HBill.html

33-39A-1.
This chapter shall be known and may be cited as the 'Financial Information Privacy Protection Act.'

33-39A-2.
This chapter shall be liberally construed and applied to promote uniformity and functional regulation by:
(1) Implementing Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et seq., herein after referred to as 'GLBA', that requires financial institutions, including insurers, to respect the privacy of their customers and to protect the security and confidentiality of those customers´ nonpublic personal financial information;
(2) Establishing appropriate consumer privacy standards for insurance providers to be administered by this state´s insurance regulatory authorities;
(3) Ensuring, pursuant to Section 6805(c) of GLBA, that this state shall be eligible to override, pursuant to Section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protections prescribed by a federal banking agency under Section 45(a) of such act;
(4) Requiring, pursuant to Sections 6802 and 6803 of GLBA, that insurers maintain a privacy policy that is clearly communicated to customers and, under certain circumstances, to consumers; and that, subject to appropriate exceptions, no nonpublic personal financial information be disclosed to nonaffiliated third parties unless a consumer has been given a chance to opt out of having his or her information disclosed;
(5) Providing for the enforcement of this chapter by the Commissioner of Insurance; and
(6) Authorizing the Commissioner of Insurance to promulgate regulations as determined to be necessary to effectuate the purposes of this chapter.

33-39A-3.
As used in this chapter, the term:
(1) 'Affiliate' means any company that controls, is controlled by, or is under common control with another company.
(2) 'Agent' means any agent, surplus lines broker, subagent, counselor, or adjuster as defined in Code Section 33-23-1.
(3) 'Clear and conspicuous' means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(4) 'Collect' means to obtain information that the licensee organizes or can retrieve by the name of an individual or by an identifying number, symbol, or other particular assigned to the individual, irrespective of the source of the underlying information.
(5) 'Company' means any corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship, or similar organization.
(6)(A) 'Consumer' means an individual, or that individual´s legal representative, who seeks to obtain, obtains, or has obtained an insurance product or service in this state from a licensee that is to be used primarily for personal, family, or household purposes and about whom the licensee has nonpublic personal financial information, including, but not limited to:
(i) An individual who provides nonpublic personal financial information to a licensee in connection with seeking to obtain or obtaining financial, insurance, investment, or economic advisory services regardless of whether the licensee establishes an ongoing relationship;
(ii) An applicant for insurance prior to the inception of insurance coverage;
(iii) An individual who provides nonpublic personal financial information to a licensee in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes, regardless of whether the loan is extended; and
(iv) To the extent that a licensee collects any nonpublic personal financial information for any reason on a beneficiary or claimant, then such beneficiary or claimant shall be deemed a consumer under this chapter.
(B) 'Consumer' does not necessarily include an individual who:
(i) Is a beneficiary of a trust for which the licensee is a trustee;
(ii) Is a third-party liability claimant;
(iii) Has designated the licensee as trustee for a trust;
(iv) Is a consumer of another financial institution to which the licensee acts as agent for, or provides processing or other services;
(v) Is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary; or
(vi) Is covered under a group or blanket insurance policy or group annuity contract issued by the licensee:
(I) Provided that the licensee provides the initial, annual and revised notices under Code Sections 33-39A-20, 33-39A-21, and 33-39A-22 of this chapter to the plan sponsor, group or blanket insurance policyholder, or group annuity contract holder; and
(II) Provided that the licensee does not disclose to a non-affiliated third party nonpublic personal financial information about such an individual other than as permitted under Code Sections 33-39A-60, 33-39A-61, and 33-39A-62 of this chapter.
In no event shall the individual, solely by virtue of the status described in divisions (6)(B)(v) and (6)(B)(vi), be deemed to be a customer for purposes of this chapter.
(7) 'Consumer reporting agency' has the same meaning as in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)) and Code Section 10-1-392 and, for the purposes of this chapter, shall include insurers.
(8) 'Control' means:
(A) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
(B) Control in any manner over the election of a majority of the directors, trustees, or general partners, or individuals exercising similar functions, of the company; or
(C) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Commissioner of Insurance determines.
(9) 'Customer' means a consumer who has a customer relationship with a licensee. In no event, however, shall a beneficiary or a claimant under a policy of insurance, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for the purposes of this chapter if nonpublic personal financial information has not been collected from the beneficiary or claimant by a licensee.
(10) 'Customer relationship' means a continuing relationship between a consumer and a licensee under which the licensee provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. For a 'customer relationship' to be established, a consumer must meet certain criteria, including, but not limited to, the following:
(A) Be a current policyholder of an insurance product or other product issued by or through a licensee; or
(B) Obtain financial, investment, or economic advisory services relating to an insurance product or service from a licensee for a fee.
(11) 'Financial institution' means the same as that term is defined in Section 509(3) of GLBA and is as follows:
(A) The term 'financial institution' means any institution the business of which is engaging in financial activities as described in Section 4(k) of the federal Bank Holding Company Act of 1956;
(B) Notwithstanding subparagraph (A), the term 'financial institution' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the federal Commodity Exchange Act;
(C) Notwithstanding subparagraph (A), the term 'financial institution' does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971; and
(D) Notwithstanding subparagraph (A), the term 'financial institution' does not include institutions chartered by Congress specifically to engage in transactions described in Section 502(e)(1)(C) of the GLBA, so long as such institutions do not sell or transfer nonpublic personal financial information to a nonaffiliated third party.
(12) 'Financial product or service' means any product or service that is offered by a licensee pursuant to this title, including, but not limited to, a licensee´s evaluation or brokerage of information that the licensee collects in connection with a request or an application from a consumer for a financial product or service.
(13) 'Licensee' means a person or other covered entity who is licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered pursuant to this title. A licensee that is a producer or independent insurance agent is subject to all the requirements of this chapter, except when the producer or agent is acting as agent for a licensee. A producer acting as agent for a licensee is exempt only from the notice requirements of this chapter, and only if such producer does not disclose consumer information other than as permitted by Code Sections 33-39A-60, 33-39A-61, and 33-39A-62.
(A) 'Covered entities' shall include unauthorized insurers who place business through licensed surplus line brokers in this state but only in regard to the surplus line placements placed pursuant to Article 2 of Chapter 5 of this title.
(B) Licensed surplus line brokers placing business underwritten by covered entities and those covered entities shall be deemed to be in compliance with the notice and opt-out requirements for nonpublic personal financial information set forth in this chapter provided:
(i) Such licensed surplus line brokers and covered entities do not disclose nonpublic personal financial information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under Code Section 33-39A-60, except as permitted by Code Section 33-39A-61 or 33-39A-62; and
(ii) At the time the customer relationship is established, a single notice is delivered to the consumer on behalf of all such licensed surplus line brokers and covered entities involved in the provision of a financial product or service to a consumer or customer on which the following is printed in 16 point type:

NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR THE INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL FINANCIAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF SUCH BROKER(S) OR SUCH INSURER(S) EXCEPT AS PERMITTED BY LAW.'
(14) 'Nonaffiliated third party' means any person, including, but not limited to, any company that is an affiliate solely by virtue of the licensee´s or its affiliate´s direct or indirect ownership or control of the company conducting:
(A) Merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) of the federal Bank Holding Company Act; or
(B) Insurance company investment activities of the type described in Section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)), except:
(i) The licensee´s affiliate; or
(ii) A person employed jointly by a licensee and any company that is not the licensee´s affiliate. Nonaffiliated third party includes the other company that jointly employs the person.
(15) 'Nonpublic personal financial information' means:
(A) Personally identifiable financial information;
(B) Any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any personally identifiable financial information that is not publicly available; and
(C) Any list of individuals´ names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as policy or contract numbers.
(D) Nonpublic personal financial information does not include:
(i) Health information which shall be governed by the provisions of Chapter 39 of this title;
(ii) Publicly available information, except as included on a list as described in division (iv) of this subparagraph;
(iii) Any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any personally identifiable financial information that is not publicly available; or
(iv) Any list of individuals´ names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
(16) 'Opt out' means a direction by the consumer that a licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Code Sections 33-39A-60, 33-39A-61, and 33-39A-62.
(17) 'Personally identifiable financial information' means financial information:
(A) A consumer provides to a licensee to obtain a financial product or service from the licensee;
(B) About a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer; or
(C) A licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
(18) 'Publicly available information' means any information that the licensee has a reasonable basis to believe is lawfully made available to the general public from:
(A) Federal, state, or local government records;
(B) Widely distributed media; or
(C) Disclosures to the general public that are required to be made by federal, state or local law.
(19) 'Reasonable basis' means the licensee has a reasonable basis to believe that information is lawfully made available to the general public because the licensee has taken steps to determine:
(A) That the information is of the type that is available to the general public; and
(B) Whether an individual can direct that the information not be made available to the general public and, if so, that a licensee´s consumer has not done so.

33-39A-4.
This chapter:
(1) Requires a licensee to provide notice to customers and, under certain circumstances, to consumers about its privacy policies and practices;
(2) Describes the conditions under which a licensee may disclose nonpublic personal financial information about consumers and customers to nonaffiliated third parties;
(3) Provides a method for consumers and customers to prevent a licensee from disclosing that information unless otherwise exempted as routine business disclosures in Code Section 33-39A-60, 33-39A-61, or 33-39A-62;
(4) Establishes reasonable exceptions in Code Sections 33-39A-60, 33-39A-61, and 33-39A-62 of this chapter to the notice requirements of licensees and the ability of consumers and customers to opt out of or authorize certain disclosures; and
(5) Applies only to nonpublic personal financial information about individuals who obtain financial products or services in this state from an insurer for personal, family, or household purposes. This chapter does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes. In particular, this chapter does not apply to commercial insurance policies issued by the licensee.

