Brief Overview of the Gramm-Leach-Bliley Act Privacy Rules
This information is directed solely to Principal Life Insurance Company ("The Principal®") brokers who are not registered representatives of Princor Financial Services Corporation ("Princor"). Separate materials have been provided to career agents of The Principal and brokers affiliated with Princor.
This information does not constitute legal advice. We urge you to consult with your attorney to ensure your privacy policies are legally compliant. This information only covers your activities as an insurance broker for The Principal and not as a registered representative. Consult with your broker-dealer if you are registered to sell securities products. This general overview considers only the model privacy regulation issued by the National Association of Insurance Commissioners ("NAIC") and not any particular state or federal privacy regulation(s) that may apply to you.
These materials do not pertain to medical information. Medical information cannot be shared under any circumstances except when necessary to process the client's application for a product.
- What is the Gramm-Leach-Bliley (GLB) Act?
- What is protected information?
- Whose information is protected?
- Do I need to provide a privacy notice to all of my consumers and customers?
- Do I always need to provide an opt-out form before I share information with third parties?
- Can I avoid providing my own privacy notice?
- When do I need to provide a privacy notice and opt-out form?
- Who are third parties?
- How long must I wait before I can share protected information?
- What must a privacy notice include?
- How should I provide an opt-out right?
- How should a privacy notice and opt-out form be delivered?
- Do I need to provide an individual with a privacy notice more than once?
- When is GLB effective?
- May the states have variations to this law?
- Can an individual exercise his/her opt-out right at any time?
- If a customer terminates his/her relationship with me, can I share that customer's information with third parties?
What is GLB?
The Gramm-Leach-Bliley (GLB) Act is a federal law that affects how you share protected information about your clients with third parties. GLB requires you and the financial institutions you represent to protect the security and confidentiality of information collected about individuals. Depending on how you share information about your clients, you may need to provide your own privacy notice (which describes your information protection and sharing practices) and an opt-out form (which gives the individual a reasonable opportunity to say "no" to such information-sharing practices).
What is protected information?
- Name, address, telephone number, financial information or any other information the individual provides - or you collect about the individual - in the process of providing a financial product or service
- The fact that an individual is or has been one of your customers or has obtained a financial product or service from you
- Payment history, claim history and cash values or other information about transactions between you, the individual and the financial institution(s) you represent
- All other information about an individual that is provided in connection with obtaining the product or service
Although some of this information is available through public sources, like the telephone book or city directory, it is still protected information when it pertains to your customers and other individuals listed below.
Whose information is protected?
The law protects "consumers" and "customers." A consumer is defined as an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative.
An example of a consumer is an applicant for insurance prior to the inception of insurance coverage. A customer is defined as a consumer who has a customer relationship with you. A licensee includes licensed producers and other persons licensed or required to be licensed pursuant to the insurance law of a particular state.
Some examples of protected individuals may include:
- Product owners
- Customers and former customers
- Plan participants and former plan participants
- Insureds and annuitants
Do I need to provide my own privacy notice to all of my consumers and customers?
No. Generally speaking, if you are acting as agent for The Principal, you do not need to provide a consumer or customer with your own privacy notice if you do not share protected information with third parties.
Do I always need to provide an opt-out form before I share information with third parties?
No. The law provides certain exceptions to the opt-out requirement. Some examples may include information sharing in the following circumstances:
- Application for a product
- Processing and servicing transactions that the individual requests
- To meet regulatory and legal requirements
- Pursuant to a written request by the individual whose information is being shared
Can I avoid providing my own privacy notice?
When do I need to provide a privacy notice and opt-out form?
Generally speaking, you must provide a privacy notice and opt-out form before you share protected information about consumers and customers with third parties.
Who are third parties?
Third parties are entities or individuals who are not affiliated with you. An "affiliate" is any company that controls, is controlled by or is under common control with another company. Some examples of third parties may include banks, CPAs, attorneys, property/casualty agencies, real estate agents, and lead-sharing groups.
How long must I wait before I can share protected information?
After providing a privacy notice and opt-out form, you must give the individual at least 30 days to respond before you can share protected information.
What must a privacy notice include?
- The categories of protected information that you collect
- The categories of protected information that you disclose
- Generally speaking, the categories of affiliates and third parties to whom you disclose protected information
- The categories of protected information about your former customers that you disclose and the categories of affiliates and third parties to whom you disclose protected information about your former customers
- If you share protected information with third parties for marketing purposes, a separate description of the categories of information you disclose and the categories of third parties with whom you have contracted
- An explanation of the consumer's right to opt out of the disclosure of protected information to third parties, including the methods by which the consumer may exercise that right at that time
- Any disclosures that you make under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates)
- Your policies and practices with respect to protecting the confidentiality and security of protected information
- The fact that disclosures are made as required by law
For help in developing your privacy notice and opt-out form, you may want to consult the Insurance Producer Privacy Guide published by NAIFA. NAIFA's phone number is 703.770.8100 and the Web site is www.naifa.org.
How should I provide an opt-out right?
The privacy notice and opt-out form must provide a reasonable means for the individual to exercise an opt-out right, including, but not limited to, providing a toll-free number or a reply form with check-off boxes in a prominent position. You may not require the consumer to write his or her own letter to exercise the opt-out right.
Do I need to provide an individual with a privacy notice more than once?
Yes. Generally speaking, you need to provide a privacy notice annually that explains your privacy policies and opt-out right to your customers and to consumers if you plan to share information about them with third parties.
May the states have variations to this law?
Yes. GLB sets the "floor" for privacy legislation. Several states have stricter legislation. Currently, California, Montana, New Mexico, North Dakota, and Vermont have stricter privacy laws.
If a customer terminates his/her relationship with me, can I share that customer's information with third parties?
No. Generally speaking, if you intend to share a former customer's protected information with third parties, you must first give that former customer a privacy notice and opt-out form.