While insurers say that uniform privacy regulations have been largely achieved, in a few states, including Vermont, California and Massachusetts, privacy standards are still being debated.
A proposed regulation was scheduled to be reviewed by the Vermont legislative committee on administrative rules at press time.
The Vermont department of banking, insurance, securities and health care administration has dropped the joint marketing opt-out requirement for non-affiliates.
Affiliates would be required to operate according to the federal Fair Credit Reporting Act which says affiliates can share some data such as name and contact information. However, for information such as credit worthiness and personal characteristics, an opt-in would be required. Other states have an opt-out provision.
The Vermont department is trying to establish standards for insurers that are similar to standards for banks created by the Vermont bank privacy law, says Jackie Hughes, general counsel.
Insurers say that the proposed rule goes beyond the Gramm-Leach-Bliley Act of 1999.
The American Council of Life Insurers in Washington, according to Michael Lovendusky, a senior counsel, is concerned that the Vermont regulation establishes an opt-in requirement for information disclosures to nonaffiliated third parties. This departs substantially from the NAIC Model Privacy Regulation, he says, that requires the financial institution to provide a consumer with an opportunity to opt-out of such information disclosure. Information disclosure to affiliates is treated the same in both the Vermont and NAIC approaches because opt-outs to consumers are provided one time at the initiation of a relationship for certain kinds of information, pursuant to FCRA, Lovendusky adds.
Concern that privacy regulations could overreach GLB was played out in the California legislature recently when a Senate bill, S.B. 773, was deferred until the next legislative session in January 2002.