California Privacy Laws and Insurance: What Agents Must Disclose to Clients
California Privacy Laws Every Insurance Agent Must Know — what California producers and applicants need to know to stay compliant with the CDI.

California has some of the strongest consumer privacy laws in the country, and insurance agents are directly subject to them. How you collect, store, and share client information is heavily regulated — and getting it wrong can result in regulatory action, civil liability, and damaged client trust.
Here's what California agents must disclose and how to stay compliant with state privacy requirements.
The Privacy Framework California Agents Operate Under
Multiple overlapping laws shape how California insurance agents handle client information:
The California Insurance Information and Privacy Protection Act (IIPPA). The primary insurance-specific privacy statute in California. It governs how insurance licensees collect, disclose, and use nonpublic personal information.
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Broader consumer privacy laws that affect businesses generally, including insurance agencies in specific contexts.
The Gramm-Leach-Bliley Act (GLBA). The federal privacy framework that applies to financial institutions, including insurance agents.
Health Insurance Portability and Accountability Act (HIPAA). Federal health information privacy standards that apply when agents handle health information.
California's IIPPA generally applies to insurance-specific information handling, while CCPA and CPRA apply more broadly to consumer data. Both can apply to insurance agents depending on context.
What Qualifies as Protected Information
California privacy laws protect nonpublic personal information (NPI) about clients. This typically includes:
- Names and addresses combined with financial information
- Social Security numbers and tax identification numbers
- Birth dates when combined with identifying information
- Financial account numbers and balances
- Health information and medical records
- Information obtained in connection with insurance transactions
- Employment information gathered as part of the insurance process
- Other personally identifiable information a client would reasonably expect to remain private
Information that's genuinely public (names alone, publicly listed addresses) typically doesn't qualify as protected.
Required Disclosures to Clients
California requires insurance agents and agencies to provide clients with specific privacy disclosures:
Initial Privacy Notice. At the beginning of the relationship, clients must receive information about:
- What categories of information are collected
- How the information is used
- Categories of third parties with whom information may be shared
- The client's right to opt out of certain information sharing (when applicable)
- How clients can contact the agency about privacy concerns
Annual Privacy Notice. Many agencies are required to provide updated privacy notices on an annual basis.
Opt-Out Rights. Clients generally have the right to opt out of certain types of information sharing with unaffiliated third parties. The notices must explain how clients exercise this right.
Additional CCPA/CPRA disclosures. When CCPA/CPRA applies, additional consumer rights apply, including rights to know what information is collected, rights to deletion, rights to correct information, and rights to non-discrimination for exercising these rights.
When Information Can Be Shared Without Consent
Certain sharing is permitted without specific client consent:
- Sharing necessary to conduct the insurance transaction (with the insurer being placed, for example)
- Sharing required by law or regulatory request
- Sharing for fraud prevention
- Sharing with service providers performing functions on the agency's behalf
- Sharing with the client's explicit direction
Outside of these categories, sharing NPI typically requires either client consent or compliance with specific legal provisions.
What California Agents Must Do
Provide required notices. Ensure clients receive initial and ongoing privacy notices that comply with applicable law.
Safeguard information. Implement reasonable security measures — secure file storage, password-protected systems, encrypted electronic communications where appropriate, secure disposal of old records.
Train staff. Anyone in your agency who handles client information needs to understand the privacy requirements.
Honor opt-out requests. When clients opt out of information sharing, respect that decision in your operations.
Respond to consumer requests under CCPA/CPRA. When applicable, be prepared to provide clients with information about what data you have, delete data upon valid request, and correct errors.
Document everything. Keep records of notices provided, opt-out elections, and responses to consumer requests.
Common Privacy Violations Agents Should Avoid
Discussing client information in public spaces. Even casual discussion of client details in coffee shops, elevators, or phone calls in public places can constitute unauthorized disclosure.
Leaving client files unattended. Physical documents in cars, desks, or common areas create exposure.
Sharing information with family members or business partners inappropriately. Unless specifically authorized, client information shouldn't be discussed with anyone outside the need-to-know context.
Using client information for unrelated marketing. Cross-selling to existing clients is usually fine; using their information to market to their friends or family without authorization isn't.
Inadequate disposal of records. Tossing old client files in unsecured trash exposes the agency to significant liability.
What Happens When Privacy Is Violated
Consequences can include:
- CDI enforcement action, including fines and license sanctions
- Civil liability to affected clients
- Attorney general action under CCPA/CPRA
- Reputational damage that outlasts any regulatory penalty
- Client loss and referral source damage
The cost of compliance is small compared to the cost of a significant privacy incident.
Best Practices for Privacy Compliance
Have written privacy policies. Document your agency's practices so everyone on the team follows consistent standards.
Use secure systems. Encrypted email for sensitive information, password-protected client portals, and secure document storage.
Limit access. Only team members who need access to specific client information should have it.
Train regularly. Privacy requirements evolve. Annual training keeps your team current.
Audit periodically. Review your practices regularly to catch gaps before they become problems.
When in doubt, ask. If you're unsure whether a disclosure is permitted, consult with counsel or CDI guidance before acting.
5 Frequently Asked Questions
- Do CCPA and CPRA apply to all insurance agents? They apply to businesses meeting specific thresholds (revenue, number of consumers, or specific data processing activities). Many smaller agencies fall outside the direct application, but practices aligned with CCPA/CPRA are still good defensive practice.
- Can I share client information with another agent in my agency? Typically yes, within the agency, for legitimate business purposes. Sharing with unaffiliated third parties generally requires notice and often consent.
- Are text and email communications with clients covered? Yes. Any electronic communication containing protected information is subject to privacy standards. Use secure methods for sensitive information.
- What if a client asks me to share their information with a family member? Get the request in writing and document it. Client direction to share with specific parties is a recognized basis for disclosure, but documentation protects you.
- Do I need to provide privacy notices to every client I quote, or just those who purchase? Privacy notice obligations generally apply when you collect NPI from consumers, which often includes the quoting and application process. When in doubt, provide the notice.
Protect Your Clients and Your Career
California's privacy laws are strict, but they exist to protect the trust that makes insurance relationships work. At JustInsurance, our California CE and prelicense courses cover privacy requirements in practical detail.
Enroll today and stay compliant with California's strict privacy laws.
Justin vom Eigen
Founder & CEO, JustInsurance LLC
Justin vom Eigen is a licensed insurance agent and the founder of JustInsurance. He built the company after watching talented people fail outdated prelicensing exams — and has since trained over 30,000 agents nationwide with a 93% first-attempt pass rate.