Today's Law As Amended



AB-981 Insurance Information and Privacy Protection Act. (2019-2020)



As Amends the Law Today


SECTION 1.
 (a) The Legislature finds and declares all of the following:
(1) The business of insurance requires the collection, maintenance, and analysis of information in order to perform the most basic insurance functions, including ratesetting, underwriting, claims handling, fraud detection, and investigation.
(2) Insurers are obligated to protect all personal information collected, and that obligation has been recognized in California law beginning with the enactment of the Insurance Information and Privacy Protection Act (IIPPA) in 1980.
(3) The obligation to protect personal information was expanded in 2003 as part of an extensive set of privacy regulations adopted by the Insurance Commissioner.
(b) It is the intent of the Legislature to harmonize the consumer privacy protections contained in the California Consumer Privacy Act of 2018 with the requirements of conducting the business of insurance and long-established protections in the IIPPA and its implementing regulations.

SEC. 2.

 Section 1798.145 of the Civil Code is amended to read:

1798.145.
 Exemptions
(a) (1)  The obligations imposed on businesses by this title shall not restrict a business’s ability to:
(A) (1)  Comply with federal, state, or local laws or comply with a court order or subpoena to provide information. laws. 
(B) (2)  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriff’s departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumer’s personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumer’s personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumer’s personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumer’s personal information shall not use the consumer’s personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumer’s deletion request is subject to an exemption from deletion under this title. 
(C) (3)  Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(D) (i) Cooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury provided that:
(I) The request is approved by a high-ranking agency officer for emergency access to a consumer’s personal information.
(II) The request is based on the agency’s good faith determination that it has a lawful basis to access the information on a nonemergency basis.
(III) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.
(ii) For purposes of this subparagraph, a consumer accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services, shall not constitute a natural person being at risk or danger of death or serious physical injury.
(E) (4)  Exercise or defend legal claims.
(F) (5)  Collect, use, retain, sell, share,  or disclose consumers’ personal  consumer  information that is deidentified or in the  aggregate consumer information.
(G) (6)  Collect, sell,  Collect  or share sell  a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit permit  a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
(2) (A) This subdivision shall not apply if the consumer’s personal information contains information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services.
(B) This paragraph does not alter the use of aggregated or deidentified personal information consistent with a business purpose as defined in paragraphs (1), (2), (3), (4), (5), (7), or (8) of subdivision (e) of Section 1798.140, provided that the personal information is only retained in aggregated and deidentified form and is not sold or shared.
(C) This paragraph does not alter the duty of a business to preserve or retain evidence pursuant to California or federal law in an ongoing civil proceeding.
(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135  1798.110 to 1798.135, inclusive,  shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) (1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Personal information  Information  collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with,  subject to  the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent. Administration. 
(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
(d) (1)  This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by  the sale of personal information to or from  a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in agency if that information is to be reported in, or used to generate, a consumer report as defined by  subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code. use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.). 
(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.
(3) This subdivision shall not apply to Section 1798.150.
(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject pursuant  to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.).  Code).  This subdivision shall not apply to Section 1798.150.
(f) Sections 1798.105 and 1798.120 shall not apply to the extent it is necessary to retain or share a consumer’s personal information to complete an insurance transaction for a product or service, as defined in subdivision (m) of Section 791.02 of the Insurance Code, that has been requested by the consumer.
(f) (g)  This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.
(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessel’s manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.
(3) For purposes of this subdivision:
(A) “Ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.
(B) “Vehicle information” means the vehicle information number, make, model, year, and odometer reading.
(C) “Vessel dealer” means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.
(D) “Vessel information” means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:
(i) An inboard engine.
(ii) An outboard engine.
(iii) A stern drive unit.
(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.
(h) Notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title:
(1) A time period for a business to respond to a consumer for any verifiable any verified  consumer request may be extended by up to a total of 90  90 additional  days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable verified  consumer request is manifestly unfounded or excessive.
(i) (1)  A business that discloses personal information to a service provider or contractor in compliance with this title  shall not be liable under this title if the service provider or contractor  receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor  intends to commit such a violation. A service provider or contractor  shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this  title.
(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumer’s rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.
(j) This title shall not be construed to require a business, service provider, or contractor to:
(1) (j)  Reidentify or otherwise link information that, in the ordinary course of business,  This title shall not be construed to require a business to reidentify or otherwise link information that  is not maintained in a manner that would be considered personal information.
(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.
(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.
(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumer’s personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business’s possession. consumers. 
(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
(m) (1) This title shall not apply to any of the following:
(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.
(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.
(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.
(2) For purposes of this subdivision:
(A) “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.
(B) “Director” means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(C) “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.
(D) “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.
(E) “Owner” means a natural person who meets one of the following criteria:
(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii) Has the power to exercise a controlling influence over the management of a company.
(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.
(4) This subdivision shall become inoperative on January 1, 2023.
(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.
(2) For purposes of this subdivision:
(A) “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.
(B) “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(C) “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
(D) “Owner” means a natural person who meets one of the following:
(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii) Has the power to exercise a controlling influence over the management of a company.
(3) This subdivision shall become inoperative on January 1, 2023.
(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agency’s collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumer’s role as the owner, director, officer, or management employee of the business.
(2) For the purposes of this subdivision:
(A) “Business controller information” means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.
(B) “Commercial credit reporting agency” has the meaning set forth in subdivision (b) of Section 1785.42.
(C) “Owner” means a natural person that meets one of the following:
(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii) Has the power to exercise a controlling influence over the management of a company.
(D) “Director” means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(E) “Officer” means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.
(F) “Management employee” means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural person’s role as the primary manager of the business.
(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.
(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumer’s personal information under Section 1798.105 to the extent the verifiable consumer request applies to a student’s grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.
(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumer’s specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.
(3) For purposes of this subdivision:
(A) “Educational standardized assessment or educational assessment” means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.
(B) “Jeopardize the validity and reliability of that educational standardized assessment or educational assessment” means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.
(r) Sections 1798.105 and 1798.120 shall not apply to a business’s use, disclosure, or sale of particular pieces of a consumer’s personal information if the consumer has consented to the business’s use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumer’s photograph if:
(1) The business has incurred significant expense in reliance on the consumer’s consent.
(2) Compliance with the consumer’s request to opt out of the sale of the consumer’s personal information or to delete the consumer’s personal information would not be commercially reasonable.
(3) The business complies with the consumer’s request as soon as it is commercially reasonable to do so.

