 establishes data privacy protections specifically for homeowner’s insurance transactions. If your insurer or connected vehicle provider has enrolled you in a telematics programme, you typically have the right to withdraw from that programme, though this may affect any discount associated with participation.
At the federal level, the Fair Credit Reporting Act governs how consumer reporting agencies — including LexisNexis, Verisk, and the major credit bureaus — collect, maintain, and disclose consumer information used in insurance decisions. It gives you the right to request disclosure of your file, dispute inaccurate information, and receive notice when an adverse action is taken based on your consumer report. The Consumer Data Privacy and Security Act of 2026 (Senate Bill 4211), introduced in the 119th Congress, would significantly expand these protections — establishing rights to know, individual control over data use, and security requirements — but has not yet been enacted. The NAIC is separately developing amendments to the Insurance Information and Privacy Protection Model Act, expected for public comment in early 2026, which would establish consent requirements, limits on data sale, and disclosure obligations specifically for the insurance sector.
Request three reports: your CLUE auto and home report from LexisNexis at consumer.risk.lexisnexis.com, your credit report from all three bureaus at annualcreditreport.com, and if you drive a connected vehicle, your LexisNexis Telematics OnDemand report, which shows what driving behaviour data has been collected and reported. Compare what each report says against your actual claims and driving history. If you find discrepancies — including claims you didn’t make, accidents incorrectly attributed to your vehicle, or driving scores generated from data you never consented to share — file a dispute directly with LexisNexis and, if unresolved, submit a complaint to the CFPB at consumerfinance.gov/complaint or your state insurance commissioner. The FTC’s action against GM and OnStar established that inaccurate data resulting in premium increases creates a legally cognisable consumer harm — which means documented errors are disputable, not just unfortunate.
The Bottom Line
The data rights economy isn’t a future problem. It is the present operating reality for every person who owns a connected car, has ever filed an insurance claim, carries a credit score, or lives at an address with a property history. The information that determines your premium was assembled without your active participation, is held by entities you have never directly interacted with, is processed by AI models you cannot inspect, and can raise the cost of your coverage without triggering any obligation to inform you that it happened.
The Colorado AI Act, effective 2026, requires AI systems developers to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination in high-risk systems — including insurance underwriting. State privacy laws across 20-plus jurisdictions now establish consumer rights to know, correct, and restrict their data. The direction of travel is clear, even if the pace is insufficient. – Dataversity
The tools to begin reclaiming your data rights exist today: request your CLUE report, check your telematics file, read your insurer’s data-sharing provisions at renewal, and understand that the premium you pay is downstream of a data pipeline you have both the right and the means to examine. You may not own the data. But you have more rights over it than the industry has been motivated to explain.
This topic is pretty relevant these days. How do you think consumers can better protect their data in the insurance industry?