33-39A-20.
(a) A licensee must provide a clear and conspicuous notice that accurately reflects the licensee´s privacy policies and practices to:
(1) An individual who becomes a licensee´s customer, not later than the time that the licensee establishes a customer relationship, except as provided in subsection (e) of this Code section; and
(2) A consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by Code Sections 33-39A-61 and 33-39A-62.
(b) A licensee is not required to provide an initial notice to a consumer under subsection (a) of this Code section if:
(1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Code Sections 33-39A-61 and 33-39A-62;
(2) The licensee does not have a customer relationship with the consumer; or
(3) A notice has been provided by an affiliated licensee, so long as the notice clearly identifies all licensees to whom the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and the other institutions.
(c)(1) A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship, where the consumer´s status is other than solely a beneficiary or claimant.
(2) A licensee establishes a customer relationship under circumstances including, but not limited to, the following:
(A) When the consumer becomes a policyholder. This occurs when an insurance policy or contract is delivered to the consumer; or
(B) When the consumer agrees to obtain financial, insurance, economic, or investment advisory services from the licensee for a fee.
(d) When an existing customer obtains a new financial product or service from a licensee that is to be used primarily for personal, family, or household purposes, a licensee satisfies the initial notice requirements of subsection (a) of this Code section as follows:
(1) A licensee may provide a revised policy notice, under Code Section 33-39A-25, that covers the customer´s new financial product or service; or
(2) If the initial, revised, or annual notice that a licensee most recently provided to that customer was accurate with respect to the new financial product or service, a licensee does not need to provide a new privacy notice under subsection (a) of this Code section.
(e) A licensee may provide the initial notice required by paragraph (1) of subsection (a) of this Code section within a reasonable time after the licensee establishes a customer relationship if:
(1) Establishing the customer relationship is not at the customer´s election, including, but not limited to, if the licensee acquires or is assigned the insurance policy or related records from another financial institution or residual market mechanism and the customer does not have a choice about such acquisition or assignment; or
(2) Providing notice not later than when the licensee establishes the customer relationship would substantially delay the customer´s transaction, including, but not limited to, when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service, and the customer agrees to receive the notice at a later time.
(f) If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the requirements of subsection (a) of this Code section by providing one initial notice to those consumers jointly.
(g) When a licensee is required to deliver an initial privacy notice by this Code section, a licensee must deliver it according to Code Section 33-39A-26. If a licensee uses a short form initial notice for noncustomers according to subsection (c) of Code Section 33-39A-22, the licensee may deliver its privacy notice according to paragraph (3) of subsection (c) of Code Section 33-39A-22.

33-39A-21.
(a) A licensee must provide a clear and conspicuous notice to a customer that accurately reflects the licensee´s privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12 consecutive month period, but the licensee must apply it to the customer on a consistent basis.
(b) A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a customer relationship. A licensee no longer has a customer relationship with an individual:
(1) If the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
(2) If the individual´s policy is lapsed, expired, or otherwise inactive or dormant under the licensee´s business practices and the licensee has not communicated with the customer about the relationship for a period of 12 consecutive months other than to provide annual privacy notices, materials required by law or regulation, or promotional materials;
(3) If the individual´s last known address according to the licensee´s records is deemed to be invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or
(4) In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received or once the licensee has completed all of its responsibilities with respect to the settlement including filing documents on the public record, whichever is later.
(c) When the licensee is required to deliver an annual privacy notice by this Code section, the licensee must deliver it according to Code Section 33-39A-25.
(d) Such annual notice may be provided by an affiliated licensee, so long as the notice clearly identifies all licensees to which the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and other institutions.

