| Last Version Text |
<?xml version="1.0" ?>
<ns0:MeasureDoc xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://lc.ca.gov/legalservices/schemas/caml.1#" xmlns:ns3="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" xsi:schemaLocation="http://lc.ca.gov/legalservices/schemas/caml.1# xca.1.xsd">
<ns0:Description>
<ns0:Id>20250SB__035495AMD</ns0:Id>
<ns0:VersionNum>95</ns0:VersionNum>
<ns0:History>
<ns0:Action>
<ns0:ActionText>INTRODUCED</ns0:ActionText>
<ns0:ActionDate>2025-02-12</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_SENATE</ns0:ActionText>
<ns0:ActionDate>2025-03-18</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_SENATE</ns0:ActionText>
<ns0:ActionDate>2025-04-03</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_SENATE</ns0:ActionText>
<ns0:ActionDate>2025-05-01</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_SENATE</ns0:ActionText>
<ns0:ActionDate>2025-05-23</ns0:ActionDate>
</ns0:Action>
</ns0:History>
<ns0:LegislativeInfo>
<ns0:SessionYear>2025</ns0:SessionYear>
<ns0:SessionNum>0</ns0:SessionNum>
<ns0:MeasureType>SB</ns0:MeasureType>
<ns0:MeasureNum>354</ns0:MeasureNum>
<ns0:MeasureState>AMD</ns0:MeasureState>
</ns0:LegislativeInfo>
<ns0:AuthorText authorType="LEAD_AUTHOR">Introduced by Senator Limón</ns0:AuthorText>
<ns0:Authors>
<ns0:Legislator>
<ns0:Contribution>LEAD_AUTHOR</ns0:Contribution>
<ns0:House>SENATE</ns0:House>
<ns0:Name>Limón</ns0:Name>
</ns0:Legislator>
</ns0:Authors>
<ns0:Title>An act to add Article 6.65 (commencing with Section 792) to Chapter 1 of Part 2 of Division 1 of the Insurance Code, relating to insurance. </ns0:Title>
<ns0:RelatingClause>insurance</ns0:RelatingClause>
<ns0:GeneralSubject>
<ns0:Subject>Insurance Consumer Privacy Protection Act of 2025.</ns0:Subject>
</ns0:GeneralSubject>
<ns0:DigestText>
<html:p>The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information that is collected by a business, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. The California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. Existing law, the Insurance Information and Privacy Protection Act, establishes privacy standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents, and insurance-support organizations.</html:p>
<html:p>This bill would enact the Insurance Consumer Privacy Protection Act of 2025
to establish new standards for the collection, processing, retaining, or sharing of consumers’ personal information by insurance licensees and their third-party service providers. The bill would authorize processing of a consumer’s personal information for specified purposes, including in connection with an insurance transaction. The bill would require a licensee to provide a clear and conspicuous privacy notice that includes specified information to a consumer at specified times, and would prohibit the processing of a consumer’s personal information unless it is consistent with and complies with that notice and is reasonably necessary and proportionate to achieve the purposes related to an insurance transaction or other purpose the consumer requested or authorized. The bill would also require a licensee to provide a privacy rights notice, as specified, to each consumer with whom the licensee has an ongoing business relationship. The bill would require a licensee or third-party service provider to obtain a
consumer’s consent to take specified actions, and would set forth the means by which consent is obtained. The bill would authorize a licensee to retain personal information, as specified, and would require a licensee to develop a written records retention policy and schedule. The bill would require a licensee to provide specified information to a consumer if it makes an adverse underwriting decision, and would provide a process by which a consumer may correct, amend, or delete any personal or publicly available information about the consumer in the possession of the licensee or its third-party service providers. The bill would require a contract between a licensee and a third-party service provider to clearly govern the processing of personal information performed on behalf of the licensee. The bill would prohibit retaliation against a consumer because the consumer exercised or attempted to exercise their rights under the act. The bill would prohibit public disclosure of specified systems, processes,
policies, procedures, and plans that are disclosed to the Insurance Commissioner.</html:p>
<html:p>To determine if a licensee or third-party service provider has been or is engaged in any conduct in violation of the act, this bill would authorize the commissioner to examine and investigate the licensee or third-party service provider, then hold a hearing regarding those violations. If a hearing results in a finding of a knowing violation, the bill would require the commissioner to issue a cease and desist order and would authorize a penalty of at least $5,000, not to exceed $1,000,000 in the aggregate for multiple violations. The bill would authorize additional fines and suspension or revocation of the licensee’s license if a cease and desist order is violated. Under the bill, a person who knowingly and willfully obtains information about a consumer from a licensee or third-party service provider under false pretenses would be guilty of a misdemeanor, punishable by a fine of up to
$50,000, imprisonment in a county jail for up to 6 months, or both, thus creating a crime and imposing a state-mandated local program.</html:p>
<html:p>Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.</html:p>
<html:p>This bill would make legislative findings to that effect.</html:p>
<html:p>The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions
establish procedures for making that reimbursement.</html:p>
<html:p>This bill would provide that no reimbursement is required by this act for a specified reason.</html:p>
</ns0:DigestText>
<ns0:DigestKey>
<ns0:VoteRequired>MAJORITY</ns0:VoteRequired>
<ns0:Appropriation>NO</ns0:Appropriation>
<ns0:FiscalCommittee>YES</ns0:FiscalCommittee>
<ns0:LocalProgram>YES</ns0:LocalProgram>
</ns0:DigestKey>
<ns0:MeasureIndicators>
<ns0:ImmediateEffect>NO</ns0:ImmediateEffect>
<ns0:ImmediateEffectFlags>
<ns0:Urgency>NO</ns0:Urgency>
<ns0:TaxLevy>NO</ns0:TaxLevy>
<ns0:Election>NO</ns0:Election>
<ns0:UsualCurrentExpenses>NO</ns0:UsualCurrentExpenses>
<ns0:BudgetBill>NO</ns0:BudgetBill>
<ns0:Prop25TrailerBill>NO</ns0:Prop25TrailerBill>
</ns0:ImmediateEffectFlags>
</ns0:MeasureIndicators>
</ns0:Description>
<ns0:Bill id="bill">
<ns0:Preamble>The people of the State of California do enact as follows:</ns0:Preamble>
<ns0:BillSection id="id_541A0DE2-1B29-48F5-8320-A2BD045EC39E">
<ns0:Num>SECTION 1.</ns0:Num>
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
The Legislature finds and declares all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. Voters acted in response to the accelerating encroachment on personal freedom and security caused by increased data collection and usage in contemporary society. The amendment established a legal and enforceable constitutional right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A major milestone in consumer privacy occurred in 2018, when more than 629,000 California voters signed petitions to qualify the California Consumer Privacy Act of 2018 (CCPA) for the ballot. In response to the measure’s qualification, the Legislature enacted the CCPA into law. The CCPA gives California consumers the right to learn what information a business has collected about them, to delete their personal information, to stop businesses from selling their personal information, including using it to target them with advertisements that follow them as they browse the internet from one internet website to another, and to hold businesses accountable if they do not take reasonable steps to safeguard their personal information.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Even before the CCPA took effect, the
Legislature considered many bills in 2019 to amend the law, some of which would have significantly weakened it. In response, the proponents of the CCPA qualified for the ballot Proposition 24, the California Privacy Rights Act of 2020, which expanded upon the rights granted under the CCPA, and expressly extended the application of the act to licensees. In November 2020, voters approved Proposition 24 by a significant margin, with nearly 9,400,000 votes cast in support.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Despite the mention of insurance business in Proposition 24, California’s insurance privacy laws, last adopted in 1980 and 2002, continue to be decades out of date and lag behind the broadly applicable privacy laws. These legacy laws are not suited to protect insurance consumers, given the data-intensive nature of the insurance business, and the increasingly complex
manner in which insurance businesses collect and use information about consumers.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Privacy is vitally important in the context of the insurance business. More than almost any other industry, insurers require significant amounts of personal information from consumers to properly manage risks. Increasingly, insurance licensees are using sophisticated technologies to collect and process consumers’ personal information, which has increased the volume and sensitivity of personal information that licensees collect about consumers. Developments in insurance business structures have led to increasingly complex contracting arrangements between licensees and service providers, with the attendant risk in supply chain data breaches. However, California’s outdated insurance privacy laws have not kept pace with the changing insurance marketplace.
There is a significant lack of oversight into how much data licensees collect, what purposes it can be used for, who it can be shared with, and how long it can be retained.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
The absence of effective oversight leaves consumers vulnerable. Currently, consumers are presented with privacy notices that are confusing and uninformative, and may also be subject to the overcollection of their personal information, proliferation of that information to recipients not contemplated by the consumer, unwanted marketing contacts, fraud arising from data breaches, underwriting based on data that is stale or unrepresentative, or retaliation for exercising privacy rights, among other risks.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
It is the intent of the Legislature that this act addresses the gaps in consumer protections and gives the
Insurance Commissioner and the Department of Insurance powerful tools to protect consumer privacy, as follows:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Data minimization: ensures that licensees are only collecting personal information related to the insurance transaction requested by the consumer.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Record retention and destruction: ensures that licensees securely destroy personal information that is no longer needed.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Oversight of third-party service provider arrangements: ensures that contractual arrangements between licensees and vendors provide for the security of consumers’ personal information, and that the information will only be used for the service provided by the licensee.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Opt in: ensures that consumers’ personal information will primarily be used to provide the insurance product requested by the consumer, and will not be used for other purposes without the express consent of the consumer.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Limitation on sensitive personal information: ensures that consumers’ sensitive personal information will only be used to provide the insurance product requested by the consumer.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
Notices to consumers: includes reasonable notice requirements to provide consumers with meaningful information about what information is collected, how it is used, to whom it is disclosed, and what rights the consumer has under the law.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
Transparency: ensures that consumers have the opportunity to
control the use of their personal information for purposes other than the insurance transaction.
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
Governance processes and procedures on data use: ensures that licensees establish and follow protocols to protect consumers’ personal information and provide data breach notifications.
</html:p>
<html:p>
(9)
<html:span class="EnSpace"/>
Access and nonretaliation: ensures that consumers have reasonable access to their privacy rights and are not penalized for exercising those rights.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
By enacting this act, the Legislature intends to provide consumers with reasonable privacy protections that address the demands of an information-intensive insurance business climate.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
The Legislature finds and declares that
this act furthers the purpose and intent of the California Privacy Rights Act of 2020.
