When This Policy Applies to Your Personal Information
This Policy applies to California consumers (referenced in this Policy as "consumer," "you," or "your") as defined by the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, "CPRA"). The purpose of this Policy is to provide you with a description of your rights and our information practices. This Policy also supplements our Online Privacy Statement.
When This Policy Does Not Apply to Your Personal Information
Please note that this Policy does not apply when your Personal Information is protected under other laws, such as Gramm-Leach-Bliley Act (GLBA); the California Financial Information Protection Act; the Health Insurance Portability and Accountability Act (HIPAA); the Fair Credit Reporting Act (FCRA); and/or the Driver's License Protection Act. Therefore, this Policy does not apply to Personal Information collected in relation to the products and services we offer for personal, family, or household purposes, such as insurance products, investment products and services, or financial planning. For a description of your rights and our information practices in these instances, please read our Privacy Notices.
Who We Are
References to the "Northwestern Mutual Family of Companies," "Northwestern Mutual," "NM," "we," "us," or "our" within this Policy mean The Northwestern Mutual Life Insurance Company, Northwestern Long Term Care Company, Northwestern Mutual Investment Services Company, Northwestern Mutual Wealth Management Company, Northwestern Mutual Investment Management Company, and the network offices of our sales force. Our sales force includes the agents who sell our products and services, along with their staff.
For purposes of this Policy, the terms "Personal Information," "Sensitive Personal Information," "consumer," "business purpose," "commercial purpose," "third party," "service provider," "share," "sell," and "sold" have the same meaning as provided in the CPRA.
We collect Personal Information as part of our business. The Personal Information we collect will vary depending on your relationship with us. Over the prior 12 months we may have collected the following categories of Personal Information from consumers:
Category of Personal Information Examples A. Personal Information and Identifiers Name, alias, date of birth, home address, driver's license number or state identification card, passport number, Social Security number, email address, contact information, physical or electronic signature B. Demographics Age, gender identification, sex, disability status, citizenship, marital status, family member information C. Professional or Employment Information Salary, employment history, professional designations, veteran or military status, and other information collected from job applications or resumes D. Education Information School(s) attended, dates attended, degree(s) earned, academic achievements, transcripts and other information collected from job applications or resumes E. Financial Information Bank accounts; investment or brokerage accounts; information regarding estate or tax planning; debts; trusts; credit or debit card number(s) F. Medical Information Medical history; medical questionnaires; information regarding physical, mental, and behavioral health; genetic information; physical characteristics or description; medical condition; information regarding payment for health care services G. Biometric Information Fingerprints or voice recognition H. Internet or Network Activity Browser or device information; browsing information; IP address; cookies, web beacons, pixel tags, and clickstream or other traffic data; interaction with our websites, mobile app, and advertisements I. Profile Information Profiles reflecting a person's preferences, such as interests, hobbies, characteristic tendencies, behaviors, attitudes, or aptitudes, including inferences drawn from Personal Information like browsing information and clickstream or other website traffic data J. Product and Commercial Information Policy/account number; policy/account values; beneficiary; ownership arrangements; transaction history; records of personal property; products or services purchased, obtained, or considered; other purchasing or consuming histories or tendencies K. Audiovisual Information On-site security cameras, pictures, video, and audio recordings
We receive the categories of Personal Information listed above from the following categories of sources:
- Directly from you or your authorized agent
- Indirectly from you or your interactions with our technologies, websites, or mobile app
- Inferences drawn from other Personal Information to create a profile about, for example, your preferences and characteristics
- Publicly available information
- Our Northwestern Mutual Family of Companies, including our sales force
- Research or analytics companies
- Marketing or media companies
- Medical providers
- Consumer reporting agencies
- Other service providers
We may use or disclose the Personal Information we collect, depending on our relationship or interaction with you, for purposes that may be described to you at the time of collection and/or for one or more of the following business or commercial purposes:
a. Marketing and advertising of our company and its products and services:
information collected to offer NM products and services, personalize an individual's NM website or mobile app experience, and to deliver content or product and service offerings relevant to an individual's interests, including targeted ads and promotional offers.
b. Research & strategic development:
information collected for business, product, strategy, and technological development, excluding marketing and advertising activities.
c. Legal/Compliance/Regulatory purposes:
information collected to meet internal and regulatory compliance requirements, respond to regulatory exams, conduct internal and external audits, respond to subpoenas and other law enforcement requests, record keeping, and enforce or defend our rights and property.
d. Online auditing:
auditing related to an interaction with a consumer and a concurrent transaction, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with standards that may apply.
e. Detecting and protecting:
detecting and protecting against security incidents and malicious, deceptive, fraudulent, or illegal activity.
activities to identify and repair errors in technological functionality.