33-39A-22
(a) The initial, annual, and revised privacy notices that a licensee provides under Code Sections 33-39A-20, 33-39A-21, and 33-39A-24 must include each of the following items of information that applies to the licensee or to the consumers to whom the licensee sends its privacy notice, in addition to any other information the licensee wishes to provide:
(1) The categories of nonpublic personal financial information that the licensee collects;
(2) The categories of nonpublic personal financial information that the licensee discloses;
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Code Sections 33-39A-61 and 33-39A-62;
(4) The categories of nonpublic personal financial information about the licensee´s former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about its former customers, other than those parties to whom it discloses information under Code Sections 33-39A-61 and 33-39A-62;
(5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Code Section 33-39A-60 and no other exception applies to that disclosure, a separate statement of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
(6) An explanation of the right under Code Section 33-39A-40 to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise those rights at that time;
(7) Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)), that is, notices regarding the ability to opt out of disclosures of information among affiliates;
(8) The licensee´s policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and
(9) A statement to the effect that the licensee makes disclosures under subsection (b) of this Code section, if such disclosures are made.
(b) If a licensee discloses nonpublic personal financial information about a consumer to third parties only as authorized under Code Sections 33-39A-61 and 33-39A-62, the licensee is not required to list those exceptions in the initial or annual privacy notices required by this chapter. When describing the categories with respect to those parties, a licensee is only required to state that it makes disclosures to other nonaffiliated third parties as permitted by law.
(c)(1) The licensee may satisfy the initial notice requirements of this chapter for a consumer who is not a customer by providing a short form initial notice at the same time as the licensee delivers an opt-out notice as required in Code Section 33-39A-25.
(2) A short form initial notice must:
(A) Be clear and conspicuous;
(B) State that a licensee´s privacy notice is available upon request; and
(C) Explain a reasonable means by which the consumer may obtain that notice, including, but not limited to, providing a toll-free telephone number the consumer may call to request the notice or, for a consumer who conducts business in person in the licensee´s office, providing notice to the consumer immediately upon request.
(3) The licensee must deliver its short form notice according to Code Section 33-39A-25. A licensee is not required to deliver its privacy notice with its short form initial notice. A licensee may instead simply provide the consumer with a reasonable means to obtain the licensee´s privacy notice. If a consumer who receives the licensee´s short form notice requests the licensee´s privacy notice, the licensee must deliver its privacy notice according to Code Section 33-39A-25.
(d) A licensee´s notice may include:
(1) Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future but does not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal financial information.

33-39A-23.
(a) If a licensee is required to provide an opt-out notice under Code Section 33-39A-40, the licensee must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice must state:
(1) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
(2) That the consumer has the right to opt out of that disclosure; and
(3) A reasonable means by which the consumer may exercise the opt out-right, provided that the licensee may require that the consumer opt out through a specified procedure, so long as the procedure is reasonable for that consumer. A licensee provides reasonable procedures to exercise an opt-out right if it:
(A) Designates check off boxes in a prominent position on the relevant forms with the opt-out notice;
(B) Includes a reply form together with the opt-out notice;
(C) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee´s website, if the consumer agrees to the electronic delivery of information;
(D) Provides a toll-free telephone number that consumers may call to opt out; or
(E) Provides the opt-out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with Code Section 33-39A-20.
(b) If a licensee provides the opt-out notice later than required for the initial notice in accordance with subsection (e) of Code Section 33-39A-20, the licensee must also include a copy of the initial notice in writing or, if the consumer agrees, electronically.
(c)(1) If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt-out notice. The licensee´s opt-out notice must explain how the licensee will treat an opt-out direction by a joint consumer as provided in paragraph (2) of this subsection.
(2) Any of the joint consumers may exercise the right to opt out. The licensee may either:
(A) Treat an opt-out direction by a joint consumer as applying to all of the associated joint consumers; or
(B) Permit each joint consumer to opt out separately.
(3) If the licensee permits each joint consumer to opt out separately, the licensee must permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A licensee may not require all joint consumers to opt out before the licensee implements any opt-out direction.
(d) A licensee must comply with a consumer´s opt-out direction as soon as reasonably practicable after the licensee receives it.
(e) A consumer may exercise the right to opt out at any time.
(f)(1) A consumer´s direction to opt out under this Code section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
(2) When a customer relationship terminates, the customer´s opt-out direction continues to apply to the nonpublic personal financial information the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt-out direction that applied to the former relationship does not apply to the new relationship.
(g) When a licensee is required to deliver an opt-out notice by this Code section, the licensee must deliver it in accordance with Code Section 33-39A-25.

33-39A-24.
(a) Except as otherwise authorized in this chapter, a licensee shall not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under Code Section 33-39A-20, unless:
(1) The licensee has provided to the consumer a revised notice that accurately describes the licensee´s policies and practices;
(2) The licensee has provided to the consumer a new opt-out notice and, if appropriate, an authorization as required in Code Section 33-39A-60;
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of or, if appropriate, authorize the disclosure; and
(4) The consumer does not opt out or, if appropriate, the consumer authorizes the disclosure.
(b) When the licensee is required to deliver a revised privacy notice by this Code section, the licensee must deliver it in accordance with Code Section 33-39A-25.

