NAIFA joined in a letter of support to the House Financial Services Committee for efforts in introducing the Data Privacy Act of 2023. The Data Privacy Act would modernize the Gramm-Leach-Bliley Act (GLBA), a working data privacy framework for insurance consistent with consumer expectations.
NAIFA members have managed consumers’ confidential medical and financial information for decades. Fittingly, insurers and producers (agents and brokers) have long been subject to comprehensive federal and state privacy laws and regulations. These requirements provide a complex, broad and rigorous regulatory framework that requires the insurance industry to protect the privacy, use and security of consumers’ personal information. These laws have reflected a critically important balance between consumers’ legitimate privacy concerns and the proper use of personal information to the benefit of existing and prospective customers.
In the letter, NAIFA and the Joint-Trades Coalition made recommendations to the House Financial Services Committee that would improve upon the data privacy framework to best suit consumers and financial institutions.
The bill was marked up in Committee on February 28 and passed by a 26-21 party-line vote. The Act would make the following amendments to GLBA:
- Expands the “financial institution” definition to include data aggregators, removes the “financial” qualifier from nonpublic personal information (NPI), and expands the customer relationship to include consumers.
- Amends current GLBA disclosure requirements for financial institutions to include NPI collected by the entity, the purpose for collecting the NPI, and how it will be used.
- Requires financial institutions to obtain consent from customers and consumers prior to sharing NPI with third parties and creates opt-out rights for consumers, including the right to terminate sharing, the right to access all NPI held by the entity, and the right to have their NPI deleted (subject to certain exceptions).
- With respect to persons engaged in insurance, requires each state to issue its own regulations as necessary (so no uniformity), but those regulations may not be more restrictive than those issued by the coordinating federal agencies.
- Preempts state laws that seek to regulate activity governed by the Act.
- Contains no reference to enforcement, instead requiring a GAO report to study existing enforcement mechanisms.
Any changes in a landmark privacy framework should continue to both protect nonpublic personal information and remain consistently workable for all financial institutions including insurers, agents, and brokers, to serve their customers and consumers. NAIFA will continue working with legislators to ensure that data privacy legislation serves both consumers and the agents and brokers that serve them.