Minnesota Legislature

SF 1543

as introduced - 82nd Legislature (2001 - 2002) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.

Current Version - as introduced

  1.1                          A bill for an act 
  1.2             relating to commerce; enacting the Financial 
  1.3             Information Privacy Model Act from the National 
  1.4             Conference of Insurance Legislators; amending 
  1.5             Minnesota Statutes 2000, section 72A.501; proposing 
  1.6             coding for new law as Minnesota Statutes, chapter 60M; 
  1.7             repealing Minnesota Statutes 2000, sections 72A.494; 
  1.8             and 72A.502. 
  1.9   BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 
  1.10                  TITLE, PURPOSE, AND DEFINITIONS 
  1.11     Section 1.  [60M.101] [SHORT TITLE.] 
  1.12     This chapter may be cited as the "Financial Information 
  1.13  Privacy Protection Model Act." 
  1.14     Sec. 2.  [60M.102] [PURPOSE.] 
  1.15     This chapter must be liberally construed and applied to 
  1.16  promote uniformity and functional regulation by: 
  1.17     (1) implementing Title V of the Gramm-Leach-Bliley Act 
  1.18  (GLBA), United States Code, title 15, sections 6801 to 6827, 
  1.19  that requires financial institutions, including insurers, to 
  1.20  respect the privacy of their customers and to protect the 
  1.21  security and confidentiality of those customers' nonpublic 
  1.22  personal financial information; 
  1.23     (2) establishing appropriate consumer privacy standards for 
  1.24  insurance providers to be administered by this state's insurance 
  1.25  regulatory authorities; 
  1.26     (3) ensuring, pursuant to section 6805(c) of GLBA, 
  1.27  that this state is eligible to override, pursuant to section 
  2.1   47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the 
  2.2   insurance customer protections prescribed by a federal banking 
  2.3   agency under section 45(a) of that act; 
  2.4      (4) requiring, pursuant to sections 6802 and 6803 of GLBA 
  2.5   that insurers maintain a privacy policy that is clearly 
  2.6   communicated to customers and, under certain circumstances, to 
  2.7   consumers and, that, subject to appropriate exceptions, no 
  2.8   "nonpublic personal financial information" be disclosed to 
  2.9   nonaffiliated third parties unless a consumer has been given a 
  2.10  chance to "opt out" of having the consumer's information 
  2.11  disclosed, that disclosure is authorized in the case of 
  2.12  personally identifiable health information, and that no specific 
  2.13  account information be given to direct marketing firms, as 
  2.14  provided in section 60M.501; 
  2.15     (5) providing for the enforcement of this chapter by the 
  2.16  department of commerce; and 
  2.17     (6) authorizing the department of commerce to adopt rules 
  2.18  necessary to effectuate the purposes of this chapter. 
  2.19     Sec. 3.  [60M.103] [SCOPE.] 
  2.20     This chapter: 
  2.21     (1) requires a licensee to provide notice to customers and, 
  2.22  under certain circumstances, to consumers about its privacy 
  2.23  policies and practices; 
  2.24     (2) describes the conditions under which a licensee may 
  2.25  disclose nonpublic personal information about consumers and 
  2.26  customers to nonaffiliated third parties; 
  2.27     (3) provides a method for consumers and customers to 
  2.28  prevent a licensee from disclosing that information unless 
  2.29  otherwise exempted as routine business disclosures in section 
  2.30  60M.401, 60M.402, 60M.403, or 60M.501; 
  2.31     (4) establishes reasonable exceptions in sections 60M.401, 
  2.32  60M.402, and 60M.403 to the notice requirements of licensees and 
  2.33  the ability of consumers and customers to opt out of or to 
  2.34  authorize certain disclosures; and 
  2.35     (5) applies only to nonpublic personal information about 
  2.36  individuals who obtain financial products or services in this 
  3.1   state from an insurer for personal, family, or household 
  3.2   purposes.  This chapter does not apply to information about 
  3.3   companies or individuals who obtain financial products or 
  3.4   services for business, commercial, or agricultural purposes.  In 
  3.5   particular, this chapter does not apply to commercial insurance 
  3.6   policies issued by the licensee. 
  3.7      Sec. 4.  [60M.104] [DEFINITIONS.] 
  3.8      Subdivision 1.  [SCOPE.] For the purposes of this chapter, 
  3.9   the terms defined in subdivisions 2 to 24 have the meaning given.
  3.10     Subd. 2.  [AFFILIATE.] "Affiliate" means any company that 
  3.11  controls, is controlled by, or is under common control with, 
  3.12  another company. 
  3.13     Subd. 3.  [AGENT.] "Agent" means an insurance agent or 
  3.14  insurance agency as defined by section 60A.02, subdivision 7. 
  3.15     Subd. 4.  [CLEAR AND CONSPICUOUS.] "Clear and conspicuous" 
  3.16  means that a notice is reasonably understandable and designed to 
  3.17  call attention to the nature and significance of the information 
  3.18  in the notice. 
  3.19     Subd. 5.  [COLLECT.] "Collect" means to obtain information 
  3.20  that the licensee organizes or can retrieve by the name of an 
  3.21  individual or by identifying number, symbol, or other 
  3.22  identifying particular assigned to the individual, irrespective 
  3.23  of the source of the underlying information. 
  3.24     Subd. 6.  [COMPANY.] "Company" means any corporation, 
  3.25  limited liability company, business trust, general or limited 
  3.26  partnership, association, sole proprietorship, or similar 
  3.27  organization. 
  3.28     Subd. 7.  [CONSUMER.] "Consumer" means an individual who 
  3.29  seeks to obtain, obtains, or has obtained an insurance product 
  3.30  or service in this state from a licensee, or that individual's 
  3.31  legal representative, that is to be used primarily for personal, 
  3.32  family, or household purposes, and about whom the licensee has 
  3.33  nonpublic personal information, including, but not limited to: 
  3.34     (1) an individual who provides nonpublic personal 
  3.35  information to a licensee in connection with seeking to obtain 
  3.36  or obtaining financial, insurance, investment, or economic 
  4.1   advisory services regardless of whether the licensee establishes 
  4.2   an ongoing relationship; 
  4.3      (2) an applicant for insurance before the inception of 
  4.4   insurance coverage; 
  4.5      (3) an individual who provides nonpublic personal 
  4.6   information to a licensee in order to obtain a determination 
  4.7   about whether the individual may qualify for a loan to be used 
  4.8   primarily for personal, family, or household purposes, 
  4.9   regardless of whether the loan is extended; 
  4.10     (4) an individual is not a licensee's consumer, including, 
  4.11  but not limited to, because the individual: 
  4.12     (i) is a beneficiary of a trust for which the licensee is a 
  4.13  trustee; 
  4.14     (ii) is a third-party liability claimant; 
  4.15     (iii) has designated the licensee as trustee for a trust; 
  4.16     (iv) is a consumer of another financial institution to 
  4.17  which the licensee acts as agent for, or provides processing or 
  4.18  other services; and 
  4.19     (5) an individual is not a licensee's consumer because the 
  4.20  individual is: 
  4.21     (i) a participant or a beneficiary of an employee benefit 
  4.22  plan that the licensee administers or sponsors or for which the 
  4.23  licensee acts as a trustee, insurer or fiduciary; or 
  4.24     (ii) covered under a group or blanket insurance policy or 
  4.25  group annuity contract issued by the licensee: 
  4.26     (A) provided that the licensee provides the initial, 
  4.27  annual, and revised notices under sections 60M.201, 60M.202, and 
  4.28  60M.203 to the plan sponsor, group, or blanket insurance 
  4.29  policyholder or group annuity contract holder, workers' 
  4.30  compensation plan participant; 
  4.31     (B) and further provided that the licensee does not 
  4.32  disclose to a nonaffiliated third-party nonpublic personal 
  4.33  financial information about such an individual other than as 
  4.34  permitted under sections 60M.401, 60M.402, and 60M.403. 
  4.35     In no event shall the individuals, solely by virtue of the 
  4.36  status described in clause (5), be deemed to be customers for 
  5.1   purposes of this chapter. 
  5.2      Subd. 8.  [CONSUMER REPORTING AGENCY.] "Consumer reporting 
  5.3   agency" has the same meaning as in section 603(f) of the federal 
  5.4   Fair Credit Reporting Act, United States Code, title 15, section 
  5.5   1681a(f), and section 13C.001. 
  5.6      Subd. 9.  [CONTROL.] "Control" means: 
  5.7      (1) ownership, control, or power to vote 25 percent or more 
  5.8   of the outstanding shares of any class of voting security of the 
  5.9   company, directly or indirectly, or acting through one or more 
  5.10  other persons; 
  5.11     (2) control in any manner over the election of a majority 
  5.12  of the directors, trustees, or general partners, or individuals 
  5.13  exercising similar functions, of the company; or 
  5.14     (3) the power to exercise, directly or indirectly, a 
  5.15  controlling influence over the management or policies of the 
  5.16  company, as the commissioner determines. 
  5.17     Subd. 10.  [CUSTOMER.] "Customer" means a consumer who has 
  5.18  a customer relationship with a licensee.  In no event, however, 
  5.19  shall a beneficiary or a claimant under a policy of insurance, 
  5.20  solely by virtue of their status as a beneficiary or claimant, 
  5.21  be deemed to be a customer for the purposes of this chapter. 
