
InfoBytes Blog

Financial Services Law Insights and Observations

Wisconsin assembly passes comprehensive data privacy bill


On February 23, the Wisconsin assembly passed AB 957, which establishes requirements for controllers and processors of consumer personal data. An assembly amendment to the bill making various changes was adopted the same day. Highlights of the bill include:

  • Applicability. The bill will apply to controllers (defined “as a person that, alone or jointly with others, determines the purpose and means of processing personal data”) that “control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.” Personal data is defined as any information linked or reasonably linkable to an individual, excluding publicly available information. Certain entities are exempt from the bill’s requirements, including “governmental bodies, financial institutions subject to federal privacy disclosure requirements [including affiliates of financial institutions], certain entities subject to federal health privacy laws, nonprofits, and institutions of higher education.” Data collected, processed, and maintained in compliance with the Children’s Online Privacy Protection Act is also exempt.
  • Consumer rights. Under the bill consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) make corrections; (iii) request deletion of their data; (iv) obtain a copy of their previously provided data; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, and certain forms of automated processing of their data. Controllers will be prohibited from taking discriminatory actions against consumers who exercise certain rights.
  • Controllers’ responsibilities. Data controllers under the bill will be responsible for responding to consumers’ requests without undue delay, including if a controller declines to take action regarding a consumer’s request. Responses to consumers’ requests must be provided free of charge once annually per consumer, and controllers will be required to establish an appeals process for denied requests, wherein “[w]ithin 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the attorney general to submit a complaint.” The bill will also require controllers to disclose certain information regarding data collection and sharing practices to consumers, as well as how consumers may exercise their rights under the bill. Controllers will also be prohibited from collecting or processing personal data for purposes not relevant to or reasonably necessary for the purposes disclosed in the privacy notice.
  • Data processing contracts. The bill requires controllers to enter into data processing contracts with data processors and “requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill.” The state attorney general may also request controllers to disclose any data protection assessments relevant to an investigation.
  • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek forfeiture of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses. The bill further “prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data.”
  • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

If enacted in its current form, the bill would take effect January 1, 2024. The bill still needs to be approved by the state senate and any differences reconciled before the measure can be sent to the governor.