g. Backups and archives:
data that is kept to ensure business continuity, for historical reference, and to meet record-keeping obligations.
h. Analytic activities:
analysis of data to improve NM marketing, advertising, websites, mobile app, products, and services; to complete behavioral research; and to do other scientific research, reporting, or evaluation. Further, to enable us to continually improve on the content we offer you, as well as for purposes of personalization, analyzing user behavior, enhancing navigation, systems administration, site security, and fraud detection and prevention we capture IP addresses and track your activity on our websites.
i. NM-provided products and services:
issuing and servicing of NM products and services, including but not limited to: customer service; verifying consumer information; responding to consumer requests; illustrations; applications; underwriting; issuance; transactions; claims processing; and account maintenance related to NM's insurance products, investment products and services, and financial planning.
j. Short-term, transient use:
data collected, but not retained, other than to facilitate a one-time transaction or non-personalized advertising shown as part of a consumer's current interaction with the business when information is not disclosed to another third party or used to build a profile or to alter consumer experience outside of with the current interaction with the business.
Sensitive Personal Information is Personal Information that is not publicly available, is collected for the purpose of inferring characteristics about a consumer and reveals:
- Social Security, driver's license, state identification card, or passport number
- Account login or financial account number in combination with any required security or access code, password, or credentials allowing access to an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of email and text messages, unless NM is the intended recipient
- Genetic information
- Processing of biometric information for the purpose of uniquely identifying a consumer
- Personal Information collected and analyzed concerning a consumer's health, sex life, and/or sexual orientation
When we collect Sensitive Personal Information about you, we only use or disclose it for the following purposes:
- a. To perform services or provide goods reasonably expected by an average consumer who requests those goods or services.
- b. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information.
- c. To resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions.
- d. To ensure the physical safety of natural persons.
- e. For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with us when Personal Information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with us.
- f. To perform services on our behalf, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services.
- g. To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.
- h. For purposes that do not infer characteristics about a consumer.
Because we do not use or disclose Sensitive Personal Information for the purpose of inferring characteristics about you, and because we limit our use and disclosure of Sensitive Personal Information to those purposes specified above, you do not have the right to limit its use and disclosure.
In the preceding 12 months, we have not sold any Personal Information to third parties. This includes Personal Information of consumers under the age of 16. In the preceding 12 months, we may have shared Personal Information for our marketing purposes. You have the right to opt out of this type of sharing by clicking on the "Do Not Sell or Share My Personal Information" link or by using an industry accepted opt-out preference signal.
Category of Personal Information Examples H. Internet or Network Activity Browser or device information; browsing information; IP address; cookies, web beacons, pixel tags, and clickstream or other traffic data; interaction with our websites, mobile app, and advertisements
In the preceding 12 months, we may have disclosed your Personal Information for a business or commercial purpose, as permitted or required by law or as otherwise set forth in this Policy. When we disclose Personal Information to a service provider, we enter into a contract that describes our business purpose for disclosing and requires the service provider to keep Personal Information confidential and to use it only for purposes of performing the contract between us.
We may disclose all categories of your Personal Information for a business or commercial purpose to the following:
- Parties to whom you have directed or authorized our disclosure
- Our Northwestern Mutual Family of Companies, including our sales force
- Research or analytics companies
- Marketing or media companies
- Regulators and others with legal authority, such as law enforcement agencies, government authorities, parties with a valid subpoena, and others as permitted or required by law
- Other contracted service providers, including individuals, firms, consultants, vendors and technologies providing services, software, platforms, or tools that are used to perform business functions for our Northwestern Mutual Family of Companies and sales force.
We have policies and practices requiring the secure deletion of Personal Information when there is no applicable regulatory retention requirement and we no longer have a business need to use the information for a purpose that is compatible with our disclosed purposes of collection. Personal Information that has been aggregated or deidentified so that it cannot reasonably be used to infer information about you or otherwise be linked to you may be retained indefinitely.
You have the right to access your specific Personal Information and to know about our collection, use, disclosure, and sharing of your Personal Information.
When you or your authorized agent submits a request to know or access, we will verify the identity and authority of the person making the request, confirm we have Personal Information about you, and validate that the CPRA applies to your information. Once we have taken these steps, we will disclose:
- The categories of Personal Information we have collected about you;
- The categories of sources from which Personal Information was collected;
- Our business or commercial purpose(s) for collecting, selling, or sharing Personal Information;
- The categories of third parties to whom we disclose Personal Information;
- The specific pieces of Personal Information obtained from you that we are authorized and required to produce under CPRA; and
- If we have disclosed, shared or sold your Personal Information, two separate lists identifying:
- i. the categories of Personal Information disclosed for a business purpose and the categories of persons to whom Personal Information was disclosed; and
- ii. the categories of Personal Information shared or sold and the categories of third parties with whom Personal Information was shared or sold.
