As reported here, recent amendments to the annual privacy notice requirement under the Gramm-Leach-Bliley Act (the “GLBA”) contained in the Fixing America’s Surface Transportation (“FAST”) Act eliminated the requirement for financial institutions to provide annual privacy notices under GLBA under certain circumstances. At its spring meeting held April 4, the NAIC Privacy Disclosure (D) Working Group adopted a draft bulletin available here and considered draft amendments to the Model Privacy of Consumer Financial and Health Information Regulation available here intended to implement the FAST Act changes to the requirement to provide annual privacy notices.
The GLBA does not preempt state laws that provide greater protection of consumer privacy rights. Therefore, the FAST Act amendment to the GLBA requirement for annual privacy notices presumably did not override state insurance requirements for annual privacy notices, which had been implemented to comply with the requirements of the GLBA as originally enacted, and are now more protective than the GLBA requirements as amended by the FAST Act. Both the draft bulletin and proposed amendments to the model regulation are pending approval by the NAIC. The NAIC’s promulgation of the new model bulletin and regulation would be the first step in the process to eliminate the burden and cost of annual notices for the insurance industry under certain circumstances. Ultimately, it will be up to individual states to adopt an amended privacy regulation and/or to issue a bulletin following the NAIC’s proposal, to allow eligible insurers the relief provided under the GLBA amendments.
We will continue to track developments, including NAIC issuance of a draft bulletin and amended model regulation, as well as action on the state level, for the implementation of the FAST Act relief from the annual privacy notice requirement.