SEC. 2. SEC. 3.

 Section 791.01 of the Insurance Code is amended to read:

791.01.
 (a) The obligations imposed by this article shall apply to those  insurance institutions, agents agents,  or insurance-support organizations which, that,  on or after October 1, 1981: 1981, engage in the following activities: 
(1) In the case of life or disability insurance: insurance, do either of the following: 
(A) Collect, receive receive,  or maintain information in connection with insurance transactions which that  pertains to natural persons who are residents of this state, or  state. 
(B) Engage in insurance transactions with applicants, individuals individuals,  or policyholders who are residents of this state.
(2) In the case of property or casualty insurance: insurance, do either of the following: 
(A) Collect, receive receive,  or maintain information in connection with insurance transactions involving policies, contracts contracts,  or certificates of insurance delivered, issued for delivery delivery,  or renewed in this state, or state. 
(B) Engage in insurance transactions involving policies, contracts contracts,  or certificates of insurance delivered, issued for delivery delivery,  or renewed in this state.
(b) The rights granted by this article shall extend to: to both of the following: 
(1) In the case of life or disability insurance, the following persons who are residents of this state:
(A) Natural persons who are the subject of information collected, received received,  or maintained in connection with insurance transactions.
(B) Applicants, individuals individuals,  or policyholders who engage in or seek to engage in insurance transactions.
(2) In the case of property or casualty insurance, the following persons:
(A) Natural persons who are the subject of information collected, received received,  or maintained in connection with insurance transactions involving policies, contracts contracts,  or certificates of insurance delivered, issued for delivery delivery,  or renewed in this state, and state. 
(B) Applicants, individuals individuals,  or policyholders who engage in or seek to engage in insurance transactions involving policies, contracts contracts,  or certificates of insurance delivered, issued for delivery delivery,  or renewed in this state.
(c) For purposes of this section, a person shall be considered a resident of this state if the person’s last known mailing address, as shown in the records of the insurance institution, agent, or insurance-support organization, is located in this state.
(d) This article shall does  not apply to any a  person or entity engaged in the business of title insurance as defined in Section 12340.3.
(e) This article shall does  not apply to a person or entity engaged in the business of a home protection company, as defined in Section 12740, which that  does not obtain or maintain personal information, as defined in this article, of its policyholders and applicants.
(f) Insurance institutions, agents, insurance support organizations or any insurance transaction insurance-support organizations, or insurance transactions  subject to this article shall be exempt from Part 2.6 (commencing with Section 56) of Division 1 of, and Sections 1785.20 and 1786.40 of, the Civil Code. both of the following: 
(1) Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code.
(2) Sections 1785.20 and 1786.40 of the Civil Code.

