Elizabeth Mohr, Assistant Chief Counsel
Mary Ann Shulman, Staff Counsel
California Department of Insurance
Rate Enforcement Bureau
San Francisco, CA 94105
RE: Comment on Proposed Regulations Concerning Privacy of Personal Financial and Medical Record Information - File No. RH-01018269
Submitted by the Privacy Rights Clearinghouse
and the following organizations:
Consumers Union Western Regional Office
Dear Ms. Mohr and Ms. Shulman:
The Privacy Rights Clearinghouse and the above-listed organizations appreciate the opportunity to provide the following Comments to the California Department of Insurance's (Department) proposed regulations implementing the privacy provisions of Title V of the Gramm-Leach-Bliley Act (or GLBA), 15 U.S.C. §§6801-6810. The proposed regulations were originally published for comment on December 4, 2001, and most recently on May 23, 2002.
We are pleased to see that the proposed regulations, as revised, include a number of changes that will benefit individual privacy interests. We commend the staff of the Department for efforts to balance multiple interests and their willingness to consider our concerns about loss of personal privacy.
The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer education and advocacy organization based in San Diego, California. For ten years the PRC has been educating consumers about ways to understand the evolving world of technology and personal privacy. Each individual's right to control how personal information is collected and used is at the core of all the PRC's endeavors. The PRC interacts directly with the public via a hotline and responses to e-mail inquiries. Consumer education is also provided through publication of a number of Fact Sheets, available both on the PRC's web site and by mail for those who do not have access to the Internet.
The PRC has a substantial interest in the privacy implications that flow from the information sharing practices of financial corporations, including insurance companies. In the last year and a half, the PRC has devoted considerable effort to educate the public about the privacy aspects of Title V of the Gramm-Leach-Bliley Act (GLBA) Sections 6801-6810, and the federal regulations promulgated as a result. We plan to continue our educational efforts with regard to state regulations regarding privacy of personal information in the files of insurance companies.
The PRC has commented on previous occasions with regard to regulations proposed by multiple federal agencies that have jurisdiction under GLBA. In every instance we have emphasized the important public policy interests involved in the individual's ability to maintain maximum control over how highly personal information is gathered and used. Assurance of control of how personal information is used can only be achieved through meaningful choice in a system that has become commonly known as an "opt-in." Likewise, the co-signing organizations, CALPIRG and Consumers Union, are each committed to ensuring that individuals are accorded maximum privacy protection under state laws and regulations.
We note that federal government agencies have no authority to give consumers greater control than the opt-out procedure adopted by GLBA. However, GLBA specifically gives each state the authority to provide its own citizens with greater privacy protection than that afforded under federal law. As the Department is well aware, other state insurance Commissioners, including those of New Mexico and Vermont, have acted to give the citizens of their states control over personal information through an opt-in procedure.
I. General Comment - GLBA gives the California Insurance Commissioner the authority to adopt opt-in for "personal financial information"
As proposed, the California insurance privacy regulations provide an opt-in for certain information specified by California statute as "personal information." However, action by the consumer through an opt-out is required for large amounts of data defined as "personal financial information."
We urge the department to re-examine §6807(b) of Title V of GLBA with a view toward providing California insurance customers with an opt-in for third-party information sharing for information included in the category the department has defined as "personal financial information." We believe GLBA gives the Department statutory authority to promulgate regulations to provide an opt-in for California citizens.
GLBA §6807(b) states, in part:
(b) Greater protection under State law
For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subchapter if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subchapter . . .[emphasis added]
A plain reading of this section shows that Congress did not intend states to be limited to enacting new statutes in order to provide citizens with greater privacy protections than that afforded by federal regulations. Were such a limitation intended, Section 6807 need not include the words "regulation" or "order" or "interpretation."
II. Comments regarding specific sections of the proposed Insurance Privacy Regulations as revised
COMMENT 1: Definitions section 2689.4(a) - clear and conspicuous
The definition of "clear and conspicuous" establishes the standard for notice as "reasonably understandable" and "designed to call attention to the nature and significance of the information." The criterion for the second element of "clear and conspicuous" was originally 12 point typeface, but that has been changed in the current proposal to 10 point typeface.
To its credit, the Department's proposal to specify type of any size goes beyond that established in other regulations. For example, regulations promulgated by the eight federal agencies that have jurisdiction under GLBA, as well as the National Association of Insurance Commissioners (NAIC) model regulations, and even the insurance regulations promulgated by Vermont, leave type size to the discretion of the company. These regulations specify only that the type size be "easy to read."
As a result, almost all of the GLBA privacy notices we have examined appear to have been written in no more than 8 point type. Thus, the Department is correct to assume that a minimum type standard is necessary to address the failures in recognition and readability that have been the experience of the GLBA opt-out notices to date. While the Department's proposed minimum of 10 point typeface for the text of the notice is a significant improvement over the current nonspecific standard, the initial proposal of 12 point type would be easier to read.
