California’s strong laws dealing with privacy may influence the insurance industry across the U.S.
- Theodore P. Augustinos
- November 2019
For the past year, the California Consumer Privacy Act of 2018 (CCPA) has driven the conversation on privacy in the U.S. Given the CCPA's exemption for personal information collected under the Gramm-Leach-Bliley Act of 1999 (GLBA), the insurance industry (and other financial services firms) may have breathed a sigh of relief.
A close look at the GLBA exemption, however, reveals that insurers, producers and others doing business in California and meeting the statutory thresholds (based on revenues, or on the volume of data collected or sold) must comply with CCPA obligations for any information that is not nonpublic personal information under the GLBA but could reasonably identify a California resident or household.
The exemption is limited. It covers personal information collected under the GLBA and its implementing regulations. (It also extends to information collected under the California Financial Information Privacy Act.) The NAIC Model Privacy of Consumer Financial and Health Information Regulation, promulgated to implement the GLBA for the insurance industry, defines nonpublic personal information to include nonpublic personal financial information and nonpublic personal health information.
Nonpublic personal financial information means any information a consumer provides to a licensee to obtain insurance; about a consumer resulting from an insurance transaction; or that the licensee otherwise obtains about a consumer in connection with providing insurance to that consumer. It also means any list, description or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information not publicly available.
Nonpublic personal health information means health information that identifies or could be reasonably used to identify an individual. Under the CCPA, however, personal information is defined more broadly to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA and the GLBA define “consumer” differently. For CCPA purposes, any California resident is a consumer, while a consumer as defined by the NAIC Model for purposes of the GLBA means an individual who seeks to obtain, obtains or has obtained insurance primarily for personal, family or household purposes. Also, the CCPA extends to information reasonably identified to a household (not just an individual).
The insurance industry collects vast quantities of information that meets the CCPA's broad definition of personal information but not the GLBA's narrower definition of nonpublic personal information, and the CCPA applies to all of it.
A new amendment to the CCPA exempts, for one year, the personal information of employees, job applicants and contractors from all CCPA provisions except the notice provision and the private right of action. Another provides a similar one-year exemption (this one covering the notice provision as well) for a business's collection of the personal information of consumers who are employees, officers, directors or contractors of another entity, in the context of a B2B transaction or relationship.
Insurers, producers and other financial institutions subject to the CCPA must review their data to identify personal information that is not covered by the GLBA exemption. For all personal information under the CCPA except nonpublic personal information under the GLBA, they must prepare for required notices and disclosures, and develop policies and procedures to comply with the CCPA.
Best’s Review contributor Theodore P. Augustinos is a partner at Locke Lord LLP, where he serves on the steering committee of the firm’s Privacy and Cybersecurity Practice Group and leads its CCPA Initiative. He can be reached at email@example.com. Junhan Zhang, a law student at the University of Connecticut School of Law, assisted with this article.