2005 Insurance Reference Manual

Personal Insurance Federation of California Insurance Reference Book

PRIVACY AND INSURANCE
An Overview.

  • SB 1 (Speier) California Financial Information Privacy Act

  • Fair and Accurate Credit Transactions (FACT Act)

  • Federal Gramm-Leach-Bliley Act (GLBA)

  • Federal Fair Credit Reporting Act (FCRA)

  • California Insurance Information & Privacy Protection Act of 1982 (IIPPA)

Points from the Personal Insurance Federation of California (PIFC)

Insurance companies rely on personal data to identify the needs of potential customers and to serve existing customers. Information sharing is necessary to complete transactions, underwrite policies, service accounts and to extend other special offers and benefits to customers. Among the many benefits that policyholders receive from information sharing are greater convenience, timely service and cost savings. Personal data also reduces consumer exposure to unwanted offers by enabling companies to more appropriately target and match offers to customer needs.

For example, a new policyholder receives inserts in his/her monthly statement for discounts on home safety items or offers for defensive driving safety courses that, if successfully passed, would qualify the policyholder for a substantial decrease in monthly premium payments. Many insurance companies also offer multi-line discounts. To restrict this type of data sharing would impede cross-marketing and deny a policyholder "the benefits from economies of scope captured by most insurance companies. In other words, rather than one-stop shopping and seamless service, a consumer will be forced to contact service providers separately." 1

Federal Privacy Law

A federal law that took effect July 1, 2001 known as the Gramm-Leach-Bliley Act (GLBA) imposed new restrictions on the sharing of non-public personal information by financial institutions such as banks and insurers. It also requires companies to share their privacy policies with customers and to give customers the opportunity to tell the company not to share their information with non-affiliated third parties. In addition, in 2003 Congress passed new legislation known as the Fair and Accurate Credit Transactions Act (FACT Act), extending provisions of the Fair Credit Reporting Act (FCRA) regulating the sharing of consumer report information with affiliated entities. The FACT Act contains language preempting state laws that restrict information sharing with affiliates.

California State Privacy Laws

The insurance industry has been subject to state privacy laws in California since 1980 when the state adopted the National Association of Insurance Commissioners' Model Law, known as the Insurance Information and Privacy Protection Act (IIPPA). This law requires insurers to implement policies and procedures to protect the privacy of their customers.

In recent years the California Legislature has been aggressive in addressing consumers' specific privacy concerns. Since 1999, California has enacted nearly 50 new privacy laws addressing identity theft, telemarketing, medical records, public records and other privacy related issues.

The most significant of these new laws is SB 1 (Speier) which was enacted in 2003, and took effect in July 2004. SB 1 enacts the California Financial Information Privacy Act. The Act requires financial institutions, including insurers, to provide specified notices to consumers regarding the sharing of nonpublic personal information with affiliated companies or with nonaffiliated financial companies with whom the financial institution has contracted to provide financial products and services, and requires the financial institution to give the customer an opportunity to "opt out" of such sharing. The bill requires the permission of the consumer before a financial institution can share nonpublic personal information with other nonaffiliated companies (opt-in). The law provides certain exceptions from these requirements, including where the release is necessary to effect, administer or enforce a transaction, to service an account, to operate a common database among affiliated companies, and for sharing with wholly owned subsidiaries.

The provisions of SB 1 that regulate affiliate sharing have been challenged in federal court on the grounds that they are preempted under the federal FACT Act. The case is currently pending on appeal as of the time of this writing.

In addition to SB 1, new laws adopted in California also include stricter penalties for identity theft, the creation of a statewide "do not call" list that Californians can register with to prevent calls from telemarketers, and the establishment of the Office of Privacy Protection in the state Department of Consumer Affairs to educate and work with consumers and businesses on privacy related issues and to prevent identity theft. 2 (See attached list for descriptions of these laws).

The Debate: Opt-in and Opt-out: Communications Customer Preference

In the privacy bill debates, two terms are often used to describe information sharing policies: "opt-in" and "opt-out." The terms refer to the different methods by which customers may either allow or prohibit the sharing of their personal information, such as basic contact information and product preferences, between affiliated and unaffiliated third parties.

An opt-in regime prohibits the sharing of consumer information unless a company contacts the consumer and obtains express permission otherwise.

If a customer declines to respond to a company's request for permission, the financial institution may not share that customer's information with any third party for any purpose. The financial institution may communicate any number of times with its customer (through phone and email) in order to request the customer's permission to opt-in to information sharing.

An opt-out regime empowers consumers to notify a financial institution with which they do business that it MAY NOT SHARE their information with a third party.