SEC. 3. SEC. 4.

 Section 791.02 of the Insurance Code is amended to read:

791.02.
 As used in this act: article, the following terms have the following meanings: 
(a) (1) “Adverse underwriting decision” means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:
(A) A declination of insurance coverage.
(B) A termination of insurance coverage.
(C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant.
(D) In the case of a property or casualty insurance coverage: coverage, either of the following: 
(i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution that provides insurance to other than preferred or standard risks, shall not include placement if the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks, or risks. 
(ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished.
(E) In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.
(2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:
(A) The termination of an individual policy form on a class or statewide basis.
(B) A declination of insurance coverage solely because coverage is not available on a class or statewide basis.
(C) The rescission of a policy.
(b) “Affiliate” or “affiliated” means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person.
(c) “Agent” means any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).
(d) “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.
(d) (e)  “Applicant” means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.
(f) “Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, including a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(g) “Commissioner” means the Insurance Commissioner.
(h) “Confidential communications request” means a request by an insured covered under a health insurance policy that insurance communications containing medical information be communicated to the insured at a specific mail or email address or specific telephone number, as designated by the insured.
(i) (1) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
(2) “Consumer” does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.
(e) (j)  “Consumer report” means any written, oral, or other communication of information bearing on a natural person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.
(f) (k)  “Consumer reporting agency” means any person who: who does any of the following: 
(1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee.
(2) Obtains information primarily from sources other than insurance institutions.
(3) Furnishes consumer reports to other persons.
(g) (l)  “Control,” including the terms “controlled by” or “under common control with,” means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.
(h) (m)  “Declination of insurance coverage” means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.
(n) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information does all of the following:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.
(o) “Endanger” means that the insured covered under a health insurance policy fears that the disclosure of the medical information could subject the insured covered under a health insurance policy to harassment or abuse.
(i) (p)  “Individual” means any natural person who is any of the following:
(1) In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder.
(2) In the case of life or disability insurance, is a past, present, or proposed principal insured or certificate holder.
(3) Is a past, present, or proposed policyowner. policy owner. 
(4) Is a past or present applicant.
(5) Is a past or present claimant.
(6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act.
(j) (q)  “Institutional source” means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than any of the following:
(1) An agent.
(2) The individual who is the subject of the information.
(3) A natural person acting in a personal capacity rather than in a business or professional capacity.
(k) (r)  “Insurance institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code.
(l) (s)  “Insurance-support organization” means:
(1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:
(A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.
(B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, misrepresentation  or material nondisclosure in connection with insurance underwriting or insurance claim activity.
(2) Notwithstanding paragraph (1), the following persons shall not be considered “insurance-support organizations”:  agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees. committees are not “insurance-support organizations.” 
(m) (t)  “Insurance transaction” means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:
(1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.
(2) The servicing of an insurance application, policy, contract, or certificate.
(n) (u)  “Investigative consumer report” means a consumer report or portion thereof in which information about a natural person’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person’s neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those items of information.
(o) (v)  “Medical care institution” means any facility or institution that is licensed to provide health care services to natural persons, including, including  but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics, rehabilitation agencies, and public health agencies.
(w) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health insurer, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, including the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
(p) (x)  “Medical professional” means any person licensed or certified to provide health care services to natural persons, including, including  but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian, clinical psychologist, chiropractor, pharmacist, or speech therapist.
(q) (y)  “Medical record information” means personal information that is both of the following:
(1) Relates to an individual’s physical or mental condition, medical history, history  or medical treatment.
(2) Is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.
(r) (z)  “Person” means any natural person, corporation, association, partnership, limited liability company, or other legal entity.
(s) (aa)  “Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Personal information” includes an individual’s name and address and “medical record information” but does not include “privileged information.” information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. Personal information may include, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer: 
(1) Identifiers, including real name, alias, postal address, unique personal identifier, and online identifier.
(2) Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(3) Any categories of personal information described in subdivision (e) of Section 1798.80 of the Civil Code.
(4) Characteristics of protected classifications under California or federal law including race, religion, sexual orientation, gender identity, gender expression, and age.
(5) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(6) Biometric information.
(7) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
(8) Geolocation data.
(9) Audio, electronic, visual, thermal, olfactory, or similar information.
(10) Professional or employment-related information.
(11) Education information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(12) Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(t) (ab)  “Policyholder” means any person who is any of the following:
(1) In the case of individual property or casualty insurance, is a present named insured.
(2) In the case of individual life or disability insurance, is a present policyowner.
(3) In the case of group insurance, which is individually underwritten, is a present group certificate holder.
(u) (ac)  “Pretext interview” means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:
(1) Pretends to be someone they are not.
(2) Pretends to represent a person they are not in fact representing.
(3) Misrepresents the true purpose of the interview.
(4) Refuses to identify who they are  themselves  upon request.
(v) (ad)  “Privileged information” means any individually identifiable information that both: is both of the following: 
(1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual.
(2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered “personal information” under this act if it is disclosed in violation of Section 791.13.
(ae) “Pseudonymize” or “pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
(w) (af)  “Residual market mechanism” means the California FAIR Plan Association, Chapter 10 (commencing with Section 10101) of Part 1 of Division 2, and the assigned risk plan, Chapter 1 (commencing with Section 11550) of Part 3 of Division 2.
(ag) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient of any age at or above the minimum age specified for consenting to the service specified in the section.
(x) (ah)  “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.
(y) (ai)  “Unauthorized insurer” means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state.
(z) “Commissioner” means the Insurance Commissioner.
(aa) “Confidential communications request” means a request by an insured covered under a health insurance policy that insurance communications containing medical information be communicated to the insured at a specific mail or email address or specific telephone number, as designated by the insured.
(ab) “Protected individual” means any adult insured covered under a health insurance policy or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(ac) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient of any age at or above the minimum age specified for consenting to the service specified in the section.
(ad) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health insurer, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