Larger type (12 point) would be of particular benefit to elderly people who often have difficulty reading due to deteriorating eyesight. Furthermore, the difference between 10 point and 12 point type should make little difference in the overall length of the notice as long as the notice focuses on what is required by law to tell consumers and refrains from extensive marketing language.
The PRC is acutely aware that most consumers did not see the GLBA privacy notices that were mailed to them prior to the deadline of July 1, 2001. We conducted a consumer education program during that time to inform the public about the GLBA notices. In response, the PRC was contacted by approximately 2,000 individuals. About two-thirds of those who contacted the PRC had no knowledge of the provisions of GLBA until seeing a media report.
Similarly, a study of 1,000 people conducted by the American Bankers Association showed that 41% had not recognized privacy notices in the first instance. The low level of consumer recognition of the significance of the notices was a major failure of the GLBA's privacy provisions. The PRC reported this and other observations in a report to the Federal Trade Commission (FTC) Workshop "Get Noticed" on December 4, 2001.
Recommendation: The success of an opt-out procedure depends upon drawing the attention of the consumer. We recommend use of the larger 12 point typeface as contained in the regulations as originally proposed. When combined with other readability factors, this could make the difference between whether an insurance company customer recognizes the significance of the notice or not. This is a small concession for the insurance industry to make for public awareness.
COMMENT 2: Definitions section - Need to add definitions of "opt-in" and "opt-out"
Insurance privacy regulations should be accessible to consumers as well as insurance industry professionals and attorneys. The terms "opt-in" and "opt-out" have become a part of the privacy vocabulary since the federal regulations implementing GLBA took effect on July 1, 2001.
If the Department were to use the terms "opt-in" and "opt-out" in the final regulations, consumers would more readily understand them and could therefore more effectively determine their privacy rights when dealing with insurance matters in California.
Without the addition of familiar terms such as "opt-in" and "opt-out," we are concerned that consumers who want to know their privacy rights will be even more confused when confronted with references in the regulations to the three types of information: (1) personal information, (2) privileged information, and (3) personal financial information.
Recommendation: (1) We recommend inclusion of "opt-in" under the definition of "personal information" which specifies the types of information in CIC §791.02(s) that requires a consumer's consent prior to disclosure. (2) We recommend that the term "privileged information" when used in the definition of "personal information" be followed by a reference to its statutory definition in CIC §791.02(v) or be separately defined in the final version of these privacy regulations. (3) The term "opt-out" should be incorporated into the definition of "personal financial information" so that consumers will be on notice that this type of information requires an affirmative action, i.e. an opt-out, to prevent disclosures for marketing purposes.
COMMENT 3: Initial privacy notice (§2689.5(c)(2)) - How soon to give notice
Section 5 (c)(2) as originally proposed required that a notice be mailed or provided in electronic form within three business days after a customer relationship is established. The current proposal extends that time to fourteen (14) business days.
Furthermore, privacy notices are preprinted and standardized, so there is no need for a company to delay providing a privacy notice in order to tailor the notice to each new customer. Providing the notice should be as routine as the execution of applications or other documents necessary to establish the relationship.
COMMENT 4: Annual privacy notice (§2689.6) - Treatment of closed accounts
Consumers are concerned about personal information in closed accounts as well as open accounts. The proposed regulation says a licensee is not required to provide an annual notice to a former customer with whom the licensee no longer has a continuing relationship.
This provision has not been changed from the original proposal, and we understand that the Department is not obligated to consider our comments. Nonetheless, this is an issue about which the PRC has received numerous questions from consumers.
As written, a consumer who closes an account immediately before the annual notice is sent would not have the right to receive the notice and then take the opportunity to opt-out of information sharing with third parties.
Recommendation: Consumers should have the same rights of notice and opt-out for information contained in recently active accounts. Annual notices and the opportunity to opt-out should be extended to former customers whose accounts were active within the twelve (12) months prior to the date of the annual notice.
COMMENT 5: Statement about disclosure to affiliates for marketing - §2689.7(7)
Consumers are confused about their ability to opt-out of information sharing among affiliates. Many believe they have this right when, in fact, they do not - unless, of course, the company decided to extend the opt-out to affiliate sharing. If a licensee reserves the right to disclose information for marketing purposes to affiliates, the statement required by this section should make it clear that the consumer has no legal right to opt-out.
Recommendation: We recommend that licensees (1) maximize consumers' understanding that they have no control over a licensee's ability to share information with an affiliate for marketing purposes and (2) make it clear that the choice belongs to the licensee and not the consumer. The privacy notice should include a statement in at least 12 point bold type to the effect:
"WE MAY DISCLOSE INFORMATION TO OUR AFFILIATES FOR MARKETING PURPOSES. THE LAW DOES NOT PROVIDE CUSTOMERS THE ABILITY TO RESTRICT SUCH DISCLOSURE."
If the licensee enables its customers to opt-out of affiliate sharing, it of course would not be required to post this statement.
