Here is a summary of legislative and regulatory developments and challenges for the second quarter of 2023 and their practical implications:
State Consumer Privacy Laws:
Several states (CO, CT, FL, IA, IN, MT, OR, TN, TX & UT) enacted consumer privacy laws, joining California and Virginia, whose legislation was described in earlier Legislative Updates. These statutes follow a pattern:
Adoption of reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Effective notice to consumers plus consumer consent regarding non-transactional uses of consumers’ personal data, including selling to third parties.
Prompt compliance with consumers’ requests to review or delete personal data.
Applicability thresholds: Applies to companies that annually control or process data of a large number (typically 100,000) of state residents, or that annually sell data of a large number (typically 25,000) of state residents and derive a significant part of their revenue (typically 50%) from these sales.
Protected class: Applies only to “consumers” who are natural persons acting in their individual or household context, excluding natural persons acting in a commercial or employment context.
Exemptions: Financial institutions that are regulated by the Gramm-Leach-Bliley Act and sensitive personal information that is subject to HIPAA are not subject to the laws.
Implications: Recent statutes have been enacted in both conservative and progressive states, suggesting that the adoption of similar laws in additional states may have bipartisan support. While these statutes have similarities, a few are distinctly different. For example, the Florida Digital Bill of Rights, while targeting large companies engaging in automated consumer marketing or software app sales, requires a broad range of companies that collect information from Florida residents to obtain consumers’ consent before selling sensitive data. The Texas Data Privacy and Security Act, as another example, broadly applies to all for-profit companies that process or sell personal data and are not classified as a “small business.”
Relaxation of Nevada In-State Records & Claim Administration Requirements:
In what must be a relief to claim managers, the Nevada legislature recently removed a statutory requirement that WC insurers and TPAs maintain an in-state claim office in order to provide access to claim files, which must be physically maintained at that office. Senate Bill 274, signed by Governor Joe Lombardo on June 16, permits claim handlers to make claim files available for inspection and reproduction by electronic means and to keep physical claim records at a location outside Nevada if those records are made available electronically for inspection and reproduction.
Implications: The new law makes clear that claim office accessibility requirements have not been relaxed: adjusters who are permitted to work from an out-of-state location must maintain their availability “to communicate in real time with the claimant or a representative of the claimant Monday through Friday, 9 a.m. to 5 p.m. local time in this State” excluding legal holidays. Further, the measure empowers the Insurance Commissioner to discipline TPAs who don’t comply with the new out-of-state access requirements. The statute takes effect January 1, 2024, except that rulemaking entities can adopt rules for implementation immediately.