SEC. 4. SEC. 5.

 Section 791.04 of the Insurance Code is amended to read:

791.04.
 (a) An insurance institution or agent shall provide a notice of information practices  practices, including the categories of personal information that may be collected and the purposes for which the categories of personal information may be used,  to all applicants or policyholders in connection with insurance transactions and to the general public,  as provided below:
(1) In the case of a written application for insurance, a notice shall be provided no later than: than either of the following: 
(A) At the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant, an insured under the policy, or from public records; or records. 
(B) At the time the collection of personal information is initiated when personal information is collected from a source other than the applicant, an insured under the policy, or public records.
(2) In the case of a policy renewal, a notice shall be provided no later than the policy renewal date or the date upon which policy renewal is confirmed, except that no a  notice shall not  be required in connection with a policy renewal if either of the following applies:
(A) Personal information is collected only from the policyholder, an insured under the policy, or from public records.
(B) A notice meeting the requirements of this section has been given within the previous 24 months.
(3) In the case of a policy reinstatement or change in insurance benefits, a notice shall be provided no later than the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that no a  notice shall not  be required if personal information is collected only from the policyholder, an insured under the policy, or from public records or if a notice meeting the requirements of this section has been given within the previous 24 months.
(4) (A) An insurance institution or agent shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices as follows:
(i) To an applicant or policyholder, not later than at the time the insurance institution or agent establishes a customer relationship, except as provided in subparagraph (C).
(ii) To an applicant or policyholder before the insurance institution or agent discloses any nonpublic personal information about the applicant or policyholder to any nonaffiliated third party, if the insurance institution or agent makes a disclosure other than as authorized by subdivisions (a) to (k), inclusive, and subdivisions (m) to (s), inclusive, of Section 791.13, unless the insurance institution or agent has a customer relationship with the applicant or policyholder or a notice has been provided by an affiliated insurance institution or agent, the notice clearly identifies all insurance institutions or agents to whom the notice applies, and is accurate with respect to all the insurance institutions and agents involved.
(B) If an existing policyholder obtains a new insurance product or service, intended primarily for personal, family, or household purposes, the insurance institution or agent is not required to provide a new initial notice if the notice most recently provided by the insurance institution or agent is accurate with respect to the insurance institution or agent.
(C) An insurance institution or agent may provide the initial notice required within a reasonable time after the insurance institution or agent establishes a customer relationship under any of the following circumstances:
(i) If establishing the customer relationship is not at the policyholder’s election, including if an insurance institution or agent licensee acquires or is assigned an individual’s policy from another insurance institution, agent, or residual market mechanism and the policyholder does not have a choice about the insurance institution’s or agent’s acquisition or assignment.
(ii) If providing notice not later than at the time the insurance institution or agent establishes a customer relationship would substantially delay the individual’s transaction, including if the insurance institution or agent and the individual agree by telephone to enter into a customer relationship involving prompt delivery of the insurance product or service. In that case, the individual shall be provided with oral notice of the insurance institution’s or agent’s privacy policies, provided that the privacy notice is mailed or sent in electronic form within 14 business days after the sale, and documentation is maintained showing that oral disclosure was provided to the individual. For an insurance institution or agent who does not disclose personal information other than as permitted by Section 791.13, an oral disclosure is not required.
(iii) If the relationship is initiated in person at the insurance institution’s or agent’s office or through other means and the individual may view the notice on an internet website or other source.
(b) The notice required by subdivision (a) shall be in writing and shall state all of the following:
(1) Whether personal information may be collected from persons other than the individual or individuals proposed for coverage.
(2) The types categories  of personal information that may be collected and the types of sources and investigative techniques that may be used to collect such the  information.
(3) The types of disclosures identified in subdivisions (b), (c), (d), (e), (f), (i), (k),  (l), (m),  and (n) (o)  of Section 791.13 and the circumstances under which the disclosures may be made without prior authorization, except that only those circumstances need be described which occur with such frequency as to indicate a general business practice.
(4) A description of the rights established under Sections 791.08 and 791.09 and the manner in which the rights may be exercised.
(5) That information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons.
(c) In lieu of the notice prescribed in subdivision (b), the insurance institution or agent may provide an abbreviated notice informing the applicant or policyholder of the following:
(1) Personal information may be collected from persons other than the individual or individuals proposed for coverage.
(2) Such information  Information,  as well as other personal or privileged information subsequently collected by the insurance institution or agent may in certain circumstances be disclosed to third parties without authorization.
(3) A right of access and correction  access, correction, or deletion, if appropriate,  exists with respect to all personal information collected.
(4) The notice prescribed in subdivision (b) will be furnished to the applicant or policyholder upon request.
(d) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