</html:p>
</ns0:Content>
</ns0:BillSection>
<ns0:BillSection id="id_2FDBDDB0-6359-40D1-9D37-99276ECCB93A">
<ns0:Num>SEC. 2.</ns0:Num>
<ns0:ActionLine action="IS_ADDED" ns3:href="urn:caml:codes:INS:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'1.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'2.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'CHAPTER'%20and%20caml%3ANum%3D'1.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'ARTICLE'%20and%20caml%3ANum%3D'6.65.'%5D)" ns3:label="fractionType: LAW_SPREAD||commencingWith: 792" ns3:type="locator">
Article 6.65 (commencing with Section 792) is added to Chapter 1 of Part 2 of Division 1 of the
<ns0:DocName>Insurance Code</ns0:DocName>
, to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawHeading id="id_BAFB47E3-43D4-41E3-A0F4-90F586A57739" type="ARTICLE">
<ns0:Num>6.65.</ns0:Num>
<ns0:LawHeadingVersion id="id_8E659F05-C943-4C6C-98EB-4AA024B044DD">
<ns0:LawHeadingText>Insurance Consumer Privacy Protection Act of 2025</ns0:LawHeadingText>
</ns0:LawHeadingVersion>
<ns0:LawSection id="id_801C9B0D-C475-4F6F-A4D2-68AAAB957AD6">
<ns0:Num>792.</ns0:Num>
<ns0:LawSectionVersion id="id_F74E1BAC-CBFE-4BC3-97BE-97AAD4EA84CA">
<ns0:Content>
<html:p>The purpose of this article is to establish standards for the collection, processing, retaining, or sharing, collectively known as “processing,” of consumers’ personal information by licensees and their third-party service providers to maintain a balance between the need for information by those in the business of insurance and consumers’ need for fairness and protection in the processing of consumers’ personal information. These standards address the need to do all of the following:</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
Protect consumers’ personal information processed by licensees or their third-party service providers.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
Inform consumers of the categories of
personal information that are processed.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Inform consumers of the categories of sources from which consumers’ personal information is collected, and identify recipients when that information is shared.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Permit consumers to choose whether or not to opt in to the sharing of their personal information by licensees for purposes other than insurance transactions in certain circumstances.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
Permit individual consumers to request access to their personal information to verify or dispute the accuracy of the information.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
Inform consumers of the reasons for adverse underwriting decisions.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
Require data minimization practices for all licensees and their third-party service providers in the processing of consumers’ personal information.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
Provide accountability for the improper processing of consumers’ personal information by licensees and their third-party service providers in violation of this article.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_BA73E857-D6B4-4E16-9643-DAD0F08217B6">
<ns0:Num>792.100.</ns0:Num>
<ns0:LawSectionVersion id="id_B8417DB5-DE29-444E-8FB5-0E1F4B6B609D">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
On and after the operative date of this article, the obligations imposed by this article shall apply to a licensee and the licensee’s third-party service providers that do any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Process consumers’ personal information in connection with the business of insurance.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Engage in insurance transactions with consumers.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Engage in activities not related to insurance transactions involving consumers’ personal information.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The obligations imposed by this article
shall not apply to depository institutions or affiliates of depository institutions that are subject to the Gramm-Leach-Bliley Act (Subchapter I (commencing with Section 6801) of Chapter 94 of Title 15 of the United States Code), unless the affiliates are licensees for purposes of this article.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
The obligations imposed by this article shall not apply to a provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance
Portability and Accountability Act of 1996 (Public Law 104-191).
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A “third-party service provider” does not include a provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
For purposes of this subdivision, “medical information” and “provider of health care” have the same meanings as defined in Section 56.05 of the Civil Code, and “business associate,” “covered entity,” and “protected health information” have the same meanings as
defined in Section 160.103 of Title 45 of the Code of Federal Regulations.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Notwithstanding paragraphs (1) and (2), this article applies to a disability insurer licensed pursuant to Section 106 that is not regulated as a health care service plan pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_9E925A04-CF41-4CF2-A056-B81DD6C059D2">
<ns0:Num>792.105.</ns0:Num>
<ns0:LawSectionVersion id="id_811648E4-8D4B-4DAA-B345-E8FEAB68A3E7">
<ns0:Content>
<html:p>The protections of this article shall extend to a consumer who meets any of the following criteria:</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
Whose personal information is processed in connection with an insurance transaction.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
Who has previously engaged in insurance transactions with a licensee or third-party service provider involving the consumers’ personal information.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Whose personal information is used for purposes other than insurance transactions by licensees and third-party service providers.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_E65ABE75-AB7A-4E86-9002-81F7EAD6E805">
<ns0:Num>792.110.</ns0:Num>
<ns0:LawSectionVersion id="id_DFD02792-CB46-4352-AB6C-B5B55AE809DA">
<ns0:Content>
<html:p>For purposes of this article:</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
“Address of record” means either of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A consumer’s last known United States Postal Service (USPS) mailing address shown in the licensee’s records.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A consumer’s last known email address as shown in the licensee’s records, if the consumer has consented to conducting business electronically pursuant to Title 2.5 (commencing with Section 1633.1) of Part 2 of Division 3 of the Civil Code.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
“Adverse underwriting decision” means any of the following actions
by a licensee or producer in the business of insurance:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A denial, in whole or in part, of insurance coverage requested by a consumer, including a reduction in coverage limits or scope of coverage.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A termination of insurance coverage for reasons other than nonpayment of premium or, for title insurance coverage, for reasons other than transfer of title to the insured property or satisfaction or release of the insured lien interest.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
A rescission of the insurance policy.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Refusing to renew an existing insurance policy or offering to renew an existing insurance policy at higher than standard rates.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Any of the following for property or casualty insurance coverage:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Placement by a licensee of a risk with a residual market mechanism or an insurer that specializes in substandard risks.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Placement by an insurer or producer of a risk with an insurer not approved to conduct business in this state.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Charging a higher rate based on information that differs from the information that the consumer furnished.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
For life, health, or disability insurance coverage, an offer to insure at higher than standard rates.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
“Affiliate” or “affiliated” means a person that directly, or indirectly
through one or more intermediaries, controls, is controlled by, or is under common control with another person. For purposes of this definition, “control” means any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Ownership of, or power to vote with an interest equaling 25 percent or more of the outstanding shares of a class of voting security of the company, directly or indirectly, or acting through one or more other persons.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Control over the election of a majority of the directors, trustees, or general partners of the company, or individuals exercising similar functions of the company.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner
determines.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
“Aggregated consumer information” means information that relates to a group or category of consumers, that is deidentified, and that is not linked or reasonably linkable to a consumer, household, or specific electronic device.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
“Applicant” means a person who seeks to contract for insurance coverage, other than a person seeking group insurance that is not individually underwritten.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
“Biometric information” means an individual’s physiological, biological, or behavioral characteristics that can be used, singly or in combination with other identifying information, to establish a consumer’s identity. Biometric information may include an iris or retina scan, fingerprint, face, hand, palm, ear, vein pattern,
and voiceprint, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, or any other means to identify an individual.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
“Clear and conspicuous notice” means a notice that is reasonably understandable and designed to call attention to the nature and significance of its contents.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
“Collect” or “collecting” means buying, renting, gathering, obtaining, receiving, or accessing a consumer’s personal information.
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
“Commissioner” means the Insurance Commissioner.
</html:p>
<html:p>
(j)
<html:span class="EnSpace"/>
“Consent” means a freely given, specific, informed, and unambiguous
indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.
</html:p>
<html:p>
(k)
<html:span class="EnSpace"/>
“Consumer” means an individual who is a resident of California whose personal information is processed, may be processed, or has been processed in the business of insurance, including a current or former applicant, claimant, beneficiary, policyholder, insured, participant, annuitant, employee, or certificate holder. “Consumer” includes an individual’s legal representative.
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A consumer is in an ongoing
business relationship with a licensee if there is a continuing relationship between the consumer and the licensee based on one or more insurance transactions provided by the licensee. For title insurance, continuation of coverage under an existing policy does not constitute an ongoing business relationship unless or until there is a claim, renewal, or modification.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A consumer is a resident of this state if the consumer’s last known mailing address, as shown in the records of the licensee, is in this state unless the last known address of record is deemed invalid pursuant to subdivision (h) of Section 792.175.
</html:p>
<html:p>
(l)
<html:span class="EnSpace"/>
“Consumer report” has the same meaning as defined in Section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681a(d)).
</html:p>
<html:p>
(m)
<html:span class="EnSpace"/>
“Consumer reporting agency” has the same meaning as defined in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681a(f)).
</html:p>
<html:p>
(n)
<html:span class="EnSpace"/>
“Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.
</html:p>
<html:p>
(o)
<html:span class="EnSpace"/>
“Deidentified information” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a licensee that uses deidentified information meets all the following criteria:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Has implemented technical safeguards designed to
prohibit reidentification of the consumer to whom the information may pertain.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Has implemented reasonable business policies that specifically prohibit reidentification of the information.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Has implemented business processes designed to prevent inadvertent release of deidentified information.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Makes no attempt to reidentify the information.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Does not retain any sensitive personal information.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
Other requirements pertaining to deidentification that the commissioner specifies in regulation.
</html:p>
<html:p>
(p)
<html:span class="EnSpace"/>
“Delete” and “deleted” means to
remove or destroy personal information by permanently erasing the personal information on existing systems so that it is not maintained in human or machine-readable form and cannot be retrieved or utilized in that form.
</html:p>
<html:p>
(q)
<html:span class="EnSpace"/>
“Digital application” means an application that a consumer accesses and manipulates using a specialized electronic device, computer, mobile device, tablet, or other device with a display screen, including any add-ons or additional content for that application.
</html:p>
<html:p>
(r)
<html:span class="EnSpace"/>
“Financial product or service” means a product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to that financial activity pursuant to Section 4(k) of the federal Bank Holding Company Act of 1956 (12 U.S.C. Sec.
1843(k)). “Financial service” includes a financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
</html:p>
<html:p>
(s)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
Subject to paragraphs (2) and (3), “genetic information” means information about any of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
An individual’s genetic tests.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The genetic tests of family members of an individual.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
The manifestation of a disease or disorder in family members of an individual.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
A request for, or receipt of, genetic services, or
participation in clinical research that includes genetic services, by an individual or a family member of the individual.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Genetic information” concerning an individual or family member of an individual includes the genetic information of both of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
A fetus carried by the individual or family member who is pregnant.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
An embryo legally held by an individual or family member utilizing an assisted reproductive technology.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
“Genetic information” does not include information about the sex or age of any individual.
</html:p>
<html:p>
(t)
<html:span class="EnSpace"/>
“Health care” means both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, procedures, tests, or counseling that does either of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Relates to the physical, mental, or behavioral condition of an individual.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Prescribing, dispensing, or furnishing drugs or biologicals, medical devices, or health care equipment and supplies to an individual.
</html:p>
<html:p>
(u)
<html:span class="EnSpace"/>
“Health care provider” means a health care provider, as defined
by Section 160.103 of Title 45 of the Code of Federal Regulations, who meets the licensing, certification, or other accreditation required by state law to provide health care.
</html:p>
<html:p>
(v)
<html:span class="EnSpace"/>
“Health information” means a consumer’s information or data, except age or gender, created by or derived from a health care provider or the consumer that relates to any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The past, present, or future physical, mental, or behavioral health or condition of an individual.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The genetic information of an individual.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The provision of health care to an individual.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Payment for the provision of health care to
an individual.
</html:p>
<html:p>
(w)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
“Insurance support organization” means a person who regularly engages in the processing of a consumer’s information for the primary purpose of providing insurers or producers with information in connection with the business of insurance, including any of the following actions:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
The furnishing of consumer reports or investigative consumer reports to licensees or other insurance support organizations for use in connection with the business of insurance.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The processing of personal information from licensees or other insurance support organizations to detect or prevent insurance fraud and insurance crime, material misrepresentation, or material nondisclosure in connection with
the business of insurance.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
The processing of personal information in connection with an insurance transaction that may have an application in transactions or activities other than insurance transactions.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Insurance support organization” does not include producers, government institutions, insurers, health care providers, reinsurers, and third-party service providers. However, “insurance support organizations” shall otherwise be subject to the requirements pertaining to third-party service providers pursuant to this article.
</html:p>
<html:p>
(x)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
“Insurance transaction” means a transaction or service by or on behalf of a licensee and its affiliates related to any of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
The underwriting or the determination of a consumer’s eligibility for or the amount of insurance coverage, rate, benefit, payment, or claim settlement.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Licensees or third-party service providers performing services, including maintaining or servicing accounts, providing customer service, processing requests or transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or any similar services.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Provision of “value-added services or benefits” in connection with the business of insurance.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Processing of personal information using algorithmic or automated
decisionmaking means.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
An actuarial study related to rating, risk management, or exempt research activities conducted by or for the benefit of the
licensee using consumers’ personal information.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
The short-term, transient use of a consumer’s personal information in connection with the consumer’s current interaction with the licensee, including nonpersonalized advertising shown as part of a consumer’s current interaction with the licensee, if the consumer’s personal information is not otherwise shared or sold and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the licensee.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Detection or prevention of insurance fraud, crime related to insurance claims, material misrepresentation, or material nondisclosure.
