Current through 2024 Regular Session legislation effective June 6, 2024
Section 746.620 - Notice of insurance information practices; exceptions; rules(1) A licensee must provide a clear and conspicuous notice of personal information practices to individuals in connection with insurance transactions under the following circumstances and at the following times:(a) Except as provided in this paragraph, to a consumer who becomes a customer of the licensee, not later than the date that the licensee establishes a continuing relationship under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes. A licensee may provide the notice within a reasonable time after the date the licensee establishes a customer relationship if: (A) Establishing the customer relationship is not at the customer's election; or(B) Providing notice not later than the date that the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.(b) To a consumer other than as described in paragraph (a) of this subsection, before the licensee discloses any personal information about the consumer pursuant to the requirements of ORS 746.665, unless the disclosure meets one or more of the conditions specified in ORS 746.665.(2)(a) Except as provided in paragraph (b) of this subsection, a licensee shall provide a clear and conspicuous notice to a customer that accurately reflects the licensee's privacy policies and practices not less than annually during the continuation of the relationship described in subsection (1)(a) of this section. For the purpose of this subsection, a notice is given annually if the notice is given at least once in any period of 12 consecutive months during which the relationship exists. A licensee may define the period of 12 consecutive months, but the licensee must apply the period to the customer on a consistent basis.(b) A licensee need not provide the notice described in paragraph (a) of this subsection each year if the licensee provides personal information to an unaffiliated third party only in accordance with ORS 746.665 and does not change the policies and practices related to disclosing personal information about which the licensee last notified customers in accordance with this section. If the licensee changes the licensee's privacy policies and practices, the licensee shall notify customers in accordance with this section.(3) The privacy notice required by subsections (1) and (2) of this section must be in writing and must be clear and conspicuous. The notice may be provided in electronic form if the recipient agrees. In addition to any other personal information the licensee wishes to provide, the notice must include the following items of personal information that apply to the licensee and to the individuals to whom the licensee sends the notice:(a) The categories of personal information that the licensee collects.(b) The categories of personal information that the licensee discloses.(c) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses personal information other than persons to whom the licensee discloses information under ORS 746.665.(d) The categories of personal information about former customers of the licensee that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses personal information about the licensee's former customers, other than persons to whom the licensee discloses personal information under ORS 746.665.(e) If a licensee discloses personal information to a nonaffiliated third party under ORS 746.665, a separate description of the categories of personal information the licensee discloses and the categories of nonaffiliated third parties with whom the licensee has contracted.(f) An explanation of the individual's right under ORS 746.630 to authorize disclosure of personal information, including the methods by which the individual may exercise that right.(g) Any disclosure that the licensee makes under section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) regarding the ability to opt out of disclosures of personal information among affiliates.(h) The policies and practices of the licensee with respect to protecting the confidentiality and security of personal information.(i) Any disclosure that the licensee makes under subsection (4) of this section.(j) A description of the rights established under ORS 746.640 and 746.645 and the manner in which such rights may be exercised.(4) If a licensee discloses personal information as authorized under ORS 746.665, the licensee is not required to list those exceptions in the privacy notices required by this section. When describing the categories of parties to whom disclosure is made, the licensee shall state only that the licensee makes disclosures to other affiliated parties or nonaffiliated third parties, as applicable, as authorized by law.(5) In lieu of the notice required in subsection (3) of this section, the licensee may provide to a consumer an abbreviated notice, in writing or in electronic form if the consumer agrees, informing the consumer that: (a) Personal information may be collected from persons other than the consumer proposed for coverage;(b) Such information as well as other personal or privileged information subsequently collected by the licensee may in certain circumstances be disclosed to third parties without authorization;(c) A right of access and correction exists with respect to all personal information collected; and(d) The licensee shall provide the notice prescribed in subsection (3) of this section to the consumer upon request.(6) The Director of the Department of Consumer and Business Services by rule may apply the categories of consumer and customer as defined in ORS 746.600 for the purpose of establishing specific requirements for notice of personal information practices, authorization for disclosure of personal information, conditions for disclosure of personal information under this section and ORS 746.630 and 746.665, and exceptions. The director shall consider applicable definitions and terms used in the federal Gramm-Leach-Bliley Act (P.L. 106-102), applicable definitions and requirements used in the model "Privacy of Consumer Financial and Health Information Regulation" adopted by the National Association of Insurance Commissioners and other sources as may be needed so that the terms defined in ORS 746.600 and applicable to this section and ORS 746.630 and 746.665: (a) Facilitate compliance with requirements in federal law and the laws of other states that establish protections of nonpublic personal information; and(b) Establish separate and discrete requirements relating to the privacy notice and the contents and delivery of the privacy notice for customers and consumers, so that the requirements provide reasonable notice and facilitate compliance with requirements in federal law and in the laws of other states.(7) The director shall determine by rule: (a) When a privacy notice must be provided to a certificate holder or beneficiary of a group policy and to a third-party claimant.(b) When the obligation to provide annual notice ceases.(c) Requirements for revision of the notice by a licensee.(8) An insurance producer is not subject to the requirements of this section when the insurer on whose behalf the insurance producer acts otherwise complies with the requirements of this section and the insurance producer does not disclose any personal information to any person other than the insurer or its affiliate, or as otherwise authorized by law.(9) A licensee may provide a joint notice from the licensee and one or more of the licensee's affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee may also provide a notice on behalf of a financial institution.(10) The obligations imposed by this section upon a licensee may be satisfied by another licensee authorized to act on behalf of the first licensee.(11) For purposes of this section and ORS 746.630 and 746.665, an individual is not the consumer of a licensee solely because the individual is covered under a group life insurance policy issued by the licensee or is a participant or beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary, if: (a) The licensee provides to the policyholder the initial, annual and revised notices under this section; and(b) The licensee does not disclose to a nonaffiliated third party personal information about the individual other than as permitted by ORS 746.665.(12) When an individual becomes a consumer of a licensee under subsection (11) of this section, this section and ORS 746.630 and 746.665 apply to the licensee with respect to the individual.Amended by 2017 Ch. 365, § 1, eff. 1/1/2018.1981 c.649 §6; 2001 c.377 §26; 2003 c. 87, § 10; 2003 c. 364, § 155