As California Goes, so Goes the Nation? Part One
Many of you probably read earlier this month that California's Office of Administrative Law ("OAL") approved the California Department of Insurance's ("DOI") proposal to repeal certain privacy regulations. And you yawned. Or you quickly skimmed over it, confident in the knowledge that this is just, well, those crazy Californians (we'll eventually fall into the ocean, so no need to worry).

The California changes actually have greater significance than may be apparent at a quick glance. Although rarely noted in the media coverage, state insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm-Leach-Bliley Act (GLBA), so California's decision to make these changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country.

California's move also contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. While California was the first "mavericky" state to pass data breach legislation (SB 1386) back in the early part of the last decade, many states long ago blew past California in passing and enforcing strict privacy and security regulations (e.g., Massachusetts and Connecticut). While other states have been taking steps over the last few years to strengthen their privacy and security regulations, California has moved in the opposite direction: Governor Schwarzenegger has, on numerous occasions, vetoed legislation that would have enhanced California's breach notification law (to require, for example, notice to California regulators), and now the California DOI has repealed what some might consider to be standard notice and opt-out requirements for insurance agents and brokers.
(Query whether this general trend will change when the Brown administration takes office in January, and/or depending on the ultimate results of the California Attorney General race. But that's fodder for a future post, maybe Part Two of this series.) Many of our followers have asked me to break down this newest California development, so here goes. (The DOI's proposed regulation text is here; the DOI's "Statement Supporting Change Without Regulatory Effect" is here.)
For privacy purposes, California insurance brokers and agents are subject to numerous regulations:
- GLBA (which regulates financial institutions, including organizations that insure, guarantee, or indemnify against loss, harm, damage, illness, disability or death, or provide and issue annuities, and act as principal, agent, or broker for purposes of the foregoing, in any State);
- California's Financial Information Privacy Act (or CalFIPA, as I like to call it, Cal. Fin. Code sections 4050-4060);
- California's Insurance Information and Privacy Protection Act, Cal. Ins. Code section 791 et seq. (let's call it CalIIPPA, just for fun), which operates alongside GLBA (although GLBA is a federal law, state insurance authorities are responsible for enforcing the safeguards and disclosure/opt-out requirements that GLBA imposes on "any person engaged in providing insurance," see 15 U.S.C. § 6805(a)(6)); and
- California's Code of Regulations ("CCRs") promulgated pursuant to CalIIPPA.
With me so far? OK.
CalFIPA section 4056.5(b), which took effect more than six years ago in 2004, permits broker-agents to use nonpublic personal information, without obtaining prior customer consent, to shop for new policies on renewal. However, the older CCRs resulting from GLBA and CalIIPPA (specifically, Section 2689.8(c)(3)) were inconsistent with this: they required agents and brokers to mail privacy policies to all customers annually and to provide an opt-out that, if returned by the customer, prevented the broker-agent from using nonpublic personal information to respond to that customer's request for policy rate quotes.
On November 4, OAL approved changes to the CCRs that repealed Section 2689.8(c)(3). OAL also clarified that all brokers and agents are exempt from sending out their own privacy policies provided that the insurance company issuing the policy has complied with the notification requirements. The amendments took effect immediately.
The insurance industry noted that the changes make the CCRs consistent with CalFIPA and "prevent [consumers] from being bombarded with multiple, identical privacy policies on every insurance product they purchase." Setting aside the question of whether those privacy policies are or should be "identical," there is a legitimate issue, noted on numerous recent occasions by the FTC and privacy advocates in a more general context, as to whether more fine print and pages in privacy policies result in more transparency or just more confusion.
Because the changes to the CCRs were, as reported by the Insurance Journal, "the verbatim result of changes to previously enacted statutory law," the California Administrative Procedure Act did not require the DOI to hold public hearings or otherwise initiate a new rulemaking proceeding. However, the OAL was still required to approve the DOI action in order for the changes to take effect.
It is not clear from the limited press reports whether the other states that, like California, have adopted the National Association of Insurance Commissioners' 1982/1992 Model Act for privacy purposes (Arizona, Connecticut, Georgia, Illinois, Kansas to some extent, Maine, Massachusetts, Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon, and Virginia) have confronted similar inconsistencies between their privacy regulations promulgated pursuant to GLBA, on the one hand, and their other state privacy laws, on the other, or whether they will follow California's lead in resolving any such conflicts.
It is also not clear that the changes will have any real impact on brokers and agents to the extent they serve customers in other states that still require notice and opt-out. But, for those few California brokers and agents that serve only California customers, the amendments are likely to result in significant savings with respect to preparation of privacy notices and effectuating opt-outs.
My primary takeaway from all this - there is a real need for some consistency and predictability in the privacy and security regulatory scheme(s) in this country, as between and among states and industries. Having said that, I don't think the proposed federal legislation currently under consideration gets us there (at least, not beyond some of the proposed breach notification requirements). In the meantime, the business and technology worlds are moving forward.