</html:p>
<html:p>
(H)
<html:span class="EnSpace"/>
Providing personal information to statistical agents, reinsurers,
or insurance support organizations, provided that the personal information is only used for the purposes for which it is shared.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Insurance transaction” does not include processing related to marketing or research.
</html:p>
<html:p>
(y)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
“Insurer” means any of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
A corporation, association, or partnership required to be licensed by the commissioner to assume risk or otherwise authorized to assume risk, including a reciprocal exchange, interinsurer, fraternal benefit society, or multiple-employer welfare
arrangement.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
A self-funded plan subject to regulation by the commissioner.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
A preferred provider organization administrator.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Insurer” does not include producers, insurance support organizations, foreign-domiciled risk retention groups, reinsurers, or surplus line insurers.
</html:p>
<html:p>
(z)
<html:span class="EnSpace"/>
“Investigative consumer report” means a consumer report or portion of a consumer report in which information about an individual’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the individual’s neighbors, friends, associates, acquaintances, or others who may have knowledge concerning that
information. However, that information does not include specific factual information on a consumer’s credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when the information was obtained directly from a creditor of the consumer or from the consumer.
</html:p>
<html:p>
(aa)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
“Licensee” means a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to this code, including all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
An insurer.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
A producer.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
A surplus line insurer.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
A director, officer, employee, or
agent of a licensee.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
</html:p>
<html:p>
(ab)
<html:span class="EnSpace"/>
“Neural data” means information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.
</html:p>
<html:p>
(ac)
<html:span class="EnSpace"/>
“Nonadmitted insurer” means an insurer that has not been granted a certificate of authority or is not otherwise authorized by the commissioner to transact the business of insurance in this state.
</html:p>
<html:p>
(ad)
<html:span class="EnSpace"/>
“Person” means an
individual, corporation, association, partnership, or other legal entity. “Person” does not include a governmental entity.
</html:p>
<html:p>
(ae)
<html:span class="EnSpace"/>
“Personal information” means information processed in the business of insurance that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
“Personal information” includes any of the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Identifiers such as a real name, alias, postal address, unique personal identifier,
online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Personal information described in subdivision (e) of Section 1798.80 of the Civil Code.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Characteristics of protected classifications pursuant to state or federal law.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Biometric information.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
Internet or other electronic network activity
information, including browsing history, search history, and information
regarding a consumer’s interaction with an internet website application or advertisement.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Geolocation data.
</html:p>
<html:p>
(H)
<html:span class="EnSpace"/>
Auditory, electronic, visual, thermal, olfactory, or other sensory information.
</html:p>
<html:p>
(I)
<html:span class="EnSpace"/>
Professional or employment-related information.
</html:p>
<html:p>
(J)
<html:span class="EnSpace"/>
Education information that is not publicly available, personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g) and related regulations (Part 99 (commencing with Section 99.1) of Title 34 of the Code of Federal Regulations).
</html:p>
<html:p>
(K)
<html:span class="EnSpace"/>
Inferences drawn from any of the information
identified in this paragraph to create a profile about a consumer reflecting the consumer’s preferences, characteristics, character, habits, avocations, finances, occupation, general reputation, credit, health, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
</html:p>
<html:p>
(L)
<html:span class="EnSpace"/>
Sensitive personal information.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern.
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
For purposes of this paragraph, “publicly available” means any of the following:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
Information that is lawfully made available from federal, state, or
local government records.
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
Information that a licensee, reinsurer, or third-party service provider has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.
</html:p>
<html:p>
(iii)
<html:span class="EnSpace"/>
Information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.
</html:p>
<html:p>
(iv)
<html:span class="EnSpace"/>
Records evidencing interest in real property that have been accurately transcribed from a county recorder’s records into a title plant owned by an insurer licensed to transact title insurance, as defined in Section 104.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
“Publicly available” does not mean biometric information collected about a consumer without the consumer’s knowledge.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
“Personal information” can exist in various formats, including all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Physical formats, including paper documents, printed images, vinyl records, or video tapes.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Digital formats, including text, image, audio, or video files.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Abstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
“Personal
information” does not include aggregated consumer information, deidentified information, or publicly available information.
</html:p>
<html:p>
(af)
<html:span class="EnSpace"/>
“Precise geolocation” means data that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, including trip or routing information that might be used to predict the travel habits of a consumer, except as prescribed by regulations.
</html:p>
<html:p>
(ag)
<html:span class="EnSpace"/>
“Privileged information” means personal information that is collected in connection with or in reasonable anticipation of a claim for insurance benefits or a civil or criminal proceeding involving a consumer, until the claim or proceeding is finalized. However, information that otherwise meets the requirements of this
article shall nevertheless be considered “personal information” if it is disclosed in violation of this article.
</html:p>
<html:p>
(ah)
<html:span class="EnSpace"/>
To “process,” “processing,” or a “process” means an operation or set of operations performed by a licensee, reinsurer, surplus line insurer, or third-party service provider, by manual or automated means, on the personal information or sets of personal information of a consumer, including the collection, use, sharing, storage, disclosure, analysis, deletion, retention, or modification of personal information.
</html:p>
<html:p>
(ai)
<html:span class="EnSpace"/>
“Producer” means a person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section
1831).
</html:p>
<html:p>
(aj)
<html:span class="EnSpace"/>
“Publicly available” means information about a consumer that a licensee has a reasonable basis to believe is lawfully made available from any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Federal, state, or local government records.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Widely distributed media.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Disclosures to the general public that are required to be made pursuant to federal, state, or local law.
</html:p>
<html:p>
(ak)
<html:span class="EnSpace"/>
“Reinsurer” means a legal entity primarily engaged in assuming all or part of the risk associated with existing insurance policies originally underwritten by insurers, or a legal entity known as a retrocessionaire that accepts all or part of one
or more reinsurance policies issued by a reinsurer.
</html:p>
<html:p>
(al)
<html:span class="EnSpace"/>
“Research activities” means systemic investigation, including development, testing, and evaluation, designed to develop or contribute to generalizable knowledge if there is sharing of personal information with nonaffiliated third parties. “Research activities” does not mean any of the following if part of an insurance transaction:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Relating to rating or risk management.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
For actuarial studies.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Disclosure to an insurance support organization.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Subject to a research university internal review board or privacy board approval that
requires use of a process that follows confidentiality best practices and if a contract agreeing to that protection has been executed.
</html:p>
<html:p>
(am)
<html:span class="EnSpace"/>
“Residual market mechanism” means the California FAIR Plan Association established pursuant to Chapter 9 (commencing with Section 10090) of Part 1 of Division 2, the assigned risk plan established pursuant to Chapter 1 (commencing with Section 11550) of Part 3 of Division 2, and the State Compensation Insurance Fund established pursuant to Chapter 4 (commencing with Section 11770) of Part 3 of Division 2.
</html:p>
<html:p>
(an)
<html:span class="EnSpace"/>
“Retain,” “retention,” or “retaining” means storing or archiving personal information that is in the continuous possession, use, or control of licensee or a licensee’s third-party service
provider.
</html:p>
<html:p>
(ao)
<html:span class="EnSpace"/>
“Sale,” “sell,” or “selling” means the exchange of personal information to a third party for monetary or other valuable consideration. “Sale” of personal information does not include any of the following sharing of personal information:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Disclosing information to a third-party service provider for the purpose of or in support of providing an insurance or financial product or service requested by the consumer.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Sharing with or receiving information from an insurance support organization, statistical agent, or reinsurer.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Providing information to an affiliate.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Transferring personal information to a third party as an asset pursuant to a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the party assumes control of all or part of the licensee’s assets.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Disclosure pursuant to a consumer’s direction to the licensee to disclose personal information to, or interact with, one or more licensees or other financial institutions.
</html:p>
<html:p>
(ap)
<html:span class="EnSpace"/>
“Sensitive personal information” means personal information, including all of the following, of a consumer:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Social security, driver’s license, state identification card, or passport number.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Precise geolocation.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Content of personal mail, personal email, personal text messages, or personal voice or video communications, unless the person in possession is the intended recipient of the communication.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
Genetic or neural data.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
Information about the consumer’s sex
life or sexual orientation.
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
Health information.
</html:p>
<html:p>
(9)
<html:span class="EnSpace"/>
Biometric information.
</html:p>
<html:p>
(10)
<html:span class="EnSpace"/>
Additional items specified by the commissioner in regulation.
</html:p>
<html:p>
(aq)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by a licensee or third-party service provider to a third party, whether or not for monetary or other valuable consideration, including transactions between a licensee or third-party service provider and a third party for the benefit of
any person, in which no money is exchanged.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A licensee or third-party service provider does not share personal information when any of the following occurs:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
A consumer uses or directs the licensee or third-party service provider to intentionally disclose personal information or intentionally interact with one or more third parties.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The licensee or third-party service provider uses or shares an identifier for a consumer who has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s
sensitive personal information.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
The licensee or third-party service provider transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, if that information is used or shared consistently with this article. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their consent consistently with this article. This subparagraph does not authorize a person to make
material, retroactive privacy policy changes or make other changes to a privacy policy in a manner that would violate the Unfair Practices Act (Chapter 4 (commencing with Section 17000) of Part 2 of Division 7 of the Business and Professions Code).
</html:p>
<html:p>
(ar)
<html:span class="EnSpace"/>
“Statistical agent” means an entity that has been designated by the commissioner to collect statistics from licensees and provide reports developed from those statistics to the commissioner for the purpose of fulfilling the statistical reporting obligations of those licensees.
</html:p>
<html:p>
(as)
<html:span class="EnSpace"/>
“Surplus line insurer” means a nonadmitted insurer that accepts business placed through a licensed surplus line broker pursuant to Chapter 6 (commencing with Section 1760).
</html:p>
<html:p>
(at)
<html:span class="EnSpace"/>
“Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than failing to pay a premium as required by the policy.
</html:p>
<html:p>
(au)
<html:span class="EnSpace"/>
“Third-party service provider” means a person, including directors, officers, employees, and agents thereof, that contracts with a licensee that provides services to the licensee, and processes, shares, or otherwise is permitted access to personal information through its provision of services to the licensee. “Third-party service provider” includes insurance support organizations and a person with whom a licensee does not have a continuing business relationship and does not have a contract, but may have to share personal or publicly available information in connection with an insurance
transaction pursuant to subdivision (c) of Section 792.115. “Third-party service provider” does not include governmental entities, licensees, affiliates of licensees, or reinsurers.
</html:p>
<html:p>
(av)
<html:span class="EnSpace"/>
“Value-added service or benefit” means a product or service that meets both of the following criteria:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Relates to insurance coverage applied for or purchased by a consumer.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Is primarily designed to satisfy one or more of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Provide loss mitigation or loss control services or products designed to mitigate risks related to the insurance requested by or offered to a consumer.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Reduce
claim costs or claim settlement costs.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Provide education about liability risks or risk of loss to persons or property.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Monitor or assess risk, identify sources of risk, or develop strategies for eliminating or reducing risk.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Enhance the health of the consumer, including care coordination.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
Enhance financial wellness of the consumer through education or financial planning services.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Provide post-loss services.
</html:p>
<html:p>
(H)
<html:span class="EnSpace"/>
Incentivize behavioral changes to improve the health or reduce the risk of death or disability of a
policyholder, potential policyholder, certificate holder, potential certificate holder, insured, potential insured, or applicant.
</html:p>
<html:p>
(I)
<html:span class="EnSpace"/>
Assist in the administration of employee or retiree benefit insurance coverage.
</html:p>
<html:p>
(aw)
<html:span class="EnSpace"/>
“Verifiable request” means a request that the licensee can reasonably verify, using commercially reasonable methods, made by the consumer whose personal information is the subject of the request or by a person authorized by the consumer to act on the consumer’s behalf.