33-39A-25.
(a) A licensee must provide all privacy and opt-out notices, including short form initial notices, that this chapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(1) The licensee may reasonably expect that a consumer will receive actual notice if the licensee:
(A) Hand delivers a printed copy of the notice to the consumer;
(B) Mails a printed copy of the notice to the last known address of the consumer, separately or in a policy, billing, or other written communication;
(C) Electronically, clearly, and conspicuously posts the notice on the electronic site for the consumer who regularly accesses the licensee´s website to conduct transactions; or
(D) For an isolated transaction with the consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
(2) A licensee may not reasonably expect that a consumer will receive actual notice of the licensee´s privacy policies and practices if the licensee:
(A) Only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices; or
(B) Sends the notice via electronic mail to a consumer who does not obtain a financial product or service electronically.
(b) A licensee may reasonably expect that a customer will receive actual notice of the licensee´s annual privacy notice if:
(1) The customer agrees to receive notices at the website, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the website; or
(2) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee´s current privacy notice remains available to the customer upon request.
(c) A licensee may not provide any notice required by this chapter solely by oral explanation of the notice, either in person or over the telephone.
(d) For customers only, a licensee must provide the initial notice, the annual notice, and the revised notice required by this chapter, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically, including, but not limited to, hand delivering a printed copy of the notice to the customer, mailing a printed copy of the notice to the last known address of the customer upon the request of the customer, or making the licensee´s current privacy notice available on a website for the customer who agrees to receive the notice at a website.
(e) A licensee may provide a joint notice from the licensee and one or more of the licensee´s affiliates, other licensees, or other financial institutions or on behalf of another financial institution, so long as the notice is accurate with respect to the licensee and the other institutions.
(f) If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of this chapter by providing one notice to those consumers jointly.

33-39A-26.
(a) No licensee shall unfairly discriminate against any customer or consumer on the basis of the customer´s or consumer´s exercise of his or her right to opt out of the sharing of his or her nonpublic personal financial information in the manner provided in this chapter. Nothing in this Code section shall prohibit licensees from engaging in their usual, appropriate, or acceptable method for insurance underwriting.
(b) Nothing in this chapter requires a licensee to provide a benefit or commence or continue payment of a claim in the absence of nonpublic personal financial information to support or deny the claim.

33-39A-40.
(a) Except as otherwise authorized in this chapter, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(1) The licensee has provided to the consumer an initial notice as required under Code Section 33-39A-20;
(2) The licensee has provided to the consumer an opt-out notice as required in Code Section 33-39A-24;
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure. Methods of complying with this provision include, but are not limited to:
(A) The licensee mailing the notice required in paragraph (1) of this subsection to the consumer and allowing the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the licensee mailed the notice;
(B) A customer opening an on-line account with the licensee and agreeing to receive the notice required in paragraph (1) of this subsection electronically, and the licensee making the notice available to the customer on its website and allowing the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notice in conjunction with opening the account; or
(C) For an isolated transaction, such as providing the consumer with an insurance quote, a licensee providing a reasonable opportunity to opt out if the licensee provides the consumer the notice required in paragraph (1) of this subsection at the time of the transaction and requests that the consumer decide, as a necessary act of the transaction, whether to opt out before completing the transaction; and
(4) The consumer declining the opt-out right.
(b)(1) A licensee must comply with this Code section, regardless of whether the licensee and the consumer have established a customer relationship.
(2) Unless a licensee complies with this Code section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that it has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.

33-39A-41.
(a) If the licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in this chapter, the licensee´s disclosure and use of that information is limited as follows:
(1) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information;
(2) The licensee may disclose the information to its affiliates and agents, but the affiliates and agents may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information; and
(3) The licensee may disclose and use the information pursuant to an exception in Code Section 33-39A-61 or 33-39A-62 in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(b) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in this chapter, the licensee may disclose the information only:
(1) To the affiliates of the financial institution from which the licensee received the information;
(2) To the licensee´s affiliates and agents, but the licensee´s affiliates and agents may, in turn, disclose the information only to the extent that the licensee can disclose the information; and
(3) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(c) If the licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in Code Section 33-39A-61 or 33-39A-62, the third party may disclose and use that information only as follows:
(1) The third party may disclose the information to the licensee´s affiliates;
(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) The third party may disclose and use the information pursuant to an exception in Code Section 33-39A-61 or 33-39A-62 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(d) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in Code Section 33-39A-61 or 33-39A-62, the third party may disclose the information only:
(1) To the licensee´s affiliates;
(2) To the third party´s affiliates, but the third party´s affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.

33-39A-42.
(a) A licensee must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy or contract number or similar form of access number or access code for a consumer´s credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(b) Subsection (a) of this Code section does not apply if the licensee discloses a policy or contract number or similar form of access number or access code:
(1) To the licensee´s agent or service provider solely in order to perform marketing for the licensee´s products or services, so long as the agent or service provider is not authorized to directly initiate charges to the account;
(2) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program; or
(3) To a licensee who is a producer solely in order to perform marketing for the licensee´s own products or services.

