Keypoint: The Wisconsin Data Privacy Act would create CCPA and GDPR-like rights for Wisconsin residents and would strengthen Wisconsin’s data security and breach notification requirements.
Lawmakers in Wisconsin have proposed three bills that, if enacted, would create privacy rights for Wisconsin residents and compliance burdens for entities that process or control consumer data. All three bills were introduced on February 10, 2020 and an initial public hearing was held on February 12, 2020.
The bills – Assembly Bill 870, Assembly Bill 871 and Assembly Bill 872 – are designed to “fundamentally reset consumer relationships with companies” and are “based off of the European General Data Protection Regulation (GDPR), which is considered the gold standard among privacy advocates.” See legislation memorandum dated January 29, 2019 by the bills’ author, Representative Shannon Zimmerman, as well as the February 12, 2020 hearing materials.
The Wisconsin Data Privacy Act, if enacted, would create CCPA and GDPR-like rights for Wisconsin residents. The law would also impose significant new obligations on businesses. While it does not provide for a private right of action, the law would be enforceable by the attorney general and violations could result in penalties of up to $20,000,000 or up to four percent (4%) of the entity’s total annual revenue, whichever is greater.
Who are the Bills Designed to Protect?
All three bills define a “Consumer” as an individual who is a resident of the state of Wisconsin.
What Persons and Entities are Required to Comply?
The Wisconsin Data Privacy Act does not include threshold numbers of individuals from whom data is collected or minimal gross revenues.
A “Controller” is broadly defined as a person that alone or jointly with others determines the purposes and means of processing of personal data, but does not include a law enforcement agency or a unit or instrumentality of the federal, state or local government.
How is “Personal Data” Defined?
Personal data is defined broadly as “information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer.” Personal data does not include any information lawfully made available from federal, state, or local government records.
What are the Bills Designed to Do?
Each of the three bills is summarized below:
1. Assembly Bill 870 imposes the following obligations on controllers of consumers’ personal data:
- NOTICE: Controllers must provide consumers with notice at the time personal data is collected. The notice must include: (1) the identity and contact information of the controller; (2) the purpose for collection and the legal authority for processing; (3) the categories of the consumer’s personal data that the controller intends to process; (4) the recipients or categories of recipients to whom the consumer’s personal data will be disclosed; (5) if known, the estimated period of time the controller will store the data or, if not known, the criteria the controller will use to determine how long to store the data; (6) information on how the consumer may request access to their personal data processed by the controller; (7) information on how the controller obtained the consumer’s personal information; and (8) whether the controller will use the consumer’s personal data to conduct automated decision-making related to the consumer and, if so, the purpose of the decision-making and information about the decision-making procedure.
- ACCESS: Upon request by a consumer, a controller shall inform the consumer whether or not the controller processes the consumer’s personal data. If the controller does process the consumer’s personal data, the controller shall provide the consumer with a copy of that data, along with all of the following information: (a) the purposes for collecting the information; (b) the categories of information being processed; (c) the recipients or categories of recipients to whom the consumer’s personal data has been or will be disclosed; (d) if known, the estimated period of storage or, if unknown, the criteria the controller will use to determine that period; and (e) if the controller did not collect the personal data from the consumer, information on the controller’s source of the data.
- BREACH NOTIFICATION: If a controller becomes aware of a breach of personal information it maintains, the controller shall notify the Wisconsin Department of Justice without undue delay and, if feasible, within 30 days of becoming aware of the breach. If the controller does not provide notice within 30 days, it must give the Wisconsin Department of Justice a reason for the delay. The bill also specifies the information required in any breach notification, as well as some exceptions, such as where the breach is unlikely to result in “a risk to the rights and freedoms of the consumers.” In addition to notifying the DOJ, the controller must also notify affected consumers in clear and plain language.
- EXCEPTIONS: The bill contains several exceptions. For example, the legislation, if enacted, would not apply to various categories of health information, various categories of personal financial information or information maintained for employment records.