</html:p>
<html:p>
(ax)
<html:span class="EnSpace"/>
“Written” or “in writing” includes a writing, including electronic communications subject to the Uniform Electronic Transactions Act (Title 2.5 (commencing with Section 1633.1) of Part 2 of Division 3 of the Civil
Code).
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_06C21609-3FDD-4B2F-A966-EBE9CDE218EE">
<ns0:Num>792.115.</ns0:Num>
<ns0:LawSectionVersion id="id_8AD3AE9E-9359-4BCD-9208-06DCD9EF8260">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A licensee shall exercise due diligence in selecting and overseeing its third-party service providers. A licensee shall develop written procedures for the selection and oversight of third-party service providers and shall make them available to the commissioner upon request. A licensee’s procedures developed pursuant to this section shall be confidential and not subject to public disclosure requests made pursuant to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A contract between a licensee and a third-party service provider shall govern the processing of personal information performed
on behalf of the licensee. The contract shall contain clear instructions for processing personal information, the nature and purpose of processing, the types of personal information subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the third-party service provider shall do all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the personal information, and only uses the personal information for legitimate duties as assigned.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Develop and maintain a program of administrative, technical, and physical safeguards sufficient to ensure the confidentiality, integrity, and availability of personal
information provided by the licensee.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Promptly report to the licensee and the commissioner any incident affecting the confidentiality, integrity, or availability of personal information, including an event constituting a breach pursuant to subdivision (g) of Section 1798.82 the Civil Code.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Unless retention of the personal information is otherwise required by law, delete the personal information as of the date specified in the contract between the licensee and third-party service provider, or upon the conclusion of the provision of services, unless the licensee specifies an earlier destruction date.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Upon the reasonable request of the licensee, make available to the licensee all information in its possession
necessary to demonstrate the third-party service provider’s compliance with this article.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
Provide reasonable assistance to the commissioner with respect to an investigation or proceeding pursuant to this code, or to the licensee with respect to a consumer request pursuant to this article.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
Engage a subcontractor pursuant to a written contract that requires the subcontractor to comply with the same obligations as the third-party service provider with respect to the personal information.
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
Not further process or disclose the personal information obtained from or on behalf of the licensee other than as specifically stated in the contract.
</html:p>
<html:p>
(9)
<html:span class="EnSpace"/>
Promptly notify the licensee if the third-party service provider is no longer able to comply with its obligations under the contract, in which case the licensee has the right to terminate the contract.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Notwithstanding subdivision (b), in connection with an insurance transaction, a licensee may share a consumer’s personal
information with a third-party service provider with whom the licensee has no ongoing business relationship and with whom the licensee has no written contract with the consent of the consumer and only to the extent necessary to provide the temporary service requested by the licensee on behalf of the consumer.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
The section applies to a contract between a licensee and a third-party service provider that is executed, amended, or renewed after the effective date of this article. If a licensee has an in-force contract with a third-party service provider that collects, processes, retains, or shares any consumer’s personal information, and the contract has not been renewed after the effective date of this article, the licensee shall notify the third-party service provider of the requirements of this article.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
This article applies only to a third-party service provider that processes personal information on behalf of a licensee, or in the business of insurance.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_5F998D21-3D00-49B4-86B8-57DF0225ACD4">
<ns0:Num>792.120.</ns0:Num>
<ns0:LawSectionVersion id="id_7965C7DA-B6EC-417D-B940-7F1F75F80C8F">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A licensee shall not process a consumer’s personal information unless both of the following are true:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The collection, processing, retention, or sharing of the consumer’s personal information is consistent with and complies with the most recent privacy notice provided to the consumer by the licensee.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The processing and retention of the consumer’s personal information is reasonably necessary and proportionate to achieve the purposes related to an insurance transaction or other purpose the consumer requested or authorized, and not further processed in a manner that is incompatible with those
purposes.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A licensee shall not permit an employee to collect, process, retain, or share a consumer’s personal information, except as relevant and necessary as part of that employee’s assigned duties.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A licensee shall not process a consumer’s sensitive personal information, other than in relation to an insurance transaction.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A reinsurer, third-party service provider, or surplus line insurer shall not process a consumer’s personal information unless all of the following are true, as applicable:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The processing is in compliance with this article.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The processing of the consumer’s personal
information is consistent with and complies with the most recent privacy notice provided by the reinsurer, third-party service provider, or surplus line insurer on its internet website.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
With respect to reinsurers, the processing of the consumer’s personal information is reasonably necessary and proportionate to achieve the purposes related to the reinsurance transaction and not further processed in a manner that is incompatible with those purposes.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
With respect to third-party service providers and surplus line insurers, the processing of the consumer’s personal information is reasonably necessary and proportionate to achieve the purposes related to the purposes for which the third-party service provider or surplus line insurer collected the information and not further
processed in a manner that is incompatible with those purposes.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
Other than pursuant to a contract with a licensee pursuant to Section 792.115, a reinsurer, third-party service provider, or surplus line insurer shall not process a consumer’s personal information obtained in the business of insurance for a purpose unrelated to an insurance transaction.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
An affiliate that processes information received from, or on behalf of, a licensee shall be subject to the same requirements under this article as are applicable to the licensee.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_882C796F-C955-49C1-919A-6BA385CB92D2">
<ns0:Num>792.125.</ns0:Num>
<ns0:LawSectionVersion id="id_260A8F09-E23F-43EA-BCDA-D36B717517EF">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
Consistent with this article, a licensee may process a consumer’s personal information as necessary for all of the following purposes:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
In connection with an insurance transaction.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
For compliance with a request or directive from a law enforcement or insurance regulatory authority or an administrative, criminal, or civil legal process, arbitration, or any other legal requirement or order that is binding upon the licensee, so long as that law does not interfere with state law, including the Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division
106 of the Health and Safety Code).
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
When otherwise specifically required by state law.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
For a lienholder, mortgagee, assignee, lessor, or other person shown on the records of a licensee as having a legal or beneficial interest in an insurance policy, to protect that interest, if both of the following are true:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Health information is not shared, unless the sharing would otherwise be permitted by this section.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The information shared is limited to that which is reasonably necessary to protect the requestor’s legal interests in the policy.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
To permit a party or a representative of a party
to a proposed or consummated sale, transfer, merger, or consolidation of all or part of the business of the licensee to review the information necessary for the transaction, if both of the following are true:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Before the consummation of the sale, transfer, merger, or consolidation information is only shared as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The recipient agrees not to share the acquired personal information for purposes other than the sale, transfer, merger, or consolidation.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
To permit a group policyholder to report claims experience or conduct an audit of the operations or services of a licensee, if the
information shared is reasonably necessary for the group policyholder to make the report or conduct the audit and is not otherwise shared.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
To permit a governmental authority to determine the consumer’s eligibility for health care benefits for which the governmental authority may be liable, so long as any disclosure does not interfere with state law, including the Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
In connection with the marketing of a product or service, after receiving affirmative consent from the consumer to use the consumer’s information in connection with specific marketing activity to which the consumer has consented.
</html:p>
<html:p>
(9)
<html:span class="EnSpace"/>
In connection with research activity, after receiving affirmative consent from the consumer to use the consumer’s information in connection with specific research activity to which the consumer has consented.
</html:p>
<html:p>
(10)
<html:span class="EnSpace"/>
In connection with the joint marketing of cobranded financial products or services between a licensee and a financial institution, provided that all of the following are true:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
The consumer is provided with notice and the ability to opt out of the joint marketing activity, and has not done so.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Personal information is only processed pursuant to a contract complying with the requirements of subdivision (b) of Section 792.115.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Only the following elements of personal information are shared and processed for purposes of the joint marketing activity, including providing notice and the opportunity to opt out:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
Name.
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
Address or email address.
</html:p>
<html:p>
(iii)
<html:span class="EnSpace"/>
Financial institution affiliation and account type.
</html:p>
<html:p>
(iv)
<html:span class="EnSpace"/>
Age.
</html:p>
<html:p>
(11)
<html:span class="EnSpace"/>
Additional purposes specified by the commissioner in regulation.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A licensee may process consumers’ deidentified information.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Processing of a consumer’s personal information by a licensee or third-party service provider shall, at all times, be consistent with the consent obtained from the consumer pursuant to Section 792.135.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Notwithstanding any other law, a licensee or third-party service provider shall not sell a consumer’s personal information for any type of consideration.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
This section does not prohibit the sharing of a consumer’s personal information with a licensee’s affiliates to the extent preempted by Section 1681t(b)(1)(H) or Section 1681t(b)(2) of Title 15 of the United States
Code.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_E0F76A26-CBF0-4369-B8F0-012374057AF6">
<ns0:Num>792.130.</ns0:Num>
<ns0:LawSectionVersion id="id_38B9FA21-5972-418B-A9EF-F7937536E545">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
Once the licensee provides the initial privacy notice pursuant to this article, the licensee may retain a consumer’s personal information as necessary for any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Performance of an insurance transaction with a consumer who is in an ongoing business relationship with the licensee.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Compliance with a legal obligation related to an insurance transaction involving a consumer’s personal information to which the licensee is subject, including state, federal, or international statute of limitation periods applicable to the licensee in connection with a consumer’s personal information.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Compliance with a request or directive from a law enforcement agency or state, federal, or international regulatory authority, a warrant, subpoena, discovery request, judicial order, or other administrative, criminal, or civil legal process, or another legal requirement that is binding upon a licensee, so long as that law does not interfere with state law, including the Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Protection of a legal or beneficial interest in an insurance policy, with respect to a lienholder, mortgagee, assignee, lessor, or other person shown on the records of a licensee as having a legal or beneficial interest in the insurance policy.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Exempt research activities related to an insurance transaction involving a consumer’s personal information, or for rating or risk management purposes for or on behalf of the licensee in connection with an insurance product or service.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
Identification of beneficiaries of unclaimed insurance policy benefits.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
Uses consistent with the requirements of paragraph (8), (9), or (10) of subdivision (a) of
Section 792.125.
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
Additional purposes specified by the commissioner in regulation.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
Not less than annually, a licensee shall review its records containing personal information to determine whether any of the purposes specified in subdivision (a) permit the continuing retention of any consumer’s personal information.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A licensee shall develop a written records retention policy and records retention schedule and shall make it available to the commissioner upon request. A licensee’s policy and schedule developed pursuant to this subdivision shall be confidential and
not subject to requests made pursuant to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code). Not less than annually, a licensee shall review and update its records retention policy and records retention schedule to ensure compliance with this article.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
Once a licensee has determined that a consumer’s personal information, or a specific element of a consumer’s personal information, is no longer needed pursuant to subdivision (b), the licensee shall destroy or delete the consumer’s personal information within 90 days after making the determination.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Subject to the approval of the commissioner, a licensee that retains a consumer’s personal information on a system or systems in
which targeted disposal is not possible shall deidentify all personal information to the extent possible. If personal information cannot be deidentified or deleted, the licensee shall do both of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Develop a written plan, in a manner and form specified by the commissioner, that provides for transitioning from the system or systems within a reasonable timeframe and the projected date for the transition.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Report to the commissioner regarding the plan developed pursuant to subparagraph (A), and report annually thereafter on the licensee’s progress on implementing its plan pursuant to subparagraph (A).
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
A licensee’s plan developed pursuant to this section shall be confidential and not subject to
requests made pursuant to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
The commissioner may grant to an individual licensee an exception to this section for good cause.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
Unless retention of the personal information is otherwise required by law, a third-party service provider in possession of a consumer’s personal information provided by a licensee shall delete that information as of the date specified in the contract between the licensee and third-party service provider, or upon the conclusion of the provision of services, unless the licensee specifies an earlier destruction date.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
If a consumer requests a copy of the consumer’s personal information
that has been deleted or deidentified pursuant to this article, the licensee shall inform the consumer that the licensee and the licensee’s third-party service providers in possession of the consumer’s personal information no longer retain any of the consumer’s personal information or that the information has been deidentified.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
A licensee shall develop written policies and procedures for compliance with this section and be able to demonstrate compliance with those policies and procedures. These policies and procedures may be combined with the policies and procedures required by subdivisions (c) and (d).