If a customer chooses not to opt-out, the financial institution may provide that information to third parties to offer goods and services. Unlike opt-in, the federal opt-out system that currently regulates financial institutions requires one communication per year from a financial institution to its customer, explaining the manner in which information is shared with third parties and providing the customer the opportunity to prohibit the sharing.

Specific Provisions of Existing Privacy Laws

Delineated below are specific provisions of existing federal and state law regarding privacy.

SB 1 Speier, California Financial Information Privacy Act

  • Prohibits a financial institution from disclosing nonpublic personal information to any nonaffiliated third party unless the financial institution has obtained the consent of the consumer (the consumer has "opted-in").

  • Prohibits a financial institution from discriminating against or denying an otherwise qualified consumer a financial product or service because the consumer has not provided that consent, but does not prohibit a financial institution from offering an incentive or discount designed to elicit a specific response to the notice.

  • Sets forth the specific requirements that the opt-in form utilized to obtain the prior consent must meet.

  • Prohibits a financial institution from disclosing nonpublic personal information to an affiliate unless the financial institution has notified the consumer annually in writing that the information may be disclosed and the consumer has not directed that the nonpublic personal information not be disclosed (has not "opted-out").

  • Provides that information is not disclosed to an affiliate merely because the information is obtained in a common information system or database to which employees and affiliates of the financial institution have access, or because a consumer accesses a Web site jointly operated by the financial institution and its affiliate, provided that where a consumer has exercised the right to opt-out, nonpublic information is not further disclosed or used by an affiliate except as otherwise permitted by this division.

  • Allows the release of nonpublic personal information by a financial institution to another nonaffiliated financial institution with whom the financial institution has a written joint marketing agreement without obtaining the prior consent of the consumer if the following requirements are met: (a) the financial product being offered is a product of at least one of the financial institutions that is a party to the agreement, (b) the product is jointly offered and clearly and conspicuously identifies for the consumer both of the financial institutions disclosing and receiving the information, (c) the agreement includes a confidentiality clause and restricts the disclosure and use of the information to the joint offering of the product that is the subject of the agreement, and (d) the consumer has been given the opportunity to opt-out and has not done so. Allows information to be disclosed pursuant to a preexisting joint marketing contract until January 1, 2005 without having to meet the above requirements.

  • Provides that nothing in this division shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries, or among financial institutions that are wholly owned by the same holding company, or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges, provided that in each instance the companies are regulated by the same functional regulator, are engaged in the same line of business, and share a common brand. Provides that insurance, banking and securities are separate lines of business. Excludes a brand consisting solely of a graphic element or symbol.

  • Provides a conclusive presumption of compliance if the financial institution uses the opt-out notice set forth in the statute. Provides that if the financial institution does not use the statutory form, then they may use an alternative form, provided that the form meets certain specified criteria. Allows a financial institution that uses an alternative form other than the statutory form to submit the form to its functional regulator for approval. Requires that any such alternative forms be filed with the Office of Privacy Protection within 30 days after their first use. Alternative forms approved by the institution's functional regulator and filed with the Office of Privacy Protection prior to July 1, 2007 are entitled to a rebuttable presumption that the form complies with the statute.

  • Requires that the notice be sent as a separate notice, with the GLBA privacy notice, with a bill, application or statement of account, or with any other mailing, in which case it must be the first page of the mailing. States that insurers may combine the form required by this bill with the form required pursuant to Sections 791 et seq of the Insurance Code and implementing regulations.

  • Requires a financial institution with assets in excess of $25 million to include a stamped self-addressed return envelope with the notice. In lieu of paid postage, the institution may provide two alternative cost-free means for a consumer to communicate their privacy choices. Financial institutions with less than $25 million in assets are required to include a self-addressed return envelope but it need not be stamped. Also, notices sent by electronic means that comply with certain specified requirements are not required to include a return envelope.

  • Requires a financial institution to allow 45 days to pass after the first opt-out notice to a consumer before disclosing information. Allows a consumer at any time to direct that their nonpublic personal information not be disclosed. Requires the financial institution to comply with such direction within 45 days of receipt.

  • Sets forth specific requirements for sharing of information with affinity product partners, limiting the types of information which can be shared and requiring that the consumer be given the opportunity to opt-out.

  • Provides express exemptions permitting the release of nonpublic personal information under specified circumstances, including but not limited to, where necessary to effect, administer or enforce a transaction requested or authorized by the consumer, in connection with maintaining or servicing an account, to prevent fraud, for debt collection, to insurance rate advisory organizations, guaranty funds, rating agencies, attorneys, accountants and auditors, for law enforcement purposes, for data processing and mail house services pursuant to a contract, for real estate appraisals, to consumer reporting agencies, and pursuant to a written agreement between a consumer and a securities broker-dealer or a registered investment advisor.