  5.22     Subd. 11.  [CUSTOMER RELATIONSHIP.] "Customer relationship" 
  5.23  means a continuing relationship between a consumer and a 
  5.24  licensee under which the licensee provides one or more financial 
  5.25  products or services to the consumer that are to be used 
  5.26  primarily for personal, family, or household purposes, 
  5.27  including, but not limited to, if the consumer: 
  5.28     (1) is a current policyholder of an insurance product, or 
  5.29  other product issued by, through, or from a licensee; 
  5.30     (2) holds an investment product through a licensee; or 
  5.31     (3) obtains financial, insurance, investment, or economic 
  5.32  advisory services relating to an insurance product or service 
  5.33  from a licensee for a fee. 
  5.34     Subd. 12.  [FINANCIAL INSTITUTION.] "Financial institution" 
  5.35  means the same as that term as defined in section 509(3) of 
  5.36  GLBA, and means any institution the business of which is 
  6.1   engaging in financial activities as described in section 4(k) of 
  6.2   the Bank Holding Company Act of 1956. 
  6.3      The term financial institution does not include any person 
  6.4   or entity with respect to any financial activity that is subject 
  6.5   to the jurisdiction of the Commodity Futures Trading Commission 
  6.6   under the Commodity Exchange Act. 
  6.7      The term financial institution does not include the Federal 
  6.8   Agricultural Mortgage Corporation or any entity chartered and 
  6.9   operating under the Farm Credit Act of 1971. 
  6.10     The term financial institution does not include 
  6.11  institutions chartered by Congress specifically to engage in 
  6.12  transactions described in section 502(e)(1)(c) of GLBA, as long 
  6.13  as these institutions do not sell or transfer nonpublic personal 
  6.14  information to a nonaffiliated third party. 
  6.15     Subd. 13.  [FINANCIAL PRODUCT OR SERVICE.] "Financial 
  6.16  product or service" means any product or service that is offered 
  6.17  by a licensee under the insurance laws of this state, including, 
  6.18  but not limited to, a licensee's evaluation or brokerage of 
  6.19  information that the licensee collects in connection with a 
  6.20  request or an application from a consumer for a financial 
  6.21  product or service. 
  6.22     Subd. 14.  [HEALTH INFORMATION.] "Health information" means 
  6.23  any information or data, except age or gender, whether oral or 
  6.24  recorded in any form or medium created by or derived from a 
  6.25  health care provider or the consumer or customer that relates to:
  6.26     (1) the past, present, or future physical, mental, or 
  6.27  behavioral health or condition of consumer or a member of the 
  6.28  consumer's family; 
  6.29     (2) the provision of health care to a consumer; or 
  6.30     (3) payment for the provision of health care to a consumer. 
  6.31     Subd. 15.  [LICENSEE.] (a) "Licensee" means a person 
  6.32  licensed or required to be licensed, authorized or required to 
  6.33  be authorized, or registered or required to be registered under 
  6.34  the insurance laws of this state, a health maintenance 
  6.35  organization holding, or required to hold, a certificate of 
  6.36  authority under chapter 62D, or other covered entities.  A 
  7.1   licensee that is a producer or independent insurance agent is 
  7.2   subject to all the requirements of this chapter, except when the 
  7.3   producer or agent is acting as agent for a licensee.  In that 
  7.4   case, the producer acting as agent for a licensee is exempt only 
  7.5   from the notice requirements, rather than all requirements, of 
  7.6   this chapter, and only if the producer does not disclose 
  7.7   consumer information other than as permitted by sections 
  7.8   60M.401, 60M.402, and 60M.403. 
  7.9      (b) Subject to paragraph (c), covered entities include 
  7.10  unauthorized insurers who place business through licensed 
  7.11  surplus lines brokers in this state, but only in regard to the 
  7.12  surplus lines placements placed pursuant to section 60A.201. 
  7.13     (c) Licensed surplus lines brokers placing business 
  7.14  underwritten by covered entities and those covered entities are 
  7.15  considered to be in compliance with the notice and opt out 
  7.16  requirements for nonpublic personal financial information set 
  7.17  forth in this chapter, provided: 
  7.18     (1) the licensed surplus lines brokers and covered entities 
  7.19  do not disclose nonpublic personal information of a consumer or 
  7.20  a customer to nonaffiliated third parties for any purpose, 
  7.21  including joint servicing or marketing under section 60M.401, 
  7.22  except as permitted by section 60M.402 or 60M.403; and 
  7.23     (2) at the time the customer relationship is established, a 
  7.24  single notice is delivered to the consumer on behalf of all such 
  7.25  licensed surplus lines brokers and covered entities involved in 
  7.26  the provision of a financial product or service to a consumer or 
  7.27  customer on which the following is printed in 16-point type: 
  7.28                         PRIVACY NOTICE 
  7.29  "NEITHER THE U.S. BROKER(S) THAT HANDLES THIS INSURANCE NOR THE 
  7.30  INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE 
  7.31  NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO 
  7.32  NONAFFILIATES OF THE BROKER(S) OR THE INSURER(S) EXCEPT AS 
  7.33  PERMITTED BY LAW." 
  7.34     Subd. 16.  [NONAFFILIATED THIRD PARTY.] "Nonaffiliated 
  7.35  third party" means any person, including, but not limited to, 
  7.36  any company that is an affiliate solely by virtue of the 
  8.1   licensee's or its affiliate's direct or indirect ownership or 
  8.2   control of the company conducting:  
  8.3      (1) merchant banking or investment banking activities of 
  8.4   the type described in section 4(k)(4)(H) of the federal Bank 
  8.5   Holding Company Act; or 
  8.6      (2) insurance company investment activities of the type 
  8.7   described in section 4(k)(4)(I) of the federal Bank Holding 
  8.8   Company Act, United States Code, section 1843(k)(4)(h) and (i), 
  8.9   except: 
  8.10     (i) the licensee's affiliate; or 
  8.11     (ii) a person employed jointly by a licensee and any 
  8.12  company that is not the licensee's affiliate.  Nonaffiliated 
  8.13  third party includes the other company that jointly employs the 
  8.14  person. 
  8.15     Subd. 17.  [NONPUBLIC PERSONAL INFORMATION.] "Nonpublic 
  8.16  personal information" means nonpublic personal financial 
  8.17  information and nonpublic personal health information. 
  8.18     Subd. 18.  [NONPUBLIC PERSONAL FINANCIAL INFORMATION.] (a) 
  8.19  "Nonpublic personal financial information" means: 
  8.20     (1) personally identifiable information; 
  8.21     (2) any list, description, or other grouping of consumers, 
  8.22  and publicly available information pertaining to them, that is 
  8.23  derived using any personally identifiable financial information 
  8.24  that is not publicly available; and 
  8.25     (3) any list of individual's names and street addresses 
  8.26  that is derived in whole or in part using personally 
  8.27  identifiable financial information that is not publicly 
  8.28  available, such as policy or contract numbers. 
  8.29     (b) Nonpublic personal financial information does not 
  8.30  include: 
  8.31     (1) health information; 
  8.32     (2) publicly available information, except as included on a 
  8.33  list as described in clause (4); 
  8.34     (3) any list, description, or other grouping of consumers, 
  8.35  and publicly available information pertaining to them, that is 
  8.36  derived without using any personally identifiable financial 
  9.1   information that is not publicly available; or 
  9.2      (4) any list of individual's names and addresses that 
  9.3   contains only publicly available information that is not 
  9.4   derived, in whole or in part, using personally identifiable 
  9.5   information that is not publicly available, and that is not 
  9.6   disclosed in a manner that indicates that any of the individuals 
  9.7   on the list is a consumer of a financial institution. 
  9.8      Subd. 19.  [NONPUBLIC PERSONAL HEALTH 
  9.9   INFORMATION.] "Nonpublic personal health information" means 
  9.10  health information: 
  9.11     (1) that identifies an individual who is the subject of the 
  9.12  information; or 
  9.13     (2) with respect to which there is a reasonable basis to 
  9.14  believe that the information could be used to identify an 
  9.15  individual. 
  9.16     Subd. 20.  [OPT OUT.] "Opt out" means a direction by the 
  9.17  consumer that a licensee not disclose nonpublic personal 
  9.18  financial information about that consumer to a nonaffiliated 
  9.19  third party, other than as permitted by sections 60M.401, 
  9.20  60M.402, and 60M.403. 
  9.21     Subd. 21.  [PERSONALLY IDENTIFIABLE FINANCIAL 
  9.22  INFORMATION.] "Personally identifiable financial information" 
  9.23  means financial information: 
  9.24     (1) a consumer provides to a licensee to obtain a financial 
  9.25  product or service from the licensee; 
  9.26     (2) about a consumer resulting from any transaction 
  9.27  involving a financial product or service between a licensee and 
  9.28  a consumer; or 
  9.29     (3) a licensee otherwise obtains about a consumer in 
  9.30  connection with providing a financial product or service to that 
  9.31  consumer. 
  9.32     Subd. 22.  [PERSONALLY IDENTIFIABLE HEALTH 
  9.33  INFORMATION.] "Personally identifiable health information" means 
  9.34  health information: 
  9.35     (1) a consumer provides to a licensee to obtain a financial 
  9.36  product or service from the licensee; 
 10.1      (2) about a consumer resulting from any transaction 
 10.2   involving a financial product or service between a licensee and 
 10.3   a consumer; or 
 10.4      (3) the licensee otherwise obtains about a consumer in 
 10.5   connection with providing a financial product or service to that 
 10.6   consumer; and 
 10.7      (4) that identifies a consumer who is the subject of the 
 10.8   information; or 
 10.9      (5) with respect to which there is a reasonable basis to 
 10.10  believe that the information could be used to identify a 
 10.11  consumer. 