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
This section does not require the deletion of information related to tracking or detection of fraud or
information related to an individual’s claims history.
</html:p>
<html:p>
(j)
<html:span class="EnSpace"/>
This section does not permit or require the deletion of a record that is required to be retained by law.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_0A172764-EE6C-406D-8306-2681F0D33A5B">
<ns0:Num>792.135.</ns0:Num>
<ns0:LawSectionVersion id="id_524C792F-CC63-4B7F-AA60-30D7119423AA">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
The consumer has a right to expect that the consumer’s personal information shall be processed primarily for the purposes of the insurance transaction requested by the consumer.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall not process a consumer’s personal information in a manner inconsistent with the consent provided by the consumer.
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
To comply with the consent requirements of this article, a licensee or third-party service provider shall use a method of capturing a consumer’s consent that is capable of being recorded or maintained for as long as the licensee has a business relationship with
a consumer, or that the licensee or its third-party service provider is required to maintain the information pursuant to this article.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
For purposes of this article, consent is not established by any of the following means:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Hovering over, muting, pausing, or closing a given piece of content.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Agreement obtained through use of dark patterns.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall not process a consumer’s personal information for a purpose unrelated to the insurance transaction, without the prior consent of the consumer.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Notwithstanding paragraph (1), if a licensee has given a consumer notice and the opportunity to opt out, and the consumer has not opted out, the licensee may process a consumer’s personal information for purposes of joint marketing if the licensee complies with paragraph (10) of subdivision (a) of Section 792.125.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall not process a consumer’s personal information or share a consumer’s personal information with a person outside of the United States or its
territories without the prior consent of the consumer. This requirement does not apply if the only processing or sharing is either of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
In connection with a reinsurance transaction.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
With an affiliate of the licensee.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
Before processing a consumer’s personal information for a purpose unrelated to the insurance transaction or sharing a consumer’s personal information with a person outside of the United States or its territories, a licensee or third-party service provider shall provide a reasonable means for a consumer to provide
consent or opt out
and maintain a written record of that consent or opt-out election.
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A licensee shall provide the consumer with a means to separately indicate the consumer’s consent or opt-out election, as applicable, with respect to use of personal information for any of the following reasons:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Marketing the licensee’s products and services.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Marketing products and services from affiliates of the licensee.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Joint marketing of financial products or services.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Marketing products and services from unrelated companies.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Research activities that are unrelated to the consumer’s insurance transaction.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
Processing the consumer’s personal information for any other purpose unrelated to the insurance transaction.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Sharing the consumer’s personal information with a person who will process it in a jurisdiction outside of the United States or its territories.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
If two or more consumers jointly obtain an insurance or financial product or service from a licensee, the licensee or third-party
service provider may provide a single consent notice. Each of the joint consumers may indicate their own consent.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
When a consumer has a choice to provide prior consent pursuant to this article, the form used to obtain the consumer’s consent shall meet all of the following requirements:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Be written in plain language.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Be dated and, if the authorization related to the collection of personal information of a consumer with whom the licensee has no ongoing relationship pursuant to a claim under the licensee’s policy, contain a termination date for the consent.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Specify the persons with whom the consumer’s personal or privileged information will be shared
consistent with the provisions of this article.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Specify the types of personal information the consumer is authorizing to be shared.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Specify the purposes for which the consumer is authorizing the processing of the consumer’s personal information.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
Name the licensee that the consumer is authorizing to share the consumer’s personal information.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Advise the consumer that the consumer is entitled to receive a copy of the form containing the consumer’s consent.
</html:p>
<html:p>
(H)
<html:span class="EnSpace"/>
Explain that, pursuant to this article, the consumer will be protected from retaliation, discrimination, or disparate
treatment, based on the consumer’s decision to provide or withhold consent.
</html:p>
<html:p>
(I)
<html:span class="EnSpace"/>
Include additional information or elements specified by the commissioner in regulation.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
A licensee’s or third-party service provider’s processing of personal information shall comply with the consumer’s consent as soon as reasonably practicable after the licensee is notified of the consumer’s consent.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
A consumer who has consented to processing of personal information pursuant to this section may revoke that consent. A consumer shall be able to revoke consent in any manner by which the consumer is able to indicate consent. A licensee or third-party service provider shall maintain a written record of the revocation.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
The consumer’s most recent consent shall take precedence over any prior consent.
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
A consumer’s consent pursuant to this article is effective until it is revoked by the consumer, but consent provided by a consumer with whom a licensee has no ongoing customer relationship shall only be valid for the duration specified on the consent document.
</html:p>
<html:p>
(j)
<html:span class="EnSpace"/>
If a consumer later establishes a new relationship with the licensee, any consent that applied to the former relationship shall not apply to the new relationship. A new relationship occurs when the consumer who previously ended all business relationships with the licensee reestablishes a business relationship more than 30 days after the previous business relationship
ended.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_7EEAD0FB-D778-4617-BE36-A146EC97BEEE">
<ns0:Num>792.140.</ns0:Num>
<ns0:LawSectionVersion id="id_FE6E179F-EB93-42D3-81AF-E9C66BF7EF84">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall provide easily accessible means for consumers to exercise their rights pursuant to this article, including both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A mailing address and toll-free telephone number through which consumers may submit a request.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A portion of the licensee’s internet website or digital application that permits consumers to exercise their rights pursuant to this article, if the licensee maintains an internet website or digital application.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The requirements of this section are met if the
licensee or third-party service provider provides means for exercising consumer rights that are easy to locate, access, and understand.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall not require a consumer to take unreasonable steps to exercise the consumer’s rights pursuant to this article, and shall not require a consumer to pay fees or incur costs to exercise those rights.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall not use dark patterns or other means designed to prevent a consumer from exercising the consumer’s rights pursuant to this article. A licensee or third-party service provider shall not use dark patterns or other means designed to influence a consumer’s choice to consent or otherwise hinder the consumer from freely choosing to provide or withhold
consent to processing of the consumer’s personal information.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
The commissioner may specify additional requirements pertaining to access in regulation.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_9D4970DD-2E3D-41A6-86FC-453C56E83BC4">
<ns0:Num>792.145.</ns0:Num>
<ns0:LawSectionVersion id="id_91BD9E31-1051-4992-AF52-030B29B35F67">
<ns0:Content>
<html:p>A licensee shall develop, implement, and maintain a program of administrative, technical, and physical safeguards sufficient to ensure the confidentiality, integrity, and availability of nonpublic information in the possession of the licensee.</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_F90CA57D-4FB4-4BE7-9490-7ACA45B3E5A6">
<ns0:Num>792.150.</ns0:Num>
<ns0:LawSectionVersion id="id_74E5E710-178B-4573-AEF8-969FB8E83F2F">
<ns0:Content>
<html:p>A licensee or third-party service provider shall promptly, and in a manner and form specified by the commissioner, provide notice to the commissioner of an incident constituting a breach, as defined in subdivision (g) of Section 1798.82 of the Civil Code. Notice to the commissioner shall comply with Section 1798.82 of the Civil Code.</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_FCDC4775-2E4C-4C45-9524-3348E745F834">
<ns0:Num>792.155.</ns0:Num>
<ns0:LawSectionVersion id="id_C040180E-6BDF-4B88-968B-83C33AAD5F9C">
<ns0:Content>
<html:p>A licensee that, pursuant to an insurance transaction with a consumer, takes title to a device containing personal information of the consumer, shall delete the consumer’s personal information within a reasonable period of time, and shall not further process or share personal information obtained in this manner. This section does not require the deletion of privileged information.</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_6943A6E0-DBA6-4142-8B62-ADAF718D0732">
<ns0:Num>792.160.</ns0:Num>
<ns0:LawSectionVersion id="id_5AF8D90A-662A-4414-AA10-9A917F7A4A63">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A licensee shall provide a clear and conspicuous privacy notice to a consumer that describes the licensee’s privacy practices. The privacy notice shall be provided within a reasonable time after the licensee, directly or through a third-party service provider, first collects, processes, or shares the consumer’s personal or publicly available information, except that a privacy notice shall not unreasonably be delayed if establishing the consumer relationship is not at the consumer’s election or upon agreement of the consumer in order to expedite the insurance transaction. Notwithstanding this requirement, a privacy notice shall not be required in any of the following circumstances:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
If a reinsurer, in connection with the provision of
reinsurance, a third-party service provider, or a surplus line insurer, has posted a privacy notice on its internet website.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
To individual plan participants of an employee benefit plan, if a privacy notice has been provided to the employer.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
To a beneficiary of a life insurance policy, if the licensee does not use the beneficiary’s personal information for purposes unrelated to the policy for which the person is a beneficiary.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
By an employee, representative, or designee of a licensee, who is also a licensee, to the extent that the processing of personal information is consistent with the privacy practices of the employer, represented, or designator licensee and that licensee provides the privacy notice
required pursuant to this section.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A privacy notice meeting the requirements of this article shall be provided to a consumer with whom a licensee has an ongoing business relationship and whose personal or publicly available information has been processed before the effective date of this article upon renewal or reinstatement of the consumer’s policy, or upon the processing of the consumer’s information for any other purpose, if the consumer has not already been provided a privacy notice meeting the requirements of this article.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
A licensee shall provide an updated privacy notice to each consumer with whom the licensee has an ongoing business relationship when the privacy practices of the licensee change, or the substantive content of the preceding
privacy notice is no longer accurate. The licensee shall do both of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Conspicuously identify in its updated privacy notice any changes in its privacy practices.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Provide any third-party claimant or beneficiary an updated privacy notice if there are changes in the licensee’s privacy practices during a claim involving the claimant or beneficiary.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Notwithstanding paragraph (1), a title insurer or title producer is not required to provide subsequent privacy notices once the initial privacy notice has been provided to the consumer if the title insurer or title producer has its privacy notice posted on its internet website.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Each version
of a licensee’s privacy notice shall contain a revision date that shall remain on the privacy notice until the licensee revises the privacy notice pursuant to subdivision (c). The updated privacy notice shall specify the date the privacy notice was revised.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
If the licensee’s privacy practices change, the licensee remains bound by the terms of the most recent privacy notice it has given a consumer, until a revised privacy notice has been given.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_580EA9D6-279C-448B-8A21-546B0776A4F7">
<ns0:Num>792.165.</ns0:Num>
<ns0:LawSectionVersion id="id_6E4C55EB-DDAF-4A40-9BBE-600A41A3F2BE">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A privacy notice required pursuant to Section 792.160 shall state in writing all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
If personal information has been or may be collected from sources other than the consumer, and if that information is collected by the licensee or by third-party service providers.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The categories of the consumer’s personal information that the licensee or its third-party service providers have or may process, including examples of the information in each category.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The sources that have been used or may be used by the licensee to collect
the consumer’s personal information.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
The purposes for which the licensee processes the consumer’s personal information.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
That the licensee and its third-party service providers have not and will not sell the consumer’s personal information as that term is defined in this article. However, the licensee and its third-party service providers may share the consumer’s personal information for purposes of the insurance transaction, or with the consent of the consumer.
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
The categories of persons with whom the licensee or its third-party service providers have shared, or may share, the consumer’s personal information.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
That the consumer may, upon
request, annually obtain a list of persons with whom the licensee or its third-party service providers has shared the consumer’s personal information within the last 12 months.
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
That the consumer has the right to opt out of joint marketing activity, and that a licensee may process the consumer’s personal information in connection with joint marketing activity, unless the consumer has opted out of that processing.