33-39A-60
(a) The opt-out requirements of this chapter do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for or functions on behalf of the licensee, if the licensee:
(1) Provides the initial notice in accordance with this chapter; and
(2) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in Code Section 33-39A-61 or 33-39A-62, in the ordinary course of business to carry out those purposes.
(b) A licensee may use and disclose personally identifiable financial information to a person acting on behalf of or at the direction of the licensee to perform the licensee´s insurance functions, including, but not limited to, claims administration; claims adjustment and management; fraud investigation; underwriting; loss control; rate making functions; reinsurance; risk management; case management; disease management; quality assessment; quality improvement; provider credentialing verification; utilization review; peer review activities; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; account administration; processing premium payments; processing insurance claims; administering insurance benefits, including utilization review activities; participating in research projects; and as otherwise required or specifically permitted by federal or state law.
(c) The services performed for a licensee by a nonaffiliated third party under subsection (a) this Code section may include marketing of the licensee´s own products or services or marketing of financial products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
(d) For purposes of this Code section, 'joint agreement' means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

33-39A-61.
(a) The requirements for initial notice to consumers in paragraph (2) of subsection (a) of Code Section 33-39A-20, providing the opt-out opportunity to consumers and customers, and the application of this chapter to service providers and joint marketing do not apply if a licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with:
(1) Servicing or processing a financial product or service requested or authorized by the consumer, including such products or services under consideration by a consumer;
(2) Maintaining or servicing the consumer´s account with the licensee or with another entity;
(3) Transactions involving a person acting as agent of the licensee, provided such agent agrees not to disclose said nonpublic personal financial information to additional third parties; or
(4) A proposed or actual securitization; secondary market sale, including sales of servicing rights; or similar transaction related to a transaction of the consumer.
(b) The requirements of this chapter do not apply if a licensee discloses nonpublic personal financial information for any purpose related to effecting, administering, or replacing a group benefit plan, a group health plan, or a group welfare plan.
(c) 'Necessary to effect, administer, or enforce a transaction' means, in this Code section, that the disclosure is:
(1) Required, or is one of the lawful or appropriate methods, to enforce the licensee´s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) Required, or is a usual, appropriate, or acceptable method:
(A) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer´s account in the ordinary course of providing the financial service or financial product;
(B) To administer, adjudicate, or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(C) To provide a confirmation, statement, or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer´s agent or broker;
(D) To accrue or recognize incentives or bonuses associated with the transaction that are provided by the licensee or any other party;
(E) To underwrite insurance at the consumer´s request or for reinsurance purposes or for any of the following purposes as they relate to a consumer´s insurance: account administration; reporting; investigating; preventing fraud or material misrepresentation; processing premium payments; processing insurance claims; administering insurance benefits, including utilization review activities; participating in research projects; or as otherwise required or specifically permitted by federal or state law; or
(F) In connection with:
(i) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or policy or contract number, or by other payment means;
(ii) The transfer of receivables, accounts, or interests therein; or
(iii) The audit of debit, credit, or other payment information.

33-39A-62.
(a) The requirements for initial notice to consumers in paragraph (2) of subsection (a) of Code Section 33-39A-20, the opportunity to opt out, and the provisions applicable to service providers and joint marketing in this chapter do not apply when a licensee discloses nonpublic personal financial information:
(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
(2) To protect the confidentiality or security of a licensee´s records pertaining to the consumer, service, product, or transaction;
(3) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
(4) For required institutional risk control or for resolving consumer disputes or inquiries;
(5) To persons holding a legal or beneficial interest relating to the consumer;
(6) To persons acting in a fiduciary or representative capacity on behalf of the consumer;
(7) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the licensee, persons that are assessing the licensee´s compliance with industry standards, and the licensee´s attorneys, accountants, and auditors;
(8) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401, et seq.), to law enforcement agencies, including a federal functional regulator, the secretary of the treasury of the United States, with respect to 31 U.S.C. Chapter 53, Subchapter II — Records and Reports on Monetary Instruments and Transactions, and 12 U.S.C. Chapter 21 — Financial Recordkeeping; a state insurance authority, with respect to any person domiciled in that insurance authority´s state that is engaged in providing insurance; the Federal Trade Commission; self-regulatory organizations; or for an investigation on a matter related to public safety;
(9) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681, et seq.) and the fair credit laws of this state;
(10) From a consumer report reported by a consumer reporting agency;
(11) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of such business or unit;
(12) To comply with federal, state, or local laws, rules, and other applicable legal requirements;
(13) To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities;
(14) To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law;
(15) Necessary to provide ongoing health care treatment;
(16) In connection with quality assessment evaluations or investigations;
(17) To reveal a consumer´s general health condition and presence in a facility owned by the licensee;
(18) To a reinsure, stop-loss, or excess loss carrier for the purpose of underwriting, claims adjudication, and conducting claim file audits;
(19) Needed for one of the following purposes:
(A) To identify a deceased individual;
(B) To determine the cause and manner of death by a chief medical examiner or the medical examiner´s designee; or
(C) To provide necessary protected health information about a deceased individual who is a donor of an anatomical gift;
(20) To a state department of insurance that is performing an examination, investigation, or audit of the licensee; or
(21) Pursuant to a court order issued after the court´s determination that the public interest in disclosure outweighs the consumer´s privacy interest and that the information is not reasonably available by other means.
(b) Nothing in this chapter shall be construed as applicable to information disclosures by licensees in connection with the purchase of insurance coverage by the licensee or the arrangement of insurance coverage by the licensee for its employees.

