Ins 25.20 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.25(1)
(1)
How to provide notices. A licensee shall provide any notices that this chapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
Ins 25.25(2)(a)(a)
Examples of reasonable expectation of actual notice. A licensee may reasonably expect that a consumer will receive actual notice of its privacy policies and practices if the licensee does any of the following:
Ins 25.25(2)(a)2.
2. Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication.
Ins 25.25(2)(a)3.
3. For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.
Ins 25.25(2)(a)4.
4. For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
Ins 25.25(2)(b)
(b)
Examples of unreasonable expectation of actual notice. A licensee may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it does any of the following:
Ins 25.25(2)(b)1.
1. Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices.
Ins 25.25(2)(b)2.
2. Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.
Ins 25.25(3)
(3) Annual notices only. A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if it does any of the following:
Ins 25.25(3)(a)
(a) The customer uses the licensee's web site to access insurance products and services electronically and agrees to receive notices at the web site and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site.
Ins 25.25(3)(b)
(b) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, the licensee maintains a record of the request and the licensee's current privacy notice remains available to the customer upon request.
Ins 25.25(4)
(4) Oral description of notice insufficient. A licensee may not provide any notice required by this chapter solely by orally explaining the notice, either in person or over the telephone.
Ins 25.25(5)
(5) Retention or accessibility of notices for customers. Ins 25.25(5)(a)(a) For customers only, a licensee shall provide the initial notice required by
s. Ins 25.10 (1) (a), the annual notice required by
s. Ins 25.13 (1), and the revised notice required by
s. Ins 25.20 so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
Ins 25.25(5)(b)
(b)
Examples of retention or accessibility. A licensee provides a privacy notice to the customer so that the customer can retain it or obtain it later if the licensee does any of the following:
Ins 25.25(5)(b)2.
2. Mails a printed copy of the notice to the last known address of the customer.
Ins 25.25(5)(b)3.
3. Makes its current privacy notice available on a web site or a link to another web site for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the web site.
Ins 25.25(6)
(6) Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.
Ins 25.25(7)
(7) Joint relationships. If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual and revised notice requirements of
ss. Ins 25.10 (1),
25.13 (1), and
25.20 (1), respectively, by providing one notice to those consumers jointly.
Ins 25.25(8)
(8) Multiple insurance products or services. If a consumer or two or more consumers jointly seek to obtain or obtain multiple insurance products or services from a licensee or its affiliates, the licensee may satisfy the initial, annual and revised notice requirements of
ss. Ins 25.10 (1),
25.13 (1), and
25.20 (1), respectively, for the licensee and its affiliates by providing one notice to those consumers.
Ins 25.25 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.30
Ins 25.30 Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. Ins 25.30(1)(a)(a)
Conditions for disclosure. Except as otherwise authorized in this chapter, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following have occurred:
Ins 25.30(1)(a)3.
3. The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure.
Ins 25.30(1)(b)
(b)
Opt out definition. Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by
ss. Ins 25.50,
25.55, and
25.60.
Ins 25.30(1)(c)
(c)
Examples of reasonable opportunity to opt out. A licensee provides a consumer with a reasonable opportunity to opt out if it does any of the following:
Ins 25.30(1)(c)1.
1. `By mail.' The licensee mails the notices required in
par. (a) to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within thirty days from the date the licensee mailed the notices.
Ins 25.30(1)(c)2.
2. `By electronic means.' A customer purchases an insurance service or product from a licensee and agrees to receive the notices required in
par. (a) electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction the transaction.
Ins 25.30(1)(c)3.
3. `Isolated transaction with consumer.' For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in
par. (a) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
Ins 25.30(2)
(2) Application of opt out to all consumers and all nonpublic personal financial information. Ins 25.30(2)(a)(a) A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.
Ins 25.30(2)(b)
(b) Unless a licensee complies with this section, the licensee may not, except as permitted in
ss. Ins 25.50,
25.55, and
25.60, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.