</html:p>
<html:p>
(9)
<html:span class="EnSpace"/>
That the consumer’s prior consent is
required for the licensee or its third-party service providers to process the consumer’s
personal information for any purposes unrelated to the insurance transaction.
</html:p>
<html:p>
(10)
<html:span class="EnSpace"/>
A statement of the rights of the consumer to access, correct, amend, or delete personal or publicly available information about the consumer, and the instructions for exercising those rights.
</html:p>
<html:p>
(11)
<html:span class="EnSpace"/>
A statement of the rights of the consumer to receive notice regarding an adverse underwriting decision, including the reasons for the adverse underwriting decision, the specific items of information underlying the adverse underwriting decision, and the sources of that information.
</html:p>
<html:p>
(12)
<html:span class="EnSpace"/>
A statement of the rights of nonretaliation established pursuant to Section 792.195.
</html:p>
<html:p>
(13)
<html:span class="EnSpace"/>
A statement of the consumer’s right to provide consent before the consumer’s personal information may be processed in a jurisdiction outside of the United States or its territories.
</html:p>
<html:p>
(14)
<html:span class="EnSpace"/>
Additional items that the commissioner specifies in regulation.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
If the licensee shares a consumer’s personal information for purposes unrelated to the insurance transaction, in addition to the information required by subdivision (a), all of the following information shall be included in the privacy notice:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A statement that the consumer may, but is not required to, provide consent to the sharing of the consumer’s personal information for purposes unrelated to the insurance transaction.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A description of the reasonable means by which consumers may indicate consent for any one or more of those purposes.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
That once the consumer consents to the sharing, the consumer may revoke the consent at any time and that the licensee will no longer share the consumer’s personal information for those purposes.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
The obligations imposed by this section upon a licensee may be satisfied by another licensee or third-party service provider authorized to act on its
behalf.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_302B0D47-E2B8-45B5-AD40-857C3DBBCC9F">
<ns0:Num>792.170.</ns0:Num>
<ns0:LawSectionVersion id="id_DF12F122-D010-4FCC-B4D8-9410E2B9E39C">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
In addition to the privacy notice required pursuant to Section 792.160, a licensee shall provide to each consumer with whom the licensee has an ongoing business relationship a privacy rights notice describing the consumer’s rights pursuant to this article.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The privacy rights notice required pursuant to this section shall do all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Be clear and conspicuous and inform the consumer of the consumer’s right to all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Access the consumer’s own personal information.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Request correction or amendment of inaccurate or incomplete personal information about the consumer.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Request deletion of personal information that is not needed for completion of the insurance transaction requested by the consumer.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Opt out of processing of the consumer’s personal information in connection with joint marketing activity.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Not to have the
consumer’s personal information used for
marketing, except as authorized by paragraph (10) of subdivision (a) of Section 792.125, or research purposes, unless the consumer has provided consent.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
Be informed that the consumer may consent to the processing of the consumer’s personal information by licensees. If the consumer chooses to consent, any use of the consumer’s personal information by the licensee shall be limited to the purposes
specified in the consent executed by the consumer.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Not to have the consumer’s personal information collected by a licensee, unless the personal information is necessary for an insurance transaction requested by the consumer.
</html:p>
<html:p>
(H)
<html:span class="EnSpace"/>
Request additional information about
the licensee’s privacy practices, including identification of all persons who have received the consumer’s personal information within the last three years.
</html:p>
<html:p>
(I)
<html:span class="EnSpace"/>
Be free from retaliation by the licensee and not incur unreasonable expenses in connection with the consumer’s exercise of rights pursuant to this article.
</html:p>
<html:p>
(J)
<html:span class="EnSpace"/>
Be informed of how to find notice of the licensee’s privacy practices on the licensee’s internet website.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Provide the consumer with information about how to exercise the consumer’s rights required pursuant to this article, including contact information for submitting requests pursuant to this article.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Be provided to the consumer at least every 12 months.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Be provided in addition to other notices required pursuant to this article.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
The privacy rights notice required pursuant to this section may be combined with other policy documents or communications between the licensee and the consumer if the privacy rights notice content required
pursuant to this section remains clear and conspicuous and is readily distinguishable from other information being provided to the consumer.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
The obligations imposed by this section upon a licensee may be satisfied by another licensee or third-party service provider authorized to act on its behalf.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_6A9A6CA2-2448-43B4-8C40-0933D8737A2E">
<ns0:Num>792.175.</ns0:Num>
<ns0:LawSectionVersion id="id_AC099195-C29C-47F6-9875-239F2A77053E">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A licensee shall provide the notices required pursuant to this article so that the licensee reasonably expects a consumer to receive actual notice in writing.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A licensee may reasonably expect that a consumer will receive actual notice if the licensee does one of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Hand delivers a printed copy of the notice to the consumer.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Mails a printed copy of the notice to the address of record of the consumer separately, or in a policy, billing, or other written communication.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
With respect to a consumer who has agreed to conduct
business electronically pursuant to the Uniform Electronic Transactions Act (Title 2.5 (commencing with Section 1633.1) of Part 2 of Division 3 of the Civil Code), and to use the licensee’s internet website or digital application to access insurance products and services, either of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Emails the notice to the consumer’s email address of record.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
With respect to the privacy notice required pursuant to Section 792.160, emails an initial copy to the consumer’s email address of record, and posts on its internet website in a clear and conspicuous manner its current notices required pursuant to Sections 792.160 and 792.170. If the licensee conducts business through a digital application, the current notices required pursuant to Sections 792.160 and
792.170 shall be easily accessible through the digital application.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A licensee shall not reasonably expect that a consumer will receive actual notice of its privacy practices if it does any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Only posts a sign in its office or generally publishes advertisements of its privacy practices.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Sends the notice electronically to a consumer who has not agreed to conduct business electronically with the licensee.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Provides a notice solely by oral means, either in person, or over the telephone or other electronic device.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Provides a notice that does not include all required
elements of the notice content, or that requires the consumer to click a link, scan a code, or use any other secondary means to access any or all of the required notice content.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Does not provide the notices required pursuant to this article so that the consumer is able to retain them or obtain them later in writing, either electronically or on paper.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A licensee may provide a joint notice from the licensee and one or more of its affiliates if the notice accurately reflects the licensee’s and the affiliate’s privacy practices with respect to the consumer.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
If two or more consumers jointly obtain a product or service in connection with an insurance transaction from a licensee, the licensee may satisfy
the initial and updated notice requirements of Sections 792.160 and 792.170 by providing one notice to those consumers jointly.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
In addition to providing individual notices to consumers, a licensee shall prominently post and make available the notices required pursuant to this article on its internet website home page if the licensee maintains an internet website. The licensee shall design its internet website home page so that all of the following are true:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The notices are clearly and conspicuously available.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The text or visual cues encourage scrolling down the page, if necessary, to view the entire notice and ensure that other elements on the internet website home page, such as text, graphics, hyperlinks,
or sound, do not distract attention from the notice.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The notice is either of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Placed on a portion of the internet website home page that consumers frequently access.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Accessible using a clear and conspicuous link in an area that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
Notices and communications to consumers shall be easy to read, understandable to consumers, and avoid technical or legal jargon.
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Notices required pursuant to this article shall meet all of the following criteria:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Use a format that makes the notices readable, including on smaller screens, if applicable.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Be available in the languages in which the licensee in its ordinary course of business provides contracts, disclaimers, sale announcements, and other information to consumers.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Be accessible to consumers with disabilities. For notices provided online, the licensee shall follow current generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1, from the World Wide Web Consortium, or the most recent version. Licensees shall take reasonable steps to ensure that consumers with
disabilities may access the notices in an alternative format.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
For digital applications, licensees shall include their notices in a clear and conspicuous manner on the digital application’s platform page or download page. The notices may also be accessible through a link within the application, such as through the application’s settings menu.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
An address of record is invalid for purposes of this article if either of the following is true:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
USPS mail sent to that address by the licensee has been returned as undeliverable and subsequent attempts by the licensee to obtain a current valid address for the consumer have been unsuccessful.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The
consumer’s email address in the licensee’s records is returned as undeliverable and subsequent attempts by the licensee to obtain a current valid email address for the consumer have been unsuccessful.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_7B6C6F42-21A2-4AD8-A4E0-3E99EF62F20E">
<ns0:Num>792.180.</ns0:Num>
<ns0:LawSectionVersion id="id_6128B5FA-25FE-406C-AA14-C8B404AB7D70">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A consumer may submit a verifiable request to a licensee for access to the consumer’s personal and publicly available information in the possession of the licensee or its third-party service providers.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The licensee or third-party service provider shall do both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Acknowledge the request submitted pursuant to subdivision (a) within five business days from the date the request is received.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Within 30 business days from the date the request submitted pursuant to subdivision (a) is received, do all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Provide the consumer with a copy of any items of personal information relating to the consumer.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
If the consumer is not the source of an item of personal information provided to the consumer pursuant to this subdivision, identify the source of the item of personal information.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Disclose to the consumer the identity of those persons to whom the licensee or any third-party service provider has shared an item of the consumer’s personal information within the current year and, at a minimum, the three calendar years before the date the consumer’s request is received.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Health information in the possession of a licensee and requested pursuant to
subdivision (a), together with the identity of the source of the information, shall be supplied either directly to the consumer or to a health care provider as designated by the
consumer. If the consumer elects for the licensee to disclose the information to a health care provider designated by the consumer, the licensee shall notify the consumer, at the time of the disclosure, that it has provided the information to the designated health care provider.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
The obligations imposed by this section upon a licensee may be satisfied by another licensee authorized to act on its behalf.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
The rights granted to a consumer pursuant to this section:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Shall extend to an individual to the extent that personal or publicly available information about the individual is processed by a licensee or its third-party service provider.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Shall not extend to privileged information or personal information about the consumer that is processed in connection with, or is in reasonable anticipation of, a claim or a civil or criminal proceeding involving the consumer, until the claim or proceeding is finalized.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Shall not be construed to require disclosure of information pertaining to an anticipated or active fraud investigation.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
A licensee shall provide reasonable means for a consumer to exercise their rights pursuant to this section. A licensee does not provide reasonable means if they are unduly burdensome or require the consumer to incur expenses.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
For purposes of this section, “third-party service provider” does not include a consumer reporting agency, except to the extent that this section imposes more stringent requirements on a consumer reporting agency than other state or federal laws.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_FA534758-D036-4D21-9AF7-8BA845343225">
<ns0:Num>792.185.</ns0:Num>
<ns0:LawSectionVersion id="id_0C15E99E-7516-4F69-92A0-66F971DC6B29">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A consumer may submit a verifiable request to a licensee to correct, amend, or delete any personal or publicly available information about the consumer in the possession of the licensee or its third-party service providers.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The licensee or third-party service provider shall do both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Acknowledge the request submitted pursuant to subdivision (a) within five business days from the date the request is received.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Within 30 business days from the date the request submitted pursuant to subdivision (a) is received, do the
following, as appropriate:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Correct, amend, or delete the personal or publicly available information in dispute unless the publicly available information was part of a government record that can only be corrected, amended, or deleted upon request by the consumer to the applicable governmental agency.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Refuse to make the correction, amendment, or deletion if there is no specific factual basis for correcting, amending, or deleting the personal or publicly available information in question, and provide all of the following information to the consumer:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
Written notice of the refusal to make the correction, amendment, or deletion.
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
The basis
for the refusal to correct, amend, or delete the information.
</html:p>
<html:p>
(iii)
<html:span class="EnSpace"/>
The contact information for filing a complaint with the commissioner.
</html:p>
<html:p>
(iv)
<html:span class="EnSpace"/>
The consumer’s right to file a statement pursuant to subdivision (d).
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Refuse to make the deletion if it is not permitted by law, and provide all of the following information to the consumer:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
Written notice of the refusal to make the deletion.
