New House Data Privacy Bill Could Limit State Insurance Regulators' Authority

A new House bill could change the forms and procedures you and financial services providers use to protect your clients’ privacy.

Members of the House Financial Services Committee have marked up the bill, H.R. 1165, the Data Privacy Act of 2023, along with other financial services bills.

The bill would update the data privacy provisions in the Gramm-Leach-Bliley Act of 1999. It would apply the same privacy rules to all communication channels; expand privacy notice requirements; make it easier for consumers to opt out of data-sharing; and let federal data privacy standards preempt state privacy standards.

One provision, section 5, could keep state insurance regulators from imposing any insurance privacy restrictions that were more restrictive than the privacy regulations that apply to other types of financial services organizations, such as banks.

Insurance industry groups are asking for many changes, and consumer groups are criticizing the bill’s reliance on privacy notices and opt-out provisions.

What It Means

If H.R. 1165, or something like it, becomes law, you might have to replace the privacy notices you provide and update your website.

If you use outside data providers in marketing, the information provided by the services could change.

The Text

McHenry focused on disclosure and consumer choice when he drafted the bill.

The requires a company collecting consumer data to tell the consumer what information is collected, how the information will be used, who has access to the information, and how data retention policies will work.

The company must give consumers a chance to opt out of any data sharing that’s not necessary to provide the product or service.

Consumers would have the right to terminate collection of data and request deletion of data at any time.

The provision preempting state data privacy rules will “reduce compliance burden and provide certainty to both consumers and entities that handle their financial data,” according to McHenry.

The Markup

McHenry included his bill on the agenda today for the House Financial Services Committee bill markup, or bill revision session.

It’s the first House markup held during the current session of Congress. The other bills marked up related to matters such as banking, national security and efforts to fight public health emergencies.

McHenry is the only sponsor of H.R. 1165, but he emphasized at the hearing that most of the other bills being marked up have Democratic sponsors or co-sponsors as well as Republican sponsors, and that he wants his committee to operate in a bipartisan way.

“These are not messaging bills,” McHenry said. “We are a legislating committee. Our product is legislation… I renew my call to every member of this committee to bring you ideas to me. My door is open to both sides of the aisle.”

McHenry described H.R. 1165 as a modernization of Gramm-Leach-Bliley, rather than as an overhaul of financial data privacy laws.

The bill is the product of three years of work be House Financial Services Committee Republicans, and drafters sought input from a wide range of parties, he said.

The House Financial Services Committee considered the H.R. 1165 privacy bill at a bill markup meeting.

Insurance Industry Reactions

A group that includes the American Council of Life Insurers, the American Property Casualty Insurance Association, the Council of Insurance Agents and Brokers, the Independent Insurance Agents and Brokers of America, the Insured Retirement Institute, the National Association of Insurance and Financial Advisors and the National Association of Mutual Insurance Companies has submitted a joint comment letter welcoming McHenry’s efforts but asking for changes, according to a draft of the letter provided by the ACLI.

The industry group is asking McHenry to:

• Add exceptions to the rules for insurance administration purposes, such as reinsurance and collection of statistical data.
• Limit the need to provide privacy notices to consumers who simply want to see coverage price quotes or make other simple inquiries.
• Eliminate the need to send annual privacy notices to holders of products, such as single-premium annuity products, where there might not be any transactions for a long period of time.
• Ease the rules for how affected entities, such as small insurance agencies, must provide consumers with access to their information.
• Give companies at least two years to comply with any new rules, once the new rules are completed.

The National Association of Insurance Commissioners, a group for state insurance regulators, said that it’s aware of the bill and is engaging with McHenry’s staff.

“We are also watching today’s committee markup and monitoring the bill’s progress,” the NAIC said.

EPIC’s View

The Electronic Privacy Information Center, a privacy rights organization, says the Gramm-Leach-Bliley approach to privacy protection is flawed because consumers lack much ability to use the disclosure and opt-out provisions.

“Even if consumers had the time to read every privacy policy and statement, they would in most cases come away with woefully incomplete information,” EPIC told McHenry. “In reality, very few consumers read these notices or exercise their opt-out option.”

Another problem with H.R. 1165 is that adding consumer data brokers could give the data brokers more protection, by shielding them from state regulation, rather than giving consumers more protection against data brokers, EPIC said.

“Data brokers have sold data on military personnel to foreign adversaries and facilitated elder scams,” EPIC said. “Foreign governments seeking personal data on Americans can simply purchase it from a data broker — no cyberattack needed.”

Lawmakers should not put data brokers under the Gramm-Leach-Bliley data privacy framework unless the privacy protections in H.R. 1165 are imposed and set a higher standard than existing state laws, EPIC argued.

Pictured: House Financial Services Committee Chair Patrick McHenry, R-N.C. (Photo: House)