Must an Agency Website Contain a Privacy Statement?

A recent question about the use of privacy statements on websites maintained by insurance agencies prompted me to look again at the basic laws that govern when and how such statements must be given to the customers of insurance agencies.  On  the federal level ,there is the Gramm, Leach, Bliley Act (“GLBA”) passed by Congress in 1999 and in Georgia, there is Section 33-39-1, et seq., of the Insurance Code, which was enacted by the General Assembly in 1982 and became effective on January 1, 1984.  The GLBA permits its requirements to be superseded by state laws that impose greater requirements on the giving and contents of privacy statements.

Unfortunately, for Georgia insurance agents, the Georgia law does impose greater requirements than the GLBA on the giving and contents of privacy statements.  Fortunately, the requirements of both laws only apply to “personal information” (Georgia law) and “nonpublic personal information” (GLBA), which means that privacy notices need not be given to insureds or potential insureds who have or are seeking commercial lines coverages that do not involve the collection of personally identifiable information about individuals.  In all cases where such information will be collected by an agency in connection with the obtaining of an insurance coverage, a privacy notice must be given.

Georgia law specifies different times for when such notices must be given in connection with an initial application for insurance, depending on the sources from which personal information about the applicant will be collected before a policy is issued.  If such information will only be collected from the applicant and public records, a privacy notice need not be given until the policy is delivered to the applicant.  If such information will be collected from any other source, a privacy notice must be given when any personal information is first collected about the applicant.

Thus, if an insurance agency has a website that allows a potential customer to get a quote by providing certain personally identifiable information about themselves and before providing that quote, the agency will get any more personal information about the potential customer from a source other than public records, the website must give the customer the required privacy notice when the customer first enters their personal information.  The privacy notice in this situation required by Georgia law is more extensive than the one required by GLBA.  Among other things, that notice must tell the customer of their right to inspect personal information about themselves in the records of an insurance institution, agent, or insurance support organization, to get other information from those entities, and to request a correction of any such information.

The Georgia law requires a privacy notice to be “in writing”.  However, given the subsequent passage of the Georgia Uniform Electronic Transactions Act and the enactment last year of a revised Section 33-24-14 of the Georgia Insurance Code (click here for blog post), which specifically applied the provisions of that Act to the Insurance Code, if the requirements of the Act are met, the required privacy notice can be given electronically on the agency’s website.  Those requirements have been explained in an article I wrote for the Dec Page magazine.  If an agency would prefer not to put a full blown privacy notice on its website, the Georgia law permits an abbreviated notice to be given that informs the customer that (i) personal information may be collected from persons other than the customer, (ii) such information as well as other personal or privileged information subsequently collected by the agency may in certain circumstances be disclosed to third parties without authorization, (iii) a right of access and correction exists with respect to all personal information collected; and (iv) a complete privacy notice will be furnished to the customer upon request.