COMMENT 6: Disclosures under the Fair Credit Reporting Act (FCRA) - §2689.7(a)(7) and 2689.7(b)
Section 2689.7(a)(7) (formerly (a)(9)) mandates that disclosures required by the FCRA be included in the notice required by the Department's regulations. We have observed that financial institutions make this disclosure to consumers by simply adopting the vague and confusing language of the FCRA. The legal terms of "transaction information" and "creditworthiness information" applied to the FCRA opt-out requirement are not descriptive enough to advise consumers of the kinds of information at stake.
The regulations as initially proposed recognized this vagueness in §2689.7(b), which stated that "general terms" such as "transaction information" do not adequately categorize information.
As revised, the following statement has been deleted from the regulations: "A licensee does not adequately categorize the information that it discloses if the licensee only uses general terms, such as transaction information about the consumer." As we understood this statement, licensees would be required to go beyond the language of the law. California licensees would thus be held to a higher standard for "plain language" than that adopted by financial institutions under the federal regulations. The language associated with the FCRA was given as an example of the need for licensees to explain legal terms in common language.
Recommendation: To give consumers a clearer understanding of the kinds of information that may be included in "transaction information" and "creditworthiness information," examples of each should be required to be included in the notice to customers. The following phrase should be reinserted: "A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer."
COMMENT 7: Time allowed to opt-out (§2689.8(f))
The original proposal gave consumers 45 days to opt-out before insurance companies could disclose personal information. The time consumers have to opt-out has been shortened to 30 days under the current proposal.
This reduction means that consumers under the revised proposal would realistically have only 20 days to act to prevent disclosure of personal information, allowing for five days of mailing time to the consumer and five days to return the notice to the insurance company.
We note that the National Association of Insurance Commissioners (NAIC), in commenting on proposed regulations to federal agencies, recommended that the agencies adopt a 60 day window in which consumers would respond to opt-out notices. The NAIC's letter to the Securities and Exchange Commission, for example, states as follows regarding the need for 60 days as a more reasonable time to permit customers to exercise their opt-out rights:
Considering mail delays and daily personal activities that demand a person's attention, we do not believe 30 days provides an adequate opportunity to receive an opt-out notice and respond to it. Since this only applies to personal information given to nonaffiliated third parties, we do not believe consumers should be forced to reach a hasty judgment or stop their daily activities to respond in a two or three week period.
Recommendation: We strongly urge the Department to reconsider the amount of time for consumers to opt-out. Consumers should have at least 45 days to communicate this important choice to insurance companies.
COMMENT 8: Appendix A -- Sample Clauses
Some of the most frequently asked consumer questions are not answered by typical privacy notices. These include:
How long do I have to opt-out?
How long does a financial institution have to honor my opt-out request?
If I miss the deadline to opt-out, do I have to wait for the annual notice?
Can the company close my account if I opt-out?
The notice is primarily required to tell consumers about (1) the types of information collected, (2) the types of information disclosed, and (3) the categories of companies to whom disclosures are made.
The Department is to be commended for going beyond the federal regulations in this regard. Considering that most consumers will not have access to the regulations and that the first line of consumer education will come from the notices themselves, such information should be a requirement of the notices.
Recommendation: Sample clauses should be included that would, as a minimum, inform consumers about the deadlines included in the proposed regulations and inform consumers that the right to opt-out is continuing.
COMMENT 9: Sample Clauses - Categories of parties to whom a licensee discloses customer information
The sample clause included in the regulations is virtually the same as the sample clause included in federal regulations. The sample gives three types of companies to whom disclosures may be made: (1) financial service providers, (2) non-financial companies, and (3) others, with the requirement that an example of each category be given.
Such a statement is too vague to give consumers meaningful notice about how their information might be used and to whom it might be disclosed. Rather than inform, such statements actually raise more questions than they answer.
Recommendation: A more instructive notice would include specific examples of recent disclosures made by the licensee and the details of such disclosures, i.e. the name and type of company that received the information, the information disclosed, the financial or reciprocal terms of the disclosure, and any agreed upon limits with regard to further disclosure.
In conclusion, we appreciate the opportunity to offer the above comments to the proposed regulations as revised. Overall, the current proposal represents an improvement, particularly regarding the definition of personal and personal financial information.
We do, however, reiterate our initial position in these comments. We urge the Department to revisit the possibility of an overall opt-in for California insurance customers and to follow the examples of greater privacy protection established by the Insurance Commissioners of Vermont and New Mexico.
Tena Friery, Research Director
Beth Givens, Director
Privacy Rights Clearinghouse
And the following organizations:
Western Reg. Office
The results of the consumer response to the PRC as a result of our education program can be found on the PRC web site. See: 2001: The GLB Odyssey-We're Not There Yet: How Consumers Responded to Financial Privacy Notices and Recommendations for Improving Them (Dec 4, 2001).
See American Bankers Association Press Release, "ABA Survey Shows Nearly One Out of Three Consumers Reads Opt-Out Notices," (June 15, 2001) available at www.aba.com/Press+Room/bankfee060701.htm
The PRC's presentation at the FTC workshop, along with presenters from the financial services industry and government, is also available on the FTC web site at www.ftc.gov