Ins 25.04(20)(c)2.
2. Nonpublic personal financial information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
Ins 25.04(21)
(21) “Nonpublic personal health information" means any of the following health information:
Ins 25.04(21)(a)
(a) Health information that identifies an individual who is the subject of the information.
Ins 25.04(21)(b)
(b) Health information with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
Ins 25.04(22)(a)(a) “Personally identifiable financial information" means any of the following information:
Ins 25.04(22)(a)1.
1. Information a consumer provides to a licensee to obtain an insurance product or service from the licensee.
Ins 25.04(22)(a)2.
2. Information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer.
Ins 25.04(22)(a)3.
3. Information the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
Ins 25.04(22)(b)
(b) The following are examples of personally identifiable financial information:
Ins 25.04(22)(b)1.
1. Personally identifiable financial information includes any of the following:
Ins 25.04(22)(b)1.a.
a. Information a consumer provides to a licensee on an application to obtain an insurance product or service.
Ins 25.04(22)(b)1.c.
c. The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee.
Ins 25.04(22)(b)1.d.
d. Any information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer.
Ins 25.04(22)(b)1.e.
e. Any information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
Ins 25.04(22)(b)1.f.
f. Any information the licensee collects through an internet information-collecting device from a web server.
Ins 25.04(22)(b)2.
2. Personally identifiable financial information does not include any of the following:
Ins 25.04(22)(b)2.b.
b. A list of names and addresses of customers of an entity that is not a financial institution.
Ins 25.04(22)(b)2.c.
c. Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
Ins 25.04(23)(a)(a) “Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from any of the following:
Ins 25.04(23)(a)3.
3. Disclosures to the general public that are required to be made by federal, state or local law.
Ins 25.04(23)(b)
(b) A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine all of the following:
Ins 25.04(23)(b)1.
1. That the information is of the type that is available to the general public.
Ins 25.04(23)(b)2.
2. Whether an individual can direct that the information not be made available to the general public and, if so, that the licensee's consumer has not done so.
Ins 25.04(23)(c)
(c) The following are examples of publicly available information.
Ins 25.04(23)(c)1.
1. Publicly available information in government records includes information in government real estate records and security interest filings.
Ins 25.04(23)(c)2.
2. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
Ins 25.04(23)(c)3.a.a. A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
Ins 25.04(23)(c)3.b.
b. A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed the licensee that the telephone number is not unlisted.
Ins 25.04 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.10
Ins 25.10 Initial privacy notice to consumers required. Ins 25.10(1)(1)
Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices regarding nonpublic personal financial information to all of the following:
Ins 25.10(1)(a)
(a)
Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in
sub. (5).
Ins 25.10(1)(b)
(b)
Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by
ss. Ins 25.55 and
25.60.
Ins 25.10(2)
(2) When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under
sub. (1) (b) if any of the following conditions apply:
Ins 25.10(2)(a)
(a) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by
ss. Ins 25.55 and
25.60, and the licensee does not have a customer relationship with the consumer.
Ins 25.10(2)(b)
(b) An affiliated licensee has provided a notice, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
Ins 25.10(3)
(3) When the licensee establishes a customer relationship. Ins 25.10(3)(a)(a)
General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship.
Ins 25.10(3)(b)
(b)
Examples of establishing customer relationship. A licensee establishes a customer relationship when the consumer does any of the following:
Ins 25.10(3)(b)1.
1. Becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an intermediary who is not acting as agent for an insurer licensee, obtains insurance through that licensee. A licensee does not establish a customer relationship due to issuance of a binder of coverage until the policy is issued, if the licensee allows the consumer to request delivery of the initial notice required under
sub. (1) (a) and the licensee delivers the initial notice within a reasonable time after the licensee receives such a request.
Ins 25.10(3)(b)2.
2. Agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the licensee.
Ins 25.10(4)
(4) Existing customers. When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, the licensee satisfies the initial notice requirements of
sub. (1) if any of the following conditions are met:
Ins 25.10(4)(a)
(a) The licensee may provide a revised policy notice, under
s. Ins 25.20, that covers the customer's new insurance product or service.