SEC. 5. SEC. 6.

 Section 791.06 of the Insurance Code is amended to read:

791.06.
 (a)  Notwithstanding any other provision of  law, no an  insurance institution, agent agent,  or insurance-support organization may  shall not  utilize as its disclosure authorization form in connection with insurance transactions a form or statement which that  authorizes the disclosure of personal or privileged information about an individual to the insurance institution, agent, or insurance-support organization unless the form or statement: statement does all of the following: 
(a) (1)  Is written in plain language.
(2) Clearly states in 16-point boldface type “IMPORTANT PRIVACY CHOICES.”
(b) (3)  Is dated.
(c) (4)  Specifies the types of persons authorized to disclose information about the individual.
(d) (5)  Specifies the nature of the information authorized to be disclosed.
(e) (6)  Names the insurance institution or agent and identifies by generic reference representatives of the insurance institution to whom the individual is authorizing information to be disclosed.
(f) (7)  Specifies the purposes for which the information is collected.
(g) (8)  Specifies the length of time the authorization shall remain valid, which shall be no longer than:
(1) (A)  In the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for change in policy benefits:
(A) (i)  Thirty months from the date the authorization is signed if the application or request involves life, health or disability insurance; or
(B) (ii)  One year from the date the authorization is signed if the application or request involves property or casualty insurance.
(2) (B)  In the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:
(A) (i)  The term of coverage of the policy if the claim is for a health insurance benefit; or
(B) (ii)  The duration of the claim if the claim is not for a health insurance benefit; or
(C) (iii)  The duration of all claims processing activity performed in connection with all claims for benefits made by any person entitled to benefits under a nonprofit hospital service contract.
(h) (9)  Advises the individual or a person authorized to act on behalf of the individual that the individual or the individual’s authorized representative is entitled to receive a copy of the authorization form.
(10) Sets forth reasonable means by which the individual may exercise the right to opt out of any disclosure at any time.
(11) Specifies that an individual’s direction to opt out of the disclosure is effective until the individual revokes that direction in writing or electronically, at the individual’s choice.
(i) (b)  This section shall not be construed to  does not  require any authorization for the receipt of personal or privileged information about an individual.

SEC. 6. SEC. 7.