2. Assembly Bill 871 provides a right of deletion, with certain exceptions:
- DELETION: AB 871 requires controllers of consumers’ personal data to delete a consumer’s personal data without “undue delay” if the consumer requests deletion and any of the following apply: (a) it is no longer necessary for the controller to process the personal data to accomplish the purposes for which the data was collected or processed; (b) the personal data is processed for direct marketing purposes; (c) the personal data has been unlawfully processed; or (d) deleting the personal data is necessary to comply with a legal obligation to which the controller is subject.
If the controller is required to delete a consumer’s personal data and the controller has disclosed the personal data, the controller must take reasonable steps based on the available technology and implementation cost to notify other controllers that are processing the consumer’s personal data that the consumer has requested deletion.
A controller may take up to 3 months to act on a consumer’s request where the additional time is necessary because of the complexity and number of requests the controller has received.
The bill also includes many exceptions to when deletion is required, such as when it is necessary for the controller to maintain the personal data for various reasons.
3. Assembly Bill 872 restricts the manner in which controllers may process personal data:
PROCESSING: A controller may not process the personal data of a consumer unless the controller obtains clear and unambiguous consent or can demonstrate that the processing is:
- Necessary to perform a contract to which the consumer is a party or to take steps at the request of a consumer prior to entering a contract;
- Necessary for complying with a legal obligation;
- Necessary to protect the vital interests of the consumer or another person;
- Necessary to perform a task carried out in the public interest or to exercise official authority vested in the controller;
- Conducted to detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, or to prosecute a person responsible for that activity; or
- Where the controller or third party has a legitimate ground for processing the personal data.
- A controller may not process the personal data of a consumer without specific, informed and unambiguous consent unless one of the other purposes for processing set forth above can be demonstrated.
- If the consumer is under the age of 16, the controller must also obtain clear affirmative consent from a parent or guardian.
- Consumers may withdraw any consent as easily as it is provided.
- The controller has the burden of demonstrating consumer consent.
- The controller cannot require a consumer to consent to the processing of personal data to receive services, unless the processing is necessary to perform the service.
LIMITATIONS ON CERTAIN TYPES OF PERSONAL DATA: The proposed bill prohibits a controller from processing certain types of personal data, including data revealing the following categories of information, unless the consumer explicitly consents or a specific purpose applies:
- a consumer’s ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic data, data concerning health, or personal data concerning a consumer’s sex life or sexual orientation; or
- biometric data, if the purpose of the processing is to uniquely identify the consumer.
EXCEPTIONS: The bill sets forth numerous circumstances under which controllers may collect the prohibited categories of personal data set forth above, including when processing is necessary to comply with a legal obligation, etc. The bill language also includes exclusions similar to AB 870 and AB 871.
RIGHT TO REQUEST RESTRICTIONS ON PROCESSING: In certain (and relatively undefined) instances, a consumer may request that a controller restrict the processing of the consumer’s personal data that the processor stores, such as where the processing is unlawful, where storing the information is necessary for the consumer to exercise or defend a legal claim (but the consumer does not want the information processed), or where the “controller has no legitimate ground to process the personal data that overrides the consumer’s request.”
RECORDS: A controller would be required to maintain detailed records of processing of personal data.
Would Companies Need to Update their Online Privacy Policies?
How Would it be Enforced?
All three bills give the Wisconsin attorney general authority to investigate violations of the Act and bring enforcement actions. Penalties depend on the nature of the violation, but may not exceed $20,000,000 or 4% of the controller’s total annual revenue during the preceding financial year, whichever is greater.
The Act does not include a private right of action.
When Would it be Effective?
The Act, if enacted, would become effective on July 31, 2022.
What is the Status of this Legislation?
The Act was recently introduced and has been discussed in only one public hearing. There appears to be fairly strong opposition to the bills already, so it is unclear whether the bills will receive any traction. Stay tuned to Byte Back for updates.