
Cookie Consent for Insurance Websites

Insurers are financial institutions under GLBA and regulated by 50 state insurance departments, and their quote forms collect health and financial data. Here's how to run cookie consent on an insurance site without leaking regulated information.

An auto-insurance quote form asks for your address, vehicle, driving history, and sometimes prior claims. A life or health quote asks about your age, medical conditions, and sometimes tobacco use. That's financial and health data collected through a web form, and it lands an insurer in one of the most heavily regulated corners of US privacy law: the Gramm-Leach-Bliley Act, 50 state insurance departments, and, for health lines, the edge of HIPAA.

Cookie consent on an insurance site isn't a formality bolted onto a marketing page. It's part of how you keep advertising and analytics scripts away from the regulated data those quote forms collect. This guide covers the rules that apply and the practical steps that follow.

The three rulebooks insurers answer to

Insurance data privacy runs on layered regulation, and a website touches all of it.

  • GLBA. Insurers are financial institutions under the Gramm-Leach-Bliley Act, so they must give privacy notices, protect nonpublic personal information (NPI), and offer opt-outs of certain data sharing. Data collected through online interactions, including cookies, counts as part of that NPI picture.
  • State insurance law. Insurance is regulated at the state level. The NAIC Insurance Data Security Model Law (#668), adopted by most states, requires a written information security program and breach notification to the state commissioner. The NAIC is also drafting amendments to its consumer privacy model (targeted for public comment in early 2026) that address consumer consent, third-party obligations, and limits on selling NPI and disclosing sensitive personal information.
  • State privacy laws. California's and the other state consumer privacy laws layer on consumer rights, sensitive-data rules, and opt-outs of sale/sharing and targeted advertising, on top of any GLBA exemption. Health-related inferences are treated as sensitive data.

The practical read: marketing and analytics cookies need consent (opt-in in the EU/UK, opt-out with a Do Not Sell or Share path in US states), while cookies that run the quote engine, authentication, and fraud checks are necessary.

Quote forms are the highest-risk surface

The quote flow is where an insurance site collects its most sensitive data, and where a careless pixel does the most damage. Advertising and session-recording scripts can capture field values as they're typed. On a health or life form, that means a marketing tag potentially ingesting medical information; on any insurance form, it means NPI flowing to a third party you never authorized to receive it.

  • Keep marketing tags off the quote flow. Block advertising, session-recording, and analytics scripts on quote and application pages until consent, and confirm they don't capture form fields even after consent.
  • Server-side, not client-side, for lead events. Send "quote started" and "policy bound" conversions server-to-server with only the fields you're allowed to share, rather than letting a browser pixel scrape the whole form.
  • Scan the quote pages specifically. They carry different tags than your content pages. A cookie scan across the application funnel catches lead-vendor and rater-integration cookies you may not know are firing.

Health insurers and the pixel problem

Health lines sit on a sharper edge. A health insurer that's a HIPAA covered entity handles protected health information, and US regulators have taken a hard line on tracking technologies on pages that reveal health information. Advertising pixels that transmit health-related browsing to ad platforms have driven a wave of enforcement and litigation against healthcare organizations. An insurer running a health-plan shopping experience should assume the same scrutiny applies.

The safe posture: no third-party marketing or analytics tracking on pages where a visitor's health condition, treatment interest, or plan selection could be inferred, unless you have a valid legal basis and, where required, a business associate agreement with the vendor. Our HIPAA and cookie consent guide covers the pixel-tracking rules healthcare organizations face, most of which map directly onto health insurers.

Agencies, carriers, and shared responsibility

Independent agencies and brokers add a layer. An agency site often embeds carrier rating tools, comparison raters, and lead-generation platforms, each setting its own cookies on the agency's domain. Under both GLBA and state law, the agency is responsible for the data flows it puts on its own site, and it needs contracts with those vendors that govern how consumer data is handled.

Two things to get right:

  • Vendor cookies are your consent responsibility. A rater or comparison widget that drops analytics or advertising cookies on your domain needs to sit behind consent, because you chose to embed it.
  • Have the contracts. Where a vendor processes personal data on your behalf, you need a data processing agreement (or its GLBA-context equivalent) that limits use and sharing. Our data processing agreements guide covers what to look for.

How CookieBeam handles insurance sites

CookieBeam manages the consent and tracking layer. It doesn't build your GLBA security program or your NAIC information-security policy, but it targets the web-side risks that program has to account for.

  • Script blocking that protects quote data. Marketing, analytics, and session-recording scripts stay blocked until consent, so they can't ingest data typed into quote and application forms. The quote engine, authentication, and fraud cookies run regardless, so the funnel never breaks.
  • Scanning across the application funnel. The scanner crawls quote, rater, and application pages and flags new cookies and outbound connections when a carrier or lead-vendor integration changes.
  • US opt-out plus EU opt-in. A working Do Not Sell or Share link, Global Privacy Control handling, and geo-targeted regional consent so one configuration serves both models, with sensitive-data (health inference) handling built into the rules. See our sensitive data guide for why that matters.
  • Durable consent records. Timestamped logs of what each visitor agreed to, which supports both a GLBA audit and a state examination. Our consent logging guide covers what a defensible record looks like.
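The two rules above that a browser can enforce, keeping marketing tags off the quote funnel and serving the US opt-out and EU opt-in models with GPC honored, plus the server-side allowlisting of lead-event fields from the quote-form section, as one added example. This is illustration code, not CookieBeam's implementation; the funnel path pattern, the region model, the consent-record shape and the allowlisted field names are assumptions.

```javascript
// Added example, not CookieBeam code. Assumed: quote/application pages live
// under /quote, /apply or /application; consent is stored as { marketing: bool };
// region and GPC are read elsewhere and passed in as signals.

// Quote and application pages never get marketing or analytics tags, even
// after consent, so a pixel cannot ingest fields typed into the form.
const QUOTE_FUNNEL = /^\/(quote|apply|application)(\/|$)/;

// Fields an assumed vendor contract permits in a server-side lead event.
// Driving history, VIN, medical conditions and similar NPI are not listed.
const ALLOWED_EVENT_FIELDS = new Set(["quote_id", "product_line", "state", "zip"]);

// Decide whether a marketing/analytics tag may load on this page view.
//   consent: { marketing: true | false | undefined } from the stored consent record
//   signals: { region: "eu" | "us", gpc: boolean, path: string }
function marketingTagAllowed(consent, signals) {
  if (QUOTE_FUNNEL.test(signals.path)) return false;             // funnel pages: never
  if (signals.region === "eu") return consent.marketing === true; // EU/UK: opt-in only
  if (signals.gpc) return false;                                 // GPC = Do Not Sell or Share
  return consent.marketing !== false;                            // US: allowed unless opted out
}

// Gate a tag loader behind the decision; returns true only when the tag loaded.
function loadMarketingTag(consent, signals, injectScript) {
  if (!marketingTagAllowed(consent, signals)) return false;
  injectScript(); // e.g. append a <script> element in a real page
  return true;
}

// Build the server-to-server conversion payload ("quote started", "policy bound").
// Only allowlisted fields survive; everything else is reported as dropped so the
// caller can log what the form tried to send.
function buildLeadEvent(eventName, formData) {
  const event = { event: eventName };
  const dropped = [];
  for (const [field, value] of Object.entries(formData)) {
    if (ALLOWED_EVENT_FIELDS.has(field)) event[field] = value;
    else dropped.push(field);
  }
  return { event, dropped };
}
```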

Checklist for insurance websites

  1. Classify cookies against GLBA and state law. Marketing and analytics need consent; quote engine, auth, and fraud are necessary.
  2. Keep marketing tags off quote and application forms. Block them until consent and confirm they don't capture fields.
  3. Treat health lines like HIPAA. No third-party marketing tracking on pages that reveal health conditions or plan selection without a valid basis and vendor agreement.
  4. Own your vendor cookies. Raters, comparison widgets, and lead platforms on your domain sit behind consent and need contracts.
  5. Ship US opt-out and honor GPC. Retargeting counts as sharing or sale under state law.
  6. Handle health inferences as sensitive data. That raises the consent bar in most state laws.
  7. Log consent and scan the funnel continuously. Keep records for examinations and catch integration drift early.