 10.12     Personally identifiable health information does not include 
 10.13  personally identifiable, nonmedical information such as name, 
 10.14  address, social security number, age, and gender, if legally 
 10.15  obtained by the licensee from a source other than the consumer's 
 10.16  medical record, even if the information is also part of the 
 10.17  consumer's medical record. 
 10.18     Subd. 23.  [PUBLICLY AVAILABLE INFORMATION.] "Publicly 
 10.19  available information" means any information that the licensee 
 10.20  has a reasonable basis to believe is lawfully made available to 
 10.21  the general public from: 
 10.22     (1) federal, state, or local government records; 
 10.23     (2) widely distributed media; or 
 10.24     (3) disclosures to the general public that are required to 
 10.25  be made by federal, state, or local law. 
 10.26     Subd. 24.  [REASONABLE BASIS.] "Reasonable basis" means the 
 10.27  licensee has a reasonable basis to believe that information is 
 10.28  lawfully made available to the general public because the 
 10.29  licensee has taken steps to determine: 
 10.30     (1) that the information is of the type that is available 
 10.31  to the general public; and 
 10.32     (2) whether an individual can direct that the information 
 10.33  not be made available to the general public and, if so, that a 
 10.34  licensee's consumer has not done so. 
 10.35                    PRIVACY AND OPT OUT NOTICES 
 10.36     Sec. 5.  [60M.201] [INITIAL PRIVACY NOTICE TO CONSUMERS 
 11.1   REQUIRED.] 
 11.2      Subdivision 1.  [INITIAL NOTICE REQUIREMENT.] A licensee 
 11.3   must provide a clear and conspicuous notice that accurately 
 11.4   reflects the licensee's privacy policies and practices to: 
 11.5      (1) an individual who becomes a licensee's customer, not 
 11.6   later than the time that the licensee establishes a customer 
 11.7   relationship, except as provided in subdivision 5; and 
 11.8      (2) a consumer, before a licensee discloses any nonpublic 
 11.9   personal financial information about the consumer to any 
 11.10  nonaffiliated third party, if a licensee makes such a disclosure 
 11.11  other than as authorized by sections 60M.402, 60M.403, and 
 11.12  60M.501. 
 11.13     Subd. 2.  [WHEN INITIAL NOTICE TO A CONSUMER IS NOT 
 11.14  REQUIRED.] A licensee is not required to provide an initial 
 11.15  notice to a consumer under subdivision 1 if: 
 11.16     (1) the licensee does not disclose any nonpublic personal 
 11.17  financial information about the consumer to any nonaffiliated 
 11.18  third party, other than as authorized by sections 60M.402, 
 11.19  60M.403, and 60M.501; 
 11.20     (2) the licensee does not have a customer relationship with 
 11.21  the consumer; or 
 11.22     (3) a notice has been provided by an affiliated licensee, 
 11.23  as long as the notice clearly identifies all licensees to whom 
 11.24  the notice applies or states that it applies to all affiliates 
 11.25  of the named licensee, and is accurate with respect to the 
 11.26  licensee and the other institutions. 
 11.27     Subd. 3.  [WHEN A LICENSEE ESTABLISHES A CUSTOMER 
 11.28  RELATIONSHIP.] (a) A licensee establishes a customer 
 11.29  relationship at the time the licensee and the consumer enter 
 11.30  into a continuing relationship, other than solely as a 
 11.31  beneficiary or claimant. 
 11.32     (b) A licensee establishes a customer relationship under 
 11.33  circumstances including, but not limited to, the following: 
 11.34     (1) when the consumer becomes a policyholder.  This occurs 
 11.35  when an insurance policy or contract is delivered to the 
 11.36  consumer; or 
 12.1      (2) when the consumer agrees to obtain financial, 
 12.2   insurance, economic, or investment advisory services from the 
 12.3   licensee for a fee. 
 12.4      Subd. 4.  [EXISTING CUSTOMERS.] When an existing customer 
 12.5   obtains a new financial product or service from a licensee that 
 12.6   is to be used primarily for personal, family, or household 
 12.7   purposes, a licensee satisfies the initial notice requirements 
 12.8   of subdivision 1 as follows: 
 12.9      (1) a licensee may provide a revised policy notice, under 
 12.10  section 60M.205, that covers the customer's new financial 
 12.11  product or service; or 
 12.12     (2) if the initial, revised, or annual notice that a 
 12.13  licensee most recently provided to that customer was accurate 
 12.14  with respect to the new financial product or service, a licensee 
 12.15  does not need to provide a new privacy notice under subdivision 
 12.16  1. 
 12.17     Subd. 5.  [EXCEPTIONS TO ALLOW SUBSEQUENT DELIVERY OF 
 12.18  NOTICE.] A licensee may provide the initial notice required by 
 12.19  subdivision 1, clause (1), within a reasonable time after the 
 12.20  licensee establishes a customer relationship if: 
 12.21     (1) establishing the customer relationship is not at the 
 12.22  customer's election, including, but not limited to, if the 
 12.23  licensee acquires or is assigned the insurance policy or related 
 12.24  records from another financial institution or residual market 
 12.25  mechanism and the customer does not have a choice about the 
 12.26  acquisition or assignment; or 
 12.27     (2) providing notice not later than when the licensee 
 12.28  establishes the customer relationship would substantially delay 
 12.29  the customer's transaction, including, but not limited to, when 
 12.30  the licensee and the individual agree over the telephone to 
 12.31  enter into a customer relationship involving prompt delivery of 
 12.32  the financial product or service, and the customer agrees to 
 12.33  receive the notice at a later time. 
 12.34     Subd. 6.  [JOINT RELATIONSHIPS.] If two or more consumers 
 12.35  jointly obtain a financial product or service from a licensee, 
 12.36  the licensee may satisfy the requirements of subdivision 1 by 
 13.1   providing one initial notice to those consumers jointly. 
 13.2      Subd. 7.  [DELIVERY.] When a licensee is required to 
 13.3   deliver an initial privacy notice by this section, a licensee 
 13.4   must deliver it according to section 60M.206.  If a licensee 
 13.5   uses a short-form initial notice for noncustomers according to 
 13.6   section 60M.203, subdivision 3, the licensee may deliver its 
 13.7   privacy notice according to section 60M.203, subdivision 3, 
 13.8   paragraph (c). 
 13.9      Sec. 6.  [60M.202] [ANNUAL PRIVACY NOTICE TO CUSTOMERS 
 13.10  REQUIRED.] 
 13.11     Subdivision 1.  [GENERAL RULE.] A licensee must provide a 
 13.12  clear and conspicuous notice to a customer that accurately 
 13.13  reflects the licensee's privacy policies and practices not less 
 13.14  than annually during the continuation of the customer 
 13.15  relationship.  Annually means at least once in any period of 12 
 13.16  consecutive months during which that relationship exists.  A 
 13.17  licensee may define the 12-consecutive-month period, but the 
 13.18  licensee must apply it to the customer on a consistent basis. 
 13.19     Subd. 2.  [TERMINATION OF CUSTOMER RELATIONSHIP.] A 
 13.20  licensee is not required to provide an annual notice to a former 
 13.21  customer.  A former customer is an individual with whom a 
 13.22  licensee no longer has a continuing relationship.  A licensee no 
 13.23  longer has a continuing relationship with an individual: 
 13.24     (1) if the individual no longer is a current policyholder 
 13.25  of an insurance product or no longer obtains insurance services 
 13.26  with or through the licensee; 
 13.27     (2) if the individual's policy is lapsed, expired, or 
 13.28  otherwise inactive or dormant under the licensee's business 
 13.29  practices, and the licensee has not communicated with the 
 13.30  customer about the relationship for a period of 12 consecutive 
 13.31  months, other than to provide annual privacy notices, materials 
 13.32  required by law or rule, or promotional materials; 
 13.33     (3) if the individual's last known address according to the 
 13.34  licensee's records is deemed to be invalid.  An address of 
 13.35  record is deemed invalid if mail sent to that address by the 
 13.36  licensee has been returned by the postal authorities as 
 14.1   undeliverable and if subsequent attempts by the licensee to 
 14.2   obtain a valid current address for the individual have been 
 14.3   unsuccessful; or 
 14.4      (4) in the case of providing real estate settlement 
 14.5   services, at the time the customer completes execution of all 
 14.6   documents related to the real estate closing, payment for those 
 14.7   services has been received, or the licensee has completed all of 
 14.8   its responsibilities with respect to the settlement, including 
 14.9   filing documents on the public record, whichever is later. 
 14.10     Subd. 3.  [DELIVERY.] When the licensee is required to 
 14.11  deliver an annual privacy notice by this section, the licensee 
 14.12  must deliver it according to section 60M.206. 
 14.13     This annual notice may be provided by an affiliated 
 14.14  licensee, as long as the notice clearly identifies all licensees 
 14.15  to which the notice applies or states that it applies to all 
 14.16  affiliates of the named licensee, and is accurate with respect 
 14.17  to the licensee and other institutions. 