Ins 25.10(4)(b)
(b) If the initial, revised or annual notice that the licensee most recently provided to that customer was accurate with respect to the new insurance product or service, the licensee does not need to provide a new privacy notice under
sub. (1).
Ins 25.10(5)
(5) Exceptions to allow subsequent delivery of notice. Ins 25.10(5)(a)(a) A licensee may provide the initial notice required by
sub. (1) (a) within a reasonable time after the licensee establishes a customer relationship if any of the following conditions exist:
Ins 25.10(5)(a)1.
1. Establishing the customer relationship is not at the customer's election.
Ins 25.10(5)(a)2.
2. Providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
Ins 25.10(5)(b)
(b) The following are examples of when exceptions may or may not apply:
Ins 25.10(5)(b)1.
1. Establishing a customer relationship is not at the customer's election if a licensee acquires or is assigned a customer's policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee's acquisition or assignment.
Ins 25.10(5)(b)2.
2. Providing notice not later than when a licensee establishes a customer relationship would substantially delay the customer's transaction when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
Ins 25.10(5)(b)3.
3. Providing notice not later than when a licensee establishes a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at the licensee's office or through other means by which the customer may view the notice, such as on a web site.
Ins 25.10(6)
(6) Delivery. When a licensee is required to deliver an initial privacy notice by this section, the licensee shall deliver it according to
s. Ins 25.25. If the licensee uses a short-form initial notice for non-customers according to
s. Ins 25.15 (4), the licensee may deliver its privacy notice according to
s. Ins 25.15 (4) (c).
Ins 25.10 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.13
Ins 25.13 Annual privacy notice to customers required. Ins 25.13(1)(a)(a)
General rule. A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices with regard to nonpublic personal financial information not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve consecutive months during which that relationship exists. A licensee may define the twelve consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.
Ins 25.13(1)(b)
(b)
Example. A licensee provides a notice annually if it defines the twelve consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year 1, the licensee shall provide an annual notice to that customer by December 31 of year 2.
Ins 25.13(2)(a)(a)
Termination of customer relationship. A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.
Ins 25.13(2)(b)
(b) Examples. The following are examples of the termination of a customer relationship:
Ins 25.13(2)(b)1.
1. A licensee no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
Ins 25.13(2)(b)2.
2. A licensee no longer has a continuing relationship with an individual if the individual's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve consecutive months, other than to provide annual privacy notices, material required by law or regulation, or promotional materials.
Ins 25.13(2)(b)3.
3. For the purposes of this chapter, a licensee no longer has a continuing relationship with an individual if the individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
Ins 25.13(2)(b)4.
4. A licensee no longer has a continuing relationship with a customer in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
Ins 25.13(3)
(3) Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to
s. Ins 25.25.
Ins 25.13(4)
(4) exceptions. The annual privacy notice requirement in this section does not apply when a licensee complies with either of the following:
Ins 25.13(4)(b)1.
1. The licensee provides nonpublic personal information only in accordance with the provisions of this chapter.
Ins 25.13(4)(b)2.
2. The licensee has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the licensee's most recent disclosure to consumers in accordance with this section.
Ins 25.13 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01;
CR 03-083: cr. (4)
Register March 2004 No. 579, eff. 4-1-04;
CR 17-039: am. (4) (title), renum and am. (4) to (4) (intro.), (a), cr. (4) (b), Register February 2018 No. 746 eff. 3-1-18. Ins 25.15
Ins 25.15 Information to be included in privacy notices. Ins 25.15(1)(1)
General rule. The initial, annual and revised privacy notices that a licensee provides under
ss. Ins 25.10,
25.13, and
25.20 shall include all of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
Ins 25.15(1)(a)
(a) The categories of nonpublic personal financial information that the licensee collects.
Ins 25.15 Note
Note: See sample clause A-1 in Appendix A
Ins 25.15(1)(b)
(b) The categories of nonpublic personal financial information that the licensee discloses.
Ins 25.15 Note
Note: See sample clauses A-2 and A-3 in Appendix A
Ins 25.15(1)(c)
(c) The categories of affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under
ss. Ins 25.55 and
25.60.
Ins 25.15 Note
Note: See sample clauses A-2, A-3 and A-4 in Appendix A