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
The basis for the refusal to delete the information.
</html:p>
<html:p>
(iii)
<html:span class="EnSpace"/>
The contact information for filing a complaint with the commissioner.
</html:p>
<html:p>
(iv)
<html:span class="EnSpace"/>
The consumer’s right to file a statement pursuant to subdivision (d).
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
If the consumer obtains a correction, amendment, or deletion to a government record that was incorrect, make the correction in its systems within a reasonable time and provide the correction to any third-party service provider with whom the licensee shared the information.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
A licensee shall not refuse to correct, amend, or delete a consumer’s personal information without good cause, which shall be demonstrated to the commissioner upon request.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
If the licensee corrects, amends, or deletes personal or publicly available information in accordance with
this section, the licensee shall notify the consumer in writing and furnish the correction, amendment, or deletion to all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
A person specifically designated by the consumer who may have received the personal or publicly available information within the preceding two years.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
An insurance support organization whose primary source of personal information is insurers, if the insurance support organization has systematically received personal information from the insurer within the preceding five years. The correction, amendment, or deletion does not need to be furnished if the insurance support organization no longer maintains personal information about the consumer.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
A third-party service
provider or insurance support organization that furnished the personal or publicly available information.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
If a consumer disagrees with the refusal of a licensee to correct, amend, or delete personal or publicly available information, the consumer may file with the licensee a statement setting forth both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The relevant and factual information demonstrating the errors in the information held by the licensee or third-party service provider.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The reasons why the consumer disagrees with the refusal of the licensee to correct, amend, or delete the personal or publicly available information.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
If a consumer files a statement
described in subdivision (d), the licensee shall do both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Include the statement with the disputed personal or publicly available information and provide a copy of the consumer’s statement to anyone reviewing the disputed personal or publicly available information.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Clearly identify, in a later disclosure of the personal or publicly available information that is the subject of disagreement, the matter or matters in dispute and include the consumer’s statement with the personal or publicly available information being disclosed.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
The rights granted to a consumer by this section shall not extend to personal or publicly available information about the consumer that is processed in connection
with or in reasonable anticipation of a claim or a civil or criminal proceeding involving the consumer.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
The rights granted to a consumer by this section shall not extend to records evidencing interest in real property that have been accurately transcribed from a county recorder’s records into a title plant owned by an insurer licensed to transact title insurance, as defined in Section 104.
</html:p>
<html:p>
(h)
<html:span class="EnSpace"/>
A licensee shall provide reasonable means for a consumer to
exercise the consumer’s rights pursuant to this section. A licensee does not provide reasonable means if they are unduly burdensome or require the consumer to incur expenses.
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
For purposes of this section, “insurance support organization” does not include a consumer reporting agency, except to the extent that this section imposes more stringent requirements on a consumer reporting agency than other state or federal law.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_D3C08560-D266-43C7-B847-E6F66F408E8A">
<ns0:Num>792.190.</ns0:Num>
<ns0:LawSectionVersion id="id_349DA235-CED0-4EFC-A337-1F84392267CE">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
In the event of an adverse underwriting decision, the licensee responsible for the decision shall provide all of the following in writing to the consumer at the consumer’s address of record:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The specific reason or reasons for the adverse underwriting decision.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The specific items of personal, publicly available, or privileged information that support those reasons, including the names and addresses of the sources that supplied the information resulting in the adverse underwriting decision.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
A list identifying with reasonable
specificity any systems, processes, policies, or procedures involved in generating information resulting in the adverse underwriting decision.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Notwithstanding paragraph (2):
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
A licensee shall not be required to furnish specific privileged information if it has a reasonable suspicion, based upon specific information available for review by the commissioner, that the consumer has engaged in criminal activity, fraud, material misrepresentation, or a material nondisclosure, and the information withheld relates to the suspected criminal activity, fraud, material misrepresentation, or a material nondisclosure.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Health information supplied by a health care provider shall be disclosed either directly to the consumer
about whom the information relates, or to a health care provider designated by the individual consumer and licensed to provide health care with respect to the condition to which the information relates. The identity of any health care provider shall be disclosed either directly to the consumer or to the health care provider designated by the consumer.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
A summary of the rights established pursuant to this section and Sections 792.180 and 792.185.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A licensee shall not base an adverse underwriting decision on any of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Solely the loss history of the previous owner of the property to be insured.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Personal information received
from a third-party service provider whose primary source of information is licensees, unless the licensee obtains further information independently supporting the adverse underwriting decision.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
A previous adverse underwriting decision affecting the consumer, unless the licensee bases its underwriting decision on the underlying basis of the previous decision.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Information that the consumer inquired about the nature or scope of coverage under a policy and the inquiry did not result in the filing of a claim.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
The fact that an accident involving a peace officer, member of the Department of the California Highway Patrol, or firefighter has been reported and the licensee retains no liability pursuant to Section
488.5 and subdivision (b) of Section 557.5.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
The obligations imposed by this section upon a licensee may be satisfied by another licensee authorized to act on its behalf.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
The commissioner may assist a consumer with obtaining information about an adverse underwriting decision affecting the consumer. The commissioner may request information regarding systems, processes, policies, or procedures responsible for generating information resulting in the adverse underwriting decision. Any information received about systems, processes, policies, or procedures shall be received pursuant to Section 12919 and shall not be subject to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
For purposes of this article, the following actions are not adverse underwriting decisions, but the licensee responsible for taking the action shall provide the consumer with the specific reason or reasons for the action in writing:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The termination of an individual policy form on a classwide or statewide basis, except termination of a title insurance policy form.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A denial of insurance coverage solely because the coverage is not available on a classwide or statewide basis.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
If requested by a consumer, any other insurer-initiated increase in premium on an insurance product purchased by a consumer.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_DBFC92A5-3F94-4ABE-B52C-77777D317F24">
<ns0:Num>792.195.</ns0:Num>
<ns0:LawSectionVersion id="id_441CE09A-C06A-4BD5-A5CF-EC8DF707C132">
<ns0:Content>
<html:p>A licensee or a third-party service provider shall not retaliate against a consumer because the consumer exercised or attempted to exercise the consumer’s rights pursuant to this article. A licensee or a third-party service provider retaliates against a consumer if the licensee or third-party service provider, as a result of a consumer’s privacy choices, does any of the following:</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
Infringes upon a right, or impairs or impedes a benefit or protection, that is afforded to consumers under this article.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
Requires the consumer to consent to sharing of the consumer’s personal information for a purpose unrelated to an insurance
transaction to obtain a particular product, coverage, rate, or service, if the consumer has an option to consent to sharing pursuant to this article.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Imposes a fee or charge for a consumer to exercise the consumer’s rights pursuant to this article.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Charges a different rate or premium to the consumer, provides a different insurance product, refuses to write insurance coverage for the consumer, or denies a claim under an insurance product purchased by the consumer.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_EB8278E8-4060-40DB-B4DE-D9143E4371AD">
<ns0:Num>792.200.</ns0:Num>
<ns0:LawSectionVersion id="id_55E71E69-BCCD-4140-BA38-E5D81E8EACF8">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall not prepare or request an investigative consumer report about a consumer in connection with an insurance transaction involving an application for insurance, policy renewal, policy reinstatement, or change in insurance benefits unless the licensee or third-party service provider informs the consumer in writing before the report preparation that the consumer:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
May request to be interviewed in connection with the preparation of the investigative consumer report and the licensee or third-party service provider shall conduct the interview.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Is
entitled to receive a written copy of the investigative consumer report.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
If a licensee uses a third-party service provider to obtain an investigative consumer report, the written contract between the licensee and the third-party service provider shall require the third-party service provider to do both of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Comply with the requirements of this section.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Not use personal information provided to the third-party service provider by the licensee or obtained by the third-party service provider in its investigation of the consumer other than to fulfill the purpose of the contract with the licensee.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
If a licensee requests that a third-party
service provider prepare an investigative consumer report, the licensee shall notify the third-party service provider in writing if a personal interview has been requested by the consumer. The third-party service provider shall conduct the interview requested.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A licensee that prepares or requests an investigative consumer report in connection with an insurance claim shall notify the consumer that the consumer may request to be interviewed in connection with the preparation of the investigative consumer report. Neither the licensee nor the third-party service provider is required to provide a copy of an investigative report prepared in connection with an insurance claim, and that contains privileged information, unless compelled to do so by a state or federal court.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_1752C216-6965-4452-BA66-F619F2DC1677">
<ns0:Num>792.210.</ns0:Num>
<ns0:LawSectionVersion id="id_868F9E5E-4BF6-4DF1-BFFE-2015F0A6E11B">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
To determine if a licensee or third-party service provider has been or is engaged in any conduct in violation of this article, the commissioner may examine and investigate the affairs of a licensee or third-party service provider transacting business in this state or transacting business outside this state that has an effect on a consumer residing in this state.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
If the commissioner has reason to believe that a licensee or third-party service provider has been or is engaged in conduct that violates this article, in this state or outside this state that has an effect on a consumer residing in this state, the commissioner shall issue and
serve upon the licensee or third-party service provider a statement of charges and notice of hearing to be held at a time and place fixed in the notice. The date for the hearing shall be not less than 30 days after the date of service.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
At the time and place fixed for the hearing, the licensee or third-party service provider charged shall have an opportunity to answer the charges against it and present evidence on its behalf. Upon good cause shown, the commissioner shall permit any adversely affected person to intervene, appear, and be heard at the hearing by counsel or in person.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
At a hearing conducted pursuant to this section, the commissioner may administer oaths, examine and cross-examine witnesses, and receive oral and documentary evidence. The commissioner may
subpoena witnesses, compel their attendance, and require the production of books, papers, records, correspondence, and other documents that are relevant to the hearing. A stenographic record of the hearing shall be made upon the request of a party or at the discretion of the commissioner. If a stenographic record is not made and if judicial review is sought, the commissioner shall prepare a statement of the evidence for use on review. Hearings conducted pursuant to this section shall be governed by the same rules of evidence and procedure applicable to administrative proceedings conducted pursuant to the laws of this state.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Statements of charges, notice, orders, and other processes of the commissioner pursuant to this article may be served by anyone duly authorized to act on behalf of the commissioner. Service of process may be
completed in the manner provided by law for service of process in civil actions or by registered mail or by a mailing service offered by a third-party mailing service with tracking capability. A copy of the statement of charges, notice, order, or other process shall be provided to the person or persons whose rights pursuant to this article have been allegedly violated. A verified return setting forth the manner of service, the return postcard receipt in the case of registered mail, or signed receipt documentation, shall be sufficient proof of service.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
A third-party service provider transacting business outside this state that has an effect on a person residing in this state shall be deemed to have appointed the commissioner to accept service of process on its behalf, if the commissioner causes a copy of the service to be mailed immediately
by registered or certified mail, or by a mailing service offered by a third-party mailing service with tracking capability, to the third-party service provider at its last known principal place of business. The return postcard receipt or signed receipt documentation for the mailing shall be sufficient proof of proper mailing by the commissioner.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
If, after a hearing pursuant to subdivision (b), the commissioner determines that the licensee or third-party service provider charged has engaged in conduct or practices in violation of this article, the commissioner shall reduce the commissioner’s findings to writing and shall issue and cause to be served upon the licensee or third-party service provider a copy of the findings and an order requiring the licensee or third-party service provider to cease and desist from
the conduct or practices constituting a violation of this article.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
If, after a hearing pursuant to subdivision (b), the commissioner determines that the licensee or third-party service provider charged has not engaged in conduct or practices in violation of this article, the commissioner shall prepare a written report that sets forth findings of fact and conclusions of law. The report shall be served upon the licensee or third-party service provider charged and upon the person or persons, if any, whose rights pursuant to this article were allegedly violated.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Until the expiration of the time allowed pursuant to this article for filing a petition for review or until the petition is actually filed, whichever occurs first, the commissioner may modify or set aside an order
or report issued under this section. If a petition has not been duly filed after the expiration of the time allowed for filing a petition for review, the commissioner may, after notice and opportunity for hearing, alter, modify, or set aside, in whole or in part, an order or report issued under this section if conditions of fact or law warrant that action or if the public interest requires.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A person subject to an order of the commissioner pursuant to subdivision (c) or a person whose rights pursuant to this article were allegedly violated may obtain a review of an order or report of the commissioner by submitting a filing in a court of competent jurisdiction pursuant to Section 1094.5 of the Code of Civil Procedure within 30 days from the date of the service of the order or report. The court shall have jurisdiction to make and enter a decree
modifying, affirming, or reversing an order or report of the commissioner, in whole or in part.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
An order or report issued by the commissioner pursuant to subdivision (c) shall become final upon either of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The expiration of the time allowed for the filing of a petition for review, if a petition has not been duly filed, except that the commissioner may modify or set aside an order or report pursuant to paragraph (3) of subdivision (c).
