Bill Text


AB-981 Insurance Information and Privacy Protection Act. (2019-2020)

Date Published: 04/30/2019 09:00 PM

Amended  IN  Assembly  April 30, 2019
Amended  IN  Assembly  April 12, 2019
Amended  IN  Assembly  April 04, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill No. 981


Introduced by Assembly Member Daly

February 21, 2019


An act to amend Section 1798.145 of the Civil Code, and to amend Sections 791.01, 791.02, 791.04, 791.06, 791.08, 791.09, and 791.13 of, and to add Sections 791.24, 791.25, 791.30, and 791.31 to, the Insurance Code, relating to insurance.


LEGISLATIVE COUNSEL'S DIGEST


AB 981, as amended, Daly. Insurance Information and Privacy Protection Act.
(1) Existing law generally regulates the business of insurance in the state. Existing law, the Insurance Information and Privacy Protection Act, establishes privacy standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents, or insurance-support organizations that meet specified criteria. Under existing law, those insurance institutions, agents, and insurance-support organizations are exempted from the Confidentiality of Medical Information Act and specified consumer credit reporting laws. Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to the consumer’s personal information that is held by a business, including the right to know what personal information is collected by a business, to have personal information held by that business deleted, and to direct a business to not sell the consumer’s personal information, as specified.

This bill would additionally exempt insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act applies from the California Consumer Privacy Act of 2018, except as specified.

This bill would eliminate a consumer’s right to request a business to delete or not sell the consumer’s personal information under the California Consumer Privacy Act of 2018 if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.
(2) Existing law requires an insurance institution or agent to provide a notice of information practices to all applicants or policyholders in connection with insurance transactions, as specified. Existing law prohibits an insurance institution, agent, or insurance-support organization from utilizing as its disclosure authorization form, a form or statement that authorizes the disclosure of personal or privileged information unless the form or statement meets specified requirements, including, among other things, that it be written in plain language, specifies the nature of the information authorized to be disclosed, and specifies the purposes for which the information is collected.
This bill would require the notice of information practices to also be provided to the general public and would require the notice to include the categories of personal information to be collected and purposes for which the categories of personal information will be used. The bill would also require an insurance institution or agent to provide a clear and conspicuous notice that accurately reflects its privacy policies and practices, as specified. The bill would require the disclosure authorization form to set forth reasonable means by which an individual may exercise the right to opt out of any disclosures.
The bill would require an insurance institution, agent, or insurance-support organization to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of policyholder information. The bill would require the information security program to, among other things, ensure the security and confidentiality of policyholder information and protect against any anticipated threats or hazards to the security or integrity of policyholder information.
(3) Existing law, the California Consumer Privacy Act of 2018, among other things, prohibits a business from selling the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. Under existing law, a business that willfully disregards the consumer’s age is deemed to have had actual knowledge of the consumer’s age.
This bill would enact similar provisions in the Insurance Information and Privacy Protection Act to prohibit an insurance institution, agent, or insurance-support organization from selling the personal information of an insured if the insurance institution, agent, or insurance-support organization has actual knowledge that the insured is less than 16 years of age, unless the insured, in the case of an insured between 13 and 16 years of age, or the insured’s parent or guardian, in the case of an insured who is less than 13 years of age, has affirmatively authorized the sale of the insured’s personal information. Under the bill, an insurance institution, agent, or insurance-support organization that willfully disregards an insured’s age would be deemed to have had actual knowledge of the insured’s age.
(4) Existing law prohibits an insurance institution, agent, or insurance-support organization from disclosing any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is, among other things, with the written authorization of the individual, reasonably necessary to enable the person to perform a business, professional, or insurance function for the insurance institution, agent, or insurance-support organization or insured, or the disclosure is made for the purpose of conducting actuarial or research studies.
This bill would define “research” for purposes of those provisions to mean scientific, systematic study and observation. The bill would prohibit an insurance institution, agent, or insurance-support organization from unfairly discriminating against an applicant or policyholder because that applicant or policyholder has opted out from the disclosure of nonpublic personal information or has not granted authorization for the disclosure of nonpublic personal medical record information.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 (a) The Legislature finds and declares all of the following:
(1) The business of insurance requires the collection, maintenance, and analysis of information in order to perform the most basic insurance functions, including ratesetting, underwriting, claims handling, fraud detection, and investigation.
(2) Insurers are obligated to protect all personal information collected, and that obligation has been recognized in California law beginning with the enactment of the Insurance Information and Privacy Protection Act (IIPPA) in 1980.
(3) The obligation to protect personal information was expanded in 2003 as part of an extensive set of privacy regulations adopted by the Insurance Commissioner.
(b) It is the intent of the Legislature to harmonize the consumer privacy protections contained in the California Consumer Privacy Act of 2018 with the requirements of conducting the business of insurance and long-established protections in the IIPPA and its implementing regulations.