You have the right to request that we delete Personal Information we collected from you, subject to certain exceptions allowed under applicable law. Once we receive and confirm your verifiable consumer request, we will delete your Personal Information from our records unless an exception applies. We will also notify, if possible, our service providers, contractors and third parties of your deletion request. If we do not delete your Personal Information, we will provide you with an explanation of why and limit our use of your Personal Information to the reasons we are retaining it.
You have the right to request that we correct any Personal Information we maintain about you to ensure that it is complete, accurate, and as current as possible. We may elect to delete your Personal Information rather than correct it, and we may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause information to be incorrect. If you have an online account with us, you can review and correct Personal Information by logging into the website or mobile app and visiting your "Account" page.
If you prefer not to receive cross-context behavioral advertising, you have the right, at any time, to opt out of our sharing of your Personal Information for this purpose.
We limit our use and disclosure of Sensitive Personal Information to those purposes set forth in this Policy and we do not use or disclose Sensitive Personal Information for the purpose of inferring characteristics about any consumer. Should this change in the future, we will update this Policy and provide you with methods to limit our use and disclosure of Sensitive Personal Information.
We will not discriminate against you for exercising your rights, including by:
- Denying you goods or services
- Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
- Providing you a different level or quality of goods or services
- Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services
We may, however, charge you a different price or rate or provide a different level or quality of goods or services to you if that difference is reasonably related to the value your data provides to us.
To exercise the Right to Access, Delete, or Correct, please submit a verifiable consumer request to us by either:
- Completing the California Consumer Right to Access, Correct, or Delete Form
- Calling us toll-free at 1-866-950-4644; when prompted say "California Consumer Privacy Act," "CCPA," "California Privacy Rights Act," or "CPRA"
We are not obligated to provide information to you in response to your access request more than twice in a 12-month period.
For websites that use marketing cookies, you may exercise your right to Opt Out of Sharing through:
- The "Do Not Sell or Share My Personal Information" link found in the website footer
- An industry accepted opt-out preference signal (e.g., the Global Privacy Control signal). The opt-out preference signal applies to the browser you are using to visit our website. If you are a known visitor to our site (e.g., you log into your online account), we will association the opt-out preference signal to your account.
Only you or your authorized agent (i.e., a person we can validate as being authorized by you) may make a verifiable consumer request related to your Personal Information. If your authorized agent makes a verifiable consumer request and provides proof that you gave them authority to submit the request on your behalf, we will provide the information to you unless your authorized agent requests, and we approve, disclosure directly to them.
Whether you submit a request directly on your own behalf, or through an authorized agent, we will take reasonable steps to verify your identity prior to responding to your request. Upon receiving a request to know, delete, or correct your Personal Information, we will confirm receipt within 10 business days. For all requests, we will need your first and last name plus the following information: (i) date of birth and (ii) residential address.
When your request is submitted through an authorized agent, we will also take reasonable steps to verify the agent's identity and authorization to make the request on your behalf. To do this, we will need your agent to provide their first and last name, address, telephone number, date of birth, plus documentation verifying they are authorized to act on your behalf. Examples include:
- Court Order of Guardianship or Conservatorship
- Notice of Retainer
- Authorization from you, signed and independently witnessed
- Letters of Guardianship or Conservatorship
- Power of Attorney provided pursuant to California Probate Code sections 4121 to 4130
To protect the privacy and security of your Personal Information, we may request additional information from you to help us verify your identity and process your request. Of course, we cannot respond to your request or provide you with Personal Information if we cannot (i) verify your identity, or the identify of your authorized agent, and (ii) confirm that Personal Information we have directly relates to you. You will also be asked to make a declaration under penalty of perjury that you are the consumer who is the subject of the request.
Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a request to access, correct, or delete to verify the requestor's identity or authority to make the request and to confirm Personal Information we have directly relates to the person who is the subject of the request.
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you in writing of the reason and extension period. We will deliver our response by mail or electronically, at your option. Any response we provide will cover the 12-month period preceding our receipt of the verifiable consumer request unless you specifically request information beyond such period. The response will also explain the reasons we cannot comply with a request, if applicable.
Requests to exercise your privacy rights are generally free. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a reasonable cost estimate before completing your request.
We may change this Policy from time to time. When we make changes to this Policy, we will post the updated Policy on the Privacy pages of our website and mobile app with a new "Last Updated" date. Any changes will become effective when we post the updated Policy. Your use of the website or mobile app following these changes means that you accept the updated Policy.
We strive to provide an accessible digital experience to all consumers and are committed to providing all consumers with the same level of access to this Policy, including those with disabilities. Therefore, this Policy is compatible with standard screen readers.