Skip to Content

Spring Is Hot for State Privacy Legislation
May 05, 2021
It’s a hot spring for state privacy legislation. Privacy bills are pending in roughly 20 states, and while Gramm-Leach-Bliley Act (GLBA) exemptions may act as a cool breeze in some, issues remain:

  • Some states’ legislation has no GLBA exemption.
  • Some states’ legislation only contains a data-level exemption, meaning non-GLBA data would be subject to the states’ privacy requirements.
  • Even those states’ legislation that contains such an entity-level exemption will not insulate insurers from contractual obligations imposed by third parties who are subject to the legislation.

Virginia is the first state to follow California’s lead in adopting comprehensive privacy legislation, but its Consumer Data Protection Act has an entity-level GLBA exemption preventing any direct application to insurers. California, at work again, amended its Consumer Privacy Act (CCPA) by adopting the California Privacy Rights Act (CPRA), effective January 1, 2023. Below is a summary of the CPRA’s impact on insurers and the scope of the GLBA exemptions in pending legislation.

Some of the CPRA’s key impacts on insurers include:

  1. Clarifying the scope of the GLBA exemption by revising the exemption to cover “personal information collected, processed, sold, or disclosed subject to,” (rather than “pursuant to”) the GLBA or the California Financial Information Privacy Act.
  2. Expanding the private right of action insurers would face following breaches where the insurer failed to provide reasonable security to protect personal information.
  3. For non-exempt data, insurers will need to:
    • Update California privacy notices to address a new category of PI, “sensitive personal information,” and provide a right to opt out of its sharing. “Sensitive personal information” includes information such as Social Security number, driver’s license information, financial account information, race, ethnicity, religion, biometrics, and health information.
    • Revisit/revise vendor relationships/contractual requirements related to consumer data.
    • Implement data minimization.
    • Address new requirements for “cross-context behavioral advertising” (advertising targeting consumers based on their PI obtained from the consumer’s activity across businesses, websites, applications, etc., other than those with which the consumer intentionally interacts).

.

Pending Privacy Legislation

State Law/ Bill

Scope of GLBA Exemption

GLBA Exemption

AL HB 216

Data-level

PI collected, processed, sold, or disclosed pursuant to GLBA

AZ HB 2865

Data-level

Data sets regulated by GLBA

CO SB21-190

Data-level

PI collected, processed, sold, or disclosed pursuant to GLBA, if collection, processing, sale, or disclosure is in compliance with GLBA

CT SB 893

Entity-level

Financial institution or data subject to Title V of GLBA

FL HB 969

Data-level

PI collected, processed, sold, or disclosed pursuant to GLBA

FL SB 1734

Data-level, but Sen. Bradley has suggested that it may function as entity-level

PI collected, processed, sold, or disclosed pursuant to GLBA

IL HB 3910

Limited data-level

PI collected, processed, sold, or disclosed in accordance with GLBA or the Illinois Banking Act (except for private right of action given to consumers whose PI is breached due to business’s failure to implement and maintain reasonable security)

KY HB 408

Entity-level

A financial institution or an affiliate of a financial institution that is subject to GLBA

MD SB 0930

Data-level

PI collected, processed, sold, or disclosed under GLBA

MA SD 1726

None

N/A

MN HF 1492

Data-level

PI collected, processed, sold, or disclosed pursuant to GLBA, if collection, processing, sale, or disclosure is in compliance with GLBA

MN HF 36

None

N/A

NJ AB 5448

Entity-level

A financial institution or an affiliate of a financial institution that is subject to GLBA

NY A 680

Data-level

Data to the extent regulated by GLBA

NY SB 567

None

N/A

NY p. 148 of PPGG Bill

Data-level

PI collected, stored, or otherwise used in accordance with GLBA

OK HB 1602

Data-level

PI collected, processed, sold, or disclosed in accordance with GLBA

TX HB 3741

Data-level

PI processed in accordance with GLBA

UT SB 200

Entity-level

Financial institution or affiliate of same governed by Title V of GLBA

WA HB 1433

None

N/A

WA SB 5062

Data-level

PI collected, processed, sold, or disclosed pursuant to GLBA, if collection, processing, sale, or disclosure is in compliance with GLBA

WV HB 3159

None

N/A

 

Time will tell how many of the above bills pass, the modifications they will undergo before passage, and whether federal legislation, such as the Information Transparency and Personal Data Control Act introduced in Congress by Rep. Suzan DelBene (D-Wash.), which specifically preempts state privacy laws, will pass and nullify them all.
Authored By
Image: Ann Young Black
Ann Young Black
Image: Patricia M. Carreiro
Patricia M. Carreiro
Related Practices
Financial Services Regulatory Cybersecurity and Privacy Life, Annuity, and Retirement Solutions
Related Industries
Life, Annuity, and Retirement Solutions Securities & Investment Companies Life, Annuity, and Retirement Solutions
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.