 14.18     Sec. 7.  [60M.203] [INFORMATION TO BE INCLUDED IN PRIVACY 
 14.19  NOTICES.] 
 14.20     Subdivision 1.  [GENERAL RULE.] The initial, annual, and 
 14.21  revised privacy notices that a licensee provides under sections 
 14.22  60M.201, 60M.202, and 60M.205 must include each of the following 
 14.23  items of information that applies to the licensee or to the 
 14.24  consumers to whom the licensee sends its privacy notice, in 
 14.25  addition to any other information the licensee wishes to provide:
 14.26     (1) the categories of nonpublic personal financial 
 14.27  information that the licensee collects; 
 14.28     (2) the categories of nonpublic personal financial 
 14.29  information that the licensee discloses; 
 14.30     (3) the categories of affiliates and nonaffiliated third 
 14.31  parties to whom the licensee disclosed nonpublic personal 
 14.32  financial information, other than those parties to whom the 
 14.33  licensee discloses information under sections 60M.402 and 
 14.34  60M.403; 
 14.35     (4) the categories of nonpublic personal financial 
 14.36  information about the licensee's former customers that it 
 15.1   discloses and the categories of affiliates and nonaffiliated 
 15.2   third parties to whom the licensee discloses nonpublic personal 
 15.3   financial information about its former customers, other than 
 15.4   those parties to whom it discloses information under sections 
 15.5   60M.402 and 60M.403; 
 15.6      (5) if a licensee discloses nonpublic personal financial 
 15.7   information to a nonaffiliated third party under section 
 15.8   60M.401, and no other exception applies to that disclosure, a 
 15.9   separate statement of the categories of information the licensee 
 15.10  discloses and the categories of third parties with whom the 
 15.11  licensee has contracted; 
 15.12     (6) an explanation of the right under section 60M.301 to 
 15.13  opt out of the disclosure of nonpublic personal financial 
 15.14  information to nonaffiliated third parties and under section 
 15.15  60M.501 to authorize the disclosure of personally identifiable 
 15.16  health information for marketing purposes, including the methods 
 15.17  by which the consumer may exercise those rights at that time; 
 15.18     (7) any disclosures that the licensee makes under section 
 15.19  603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act, 
 15.20  United States Code, title 15, section 1681a(d)(2)(A)(iii), 
 15.21  regarding the ability to opt out of disclosures of information 
 15.22  among affiliates; 
 15.23     (8) the licensee's policies and practices with respect to 
 15.24  protecting the confidentiality and security of nonpublic 
 15.25  personal information; and 
 15.26     (9) a statement to the effect that the licensee makes 
 15.27  disclosures under subdivision 2, if the disclosures are made. 
 15.28     Subd. 2.  [DESCRIPTION OF NONAFFILIATED THIRD PARTIES 
 15.29  SUBJECT TO EXCEPTIONS.] If a licensee discloses nonpublic 
 15.30  personal financial information about a consumer to third parties 
 15.31  only as authorized under sections 60M.402 and 60M.403, the 
 15.32  licensee is not required to list those exceptions in the initial 
 15.33  or annual privacy notices required by this chapter.  When 
 15.34  describing the categories with respect to those parties, a 
 15.35  licensee is only required to state that it makes disclosures to 
 15.36  other nonaffiliated third parties as permitted by law. 
 16.1      Subd. 3.  [SHORT FORM INITIAL NOTICE WITH OPT OUT NOTICE 
 16.2   FOR NONCUSTOMERS.] (a) The licensee may satisfy the initial 
 16.3   notice requirements of this chapter for a consumer who is not a 
 16.4   customer by providing a short form initial notice at the same 
 16.5   time as the licensee delivers an opt out notice as required in 
 16.6   section 60M.206 and, if appropriate, an authorization as 
 16.7   required in section 60M.501. 
 16.8      (b) A short form initial notice must: 
 16.9      (1) be clear and conspicuous; 
 16.10     (2) state that a licensee's privacy notice is available 
 16.11  upon request; and 
 16.12     (3) explain a reasonable means by which the consumer may 
 16.13  obtain that notice, including, but not limited to, providing a 
 16.14  toll-free telephone number the consumer may call to request the 
 16.15  notice or, for a consumer who conducts business in person in the 
 16.16  licensee's office, providing notice to the consumer immediately 
 16.17  upon request. 
 16.18     (c) The licensee must deliver its short form notice 
 16.19  according to section 60M.206.  A licensee is not required to 
 16.20  deliver its privacy notice with its short form initial notice.  
 16.21  A licensee may instead simply provide the consumer with a 
 16.22  reasonable means to obtain the licensee's privacy notice.  If a 
 16.23  consumer who receives the licensee's short form notice requests 
 16.24  the licensee's privacy notice, the licensee must deliver its 
 16.25  privacy notice according to section 60M.206. 
 16.26     Subd. 4.  [FUTURE DISCLOSURES.] A licensee's notice may 
 16.27  include: 
 16.28     (1) categories of nonpublic personal financial information 
 16.29  that the licensee reserves the right to disclose in the future, 
 16.30  but does not currently disclose; and 
 16.31     (2) categories of affiliates or nonaffiliated third parties 
 16.32  to whom the licensee reserves the right in the future to 
 16.33  disclose, but to whom it does not currently disclose, nonpublic 
 16.34  personal financial information. 
 16.35     Sec. 8.  [60M.204] [FORM OF OPT OUT NOTICE TO CONSUMERS; 
 16.36  OPT OUT METHODS.] 
 17.1      Subdivision 1.  [FORM OF OPT OUT NOTICE.] If a licensee is 
 17.2   required to provide an opt out notice under section 60M.301, the 
 17.3   licensee must provide a clear and conspicuous notice to each of 
 17.4   its consumers that accurately explains the right to opt out 
 17.5   under that section.  The notice must state: 
 17.6      (1) that the licensee discloses or reserves the right to 
 17.7   disclose nonpublic personal financial information about its 
 17.8   consumer to a nonaffiliated third party; 
 17.9      (2) that the consumer has the right to opt out of that 
 17.10  disclosure; and 
 17.11     (3) a reasonable means by which the consumer may exercise 
 17.12  the opt out right, provided that the licensee may require the 
 17.13  consumer opt out through a specific means, as long as the means 
 17.14  is reasonable for that consumer. 
 17.15     Subd. 2.  [REASONABLE OPT OUT MEANS.] A licensee provides a 
 17.16  reasonable means to exercise an opt out right if it: 
 17.17     (1) designates check off boxes in a prominent position on 
 17.18  the relevant forms with the opt out notice; 
 17.19     (2) includes a reply form together with the opt out notice; 
 17.20     (3) provides an electronic means to opt out, such as a form 
 17.21  that can be sent via electronic mail or a process at the 
 17.22  licensee's Web site, if the consumer agrees to the electronic 
 17.23  delivery of information; 
 17.24     (4) provides a toll-free telephone number that consumers 
 17.25  may call to opt out; or 
 17.26     (5) provides the opt out notice together with or on the 
 17.27  same written or electronic form as the initial notice the 
 17.28  licensee provides in accordance with section 60M.201. 
 17.29     Subd. 3.  [INITIAL NOTICE REQUIRED WHEN OPT OUT NOTICE 
 17.30  DELIVERED SUBSEQUENT TO INITIAL NOTICE.] If a licensee provides 
 17.31  the opt out notice later than required for the initial notice in 
 17.32  accordance with section 60M.201, subdivision 5, the licensee 
 17.33  must also include a copy of the initial notice in writing or, if 
 17.34  the consumer agrees, electronically. 
 17.35     Subd. 4.  [JOINT RELATIONSHIPS.] (a) If two or more consumers 
 17.36  jointly obtain a financial product or service from a licensee, 
 18.1   the licensee may provide a single opt out notice.  The 
 18.2   licensee's opt out notice must explain how the licensee will 
 18.3   treat an opt out direction by a joint consumer, as explained in 
 18.4   paragraph (b). 
 18.5      (b) Any of the joint consumers may exercise the right to 
 18.6   opt out.  The licensee may either: 
 18.7      (1) treat an opt out direction by a joint consumer as 
 18.8   applying to all of the associated joint consumers; or 
 18.9      (2) permit each joint consumer to opt out separately. 
 18.10     (c) If the licensee permits each joint consumer to opt out 
 18.11  separately, the licensee must permit one of the joint consumers 
 18.12  to opt out on behalf of all the joint consumers. 
 18.13     (d) A licensee may not require all joint consumers to opt 
 18.14  out before the licensee implements any opt out direction. 
 18.15     Subd. 5.  [TIME TO COMPLY WITH OPT OUT.] A licensee must 
 18.16  comply with a consumer's opt out direction as soon as reasonably 
 18.17  practicable after the licensee receives it. 
 18.18     Subd. 6.  [CONTINUING RIGHT TO OPT OUT.] A consumer may 
 18.19  exercise the right to opt out at any time. 
 18.20     Subd. 7.  [DURATION OF CONSUMER'S OPT OUT DIRECTION.] (a) A 
 18.21  consumer's direction to opt out under this section is effective 
 18.22  until the consumer revokes it in writing or, if the consumer 
 18.23  agrees, electronically. 
 18.24     (b) When a customer relationship terminates, the customer's 
 18.25  opt out direction continues to apply to the nonpublic personal 
 18.26  financial information the licensee collected during or related 
 18.27  to that relationship.  If the individual subsequently 
 18.28  establishes a new customer relationship with the licensee, the 
 18.29  opt out direction that applied to the former relationship does 
 18.30  not apply to the new relationship. 