SEC. 2.

 Section 1798.145 of the Civil Code is amended to read:

1798.145.
 (a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:
(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
(6) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) (1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
(f) Sections 1798.105 and 1798.120 shall not apply to the extent it is necessary to retain or share a consumer’s personal information to complete an insurance transaction for a product or service, as defined in subdivision (m) of Section 791.02 of the Insurance Code, that has been requested by the consumer.

(f)

(g) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.

(g)

(h) Notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title:
(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

(h)

(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.

(i)

(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

(j)

(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.

(k)

(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.

SEC. 3.

 Section 791.01 of the Insurance Code is amended to read:

791.01.
 (a) The obligations imposed by this article shall apply to insurance institutions, agents, or insurance-support organizations that, on or after October 1, 1981, engage in the following activities:
(1) In the case of life or disability insurance, do either of the following:
(A) Collect, receive, or maintain information in connection with insurance transactions that pertains to natural persons who are residents of this state.
(B) Engage in insurance transactions with applicants, individuals, or policyholders who are residents of this state.
(2) In the case of property or casualty insurance, do either of the following:
(A) Collect, receive, or maintain information in connection with insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this state.
(B) Engage in insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this state.
(b) The rights granted by this article shall extend to both of the following:
(1) In the case of life or disability insurance, the following persons who are residents of this state:
(A) Natural persons who are the subject of information collected, received, or maintained in connection with insurance transactions.
(B) Applicants, individuals, or policyholders who engage in or seek to engage in insurance transactions.
(2) In the case of property or casualty insurance, the following persons:
(A) Natural persons who are the subject of information collected, received, or maintained in connection with insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this state.
(B) Applicants, individuals, or policyholders who engage in or seek to engage in insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this state.
(c) For purposes of this section, a person shall be considered a resident of this state if the person’s last known mailing address, as shown in the records of the insurance institution, agent, or insurance-support organization, is located in this state.
(d) This article does not apply to a person or entity engaged in the business of title insurance as defined in Section 12340.3.
(e) This article does not apply to a person or entity engaged in the business of a home protection company, as defined in Section 12740, that does not obtain or maintain personal information, as defined in this article, of its policyholders and applicants.
(f) Insurance institutions, agents, insurance-support organizations, or insurance transactions subject to this article shall be exempt from both of the following:
(1) Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code.

(2)Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code, excluding Section 1798.150. The exemption provided by this paragraph does not apply to a business activity that is not subject to this article.

(3)

(2) Sections 1785.20 and 1786.40 of the Civil Code.

SEC. 4.

 Section 791.02 of the Insurance Code is amended to read:

791.02.
 As used in this article, the following terms have the following meanings:
(a) (1) “Adverse underwriting decision” means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:
(A) A declination of insurance coverage.
(B) A termination of insurance coverage.
(C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant.
(D) In the case of a property or casualty insurance coverage, either of the following:
(i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution that provides insurance to other than preferred or standard risks, shall not include placement if the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks.
(ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished.
(E) In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.
(2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:
(A) The termination of an individual policy form on a class or statewide basis.
(B) A declination of insurance coverage solely because coverage is not available on a class or statewide basis.
(C) The rescission of a policy.
(b) “Affiliate” or “affiliated” means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person.
(c) “Agent” means any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).
(d) “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.
(e) “Applicant” means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.
(f) “Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, including a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(g) “Commissioner” means the Insurance Commissioner.
(h) “Confidential communications request” means a request by an insured covered under a health insurance policy that insurance communications containing medical information be communicated to the insured at a specific mail or email address or specific telephone number, as designated by the insured.
(i) (1) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
(2) “Consumer” does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.
(j) “Consumer report” means any written, oral, or other communication of information bearing on a natural person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.
(k) “Consumer reporting agency” means any person who does any of the following:
(1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee.
(2) Obtains information primarily from sources other than insurance institutions.
(3) Furnishes consumer reports to other persons.
(l) “Control,” including the terms “controlled by” or “under common control with,” means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.
(m) “Declination of insurance coverage” means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.
(n) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information does all of the following:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.
(o) “Endanger” means that the insured covered under a health insurance policy fears that the disclosure of the medical information could subject the insured covered under a health insurance policy to harassment or abuse.
(p) “Individual” means any natural person who is any of the following:
(1) In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder.
(2) In the case of life or disability insurance, is a past, present, or proposed principal insured or certificate holder.
(3) Is a past, present, or proposed policy owner.
(4) Is a past or present applicant.
(5) Is a past or present claimant.
(6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act.
(q) “Institutional source” means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than any of the following:
(1) An agent.
(2) The individual who is the subject of the information.
(3) A natural person acting in a personal capacity rather than in a business or professional capacity.
(r) “Insurance institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code.
(s) “Insurance-support organization” means:
(1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:
(A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.
(B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.
(2) Notwithstanding paragraph (1), agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees are not “insurance-support organizations.”
(t) “Insurance transaction” means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:
(1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.
(2) The servicing of an insurance application, policy, contract, or certificate.
(u) “Investigative consumer report” means a consumer report or portion thereof in which information about a natural person’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person’s neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those items of information.
(v) “Medical care institution” means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics, rehabilitation agencies, and public health agencies.
(w) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health insurer, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, including the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
(x) “Medical professional” means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian, clinical psychologist, chiropractor, pharmacist, or speech therapist.
(y) “Medical record information” means personal information that is both of the following:
(1) Relates to an individual’s physical or mental condition, medical history or medical treatment.
(2) Is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.
(z) “Person” means any natural person, corporation, association, partnership, limited liability company, or other legal entity.
(aa) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. Personal information may include, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer:
(1) Identifiers, including real name, alias, postal address, unique personal identifier, and online identifier.
(2) Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(3) Any categories of personal information described in subdivision (e) of Section 1798.80 of the Civil Code.
(4) Characteristics of protected classifications under California or federal law including race, religion, sexual orientation, gender identity, gender expression, and age.
(5) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(6) Biometric information.
(7) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
(8) Geolocation data.
(9) Audio, electronic, visual, thermal, olfactory, or similar information.
(10) Professional or employment-related information.
(11) Education information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(12) Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(ab) “Policyholder” means any person who is any of the following:
(1) In the case of individual property or casualty insurance, is a present named insured.
(2) In the case of individual life or disability insurance, is a present policyowner.
(3) In the case of group insurance, which is individually underwritten, is a present group certificate holder.
(ac) “Pretext interview” means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:
(1) Pretends to be someone they are not.
(2) Pretends to represent a person they are not in fact representing.
(3) Misrepresents the true purpose of the interview.
(4) Refuses to identify themselves upon request.
(ad) “Privileged information” means any individually identifiable information that is both of the following:
(1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual.
(2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered “personal information” under this act if it is disclosed in violation of Section 791.13.
(ae) “Pseudonymize” or “pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
(af) “Residual market mechanism” means the California FAIR Plan Association, Chapter 10 (commencing with Section 10101) of Part 1 of Division 2, and the assigned risk plan, Chapter 1 (commencing with Section 11550) of Part 3 of Division 2.
(ag) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient of any age at or above the minimum age specified for consenting to the service specified in the section.
(ah) “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.
(ai) “Unauthorized insurer” means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state.

SEC. 4.SEC. 5.

 Section 791.04 of the Insurance Code is amended to read:

791.04.
 (a) An insurance institution or agent shall provide a notice of information practices, including the categories of personal information that may be collected and the purposes for which the categories of personal information may be used, to all applicants or policyholders in connection with insurance transactions and to the general public, as provided below:
(1) In the case of a written application for insurance, a notice shall be provided no later than either of the following:
(A) At the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant, an insured under the policy, or from public records.
(B) At the time the collection of personal information is initiated when personal information is collected from a source other than the applicant, an insured under the policy, or public records.
(2) In the case of a policy renewal, a notice shall be provided no later than the policy renewal date or the date upon which policy renewal is confirmed, except that a notice shall not be required in connection with a policy renewal if either of the following applies:
(A) Personal information is collected only from the policyholder, an insured under the policy, or from public records.
(B) A notice meeting the requirements of this section has been given within the previous 24 months.
(3) In the case of a policy reinstatement or change in insurance benefits, a notice shall be provided no later than the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that a notice shall not be required if personal information is collected only from the policyholder, an insured under the policy, or from public records or if a notice meeting the requirements of this section has been given within the previous 24 months.
(4) (A) An insurance institution or agent shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices as follows:
(i) To an applicant or policyholder, not later than at the time the insurance institution or agent establishes a customer relationship, except as provided in subparagraph (C).
(ii) To an applicant or policyholder before the insurance institution or agent discloses any nonpublic personal information about the applicant or policyholder to any nonaffiliated third party, if the insurance institution or agent makes a disclosure other than as authorized by subdivisions (a) to (k), inclusive, and subdivisions (m) to (s), inclusive, of Section 791.13, unless the insurance institution or agent has a customer relationship with the applicant or policyholder or a notice has been provided by an affiliated insurance institution or agent, the notice clearly identifies all insurance institutions or agents to whom the notice applies, and is accurate with respect to all the insurance institutions and agents involved.
(B) If an existing policyholder obtains a new insurance product or service, intended primarily for personal, family, or household purposes, the insurance institution or agent is not required to provide a new initial notice if the notice most recently provided by the insurance institution or agent is accurate with respect to the insurance institution or agent.
(C) An insurance institution or agent may provide the initial notice required within a reasonable time after the insurance institution or agent establishes a customer relationship under any of the following circumstances:
(i) If establishing the customer relationship is not at the policyholder’s election, including if an insurance institution or agent licensee acquires or is assigned an individual’s policy from another insurance institution, agent, or residual market mechanism and the policyholder does not have a choice about the insurance institution’s or agent’s acquisition or assignment.
(ii) If providing notice not later than at the time the insurance institution or agent establishes a customer relationship would substantially delay the individual’s transaction, including if the insurance institution or agent and the individual agree by telephone to enter into a customer relationship involving prompt delivery of the insurance product or service. In that case, the individual shall be provided with oral notice of the insurance institution’s or agent’s privacy policies, provided that the privacy notice is mailed or sent in electronic form within 14 business days after the sale, and documentation is maintained showing that oral disclosure was provided to the individual. For an insurance institution or agent who does not disclose personal information other than as permitted by Section 791.13, an oral disclosure is not required.
(iii) If the relationship is initiated in person at the insurance institution’s or agent’s office or through other means and the individual may view the notice on an internet website or other source.
(b) The notice required by subdivision (a) shall be in writing and shall state all of the following:
(1) Whether personal information may be collected from persons other than the individual or individuals proposed for coverage.
(2) The categories of personal information that may be collected and the types of sources and investigative techniques that may be used to collect the information.
(3) The types of disclosures identified in subdivisions (b), (c), (d), (e), (f), (i), (l), (m), and (o) of Section 791.13 and the circumstances under which the disclosures may be made without prior authorization, except that only those circumstances need be described which occur with such frequency as to indicate a general business practice.
(4) A description of the rights established under Sections 791.08 and 791.09 and the manner in which the rights may be exercised.
(5) That information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons.
(c) In lieu of the notice prescribed in subdivision (b), the insurance institution or agent may provide an abbreviated notice informing the applicant or policyholder of the following:
(1) Personal information may be collected from persons other than the individual or individuals proposed for coverage.
(2) Information, as well as other personal or privileged information subsequently collected by the insurance institution or agent may in certain circumstances be disclosed to third parties without authorization.
(3) A right of access, correction, or deletion, if appropriate, exists with respect to all personal information collected.
(4) The notice prescribed in subdivision (b) will be furnished to the applicant or policyholder upon request.
(d) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

SEC. 5.SEC. 6.

 Section 791.06 of the Insurance Code is amended to read:

791.06.
 (a) Notwithstanding any other law, an insurance institution, agent, or insurance-support organization shall not utilize as its disclosure authorization form in connection with insurance transactions a form or statement that authorizes the disclosure of personal or privileged information about an individual to the insurance institution, agent, or insurance-support organization unless the form or statement does all of the following:
(1) Is written in plain language.
(2) Clearly states in 16-point boldface type “IMPORTANT PRIVACY CHOICES.”
(3) Is dated.
(4) Specifies the types of persons authorized to disclose information about the individual.
(5) Specifies the nature of the information authorized to be disclosed.
(6) Names the insurance institution or agent and identifies by generic reference representatives of the insurance institution to whom the individual is authorizing information to be disclosed.
(7) Specifies the purposes for which the information is collected.
(8) Specifies the length of time the authorization shall remain valid, which shall be no longer than:
(A) In the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for change in policy benefits:
(i) Thirty months from the date the authorization is signed if the application or request involves life, health or disability insurance; or
(ii) One year from the date the authorization is signed if the application or request involves property or casualty insurance.
(B) In the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:
(i) The term of coverage of the policy if the claim is for a health insurance benefit; or
(ii) The duration of the claim if the claim is not for a health insurance benefit; or
(iii) The duration of all claims processing activity performed in connection with all claims for benefits made by any person entitled to benefits under a nonprofit hospital service contract.
(9) Advises the individual or a person authorized to act on behalf of the individual that the individual or the individual’s authorized representative is entitled to receive a copy of the authorization form.
(10) Sets forth reasonable means by which the individual may exercise the right to opt out of any disclosure at any time.
(11) Specifies that an individual’s direction to opt out of the disclosure is effective until the individual revokes that direction in writing or electronically, at the individual’s choice.
(b) This section does not require any authorization for the receipt of personal or privileged information about an individual.

SEC. 6.SEC. 7.

 Section 791.08 of the Insurance Code is amended to read:

791.08.
 (a) If any individual, after proper identification, submits a written request to an insurance institution, agent, or insurance-support organization for access to recorded personal information about the individual that is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, agent, or insurance-support organization, the insurance institution, agent, or insurance-support organization shall within 30 business days from the date the request is received do all of the following:
(1) Inform the individual of the categories and sources of recorded personal information in writing, by telephone or by other oral communication, whichever the insurance institution, agent, or insurance-support organization prefers.
(2) Inform the individual of the business or commercial purpose for collecting or selling personal information.
(3) Permit the individual to obtain a copy of the recorded personal information in a safe and secure electronic manner or by mail, whichever the individual prefers, unless the recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing.
(4) Disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent, or insurance-support organization has disclosed the personal information within two years prior to the request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom the information is normally disclosed.
(5) Provide the individual with a summary of the procedures by which the individual may request correction, amendment, or deletion of recorded personal information.
(b) Any personal information provided pursuant to subdivision (a) shall identify the source of the information if the source is an institutional source.
(c) Medical record information supplied by a medical care institution or medical professional and requested under subdivision (a), together with the identity of the medical professional or medical care institution that provided the information, shall be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the individual prefers. Mental health record information shall be supplied directly to the individual, pursuant to this section, only with the approval of the qualified professional person with treatment responsibility for the condition to which the information relates. If it elects to disclose the information to a medical professional designated by the individual, the insurance institution, agent, or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional.
(d) Except for personal information provided under Section 791.10, an insurance institution, agent, or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.
(e) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subdivision (a), an insurance institution, agent, or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.
(f) The rights granted to individuals in this section extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent, or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subdivision do not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
(g) For purposes of this section, the term “insurance-support organization” does not include a “consumer reporting agency.”

SEC. 7.SEC. 8.

 Section 791.09 of the Insurance Code is amended to read:

791.09.
 (a) Within 30 business days from the date of receipt of a written request or other verifiable request from an individual to correct, amend or delete any recorded personal information about the individual within its possession, an insurance institution, agent, or insurance-support organization shall do either of the following:
(1) Correct, amend, or delete the portion of the recorded personal information in dispute.
(2) Notify the individual of all of the following:
(A) Its refusal to make the correction, amendment, or deletion.
(B) The reasons for the refusal.
(C) The individual’s right to file a statement as provided in subdivision (c).
(D) The contact information for the Department of Insurance consumer help line.
(b) If the insurance institution, agent, or insurance-support organization corrects, amends, or deletes recorded personal information in accordance with paragraph (1) of subdivision (a), the insurance institution, agent, or insurance-support organization shall so notify the individual in writing and furnish the correction, amendment or fact of deletion to all of the following:
(1) A person specifically designated by the individual who may have, within the preceding two years, received the recorded personal information.
(2) An insurance-support organization whose primary source of personal information is insurance institutions if the insurance-support organization has systematically received the recorded personal information from the insurance institution within the preceding seven years. The correction, amendment, or fact of deletion need not be furnished if the insurance-support organization no longer maintains recorded personal information about the individual.
(3) An insurance-support organization that furnished the personal information that has been corrected, amended, or deleted.
(c) If an individual disagrees with an insurance institution’s, agent’s, or insurance-support organization’s refusal to correct, amend, or delete recorded personal information, the individual shall be permitted to file with the insurance institution, agent, or insurance-support organization all of the following:
(1) A concise statement setting forth what the individual thinks is the correct, relevant, or fair information.
(2) A concise statement of the reasons why the individual disagrees with the insurance institution’s, agent’s, or insurance-support organization’s refusal to correct, amend, or delete recorded personal information.
(d) In the event an individual files either statement as described in subdivision (c), the insurance institution, agent, or support organization shall do all of the following:
(1) File the statement with the disputed personal information and provide a means by which anyone reviewing the disputed personal information will be made aware of the individual’s statement and have access to it.
(2) In any subsequent disclosure by the insurance institution, agent, or support organization of the recorded personal information that is the subject of disagreement, clearly identify the matter or matters in dispute and provide the individual’s statement along with the recorded personal information being disclosed.
(3) Furnish the statement to the persons and in the manner specified in subdivision (b).
(e) The rights granted to individuals in this section extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent, or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subdivision do not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
(f) For purposes of this section, the term “insurance-support organization” does not include a “consumer reporting agency.”