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A final decision of the court, if the court directs that the order or report of the commissioner be affirmed or the petition for review dismissed.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
An order or report of the commissioner pursuant to this
article or order of a court to enforce the order shall not relieve or absolve a person affected by the order or report from liability pursuant to the laws of this state.
</html:p>
<html:p>
(g)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
If a hearing pursuant to subdivision (b) results in the finding of a knowing violation of this article, the commissioner may, in addition to the issuance of a cease and desist order pursuant to subdivision (c), order payment of a penalty of at least five thousand dollars ($5,000) for each violation, not to exceed a penalty of up to one million dollars ($1,000,000) in the aggregate for multiple violations.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A person who violates a cease and desist order of the commissioner issued pursuant to subdivision (c) may, after notice and hearing and upon order of the commissioner, be
subject to one or more of the following penalties, at the discretion of the commissioner:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
A fine of at least twenty-five thousand dollars ($25,000), but not more than ten million dollars ($10,000,000) for each violation.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
A fine of at least fifty thousand dollars ($50,000) for each violation, if the commissioner finds that violations have occurred with such frequency as to constitute a general business practice.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Suspension or revocation of the licensee’s license if the licensee knew or reasonably should have known it was in violation of this article.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_60D22446-D64C-4C28-A820-38799782380E">
<ns0:Num>792.215.</ns0:Num>
<ns0:LawSectionVersion id="id_351770FA-395C-4611-B3CF-52B331094FA7">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
Any documents, materials, data, or information in the control or possession of the commissioner that are furnished by a licensee or third-party service provider, or an employee or agent thereof acting on behalf of the licensee or third-party service provider, pursuant to this article, or that are obtained by the commissioner in any investigation, or an examination pursuant to this article shall be confidential by law and privileged, shall not be subject to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code), shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in a private civil action. This article does not
limit the commissioner’s authority to use and, if appropriate, to make public, a final or preliminary examination report, examiner or company work papers or other documents, or any other information discovered or developed during the course of any examination in the furtherance of a legal or regulatory action that the commissioner may, in the commissioner’s discretion, deem appropriate.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The commissioner or a person who receives documents, data, materials, or information while acting pursuant to the authority of the commissioner shall not be permitted or required to testify in a private civil action concerning confidential documents, materials, or information subject to this article.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
To assist in the performance of the commissioner’s duties pursuant to this article,
the commissioner:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
May share documents, data, materials, or information, including the confidential and privileged documents, data, materials, or information subject to this article, with other state, federal, and international regulatory agencies, the National Association of Insurance Commissioners, its affiliates, or subsidiaries, a third-party consultant or vendor, and with state, federal, and international law enforcement authorities, if the recipient agrees in writing to maintain the confidentiality and privileged status of the documents, data, materials, or information.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
May receive documents, data, materials, or information, including otherwise confidential and privileged documents, data, materials, or information, from the National Association of Insurance Commissioners,
its affiliates, or subsidiaries and from regulatory and law enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged the documents, data, materials, or information received with notice or the understanding that it is confidential or privileged pursuant to the laws of the jurisdiction that is the source of the documents, data, materials, or information.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Shall enter into a written agreement with a third-party consultant or vendor governing sharing and use of documents, data, materials, or information provided pursuant to this article, consistent with this subdivision that shall do all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Specify that the third-party consultant or vendor agrees in writing to maintain the confidentiality and privileged status
of the documents, data, materials, or information subject to this article.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
Specify that the ownership of the documents, data, materials, or information shared pursuant to this article with the third-party consultant or vendor remains with the commissioner, and the third-party consultant’s or vendor’s use of the information is subject to the direction of the commissioner.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Prohibit the third-party consultant or vendor from retaining the documents, data, materials, or information shared pursuant to this article after the purposes of the contract have been satisfied.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Require prompt notice be given to the commissioner if confidential documents, data, materials, or information in possession of the third-party
consultant or vendor pursuant to this article is subject to a request or subpoena to the third-party consultant or vendor for disclosure or production.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Require the third-party consultant or vendor to consent to intervention by a licensee or third-party service provider in a judicial or administrative action in which the third-party consultant or vendor may be required to disclose confidential information about the licensee or third-party service provider shared with the third-party consultant or vendor pursuant to this article.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A waiver of any applicable privilege or claim of confidentiality in the documents, data, materials, or information shall not occur due to disclosure to the commissioner pursuant to this section or due to sharing as authorized in this article.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
This article does not prohibit the commissioner from exercising discretion, pursuant to applicable laws, to release final, adjudicated actions that are open to public inspection to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners, its affiliates, or subsidiaries.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_739FBF63-8096-4D8C-870C-B020EF1BD697">
<ns0:Num>792.220.</ns0:Num>
<ns0:LawSectionVersion id="id_70AB9CB6-E51D-4EF3-82E5-659584C10CE6">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
Notwithstanding any other law, a licensee or third-party service provider shall maintain sufficient evidence in its records of compliance with this article for the calendar year in which the activities governed by this article occurred and the three calendar years thereafter.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A licensee or third-party service provider shall maintain all records necessary for compliance with this article, including all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Records related to the consumer’s rights of access, correction, and deletion pursuant to this article.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Copies of any consent executed by a consumer pursuant to this article, for as long as the consumer is in a continuing business relationship with the licensee.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Representative samples of a notice required to be provided to a consumer pursuant to this article, for as long as the consumer is in a continuing business relationship with the licensee.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_C5E72100-185D-4AAC-9A0D-75D599F41998">
<ns0:Num>792.225.</ns0:Num>
<ns0:LawSectionVersion id="id_25169CEA-CBF0-4A50-9422-7BDA9D4262E2">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
If a licensee or third-party service provider fails to comply with Section 792.125, 792.135, 792.140, 792.180, 792.185, 792.190, or 792.195, with respect to the rights granted pursuant to those sections, a person whose rights are violated may apply to a court of competent jurisdiction for appropriate equitable relief. A licensee or third-party service provider that discloses information in violation of Section 792.125 shall be liable for damages sustained by the consumer about whom the information relates. A consumer is not entitled to a monetary award that exceeds the actual damages sustained by the consumer as a result of a violation of Sections 792.125 and 792.135.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
In an action brought pursuant to this section, the court may award the cost of the action and reasonable attorney’s fees to the prevailing party.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
Notwithstanding any other law, an action pursuant to this section shall be brought within two years from the date the alleged violation is or should have been discovered.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Other than remedies pursuant to this section, a remedy or recovery shall not be available to consumers, in law or in equity, for occurrences constituting a violation of this article.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_776831D2-A765-422C-8ACE-3D65BBD7A686">
<ns0:Num>792.230.</ns0:Num>
<ns0:LawSectionVersion id="id_A5CCCCA4-F9CE-43FB-AD41-DA7BF8B26247">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A cause of action for defamation, invasion of privacy, or negligence shall not arise against either of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
A person for disclosing personal or privileged information in accordance with this article.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A person for furnishing personal or privileged information to a licensee or third-party service provider.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
This section does not provide immunity for disclosing or furnishing false information with malice or willful intent to injure a person.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_51D4047E-8B59-4C33-BC66-1205C3F00791">
<ns0:Num>792.235.</ns0:Num>
<ns0:LawSectionVersion id="id_9E9208BE-7113-4254-862F-C45A24F17E2F">
<ns0:Content>
<html:p>A person who knowingly and willfully obtains information about a consumer from a licensee or third-party service provider under false pretenses is guilty of a misdemeanor punishable by imprisonment in a county jail for up to six months, a fine of up to fifty thousand dollars ($50,000), or both.</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_B21F36C1-6CDC-4BDF-82FA-70790F97575B">
<ns0:Num>792.240.</ns0:Num>
<ns0:LawSectionVersion id="id_00B67A0B-9B6E-4571-9DF7-12C9F0B26B0B">
<ns0:Content>
<html:p>The provisions of this article are severable. If any provision of this article or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_E99C9BE2-E692-423A-8F84-2BA8E86CF3D4">
<ns0:Num>792.245.</ns0:Num>
<ns0:LawSectionVersion id="id_90ACD450-0DE3-4F4C-99CB-39CDF1406361">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
This article preempts and supersedes all state laws and portions of state laws that are inconsistent with this article.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
This article does not preempt or supersede existing federal or state law related to protected health information.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
This article does not preempt or supersede the law as amended by the California Privacy Rights Act of 2020.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_F4B57AC5-6680-402B-A913-2EA60D12E5BD">
<ns0:Num>792.250.</ns0:Num>
<ns0:LawSectionVersion id="id_A08A674B-3761-4E95-B76F-A57AA6D3C003">
<ns0:Content>
<html:p>The commissioner may issue rules, regulations, and orders as the commissioner deems convenient to carry out this article. The rules or regulations promulgated pursuant to this article shall not be subject to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
<ns0:LawSection id="id_845F6705-E664-4229-9F9C-3AE9531DDB65">
<ns0:Num>792.255.</ns0:Num>
<ns0:LawSectionVersion id="id_8F8E1230-E36E-422F-B313-BC377A3EBEB2">
<ns0:Content>
<html:p>A licensee has five years from the operative date of this article to implement Section 792.130, except that a licensee shall comply with subdivision (c) of Section 792.130 on the operative date of this article.</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:LawHeading>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_CB92EC9D-192C-4352-B19D-2D26C9854699">
<ns0:Num>SEC. 3.</ns0:Num>
<ns0:Content>
<html:p>The Legislature finds and declares that Section 2 of this act, which adds Sections 792.115, 792.130, 792.190, and 792.215 to the Insurance Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
The documents protected from public disclosure pursuant to this act are not official records
of the department. These documents contain confidential and sensitive information related to a licensee or third-party service provider’s personal information privacy compliance, internal operations, and proprietary and trade secret information that, if made public, could potentially cause the licensee or third-party service provider competitive harm or disadvantage, or expose a licensee or third-party service provider’s personal information practices to malicious external actors.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The interests in protecting the internal operations and proprietary and trade secret information of the licensees and third-party services providers, in order to promote consumer choice and competition in the marketplace and prevent malicious actors from exploiting this information, strongly outweigh the public interest in having access to this information, and
there are other means to obtain this information, such as a subpoena for the original source of the information.
</html:p>
</ns0:Content>
</ns0:BillSection>
<ns0:BillSection id="id_11B6063C-7050-422E-8EBC-BCC122C9F8E7">
<ns0:Num>SEC. 4.</ns0:Num>
<ns0:Content>
<html:p>
No reimbursement is required by this act pursuant to Section 6 of Article XIII
<html:span class="ThinSpace"/>
B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII
<html:span class="ThinSpace"/>
B of the California Constitution.
</html:p>
</ns0:Content>
</ns0:BillSection>
</ns0:Bill>
</ns0:MeasureDoc>
|