Almost three years ago, I wrote a post titled, “Must an Agency Website Contain a Privacy Statement?“. My conclusion was that such a statement was required only if the website could be used to collect “nonpublic personal information” about someone who visited it. This would be the case, for example, if a potential customer could obtain a quote by submitting personal information to the agency through its website.
The Office of the General Counsel of the Independent Insurance Agents and Brokers of America (“IIABA”) has recently issued a memorandum that states the website of every insurance agency should contain a privacy statement or notice. This regardless of whether any “nonpublic personal information” is collected. The reasons given are a more expansive interpretation of the Graham-Leach-Bliley Act (“GLBA”) by regulators and the recent passage of a regulation in New York and a law in California that impose such a requirement with respect to agencies doing business within those states. The California law does not take effect until January 2020, so for those agents who have customers in that state, there is plenty of time to satisfy its requirements. In addition, the National Association of Insurance Commissioners (“NAIC”) has recently adopted a model law on data security that contains such a requirement. It is likely only a matter of time until that law is adopted by many states (South Carolina has already done so), as that is usually what happens with NAIC model laws.
Given the likely adoption of a specific requirement for privacy notices on agency websites by more states and the increasing level of public concern about data breaches, it makes sense for all agencies to take this step. Such a notice would inform their customers and potential customers up front about how any personal data they may provide the agency will be handled. The lack of a privacy notice may indicate that an agency is not serious about protecting such data.
The sample notice should also be modified to take into account Georgia’s more extensive requirements for the contents of a privacy notice. As noted in my previous blog post, Georgia law requires, among other things, that a privacy notice must tell the customer of their right to inspect personal information about themselves in the records of an insurance institution, agent, or insurance support organization, to get other information from those entities, and to request a correction of any such information. A good place to start in creating an appropriate privacy notice for an agency’s website would be to use the privacy notice that an agency has been giving its customers already as a template for the website notice.