SEC. 8.SEC. 9.

 Section 791.13 of the Insurance Code is amended to read:

791.13.
 An insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is any of the following:
(a) With the written authorization of the individual, and meets either of the conditions specified in paragraph (1) or (2):
(1) If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirement of Section 791.06.
(2) If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is all of the following:
(A) Dated.
(B) Signed by the individual.
(C) Obtained one year or less prior to the date a disclosure is sought pursuant to this section.
(b) To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary for either of the following:
(1) To enable the person to perform a business, professional, or insurance function for the disclosing insurance institution, agent, or insurance-support organization or insured and the person agrees not to disclose the information further without the individual’s written authorization unless either of the following apply:
(A) The further disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization.
(B) The further disclosure is reasonably necessary for the person to perform its function for the disclosing insurance institution, agent, or insurance-support organization.
(2) To enable the person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of either of the following:
(A) Determining an individual’s eligibility for an insurance benefit or payment.
(B) Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction.
(c) To an insurance institution, agent, insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary under either paragraph (1) or (2) to do either of the following:
(1) To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions.
(2) For either the disclosing or receiving insurance institution, agent, or insurance-support organization to perform its function in connection with an insurance transaction involving the individual.
(d) To a medical-care institution or medical professional for the purpose of any of the following:
(1) Verifying insurance coverage or benefits.
(2) Informing an individual of a medical problem of which the individual may not be aware.
(3) Conducting operations or services audit, provided only such information is disclosed as is reasonably necessary to accomplish the foregoing purposes.
(e) To an insurance regulatory authority.
(f) To a law enforcement or other governmental authority pursuant to law.
(g) Otherwise permitted or required by law.
(h) In response to a facially valid administrative or judicial order, including a search warrant or subpoena.
(i) Made for the purpose of conducting actuarial studies, provided that all of the following conditions are met:
(1) No individual may be identified in any actuarial report.
(2) Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed.
(3) The actuarial organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization.
(j) Made for the purpose of conducting research studies performed by nonaffiliated entities. For the purposes of this subdivision, “research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with an insurer, agent, or insurance-support organization for other purposes shall be all of the following:
(1) Compatible with the business purpose for which the personal information was collected.
(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(4) Subject to business processes that specifically prohibit reidentification of the information.
(5) Made subject to business processes to prevent inadvertent release of deidentified information.
(6) Protected from any reidentification attempts.
(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
(8) Subjected by the business conducting the research to additional security controls with limited access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
(k) To a party or a representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the insurance institution, agent or insurance-support organization, provided that both of the following conditions are met:
(1) Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation.
(2) The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization.
(l) To a person whose only use of the information will be in connection with the marketing of a product or service, provided that either of the following conditions are met:
(1) Medical-record information, privileged information, or personal information relating to an individual’s character, personal habits, mode of living, or general reputation is not disclosed, and any classification derived from the information is not disclosed.
(2) Both of the following conditions are met:
(A) The individual has been given an opportunity to indicate that the individual does not want personal information disclosed for marketing purposes and has given no indication that the individual does not want the information disclosed.
(B) The person receiving the information agrees not to use it except in connection with the marketing of a product or service.
(m) To an affiliate whose only use of the information will be in connection with an audit of the insurance institution or agent or the marketing of an insurance product or service, provided the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons.
(n) By a consumer reporting agency, provided the disclosure is to a person other than an insurance institution or agent.
(o) To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution’s or agent’s operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit.
(p) To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional.
(q) To a governmental authority for the purpose of determining the individual’s eligibility for health benefits for which the governmental authority may be liable.
(r) To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction.
(s) To a lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance. The information disclosed shall be limited to that which is reasonably necessary to permit the person to protect their interest in the policy and shall be consistent with Article 5.5 (commencing with Section 770).
(t) To an insured or the insured’s lawyer when the information disclosed is from an accident report, supplemental report, investigative report or the actual report from a government agency or is a copy of an accident report or other report which the insured is entitled to obtain under Section 20012 of the Vehicle Code or subdivision (f) of Section 6254 of the Government Code.