 Section 791.08 of the Insurance Code is amended to read:

791.08.
 (a) If any individual, after proper identification, submits a written request to an insurance institution, agent agent,  or insurance-support organization for access to recorded personal information about the individual which that  is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, agent agent,  or insurance-support organization, the insurance institution, agent agent,  or insurance-support organization shall within 30 business days from the date such the  request is received: received do all of the following: 
(1) Inform the individual of the nature categories  and substance sources  of such  recorded personal information in writing, by telephone or by other oral communication, whichever the insurance institution, agent agent,  or insurance-support organization prefers; prefers. 
(2) Inform the individual of the business or commercial purpose for collecting or selling personal information.
(2) (3)  Permit the individual to see and copy, in person, such recorded personal information pertaining to him or her or to  obtain a copy of such the  recorded personal information in a safe and secure electronic manner or  by mail, whichever the individual prefers, unless such the  recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing; writing. 
(3) (4)  Disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent agent,  or insurance-support organization has disclosed such the  personal information within two years prior to such the  request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom such the  information is normally disclosed; and disclosed. 
(4) (5)  Provide the individual with a summary of the procedures by which he or she  the individual  may request correction, amendment amendment,  or deletion of recorded personal information.
(b) Any personal information provided pursuant to subdivision (a) above  shall identify the source of the information if such the  source is an institutional source.
(c) Medical record information supplied by a medical care institution or medical professional and requested under subdivision (a), together with the identity of the medical professional or medical care institution which that  provided such the  information, shall be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the individual prefers. Mental health record information shall be supplied directly to the individual, pursuant to this section, only with the approval of the qualified professional person with treatment responsibility for the condition to which the information relates. If it elects to disclose the information to a medical professional designated by the individual, the insurance institution, agent agent,  or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional.
(d) Except for personal information provided under Section 791.10, an insurance institution, agent agent,  or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.
(e) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subdivision (a), an insurance institution, agent agent,  or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.
(f) The rights granted to individuals in this section shall  extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent agent,  or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subdivision shall do  not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
(g) For purposes of this section, the term “insurance-support organization” does not include a  “consumer reporting agency”. agency.” 

SEC. 7.SEC. 8.

 Section 791.09 of the Insurance Code is amended to read:

791.09.
 (a) Within 30 business days from the date of receipt of a written request or other verifiable request  from an individual to correct, amend or delete any recorded personal information about the individual within its possession, an insurance institution, agent agent,  or insurance-support organization shall either: do either of the following: 
(1) Correct, amend amend,  or delete the portion of the recorded personal information in dispute; or dispute. 
(2) Notify the individual of: of all of the following: 
(A) Its refusal to make such the  correction, amendment amendment,  or deletion.
(B) The reasons for the refusal.
(C) The individual’s right to file a statement as provided in subdivision (c).
(D) The contact information for the Department of Insurance consumer help line.
(b) If the insurance institution, agent agent,  or insurance-support organization corrects, amends amends,  or deletes recorded personal information in accordance with paragraph (1) of subdivision (a), the insurance institution, agent agent,  or insurance-support organization shall so notify the individual in writing and furnish the correction, amendment or fact of deletion to: to all of the following: 
(1) Any A  person specifically designated by the individual who may have, within the preceding two years, received such the  recorded personal information.
(2) Any An  insurance-support organization whose primary source of personal information is insurance institutions if the insurance-support organization has systematically received such the  recorded personal information from the insurance institution within the preceding seven years; provided, however, that the correction, amendment years. The correction, amendment,  or fact of deletion need not be furnished if the insurance-support organization no longer maintains recorded personal information about the individual.
(3) Any An  insurance-support organization that furnished the personal information that has been corrected, amended amended,  or deleted.
(c) Whenever If  an individual disagrees with an insurance institution’s, agent’s agent’s,  or insurance-support organization’s refusal to correct, amend amend,  or delete recorded personal information, the individual shall be permitted to file with the insurance institution, agent agent,  or insurance-support organization: organization all of the following: 
(1) A concise statement setting forth what the individual thinks is the correct, relevant relevant,  or fair information.
(2) A concise statement of the reasons why the individual disagrees with the insurance institution’s, agent’s agent’s,  or insurance-support organization’s refusal to correct, amend amend,  or delete recorded personal information.
(d) In the event an individual files either statement as described in subdivision (c), the insurance institution, agent agent,  or support organization shall: shall do all of the following: 
(1) File the statement with the disputed personal information and provide a means by which anyone reviewing the disputed personal information will be made aware of the individual’s statement and have access to it.
(2) In any subsequent disclosure by the insurance institution, agent agent,  or support organization of the recorded personal information that is the subject of disagreement, clearly identify the matter or matters in dispute and provide the individual’s statement along with the recorded personal information being disclosed.
(3) Furnish the statement to the persons and in the manner specified in subdivision (b).
(e) The rights granted to individuals in this section shall  extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent agent,  or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subdivision shall do  not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
(f) For purposes of this section, the term “insurance-support organization” does not include a  “consumer reporting agency”. agency.” 