Ins 25.30(3)
(3) Partial opt out. A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
Ins 25.30 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.35
Ins 25.35 Limits on re-disclosure and reuse of nonpublic personal financial information. Ins 25.35(1)(a)(a)
Information the licensee receives under an exception. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in
s. Ins 25.55 or
25.60, the licensee may use or disclose that information only under the following conditions:
Ins 25.35(1)(a)1.
1. The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.
Ins 25.35(1)(a)2.
2. The licensee may disclose the information to its affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information.
Ins 25.35(1)(a)3.
3. The licensee may disclose and use the information pursuant to an exception in
s. Ins 25.55 or
25.60, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
Ins 25.35(1)(b)
(b)
Example. If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
Ins 25.35(2)(a)(a)
Information a licensee receives outside of an exception. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in
s. Ins 25.55 or
25.60, the licensee may not disclose the information except to any of the following:
Ins 25.35(2)(a)1.
1. To the affiliates of the financial institution from which the licensee received the information.
Ins 25.35(2)(a)2.
2. To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information.
Ins 25.35(2)(a)3.
3. To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
Ins 25.35(2)(b)
(b)
Example. If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in
s. Ins 25.55 or
25.60 it may do any of the following:
Ins 25.35(2)(b)2.
2. The licensee may disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in
s. Ins 25.55 or
25.60, such as to the licensee's attorneys or accountants.
Ins 25.35(3)
(3) Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in
s. Ins 25.55 or
25.60, the third party may not
disclose or use that information except under any of the following circumstances:
Ins 25.35(3)(a)
(a) The third party may disclose the information to the licensee's affiliates.
Ins 25.35(3)(b)
(b) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information.
Ins 25.35(3)(c)
(c) The third party may disclose and use the information pursuant to an exception in
s. Ins 25.55 or
25.60 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
Ins 25.35(4)
(4) Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in
s. Ins 25.55 or
25.60, the third party may not
disclose the information except under any of the following circumstances:
Ins 25.35(4)(b)
(b) To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information.
Ins 25.35(4)(c)
(c) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.
Ins 25.35 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.40
Ins 25.40 Limits on sharing account number information for marketing purposes. Ins 25.40(1)
(1)
General prohibition on disclosure of account numbers. A licensee shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
Ins 25.40(2)
(2) Exceptions. Subsection (1) does not apply if a licensee discloses a policy number or similar form of access number or access code to any of the following:
Ins 25.40(2)(a)
(a) To the licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account.
Ins 25.40(2)(b)
(b) To a licensee who is a producer solely in order to perform marketing for the licensee's own products or services.
Ins 25.40(2)(c)
(c) To a participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
Ins 25.40(3)(a)(a)
Policy number. A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.
Ins 25.40(3)(b)
(b)
Policy or transaction account. For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
Ins 25.40 History
History: Cr.
Register, June, 2001, No. 546, eff. 7-1-01.
Ins 25.50
Ins 25.50 Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. Ins 25.50(1)(a)(a) General rule. The opt out requirements in
ss. Ins 25.17 and
25.30 do not apply when a licensee provides nonpublic personal financial information to either of the following:
Ins 25.50(1)(a)1.
1. A nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee complies with all of the following:
Ins 25.50(1)(a)1.b.
b. It enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in
s. Ins 25.55 or
25.60 in the ordinary course of business to carry out those purposes.
Ins 25.50(1)(a)2.
2. A nonaffiliated third party for the purpose of marketing goods or services under the brand name of a licensee under
ch. Ins 15, or an affiliate of such a licensee, if the licensee complies with all of the following:
Ins 25.50(1)(a)2.b.
b. The licensee or its affiliate enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee or its affiliate disclosed the information, including use under an exception in
s. Ins 25.55 or
25.60 in the ordinary course of business to carry out those purposes.
Ins 25.50(1)(a)2.c.
c. The licensee or its affiliate contractually requires the third party to comply with the licensee's or its affiliate's standards that are reasonably designed to ensure the quality of the goods or services, and customer services.