 18.31     Subd. 8.  [DELIVERY.] When a licensee is required to 
 18.32  deliver an opt out notice by this section, the licensee must 
 18.33  deliver it according to section 60M.206. 
 18.34     Sec. 9.  [60M.205] [REVISED PRIVACY NOTICES.] 
 18.35     Subdivision 1.  [GENERAL RULE.] Except as otherwise 
 18.36  authorized in this chapter, a licensee shall not, directly or 
 19.1   through any affiliate, disclose any nonpublic personal financial 
 19.2   information about a consumer to a nonaffiliated third party 
 19.3   other than as described in the initial notice that the licensee 
 19.4   provided to that consumer under section 60M.201, unless: 
 19.5      (1) the licensee has provided to the consumer a revised 
 19.6   notice that accurately describes the licensee's policies and 
 19.7   practices; 
 19.8      (2) the licensee has provided to the consumer a new opt out 
 19.9   notice and, if appropriate, an authorization as required in 
 19.10  section 60M.401; 
 19.11     (3) the licensee has given the consumer a reasonable 
 19.12  opportunity, before the licensee discloses the information to 
 19.13  the nonaffiliated third party, to opt out of or, if appropriate, 
 19.14  authorize the disclosure; and 
 19.15     (4) the consumer does not opt out or, if appropriate, the 
 19.16  consumer authorizes the disclosure. 
 19.17     Subd. 2.  [DELIVERY.] When the licensee is required to 
 19.18  deliver a revised privacy notice by this section, the licensee 
 19.19  must deliver it according to section 60M.206. 
 19.20     Sec. 10.  [60M.206] [DELIVERING PRIVACY AND OPT OUT 
 19.21  NOTICES.] 
 19.22     Subdivision 1.  [PROVISION OF NOTICES.] (a) A licensee must 
 19.23  provide any privacy notices and opt out notices, including short 
 19.24  form initial notices, that this chapter requires so that each 
 19.25  consumer can reasonably be expected to receive actual notice in 
 19.26  writing or, if the consumer agrees, electronically. 
 19.27     (b) The licensee may reasonably expect that a consumer will 
 19.28  receive actual notice if the licensee: 
 19.29     (1) hand delivers a printed copy of the notice to the 
 19.30  consumer; 
 19.31     (2) mails a printed copy of the notice to the last known 
 19.32  address of the consumer separately, or in a policy, billing, or 
 19.33  other written communication; and 
 19.34     (3) electronically, clearly, and conspicuously posts the 
 19.35  notice on the electronic site for the consumer who regularly 
 19.36  accesses the licensee's Web site to conduct transactions; or 
 20.1      (4) for an isolated transaction with the consumer, such as 
 20.2   the licensee providing an insurance quote or selling the 
 20.3   consumer travel insurance, posts the notice and requires the 
 20.4   consumer to acknowledge receipt of the notice as a necessary 
 20.5   step to obtaining the particular financial product or service. 
 20.6      (c) A licensee may not reasonably expect that a consumer 
 20.7   will receive actual notice of the licensee's privacy policies 
 20.8   and practices if the licensee: 
 20.9      (1) only posts a sign in its branch or office or generally 
 20.10  publishes advertisements of its privacy policies and practices; 
 20.11  or 
 20.12     (2) sends the notice via electronic mail to a consumer who 
 20.13  does not agree to receive the notice electronically or obtain a 
 20.14  financial product or service from the licensee electronically. 
 20.15     Subd. 2.  [ANNUAL NOTICES ONLY.] A licensee may reasonably 
 20.16  expect that a customer will receive actual notice of the 
 20.17  licensee's annual privacy notice if: 
 20.18     (1) the customer agrees to receive notices at the Web site, 
 20.19  and the licensee posts its current privacy notice continuously 
 20.20  in a clear and conspicuous manner on the Web site; or 
 20.21     (2) the customer has requested that the licensee refrain 
 20.22  from sending any information regarding the customer 
 20.23  relationship, and the licensee's current privacy notice remains 
 20.24  available to the customer upon request. 
 20.25     Subd. 3.  [ORAL DESCRIPTION OF NOTICE INSUFFICIENT.] A 
 20.26  licensee may not provide any notice required by this chapter 
 20.27  solely by orally explaining the notice, either in person or over 
 20.28  the telephone. 
 20.29     Subd. 4.  [RETENTION OR ACCESSIBILITY OF NOTICES FOR 
 20.30  CUSTOMERS.] For customers only, a licensee must provide the 
 20.31  initial notice, the annual notice, and the revised notice 
 20.32  required by this chapter, so that the customer can retain them 
 20.33  or obtain them later in writing or, if the customer agrees, 
 20.34  electronically, including, but not limited to, hand delivering a 
 20.35  printed copy of the notice to the customer; mailing a printed 
 20.36  copy of the notice to the last known address of the customer 
 21.1   upon the request of the customer; or making the licensee's 
 21.2   current privacy notice available on a Web site, or a link to 
 21.3   another Web site, for the customer who agrees to receive the 
 21.4   notice at the Web site. 
 21.5      Subd. 5.  [JOINT NOTICE WITH OTHER FINANCIAL INSTITUTIONS.] 
 21.6   A licensee may provide a joint notice from the licensee and one 
 21.7   or more of the licensee's affiliates, other licensees or other 
 21.8   financial institutions, or on behalf of another financial 
 21.9   institution, as long as the notice is accurate with respect to 
 21.10  the licensee and the other institutions. 
 21.11     Subd. 6.  [JOINT RELATIONSHIPS.] If two or more consumers 
 21.12  jointly obtain a financial product or service from a licensee, 
 21.13  the licensee may satisfy the initial, annual, and revised notice 
 21.14  requirements of sections 60M.201, 60M.202, and 60M.205, 
 21.15  respectively, by providing one notice to those consumers 
 21.16  jointly. 
 21.17     Sec. 11.  [60M.207] [NONDISCRIMINATION.] 
 21.18     (a) No licensee shall unfairly discriminate against any 
 21.19  customer or consumer on the basis of the customer's or 
 21.20  consumer's exercise of the right to opt out of the sharing of 
 21.21  nonpublic personal information in the manner provided in this 
 21.22  chapter.  Nothing in this section prohibits licensees from 
 21.23  engaging in their usual, appropriate, or acceptable method for 
 21.24  insurance underwriting. 
 21.25     (b) Nothing in this chapter requires a licensee to provide 
 21.26  a benefit or begin or continue payment of a claim in the absence 
 21.27  of personally identifiable health information, nonpublic 
 21.28  personal health information, or nonpublic personal financial 
 21.29  information to support or deny the claim. 
 21.30                        LIMITS ON DISCLOSURE 
 21.31     Sec. 12.  [60M.301] [LIMITS ON DISCLOSURE OF NONPUBLIC 
 21.32  PERSONAL FINANCIAL INFORMATION TO NONAFFILIATED THIRD PARTIES.] 
 21.33     Subdivision 1.  [CONDITIONS FOR DISCLOSURE.] (a) Except as 
 21.34  otherwise authorized in this chapter, a licensee may not, 
 21.35  directly or through any affiliate, disclose any nonpublic 
 21.36  personal financial information about a consumer to a 
 22.1   nonaffiliated third party unless: 
 22.2      (1) the licensee has provided to the consumer an initial 
 22.3   notice as required under section 60M.201; 
 22.4      (2) the licensee has provided to the consumer an opt out 
 22.5   notice as required in section 60M.204; 
 22.6      (3) the licensee has given the consumer a reasonable 
 22.7   opportunity, before the licensee discloses the information to 
 22.8   the nonaffiliated third party, to opt out of the disclosure.  
 22.9   Methods of complying with this clause include, but are not 
 22.10  limited to the methods in paragraph (b). 
 22.11     (b) A licensee complies with paragraph (a), clause (3), if 
 22.12  the licensee mails the notices required in paragraph (a), clause 
 22.13  (1), to the consumer and allows the consumer to opt out by 
 22.14  mailing a form, calling a toll-free telephone number, or any 
 22.15  other reasonable means within 30 days from the date the licensee 
 22.16  mailed the notices. 
 22.17     A licensee complies with paragraph (a), clause (3), if a 
 22.18  customer opens an on-line account with the licensee and agrees 
 22.19  to receive the notices required in paragraph (a), clause (1), 
 22.20  electronically, and the licensee makes the notices available to 
 22.21  the customer on its Web site and the licensee allows the 
 22.22  customer to opt out by any reasonable means within 30 days after 
 22.23  the date that the customer acknowledges receipt of the notices 
 22.24  in conjunction with opening the account. 
 22.25     For an isolated transaction, such as providing the consumer 
 22.26  with an insurance quote, a licensee complies with paragraph (a), 
 22.27  clause (3), if the licensee provides a reasonable opportunity to 
 22.28  opt out and the consumer does not opt out and if the licensee 
 22.29  provides the consumer the notices required in paragraph (a), 
 22.30  clause (1), at the time of the transaction and requests that the 
 22.31  consumer decide, as a necessary act of the transaction, whether 
 22.32  to opt out before completing the transaction. 
 22.33     Subd. 2.  [APPLICATION OF OPT OUT TO ALL CONSUMERS AND ALL 
 22.34  NONPUBLIC PERSONAL FINANCIAL INFORMATION.] (a) A licensee must 
 22.35  comply with this section, regardless of whether the licensee and 
 22.36  the consumer have established a customer relationship. 
