On November 28, 2016, the Georgia Insurance Commissioner’s Office issued a Bulletin, 16-EX-2, that clarified the duty of insurance agencies in Georgia to give annual notices to their customers of their data sharing and privacy policies. In that Bulletin, the Insurance Commissioner’s Office confirmed that it would adopt a change that had been made to the Gramm-Leach-Bliley Act (the “GLBA”) by Congress at the end of 2015. This change created an exemption from the requirement imposed by that Act for certain “financial institutions”, which include insurance agencies, to give their customers an annual notice of their policies on the sharing with other entities of nonpublic personal information they collected about their customers. These notices are commonly referred to as privacy notices.
The giving of privacy notices under GLBA was a very hot topic back around the turn of the century when that law was first enacted. I gave many seminars on who had to give those notices and what they had to contain, but since then I have not heard much about those notices from my clients. Apparently, it has not been something the Insurance Commissioner’s Office and the federal regulatory agencies involved have been that concerned about. I have sometimes wondered how many of my clients were actually giving the required notices every year.
In any event, there is now an exemption from the requirement to give privacy notices. That exemption applies to any insurance agency that shares the nonpublic personal information it collects about its customers only in ways that are explicitly permitted by the GLBA and that has not changed its data sharing policies since its “most recent disclosure sent to consumers in accordance with” the GLBA. An agency that satisfies these two requirements is relieved of the obligation to provide annual privacy notices to its customers until it no longer meets both requirements, i.e., it begins to share nonpublic personal information about its customers in ways that are not explicitly permitted by the GLBA or it otherwise changes its data sharing policies from what was said in the last notice sent to its customers.
The list of ways in which nonpublic personal information is explicitly permitted to be shared under the GLBA is a long one, but the permitted sharing of such information that is most relevant to insurance agencies involves three main areas: marketing, the use of such information to perform the services requested by the customer, and the disclosure of such information to insurance rate advisory organizations or other state or federal regulatory bodies and the agency’s attorneys, accountants, and auditors. Disclosing such information to consumer reporting agencies and in connection with the sale, merger, or other transfer of the ownership of all or a portion of an agency’s business is also permitted. Of course, any such disclosure to which the customer consents is permitted.
The most likely situation where an insurance agency may step over the line, so to speak, and thus be required to give a privacy notice is in connection with its marketing activities. Under the GLBA, an agency can disclose the nonpublic personal information of its customers to parties affiliated with it and to a non-affiliated third party to perform marketing activities for its products or services, if the agency fully discloses to its customers that it is doing so and enters into a contract with the non-affiliated third party that requires the third party to maintain the confidentiality of the information provided to it. If the full disclosure of such information sharing has previously been made by an agency to its customers in a privacy notice, it is no longer required to continue to give such notices every year, unless and until its data sharing practices in this regard or in other ways change.