SEC. 8.SEC. 9.

 Section 791.13 of the Insurance Code is amended to read:

791.13.
 An insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is: is any of the following: 
(a) With the written authorization of the individual, and meets either of the conditions specified in paragraph (1) or (2):
(1) If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirement of Section 791.06.
(2) If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is: is all of the following: 
(A) Dated.
(B) Signed by the individual.
(C) Obtained one year or less prior to the date a disclosure is sought pursuant to this section.
(b) To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary: necessary for either of the following: 
(1) To enable the person to perform a business, professional, or insurance function for the disclosing insurance institution, agent, or insurance-support organization or insured and the person agrees not to disclose the information further without the individual’s written authorization unless the further disclosure: either of the following apply: 
(A) Would  The further disclosure would  otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or organization. 
(B) Is  The further disclosure is  reasonably necessary for the person to perform its function for the disclosing insurance institution, agent, or insurance-support organization.
(2) To enable the person to provide information to the disclosing insurance institution, agent agent,  or insurance-support organization for the purpose of: of either of the following: 
(A) Determining an individual’s eligibility for an insurance benefit or payment; or payment. 
(B) Detecting or preventing criminal activity, fraud, material misrepresentation misrepresentation,  or material nondisclosure in connection with an insurance transaction.
(c) To an insurance institution, agent, insurance-support organization organization,  or self-insurer, provided the information disclosed is limited to that which is reasonably necessary under either paragraph (1) or (2): (2) to do either of the following: 
(1) To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or transactions. 
(2) For either the disclosing or receiving insurance institution, agent, or insurance-support organization to perform its function in connection with an insurance transaction involving the individual.
(d) To a medical-care institution or medical professional for the purpose of any of the following:
(1) Verifying insurance coverage or benefits.
(2) Informing an individual of a medical problem of which the individual may not be aware.
(3) Conducting operations or services audit, provided the  only such  information is  disclosed as  is reasonably necessary to accomplish the foregoing purposes.
(e) To an insurance regulatory authority; or authority. 
(f) To a law enforcement or other governmental authority pursuant to law.
(g) Otherwise permitted or required by law.
(h) In response to a facially valid administrative or judicial order, including a search warrant or subpoena.
(i) Made for the purpose of conducting actuarial or research studies, provided: studies, provided that all of the following conditions are met: 
(1) No individual may be identified in any actuarial or research  report.
(2) Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed.
(3) The actuarial or research  organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, agent  or insurance-support organization.
(j) Made for the purpose of conducting research studies performed by nonaffiliated entities. For the purposes of this subdivision, “research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with an insurer, agent, or insurance-support organization for other purposes shall be all of the following:
(1) Compatible with the business purpose for which the personal information was collected.
(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(4) Subject to business processes that specifically prohibit reidentification of the information.
(5) Made subject to business processes to prevent inadvertent release of deidentified information.
(6) Protected from any reidentification attempts.
(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
(8) Subjected by the business conducting the research to additional security controls with limited access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
(j) (k)  To a party or a representative of a party to a proposed or consummated sale, transfer, merger, merger  or consolidation of all or part of the business of the insurance institution, agent, agent  or insurance-support organization, provided: provided that both of the following conditions are met: 
(1) Prior to the consummation of the sale, transfer, merger, or consolidation the  only such  information is  disclosed as  is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation.
(2) The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization.
(k) (l)  To a person whose only use of the information will be in connection with the marketing of a product or service, provided: provided that either of the following conditions are met: 
(1) No medical-record  Medical-record  information, privileged information, or personal information relating to an individual’s character, personal habits, mode of living, or general reputation is not  disclosed, and no any  classification derived from the information is disclosed; or not disclosed. 
(2) Both of the following conditions are met:
(2) (A)  The individual has been given an opportunity to indicate that the individual does not want personal information disclosed for marketing purposes and has given no indication that the individual does not want the information disclosed; and disclosed. 
(3) (B)  The person receiving the information agrees not to use it except in connection with the marketing of a product or service.
(l) (m)  To an affiliate whose only use of the information will be in connection with an audit of the insurance institution or agent or the marketing of an insurance product or service, provided the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons.
(m) (n)  By a consumer reporting agency, provided the disclosure is to a person other than an insurance institution or agent.
(n) (o)  To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution’s or agent’s operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit.
(o) (p)  To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional.
(p) (q)  To a governmental authority for the purpose of determining the individual’s eligibility for health benefits for which the governmental authority may be liable.
(q) (r)  To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction.
(r) (s)  To a lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance. The information disclosed shall be limited to that which is reasonably necessary to permit the person to protect that person’s  their  interest in the policy and shall be consistent with Article 5.5 (commencing with Section 770).
(s) (t)  To an insured or the insured’s lawyer when the information disclosed is from an accident report, supplemental report, investigative report, report  or the actual report from a government agency or is a copy of an accident report or other report that which  the insured is entitled to obtain under Section 20012 of the Vehicle Code or Article 1 (commencing with Section 7923.600) of Chapter 1 of Part 5 of Division 10 of Title 1 of  subdivision (f) of Section 6254 of  the Government Code.