33-39A-80.
(a) Nothing in this chapter shall be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681, et seq.), and no inference shall be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under Section 603 of that act. The protections of the federal Fair Credit Reporting Act (15 U.S.C. 1681, et seq.) shall be fully available and are in no way inconsistent with the intent of this chapter including, but not limited to:
(1) Section 1681g, requiring the disclosure of information to consumers;
(2) Section 1681h, assuring timely disclosures in person or by telephone;
(3) Section 1681i, outlining the summary procedure to contest the accuracy of information; and
(4) Section 1681j, permitting a charge for copies of disclosures.
(b) Nothing in this chapter shall be construed to modify, limit, or supersede the operation of the fair credit law of this state.
(c) Nothing in this chapter shall preempt or supercede existing state law related to medical records, health, or insurance information privacy.

33-39A-81.
(a) No licensee shall knowingly or willfully violate the provisions of this chapter.
(b) The Commissioner shall have power to examine and investigate into the affairs of every licensee doing business in this state to determine whether the licensee has been or is engaged in any conduct in violation of this chapter.

33-39A-82.
(a) Whenever the Commissioner has reason to believe that a licensee has been or is engaged in conduct in this state which violates this chapter, or if the Commissioner believes that a licensee has been or is engaged in conduct outside this state which has an effect on a customer residing in this state and which violates this chapter, the Commissioner shall issue and serve upon such licensee a statement of charges and notice of hearing to be held at a time and place fixed in the notice. The date for such hearing shall be not less than 30 days after the date of service.
(b) At the time and place fixed for such hearing the licensee charged shall have an opportunity to answer the charges against it and present evidence on its behalf. Upon good cause shown, the Commissioner shall permit any adversely affected person to intervene, appear, and be heard at such hearing by counsel or in person.
(c) At any hearing conducted pursuant to this Code section, the Commissioner may administer oaths, examine and cross-examine witnesses, and receive oral and documentary evidence. The Commissioner shall have the power to subpoena witnesses, compel their attendance, and require the production of books, papers, records, correspondence, and other documents which are relevant to the hearing. A stenographic record of the hearing shall be made upon the request of any party or at the discretion of the Commissioner. If no stenographic record is made and if judicial review is sought, the Commissioner shall prepare a statement of the evidence for use on review. Hearings conducted under this Code section shall be governed by the same rules of evidence and procedure as set forth in Chapter 2 of this title.
(d) Statements of charges, notices, orders, and other processes of the Commissioner under this chapter may be served by anyone duly authorized to act on behalf of the Commissioner. Service of process may be completed in the manner provided by law for service of process in civil actions or by registered mail or statutory overnight delivery. A copy of the statement of charges, notice, order, or other process shall be provided to the customer or customers whose rights under this chapter have been allegedly violated. A verified return setting forth the manner of service, or return postcard receipt in the case of registered mail or statutory overnight delivery shall be sufficient proof of service.

33-39A-83.
For the purpose of this chapter, a licensee transacting business outside this state which has an effect on a customer residing in this state shall be deemed to have appointed the Commissioner to accept service of process on its behalf, provided the Commissioner causes a copy of such service to be mailed forthwith by registered mail or statutory overnight delivery to the licensee at its last known principal place of business. The return postcard receipt for such mailing shall be sufficient proof that the same was properly mailed by the Commissioner.

33-39A-84.
(a) If, after a hearing pursuant to Code Section 33-39A-82, the Commissioner determines that the licensee charged has engaged in conduct or practices in violation of this chapter, the Commissioner shall reduce his or her findings to writing and shall issue and cause to be served upon such licensee a copy of such findings and an order requiring such licensee to cease and desist from the conduct or practices constituting violation of this chapter.
(b) If, after a hearing pursuant to Code Section 33-39A-82, the Commissioner determines that the licensee charged has not engaged in conduct or practices in violation of this chapter, the Commissioner shall prepare a written report which sets forth findings of fact and conclusions of law. Such report shall be served upon the licensee charged and upon the customer whose rights under this chapter were allegedly violated.
(c) Until the expiration of the time allowed under Code Section 33-39A-86 for filing a petition for review or until such petition is actually filed, whichever occurs first, the Commissioner may modify or set aside any order or report issued under this Code section. After the expiration of the time allowed under Code Section 33-39A-86 for filing a petition for review, if no such petition has been duly filed, the Commissioner may, after notice and opportunity for hearing, alter, modify, or set aside, in whole or in part, any order or report issued under this Code section whenever conditions of fact or law warrant such action or if the public interest so requires.