  • Exempts licensed insurance producers acting within the scope of their respective license provided information is not shared with an affiliate or nonaffiliated third party. Provides that it does not limit the ability of insurance producers to respond to requests from consumers and to obtain competitive quotes. Exempts the sharing of nonpublic personal information by an insurer or its affiliate with its exclusive agent.

  • Provides for civil penalties of up to $2,500 per violation for a negligent violation, up to a total of $250,000, and $2,500 per violation for a knowing and willful violation. Provides for doubling of the penalty where a violation results in identity theft. Provides that the civil penalties shall be exclusively assessed and recovered in a civil action brought in the name of the people of the state by the Attorney General or the functional regulator.

  • Preempts all local agency ordinances and regulations relating to the use and sharing of nonpublic personal information by financial institutions. This provision applies prospectively and retroactively.

GLBA Insurance Industry Requirements: (Federal law)

    • Insurers, like all financial institutions, their agents and brokers must notify their customers annually regarding how they will collect and share their customers' non-public personal information.
    • Insurers, agents and brokers must provide an "opt-out" option to their customers if they plan to share personal information with companies not affiliated with the insurance company. "Opt-out" means that customers will receive a notice giving them the opportunity to tell the company they do not want their non-public personal information shared. If so, the customer can sign the "opt-out" notice or call the insurance company and "opt-out" from having their personal information shared with non-affiliated companies.

FCRA Insurance Industry Requirements: (Federal law)

    • While the GLBA permits information sharing among affiliates, the FCRA regulates that sharing.
    • The FCRA permits institutions to share among affiliates their own transaction and experience information with their customers.
    • If an institution wants to share with an affiliate certain consumer report information, the company must first provide the customer with notice of the type of information to be shared, the parties with which it may be shared and the right to "opt-out" of such sharing. If the customer chooses to "opt-out," the consumer report information may not be shared among affiliates.
    • Additionally, the FCRA requires that if a company wants to share with its affiliates the consumer information customers will allow to be shared, it must also include the disclosure in the initial GLBA notice and every subsequent annual GLBA notice.
    • The GLBA and the FCRA provide interlocking limitations on information sharing so that together they regulate the disclosure of a customer's personal information, both to nonaffiliated third parties and between affiliates.

The 2003 federal FACT Act removed the sunset on the FCRA and added new language preempting state laws which seek to regulate affiliate sharing. To the extent that state privacy laws seek to go beyond federal law and regulate affiliate transactions, they are arguably preempted by the FCRA.

IIPPA Insurance Industry Requirements: (State law)

    • Based on the 1982 National Association of Insurance Commissioners Model Law, the IIPPA regulates the information practices of insurers.
    • It requires insurers to implement policies and procedures to protect the privacy of their customers.
    • IIPPA requires insurers or agents to provide a notice of information practices to all applicants or policyholders in connection with insurance transactions. Insurers can comply with the Act by sending a notice of information practices with each new policy and at renewal.
    • The Act also prohibits insurers from disclosing personal or privileged information about an individual without the written authorization of the individual, subject to certain exceptions that are generally necessary to permit insurers to conduct insurance functions such as claim settlement, underwriting, and insurance fraud prevention and investigation.

CDI Regulations

The Insurance Commissioner has adopted new regulations to bring the state law and GLBA requirements into conformity. The regulations took effect on March 24, 2003, and are located at Title 10, California Code of Regulations §§2689.1 through 2689.24. CDI subsequently proposed changes to the regulations which have been noticed but not yet adopted as of the date of this writing.

Conclusion

National uniformity and consistency between state and federal privacy laws is important for consumers and business because financial services and insurance are regulated by both federal and state laws. California state legislators and regulators must decide how restrictive they wish to make state privacy laws in order not to conflict with or contradict federal law. The proponents of legislation that would place severe restrictions on information sharing ignore hearings before Congress which stressed that state insurance regulation should not become an impediment to financial modernization of the insurance, banking and securities businesses in the United States. Measures that prevent the exchange of information between insurance and non-insurance affiliates frustrate the purpose behind the Financial Modernization Act (GLBA) of 1999.

The complexity of the financial services market and the importance of the flow of information to the state's economy make it essential that each California legislative proposal be evaluated for its practical and unintended consequences. Privacy of personal data is important and must be protected. But, the Legislature should balance the desire to protect consumer information with the need to foster free market competition, facilitate economic growth, and enhance the availability and affordability of insurance products and services that benefit all consumers in California.


1 The Potential Economic Impact of "Opt-In" Data Privacy Laws in California, by Peter A. Johnson, PhD, School of International and Public Affairs, Columbia University, January 2002.

2 Financial Services Privacy Coalition, the California Chamber of Commerce, April 2002.