SEC. 10.

 Section 791.24 is added to the Insurance Code, to read:

791.24.
 (a) An insurance institution, agent, or insurance-support organization shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of policyholder information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the insurance institution, agent, or insurance-support organization and the nature and scope of its activities.
(b) The information security program shall be designed to do all of the following:
(1) Ensure the security and confidentiality of policyholder information.
(2) Protect against any anticipated threats or hazards to the security or integrity of policyholder information.
(3) Protect against unauthorized access to or use of information that could result in substantial harm or inconvenience to any policyholder.
(c) The insurance institution, agent, or insurance-support organization shall do all of the following:
(1) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of policyholder information or policyholder information systems.
(2) Assess the likelihood and potential damage of the internal and external threats, taking into consideration the sensitivity of policyholder information.
(3) Assess the sufficiency of policies, procedures, policyholder information systems, and other safeguards in place to control risks.
(4) Design its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the insurance institution’s, agent’s, or insurance-support organization’s activities.
(5) Train staff, as appropriate, to implement the information security program.
(6) Regularly test or otherwise regularly monitor the key controls, systems, and procedures of the information security program. The frequency and nature of the tests shall be determined by the insurance institution’s, agent’s, or insurance-support organization’s risk assessment.
(7) Exercise appropriate due diligence in selecting service providers.
(8) Require its service providers, by contract, to implement appropriate measures designed to meet the objectives of this section, and, where indicated by the risk assessment, take appropriate steps to confirm that its service providers have satisfied those obligations.
(9) Monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its policyholder information, internal or external threats to information, and the insurance institution’s, agent’s, or insurance-support organization’s own changing business arrangements, including mergers and acquisitions, outsourcing arrangements, and changes to policyholder information systems.
(d) The commissioner shall audit an insurance institution’s, agent’s, or insurance-support organization’s compliance with this section in a manner and with such frequency as the commissioner deems necessary.

SEC. 11.

 Section 791.25 is added to the Insurance Code, to read:

791.25.
 A policyholder shall have the right to request and receive a copy of the policyholder’s personal information from an insurance institution, agent, or insurance-support organization in a readily usable format that can be transferred to another entity.

SEC. 12.

 Section 791.30 is added to the Insurance Code, to read:

791.30.
 An insurance institution, agent, or insurance-support organization shall not sell the personal information of an insured if the insurance institution, agent, or insurance-support organization has actual knowledge that the insured is less than 16 years of age, unless the insured, in the case of an insured between 13 and 16 years of age, or the insured’s parent or guardian, in the case of an insured who is less than 13 years of age, has affirmatively authorized the sale of the insured’s personal information. An insurance institution, agent, or insurance-support organization that willfully disregards an insured’s age shall be deemed to have had actual knowledge of the insured’s age. This right may be referred to as the “right to opt in.”

SEC. 13.

 Section 791.31 is added to the Insurance Code, to read:

791.31.
 (a) An insurance institution, agent, or insurance-support organization shall not unfairly discriminate against an applicant or policyholder because that applicant or policyholder has opted out from the disclosure of nonpublic personal information pursuant to this article.
(b) An insurance institution, agent, or insurance-support organization shall not unfairly discriminate against an applicant or policyholder because that applicant or policyholder has not granted authorization for the disclosure of nonpublic personal medical record information pursuant to this article.
(c) As used in this section, “unfairly discriminate” includes denying an applicant or policyholder a product or service because the applicant or policyholder has refused to authorize disclosure of nonpublic personal information as provided in subdivision (l) of Section 791.13.