 23.1      (b) Unless a licensee complies with this section, the 
 23.2   licensee may not, directly or through any affiliate, disclose 
 23.3   any nonpublic personal financial information about a consumer 
 23.4   that it has collected, regardless of whether the licensee 
 23.5   collected it before or after receiving the direction to opt out 
 23.6   from the consumer. 
 23.7      Sec. 13.  [60M.302] [LIMITS ON REDISCLOSURE AND REUSE OF 
 23.8   INFORMATION.] 
 23.9      Subdivision 1.  [INFORMATION A LICENSEE RECEIVES UNDER AN 
 23.10  EXCEPTION.] If the licensee receives nonpublic personal 
 23.11  information from a nonaffiliated financial institution under an 
 23.12  exception of this chapter or pursuant to an authorization under 
 23.13  section 60M.501, the licensee's disclosure and use of that 
 23.14  information is limited as follows: 
 23.15     (1) the licensee may disclose the information to the 
 23.16  affiliates of the financial institution from which the licensee 
 23.17  received the information; 
 23.18     (2) the licensee may disclose the information to its 
 23.19  affiliates and agents, but the affiliates and agents may, in 
 23.20  turn, disclose and use the information only to the extent that 
 23.21  the licensee may disclose and use the information; and 
 23.22     (3) the licensee may disclose and use the information 
 23.23  pursuant to an exception in section 60M.402 or 60M.403, in the 
 23.24  ordinary course of business to carry out the activity covered by 
 23.25  the exception under which the licensee received the information. 
 23.26     Subd. 2.  [INFORMATION A LICENSEE RECEIVES OUTSIDE OF AN 
 23.27  EXCEPTION.] If a licensee receives nonpublic personal 
 23.28  information from a nonaffiliated financial institution other 
 23.29  than under an exception in this chapter or pursuant to an 
 23.30  authorization under section 60M.501, the licensee may disclose 
 23.31  the information only: 
 23.32     (1) to the affiliates of the financial institution from 
 23.33  which the licensee received the information; 
 23.34     (2) to the licensee's affiliates and agents, but the 
 23.35  licensee's affiliates and agents may, in turn, disclose the 
 23.36  information only to the extent that the licensee can disclose 
 24.1   the information; and 
 24.2      (3) to any other person, if the disclosure would be lawful 
 24.3   if made directly to that person by the financial institution 
 24.4   from which the licensee received the information. 
 24.5      Subd. 3.  [INFORMATION A LICENSEE DISCLOSES UNDER AN 
 24.6   EXCEPTION.] If the licensee discloses nonpublic personal 
 24.7   financial information to a nonaffiliated third party under an 
 24.8   exception in section 60M.402 or 60M.403, the third party may 
 24.9   disclose and use that information only as follows: 
 24.10     (1) the third party may disclose the information to the 
 24.11  licensee's affiliates; 
 24.12     (2) the third party may disclose the information to its 
 24.13  affiliates, but its affiliates may, in turn, disclose and use 
 24.14  the information only to the extent that the third party may 
 24.15  disclose and use the information; and 
 24.16     (3) the third party may disclose and use the information 
 24.17  pursuant to an exception in section 60M.402 or 60M.403, in the 
 24.18  ordinary course of business to carry out the activity covered by 
 24.19  the exception under which it received the information. 
 24.20     Subd. 4.  [INFORMATION A LICENSEE DISCLOSES OUTSIDE OF AN 
 24.21  EXCEPTION.] If a licensee discloses nonpublic personal 
 24.22  information to a nonaffiliated third party other than under an 
 24.23  exception in section 60M.402 or 60M.403 or pursuant to an 
 24.24  authorization under section 60M.501, the third party may 
 24.25  disclose the information only: 
 24.26     (1) to the licensee's affiliates; 
 24.27     (2) to the third party's affiliates, but the third party's 
 24.28  affiliates, in turn, may disclose the information only to the 
 24.29  extent the third party can disclose the information; and 
 24.30     (3) to any other person, if the disclosure would be lawful 
 24.31  if the licensee made it directly to that person. 
 24.32     Sec. 14.  [60M.303] [LIMITS ON SHARING POLICY OR CONTRACT 
 24.33  NUMBER INFORMATION FOR MARKETING PURPOSES.] 
 24.34     Subdivision 1.  [GENERAL PROHIBITION ON DISCLOSURE OF 
 24.35  POLICY OR CONTRACT NUMBERS.] A licensee must not, directly or 
 24.36  through an affiliate, disclose, other than to a consumer 
 25.1   reporting agency, a policy or contract number or similar form of 
 25.2   access number or access code for a consumer's credit card 
 25.3   account, deposit account, or transaction account to any 
 25.4   nonaffiliated third party for use in telemarketing, direct mail 
 25.5   marketing, or other marketing through electronic mail to the 
 25.6   consumer. 
 25.7      Subd. 2.  [EXCEPTIONS.] Subdivision 1 does not apply if the 
 25.8   licensee discloses a policy or contract number or similar form 
 25.9   of access number or access code: 
 25.10     (1) to the licensee's agent or service provider solely in 
 25.11  order to perform marketing for the licensee's products or 
 25.12  services, as long as the agent or service provider is not 
 25.13  authorized to directly initiate charges to the account; 
 25.14     (2) to a participant in a private label credit card program 
 25.15  or an affinity or similar program where the participants in the 
 25.16  program are identified to the customer when the customer enters 
 25.17  into the program; or 
 25.18     (3) to a licensee who is a producer solely in order to 
 25.19  perform marketing for the licensee's own products or services. 
 25.20                             EXCEPTIONS 
 25.21     Sec. 15.  [60M.401] [EXCEPTION TO OPT OUT REQUIREMENTS FOR 
 25.22  SERVICE PROVIDERS AND JOINT MARKETING.] 
 25.23     Subdivision 1.  [GENERAL RULE.] The opt out requirements of 
 25.24  this chapter do not apply when a licensee provides nonpublic 
 25.25  personal financial information to a nonaffiliated third party to 
 25.26  perform services for, or functions on behalf of, the licensee, 
 25.27  if the licensee: 
 25.28     (1) provides the initial notice in accordance with this 
 25.29  chapter; and 
 25.30     (2) enters into a contractual agreement with the third 
 25.31  party that prohibits the third party from disclosing or using 
 25.32  the information other than to carry out the purposes for which 
 25.33  the licensee disclosed the information, including use under an 
 25.34  exception in section 60M.402 or 60M.403, in the ordinary course 
 25.35  of business to carry out those purposes. 
 25.36     Subd. 2.  [INSURANCE FUNCTIONS.] A licensee may use and 
 26.1   disclose personally identifiable financial information to a 
 26.2   person acting on behalf of or at the direction of the licensee 
 26.3   to perform the licensee's insurance functions including, but not 
 26.4   limited to, claims administration, claims adjustment and 
 26.5   management, fraud investigation, underwriting, loss control, 
 26.6   rate-making functions, reinsurance, risk management, case 
 26.7   management, disease management, quality assessment, quality 
 26.8   improvement, provider credentialing verification, utilization 
 26.9   review, peer review activities, grievance procedure, internal 
 26.10  administration of compliance, managerial and information 
 26.11  systems, policyholder service function, account administration, 
 26.12  processing premium payments, processing insurance claims, 
 26.13  administering insurance benefits, including utilization review 
 26.14  activities, participating in research projects, and as otherwise 
 26.15  required or specifically permitted by federal or state law. 
 26.16     Subd. 3.  [SERVICE MAY INCLUDE JOINT MARKETING.] The 
 26.17  services performed for a licensee by a nonaffiliated third party 
 26.18  under subdivision 1 may include marketing of the licensee's own 
 26.19  products or services or marketing of financial products or 
 26.20  services offered pursuant to joint agreements between the 
 26.21  licensee and one or more financial institutions. 
 26.22     Subd. 4.  [DEFINITION OF JOINT AGREEMENT.] For purposes of 
 26.23  this section, "joint agreement" means a written contract 
 26.24  pursuant to which a licensee and one or more financial 
 26.25  institutions jointly offer, endorse, or sponsor a financial 
 26.26  product or service. 
 26.27     Sec. 16.  [60M.402] [EXCEPTIONS TO NOTICE AND OPT OUT 
 26.28  REQUIREMENTS FOR PROCESSING AND SERVICING TRANSACTIONS.] 
 26.29     Subdivision 1.  [EXCEPTIONS FOR PROCESSING TRANSACTIONS AT 
 26.30  CONSUMER'S REQUEST.] The requirements for initial notice to 
 26.31  consumers in section 60M.201, subdivision 1, clause (2), 
 26.32  providing the opt out opportunity to consumers and customers, 
 26.33  and the application of this chapter to service providers and 
 26.34  joint marketing do not apply if a licensee discloses nonpublic 
 26.35  personal financial information as necessary to effect, 
 26.36  administer, or enforce a transaction requested or authorized by 
 27.1   the consumer, or in connection with: 
 27.2      (1) servicing or processing a financial product or service 
 27.3   requested or authorized by the consumer, including products or 
 27.4   services under consideration by a consumer; 
 27.5      (2) maintaining or servicing the consumer's account with 
 27.6   the licensee or with another entity; 
 27.7      (3) transactions involving a person acting as agent of the 
 27.8   licensee, provided the agent agrees not to disclose said 
 27.9   nonpublic personal financial information to additional third 
 27.10  parties; or 
 27.11     (4) a proposed or actual securitization, secondary market 
 27.12  sale, including sales of servicing rights, or similar 
 27.13  transaction related to a transaction of the consumer. 
