Privacy Notices May Still Be Required Under Georgia Law

In early December, I wrote a post about a change made to the Gramm-Leach-Bliley Act (the “GLBA”) by Congress at the end of 2015, which created an exemption under that Act from its requirement that notices of an insurance agency’s data sharing and privacy policies be given to its customers on an annual basis.  In preparing for a recent presentation to a group of insurance agents on this subject, I realized that, while my earlier post was correct, it did not take into account the fact that Georgia has a statute that took effect in 1982 that also governs the giving of such notices by insurance agents and companies.  Its provisions were not affected by the change made to the GLBA, and they impose notice requirements that are different from those found in the GLBA.

The Georgia data sharing and privacy policy statute is found in Chapter 39 of Title 33 of the Georgia code.  As with the GLBA, the Georgia statute requires the giving of a data sharing and privacy policy notice to customers and potential customers at the beginning of the relationship, but it does not impose an annual requirement for the giving of such notices thereafter.  Instead, such notices must be given “no later than the policy renewal date” and “no later than the time a request for a policy reinstatement or change in insurance benefits is received” by the agent, with some exceptions.  In both situations, no notice need be given if personal information about the policyholder in connection with the renewal, reinstatement, or change in benefits is obtained only from the policyholder or from public records.  In the case of a policy renewal, no notice need be given if a notice meeting the requirements of the statute was given to the policyholder within the prior 24 months, even if information about the policyholder is obtained from other sources.

Thus, it appears that for customers who have policy renewals, a notice meeting the requirements of the Georgia statute must be given to such customers at least every 24 months, unless information about the policyholder in connection with every renewal during that 24-month period is obtained only from the policyholder or public records.  Fortunately, as with the GLBA, the notice requirement only applies to products and services that are “primarily for personal, family, or household needs”, i.e., personal lines property and casualty and individual life, health, or disability insurance applicants and customers.  In determining whether a particular renewal customer does or does not have to be given a privacy notice, it is important to remember that any previous notice given to such customer must satisfy the requirements of Georgia law, which are not the same as the notice requirements under the GLBA.  Georgia law requires that more information be included in such a notice, including a description of the recipient’s right to submit a written request to the agent for access to their personal information collected by the agent, their right to request that corrections be made to such information, and the way these rights may be exercised.

When I asked my audience how many of their agencies had been giving privacy notices to their customers, only a couple of hands went up.  Apparently, many of them assumed that this requirement was being satisfied by the insurance company.  That is possible under Georgia law if the insurance company is “authorized to act on” behalf of the agency, but it is possible under the GLBA only for entities that are affiliated with each other, i.e., under common ownership or control.

It would be a good idea for all Georgia insurance agents to check their agency agreements to see if those agreements authorize the insurance company to provide the privacy notices required by Georgia law on their behalf.  If not, such a provision should be added or the agency should be prepared to comply with that law, because the Insurance Commissioner has the authority to impose up to a $500 fine for each “knowing violation” of the law (i.e., for each privacy notice that was not sent or did not contain the required information) with a maximum penalty of $10,000.00.


Copyright secured by Digiprove © 2017 Mark Burnette