SEC. 9.SEC. 10.

 Section 791.24 is added to the Insurance Code, to read:

791.24.
 (a) An insurance institution, agent, or insurance-support organization shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of policyholder information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the insurance institution, agent, or insurance-support organization and the nature and scope of its activities.
(b) The information security program shall be designed to do all of the following:
(1) Ensure the security and confidentiality of policyholder information.
(2) Protect against any anticipated threats or hazards to the security or integrity of policyholder information.
(3) Protect against unauthorized access to or use of information that could result in substantial harm or inconvenience to any policyholder.
(c) The insurance institution, agent, or insurance-support organization shall do all of the following:
(1) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of policyholder information or policyholder information systems.
(2) Assess the likelihood and potential damage of the internal and external threats, taking into consideration the sensitivity of policyholder information.
(3) Assess the sufficiency of policies, procedures, policyholder information systems, and other safeguards in place to control risks.
(4) Design its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the insurance institution’s, agent’s, or insurance-support organization’s activities.
(5) Train staff, as appropriate, to implement the information security program.
(6) Regularly test or otherwise regularly monitor the key controls, systems, and procedures of the information security program. The frequency and nature of the tests shall be determined by the insurance institution’s, agent’s, or insurance-support organization’s risk assessment.
(7) Exercise appropriate due diligence in selecting service providers.
(8) Require its service providers, by contract, to implement appropriate measures designed to meet the objectives of this section, and, where indicated by the risk assessment, take appropriate steps to confirm that its service providers have satisfied those obligations.
(9) Monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its policyholder information, internal or external threats to information, and the insurance institution’s, agent’s, or insurance-support organization’s own changing business arrangements, including mergers and acquisitions, outsourcing arrangements, and changes to policyholder information systems.
(d) The commissioner shall audit an insurance institution’s, agent’s, or insurance-support organization’s compliance with this section in a manner and with such frequency as the commissioner deems necessary.

SEC. 10.SEC. 11.

 Section 791.25 is added to the Insurance Code, to read:

791.25.
 A policyholder shall have the right to request and receive a copy of the policyholder’s personal information from an insurance institution, agent, or insurance-support organization in a readily usable format that can be transferred to another entity.

SEC. 11.SEC. 12.

 Section 791.30 is added to the Insurance Code, to read:

791.30.
 An insurance institution, agent, or insurance-support organization shall not sell the personal information of an insured if the insurance institution, agent, or insurance-support organization has actual knowledge that the insured is less than 16 years of age, unless the insured, in the case of an insured between 13 and 16 years of age, or the insured’s parent or guardian, in the case of an insured who is less than 13 years of age, has affirmatively authorized the sale of the insured’s personal information. An insurance institution, agent, or insurance-support organization that willfully disregards an insured’s age shall be deemed to have had actual knowledge of the insured’s age. This right may be referred to as the “right to opt in.”

SEC. 12.SEC. 13.

 Section 791.31 is added to the Insurance Code, to read:

791.31.
 (a) An insurance institution, agent, or insurance-support organization shall not unfairly discriminate against an applicant or policyholder because that applicant or policyholder has opted out from the disclosure of nonpublic personal information pursuant to this article.
(b) An insurance institution, agent, or insurance-support organization shall not unfairly discriminate against an applicant or policyholder because that applicant or policyholder has not granted authorization for the disclosure of nonpublic personal medical record information pursuant to this article.
(c) As used in this section, “unfairly discriminate” includes denying an applicant or policyholder a product or service because the applicant or policyholder has refused to authorize disclosure of nonpublic personal information as provided in subdivision (l) of Section 791.13.