 27.14     Subd. 2.  [EXCEPTIONS FOR THE ADMINISTRATION OF AN 
 27.15  EMPLOYER'S BENEFIT PLAN.] The requirements of this chapter do 
 27.16  not apply if a licensee discloses nonpublic personal financial 
 27.17  information, personally identifiable health information, or 
 27.18  nonpublic personal information for any purpose related to 
 27.19  effecting, administering, or replacing a group benefit plan, a 
 27.20  group health plan, or a group welfare plan. 
 27.21     Subd. 3.  [DEFINITION.] "Necessary to effect, administer, 
 27.22  or enforce a transaction" means, in this section, that the 
 27.23  disclosure is: 
 27.24     (1) required, or is one of the lawful or appropriate 
 27.25  methods, to enforce the licensee's rights or the rights of other 
 27.26  persons engaged in carrying out the financial transaction or 
 27.27  providing the product or service; or 
 27.28     (2) required, or is a usual, appropriate, or acceptable 
 27.29  method: 
 27.30     (i) to carry out the transaction or the product or service 
 27.31  business of which the transaction is a part, and record, 
 27.32  service, or maintain the consumer's account in the ordinary 
 27.33  course of providing the financial service or financial product; 
 27.34     (ii) to administer, adjudicate, or service benefits or 
 27.35  claims relating to the transaction or the product or service 
 27.36  business of which it is a part; 
 28.1      (iii) to provide a confirmation, statement, or other record 
 28.2   of the transaction, or information on the status or value of the 
 28.3   financial service or financial product to the consumer or the 
 28.4   consumer's agent or broker; 
 28.5      (iv) to accrue or recognize incentives or bonuses 
 28.6   associated with the transaction that are provided by the 
 28.7   licensee or any other party; 
 28.8      (v) to underwrite insurance at the consumer's request or 
 28.9   for reinsurance purposes, or for any of the following purposes, 
 28.10  as they relate to a consumer's insurance:  account 
 28.11  administration, reporting, investigating, preventing fraud or 
 28.12  material misrepresentation, processing premium payments, 
 28.13  processing insurance claims, administering insurance benefits, 
 28.14  including utilization review activities, participating in 
 28.15  research projects, or as otherwise required or specifically 
 28.16  permitted by federal or state law; 
 28.17     (vi) in connection with: 
 28.18     (A) the authorization, settlement, billing, processing, 
 28.19  clearing, transferring, reconciling, or collection of amounts 
 28.20  charged, debited, or otherwise paid using a debit, credit, or 
 28.21  other payment card, check, or policy or contract number, or by 
 28.22  other payment means; 
 28.23     (B) the transfer of receivables or accounts, or interests 
 28.24  in the receivables or accounts; or 
 28.25     (C) the audit of debit, credit, or other payment 
 28.26  information. 
 28.27     Sec. 17.  [60M.403] [OTHER EXCEPTIONS TO NOTICE AND OPT OUT 
 28.28  REQUIREMENTS.] 
 28.29     Subdivision 1.  [EXCEPTIONS TO OPT OUT REQUIREMENTS.] The 
 28.30  requirements for initial notice to consumers in section 60M.201, 
 28.31  subdivision 1, clause (2), the opportunity to opt out, and the 
 28.32  provisions applicable to service providers and joint marketing 
 28.33  in this chapter do not apply when a licensee discloses nonpublic 
 28.34  personal financial information: 
 28.35     (1) with the consent or at the direction of the consumer, 
 28.36  provided that the consumer has not revoked the consent or 
 29.1   direction; 
 29.2      (2)(i) to protect the confidentiality or security of a 
 29.3   licensee's records pertaining to the consumer, service, product, 
 29.4   or transaction; 
 29.5      (ii) to protect against or prevent actual or potential 
 29.6   fraud, unauthorized transactions, claims, or other liability; 
 29.7      (iii) for required institutional risk control or for 
 29.8   resolving consumer disputes or inquiries; 
 29.9      (iv) to persons holding a legal or beneficial interest 
 29.10  relating to the consumer; or 
 29.11     (v) to persons acting in a fiduciary or representative 
 29.12  capacity on behalf of the consumer; 
 29.13     (3) to provide information to insurance rate advisory 
 29.14  organizations, guaranty funds or agencies, agencies that are 
 29.15  rating the licensee, persons that are assessing the licensee's 
 29.16  compliance with industry standards, and the licensee's 
 29.17  attorneys, accountants, and auditors; 
 29.18     (4) to the extent specifically permitted or required under 
 29.19  other provisions of law and in accordance with the Right to 
 29.20  Financial Privacy Act of 1978, United States Code, title 12, 
 29.21  section 3401, to law enforcement agencies, including a federal 
 29.22  functional regulator, the Secretary of the Treasury, with 
 29.23  respect to United States Code, title 31, chapter 53, subchapter 
 29.24  II (Records and Reports on Monetary Instruments and 
 29.25  Transactions) and United States Code, title 12, chapter 21 
 29.26  (Financial Recordkeeping), a state insurance authority, with 
 29.27  respect to any person domiciled in that insurance authority's 
 29.28  state that is engaged in providing insurance, and the Federal 
 29.29  Trade Commission, self-regulatory organizations, or for an 
 29.30  investigation on a matter related to public safety; 
 29.31     (5)(i) to a consumer reporting agency in accordance with 
 29.32  the federal Fair Credit Reporting Act, United States Code, title 
 29.33  15, section 1681, and the fair credit laws of this state; or 
 29.34     (ii) from a consumer report reported by a consumer 
 29.35  reporting agency; 
 29.36     (6) in connection with a proposed or actual sale, merger, 
 30.1   transfer, or exchange of all or a portion of a business or 
 30.2   operating unit if the disclosure of nonpublic personal financial 
 30.3   information concerns solely consumers of the business or unit; 
 30.4   or 
 30.5      (7)(i) to comply with federal, state, or local laws, rules, 
 30.6   and other applicable legal requirements; 
 30.7      (ii) to comply with a properly authorized civil, criminal, 
 30.8   or regulatory investigation, or subpoena or summons by federal, 
 30.9   state, or local authorities; or 
 30.10     (iii) to respond to judicial process or government 
 30.11  regulatory authorities having jurisdiction over a licensee for 
 30.12  examination, compliance, or other purposes as authorized by law; 
 30.13     (8) necessary to provide ongoing health care treatment; 
 30.14     (9) in connection with quality assessment evaluations or 
 30.15  investigations; 
 30.16     (10) to reveal a consumer's presence in a facility owned by 
 30.17  the licensee and the consumer's general health condition; 
 30.18     (11) to a reinsurer, stop-loss, or excess-loss carrier for 
 30.19  the purpose of underwriting, claims adjudication, and conducting 
 30.20  claim file audits; 
 30.21     (12) needed for one of the following purposes: 
 30.22     (i) to identify a deceased individual; 
 30.23     (ii) to determine the cause and manner of death by a chief 
 30.24  medical examiner or the medical examiner's designee; or 
 30.25     (iii) to provide necessary protected health information 
 30.26  about a deceased individual who is a donor of an anatomical 
 30.27  gift; 
 30.28     (13) to a state department of insurance that is performing 
 30.29  an examination, investigation, or audit of the licensee; or 
 30.30     (14) pursuant to a court order issued after the court's 
 30.31  determination that the public interest in disclosure outweighs 
 30.32  the consumer's privacy interest and that the personally 
 30.33  identifiable health information is not reasonably available by 
 30.34  other means. 
 30.35     Subd. 2.  [LICENSEES ACTING AS EMPLOYERS OR PURCHASERS OF 
 30.36  INSURANCE.] Nothing in this chapter applies to information 
 31.1   disclosures by licensees in connection with the purchase of 
 31.2   insurance coverage by the licensee or the arrangement of 
 31.3   insurance coverage by the licensee for its employees.  
 31.4              PERSONALLY IDENTIFIABLE HEALTH INFORMATION 
 31.5      Sec. 18.  [60M.501] [PERSONALLY IDENTIFIABLE HEALTH 
 31.6   INFORMATION PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION.] 
 31.7      Subdivision 1.  [GENERAL RULE.] A licensee shall obtain an 
 31.8   authorization to disclose any personally identifiable health 
 31.9   information if the purpose of the disclosure is for the 
 31.10  marketing of services or goods for personal, family, or 
 31.11  household purposes.  The authorization must be obtained before 
 31.12  the disclosure is made. 
 31.13     Subd. 2.  [FORM OF NOTICE AND REQUEST FOR 
 31.14  AUTHORIZATION.] The notice required by this section may be 
 31.15  included in the notice required by section 60M.201, provided 
 31.16  that the notice must comply with the following requirements: 
 31.17     (1) the purpose of the disclosure of personally 
 31.18  identifiable health information must be stated in clear and 
 31.19  simple terms and must appear as a separate paragraph; 
 31.20     (2) the request for authorization must specify that the 
 31.21  authorization remains valid for no more than 24 months and may 
 31.22  be revoked at any time; and 
 31.23     (3) the request for authorization must specify that the 
 31.24  terms and conditions of all insurance policies will not be 
 31.25  affected in any way by a refusal to give authorization, as 
 31.26  provided in section 60M.207. 