33-39A-85.
(a) In any case where a hearing pursuant to Code Section 33-39A-82 results in the finding of a knowing violation of this chapter, the Commissioner may, in addition to the issuance of a cease and desist order as prescribed in Code Section 33-39A-84, order payment of a monetary penalty of not more than $500.00 for each violation but not to exceed $10,000.00 in the aggregate for multiple violations.
(b) Any licensee who violates a cease and desist order of the Commissioner under Code Section 33-39A-84 may, after notice and hearing and upon order of the Commissioner, be subject to one or more of the following penalties, at the discretion of the Commissioner:
(1) A monetary fine of not more than $10,000.00 for each violation;
(2) A monetary fine of not more than $50,000.00 if the Commissioner finds that violations have occurred with such frequency as to constitute a general business practice; or
(3) Suspension or revocation of a licensee´s license.

33-39A-86.
(a) Any licensee subject to an order of the Commissioner under Code Section 33-39A-84 or Code Section 33-39A-85 may obtain a review of any order or report of the Commissioner by filing in the Superior Court of Fulton County, within 30 days from the date of the service of such order or report, a written petition requesting that the order or report of the Commissioner be set aside. A copy of such petition shall be simultaneously served upon the Commissioner, who shall forthwith certify and file in such court a transcript of the entire record of the proceeding giving rise to the order or report which is the subject of the petition. Upon filing of the petition and transcript the court shall have jurisdiction to make and enter a decree modifying, affirming, or reversing any order or report of the Commissioner, in whole or in part. The findings of the Commissioner as to the facts supporting any order or report, if supported by any evidence, shall be conclusive.
(b) To the extent an order or report of the Commissioner is affirmed, the court shall issue its own order commanding obedience to the terms of the order or report of the Commissioner. If a licensee affected by an order or report of the Commissioner shall apply to the court for leave to produce additional evidence and shall show to the satisfaction of the court that such additional evidence is material and that there are reasonable grounds for the failure to produce such evidence in prior proceedings, the court may order such additional evidence to be taken before the Commissioner in such manner and upon such terms and conditions as the court may deem proper. The Commissioner may modify his or her findings of fact or make new findings by reason of the additional evidence so taken and shall file such modified or new findings along with any recommendation, if any, for the modification or revocation of a previous order or report. If supported by clear and convincing evidence, the modified or new findings shall be conclusive as to the matters contained therein.
(c) An order or report issued by the Commissioner under Code Section 33-39A-84 or 33-39A-85 shall become final:
(1) Upon the expiration of the time allowed for the filing of a petition for review, if no such petition has been duly filed except that the Commissioner may modify or set aside an order or report to the extent provided in subsection (c) of Code Section 33-39A-84; or
(2) Upon a final decision of the superior court if it directs that the order or report of the Commissioner be affirmed or the petition for review dismissed.
(d) No order or report of the Commissioner under this chapter or order of the court to enforce the same shall in any way relieve or absolve any licensee affected by such order or report from any liability under any law of this state.

33-39A-87.
No cause of action in the nature of defamation, invasion of privacy, or negligence shall arise against any licensee for disclosing nonpublic personal financial information in accordance with this chapter, nor shall such a cause of action arise against any licensee for furnishing nonpublic personal financial information to a licensee; provided, however, this Code section shall provide no immunity for disclosing or furnishing false nonpublic personal financial information with malice or willful intent to injure any person.

33-39A-88.
Any person who knowingly and willfully obtains information about a customer from a licensee under false pretenses shall be guilty of a misdemeanor.

33-39A-89.
The Commissioner of Insurance may promulgate such rules and regulations necessary to implement and enforce the provisions of this chapter.

33-39A-90.
(a) This chapter shall become effective on July 1, 2001. In order to provide sufficient time for insurers and other licensees to establish policies and systems to comply with the requirements of this chapter, time for compliance with this chapter is extended until January 1, 2002.
(b) By January 1, 2002, the licensee shall have provided an initial notice, as required by Code Section 33-39A-20, to consumers who are the licensee´s customers on January 1, 2002.
(c) Until January 1, 2003, a contract that the licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on its behalf does not need to satisfy the provisions of Code Section 33-39A-60, which provides that the third party maintain the confidentiality of nonpublic personal financial information, so long as the licensee entered into the agreement before July 1, 2001."