 31.27     Subd. 3.  [EXCEPTIONS FOR THE ADMINISTRATION OF AN 
 31.28  EMPLOYER'S BENEFIT PLAN.] The requirements of this chapter do 
 31.29  not apply and, the authorization described by this section is 
 31.30  not required, if a licensee discloses nonpublic personal 
 31.31  information, personally identifiable health information, or 
 31.32  nonpublic personal health information for any purpose related to 
 31.33  effecting, administering, or replacing a group benefit plan, a 
 31.34  group health plan, or a group welfare plan. 
 31.35     Subd. 4.  [EXCEPTION.] Nothing in this section prohibits, 
 31.36  restricts, or requires an authorization for the disclosure of 
 32.1   nonpublic personal health information by a licensee when sharing 
 32.2   the information with a vendor who is acting on behalf of the 
 32.3   company, or for the performance of insurance functions by or on 
 32.4   behalf of the licensee, including, but not limited to:  claims 
 32.5   administration; claims adjustment and management; detection, 
 32.6   investigation, or reporting of actual or potential fraud, 
 32.7   misrepresentation, or criminal activity; underwriting; policy 
 32.8   placement of issuance; loss control; ratemaking and guaranty 
 32.9   fund functions; reinsurance and excess loss insurance; risk 
 32.10  management; case management; disease management; quality 
 32.11  assurance; quality improvement; performance evaluation; provider 
 32.12  credentialing verification; utilization review; peer review 
 32.13  activities; actuarial, scientific, medical, or public policy 
 32.14  research; grievance procedures; internal administration of 
 32.15  compliance, managerial, and information systems; policyholder 
 32.16  service functions; auditing; reporting; database security; 
 32.17  administration of consumer disputes and inquiries; external 
 32.18  accreditation standards; the replacement of a group benefit plan 
 32.19  or workers' compensation policy or program; activities in 
 32.20  connection with a sale, merger, transfer, or exchange of all or 
 32.21  part of a business or operating unit; any activity that permits 
 32.22  disclosure without authorization pursuant to the federal Health 
 32.23  Insurance Portability and Accountability Act privacy rules 
 32.24  promulgated by the United States Department of Health and Human 
 32.25  Services; disclosure that is required, or is one of the lawful 
 32.26  or appropriate methods, to enforce the licensee's rights or 
 32.27  rights of other persons engaged in carrying out a transaction or 
 32.28  providing a product or service that a consumer requests or 
 32.29  authorizes; and any activity otherwise permitted by law, 
 32.30  required pursuant to governmental reporting authority, or to 
 32.31  comply with legal process. 
 32.32               RELATION TO OTHER LAWS; EFFECTIVE DATE 
 32.33     Sec. 19.  [60M.601] [PROTECTION OF FAIR CREDIT REPORTING 
 32.34  ACTS.] 
 32.35     (a) Nothing in this chapter modifies, limits, or supersedes 
 32.36  the operation of the federal Fair Credit Reporting Act, United 
 33.1   States Code, title 15, section 1681, and no inference may be 
 33.2   drawn on the basis of the provisions of this chapter regarding 
 33.3   whether information is transaction or experience information 
 33.4   under section 603 of that chapter. 
 33.5      (b) Nothing in this chapter modifies, limits, or supersedes 
 33.6   the operation of the fair credit law of this state. 
 33.7      (c) Nothing in this chapter preempts or supersedes existing 
 33.8   state law related to medical records, health, or insurance 
 33.9   information privacy. 
 33.10     Sec. 20.  [60M.602] [PROTECTION OF HEALTH INSURANCE 
 33.11  PORTABILITY AND ACCOUNTABILITY ACT.] 
 33.12     Nothing in this chapter limits, modifies, or supersedes the 
 33.13  standards governing the privacy of individually identifiable 
 33.14  health information promulgated by the Secretary of Health and 
 33.15  Human Services under the authority of sections 262 and 264 of 
 33.16  the federal Health Insurance Portability and Accountability Act 
 33.17  of 1996, United States Code, title 42, sections 1320d to 1320d-8.
 33.18     Sec. 21.  [60M.603] [DETERMINED VIOLATION.] 
 33.19     Subdivision 1.  [PROHIBITION.] No licensee shall knowingly 
 33.20  or willfully violate the provisions of this chapter. 
 33.21     Subd. 2.  [VIOLATION.] The commissioner of commerce is 
 33.22  authorized to investigate any alleged violations of this chapter 
 33.23  and to impose fines and other sanctions as lawfully determined 
 33.24  to be appropriate in accordance with the applicable insurance 
 33.25  laws of this state. 
 33.26     Sec. 22.  [60M.604] [ENFORCEMENT.] 
 33.27     A violation of this chapter is considered an unfair or 
 33.28  deceptive act or practice in the business of insurance and is 
 33.29  subject to the penalties and remedies provided under sections 
 33.30  72A.17 to 72A.32. 
 33.31     Sec. 23.  [60M.605] [EFFECTIVE DATE; TRANSITION RULE.] 
 33.32     Subdivision 1.  [EFFECTIVE DATE.] This chapter is effective 
 33.33  on July 1, 2001.  In order to provide sufficient time for 
 33.34  insurers and other licensees to establish policies and systems 
 33.35  to comply with the requirements of this chapter, time for 
 33.36  compliance with this chapter is extended until July 1, 2002. 
 34.1      Subd. 2.  [NOTICE REQUIREMENT FOR CONSUMERS WHO ARE 
 34.2   LICENSEE'S CUSTOMER ON THE COMPLIANCE DATE.] By July 1, 2002, 
 34.3   the licensee shall have provided an initial notice, as required 
 34.4   by section 60M.201, to consumers who are the licensee's 
 34.5   customers on July 1, 2002. 
 34.6      Subd. 3.  [TWO-YEAR GRANDFATHERING OF SERVICE 
 34.7   AGREEMENTS.] Until July 1, 2003, a contract that the licensee 
 34.8   has entered into with a nonaffiliated third party to perform 
 34.9   services for the licensee or functions on its behalf does not 
 34.10  need to satisfy the provision of section 60M.401 which provides 
 34.11  that the third party maintain the confidentiality of nonpublic 
 34.12  personal information, as long as the licensee entered into the 
 34.13  agreement on or before July 1, 2001. 
 34.14     Sec. 24.  Minnesota Statutes 2000, section 72A.501, is 
 34.15  amended to read: 
 34.16     72A.501 [DISCLOSURE AUTHORIZATION TO COLLECT INFORMATION.] 
 34.17     Subdivision 1.  [AUTHORIZATION REQUIRED.] An insurer, 
 34.18  insurance agent, or insurance-support organization must not 
 34.19  collect personal information about a policyholder or an 
 34.20  applicant not relating to a claim from sources other than public 
 34.21  records without a written authorization from the person. 
 34.22     Subd. 1a.  [REQUIREMENT; CONTENT.] An authorization used by 
 34.23  an insurer, insurance-support organization, or insurance agent 
 34.24  to disclose or collect personal or privileged information must 
 34.25  be in writing and must meet the following requirements: 
 34.26     (1) is written in plain language; 
 34.27     (2) is dated; 
 34.28     (3) specifies the types of persons authorized to disclose 
 34.29  provide information about the person; 
 34.30     (4) specifies the nature of the information authorized to 
 34.31  be disclosed collected; 
 34.32     (5) names the insurer or insurance agent and identifies by 
 34.33  generic reference representatives of the insurer to whom the 
 34.34  person is authorizing information to be disclosed provided; 
 34.35     (6) specifies the purposes for which the information is 
 34.36  collected; and 
 35.1      (7) specifies the length of time the authorization remains 
 35.2   valid. 
 35.3      Subd. 2.  [APPLICATION.] (a) If the authorization is signed 
 35.4   to collect information in connection with an application for a 
 35.5   property and casualty insurance policy, a policy reinstatement, 
 35.6   or a request for a change in benefits, the authorization must 
 35.7   not remain valid for longer than one year from the date the 
 35.8   authorization is signed or the date the insurer grants or denies 
 35.9   coverage, reinstatement, or change in benefits, whichever is 
 35.10  sooner. 
 35.11     (b) If the authorization is signed to collect information 
 35.12  in connection with an application for a life, disability, and 
 35.13  health insurance policy or contract, reinstatement, or request 
 35.14  for change in benefits, the authorization may not remain valid 
 35.15  for longer than 26 months from the date the authorization is 
 35.16  signed. 
 35.17     Subd. 3.  [CLAIMS.] If the authorization is signed to 
 35.18  collect information in connection with a claim for benefits 
 35.19  under an insurance policy, the authorization must not remain 
 35.20  valid for longer than: 
 35.21     (1) the term of coverage of the policy, if the claim is for 
 35.22  a health insurance benefit; or 
 35.23     (2) the duration of the claim, if the claim is for a claim 
 35.24  other than for a health insurance benefit. 
 35.25     Subd. 4.  [AUTHORIZATION; NONINSURERS.] If an authorization 
 35.26  is submitted to an insurer, insurance-support organization, or 
 35.27  insurance agent by a person other than an insurer, 
 35.28  insurance-support organization, or insurance agent, the 
 35.29  authorization must be dated, signed by the person, and obtained 
 35.30  one year or less before the date a disclosure is sought.  
 35.31     Sec. 25.  [REPEALER.] 
 35.32     Minnesota Statutes 2000, sections 72A.494; and 72A.502, are 
 35.33  repealed.