AB870,3,1614
(f) “Processor” means a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(g) “Recipient” means a person to which personal data is disclosed.
(2) Notice required. (a) Except as provided in par. (b), at the time when a controller collects personal data from a consumer, the controller shall provide the consumer with the following information:
1. The identity and contact information of the controller.
2. The purposes for which the controller intends to process the consumer's personal data and the legal authority for conducting the processing.
3. The recipients or categories of recipients to whom the consumer's personal data will be disclosed.
4. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.
5. Information describing the consumer's ability to make requests under sub. (3).
6. Whether the controller will use the consumer's personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which automated decision-making will be used and meaningful information about the automated decision-making procedure.
(b) A controller is not required to provide a consumer with information under par. (a) if the consumer has previously been provided with the information required under par. (a).
(c) Except as provided in par. (d), if a controller intends to process a consumer's personal data and the controller did not collect the personal data from the consumer, within one month of obtaining the personal data, the controller shall provide the consumer with the following information:
1. The identity and contact information of the controller.
2. The purposes for which the controller intends to process the consumer's personal data and the legal authority for conducting the processing.
3. The categories of the consumer's personal data that the controller intends to process.
4. The recipients or categories of recipients to whom the consumer's personal data will be disclosed.
5. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.
6. Information describing the consumer's ability to make requests under sub. (3).
7. The controller's source for the personal data, including whether the personal data was obtained from publicly accessible sources.
8. Whether the controller will use the consumer's personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which automated decision-making will be used and meaningful information about the automated decision-making procedure.
(d) A controller is not required to provide a consumer with information under par. (c) if any of the following applies:
1. The consumer has previously been provided with the information required under par. (c).
2. Providing the information is impossible or involves unreasonable effort.
3. Federal, state, or local law requires that the information not be disclosed.
(3) Access to personal data. (a) Upon a consumer's request, a controller shall inform the consumer as to whether or not the controller processes the consumer's personal data.
(b) 1. If a controller processes a consumer's personal data, upon the consumer's request, the controller shall provide the consumer with a copy of the consumer's personal data and all of the following information:
a. The purposes for which the controller processes the consumer's personal data.
b. The categories of the consumer's personal data that the controller processes.
c. The recipients or categories of recipients to whom the consumer's personal data have been or will be disclosed.
d. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.
e. If the controller did not collect the personal data from the consumer, any available information on the controller's source for the personal data.
2. If the consumer makes a request under this paragraph to the controller by electronic means, the controller shall provide the information required under subd. 1. to the consumer in a commonly used electronic form, unless otherwise requested by the consumer.
3. a. Except as provided in subd. 3. b., a controller shall provide copies and information required under subd. 1. free of charge.
b. If a request from a consumer is manifestly unfounded or excessive, including by being repetitive, a controller may either charge the consumer a reasonable fee based on the administrative costs of providing a copy or information or refuse to act on the request. The controller bears the burden of demonstrating that a consumer's request is manifestly unfounded or excessive.
4. a. Except as provided in subd. 4. b., a controller shall provide a copy and information under subd. 1. within one month of receiving a consumer's request.
b. A controller may provide a copy and information under subd. 1. within 3 months of receiving a consumer's request if necessary due to the complexity and number of requests received by the controller. If the controller does not provide a copy and information under subd. 1. to a consumer within one month of the consumer's request, the controller shall within one month of the consumer's request inform the consumer about the delay and notify the consumer of the reason for the delay.
5. A controller is not required to provide a consumer with a copy and information under subd. 1. if any of the following applies:
a. The controller processes the consumer's personal data out of necessity for performing a task carried out in the public interest or out of necessity for exercising official authority vested in the controller.
b. Providing a copy would adversely affect the rights of others.
(c) This subsection does not require a controller to do any of the following:
1. Reidentify data that does not identify a consumer.
2. Retain, link, or combine personal data concerning a consumer that the controller would not otherwise retain, link, or combine in its ordinary course of business.
3. Comply with a request under this subsection if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(4) Personal data breach notification. (a) 1. Except as provided in subd. 2., if a controller is aware of a personal data breach of personal data maintained by the controller, the controller shall notify the department of justice of the personal data breach without undue delay. If feasible, the controller shall notify the department within 30 days of becoming aware of the personal data breach. If the controller does not notify the department within 30 days of becoming aware of the personal data breach, the controller shall provide a reason for not notifying within 30 days. The notification shall do all of the following:
a. Describe the nature of the personal data breach including, if known, the categories and approximate number of consumers involved and the categories and approximate number of personal data records involved.
b. Describe the likely consequences of the personal data breach.
c. Describe the measures taken or proposed by the controller to address the personal data breach, including, if appropriate, measures to mitigate the possible adverse effects.
2. A controller is not required to make a notification under this paragraph if the personal data breach is unlikely to result in a risk to the rights and freedoms of consumers.
3. If it is not possible to provide the information required under subd. 1. at the same time, the controller may provide the information in stages without undue delay.
4. If a processor is aware of a personal data breach of personal data that the processor maintains on behalf of a controller, the processor shall notify the controller without undue delay.
(b) 1. Except as provided in subd. 2., if a controller is aware of a personal data breach of personal data maintained by the controller and the personal data breach is likely to result in a high risk to the rights and freedoms of consumers, the controller shall notify the consumers whose personal data is involved in the personal data breach. The notification shall describe in clear and plain language the nature of the personal data breach and contain the information described in par. (a) 1. b. and c.
2. A controller is not required to make a notification under this paragraph if any of the following applies:
a. The controller has implemented appropriate technical and organizational protection measures to the personal data involved in the personal data breach that render the personal data unintelligible to any person who is not authorized to access it.
b. The controller takes measures after the personal data breach that ensure that a high risk to the rights and freedoms of consumers is not likely to exist.
c. Making the notification involves unreasonable effort. If this subd. 2. c. applies, the controller shall publicly communicate about the personal data breach to consumers in an effective manner.
(5) Applicability. (a) This section does not require a controller to confirm processing or provide a copy of the following types of information:
1. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.
2. Information identifying a patient covered by 42 USC 290dd-2.
3. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.
4. Information and documents created specifically for and collected and maintained by a hospital.
5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.
6. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.
7. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.
8. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.
9. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.
10. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.
11. Information maintained for employment records.
(b) This section does not apply to a consumer who processes personal data in connection with a purely personal or household activity.
(c) This section does not apply to a controller that processes a consumer's personal data for literary or artistic purposes.
(d) This section does not apply to a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest.
(6) Enforcement; penalties. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.
(b) 1. A controller who violates sub. (4) shall be fined not more than $10,000,000 or not more than 2 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
2. A controller who violates sub. (2) or (3) shall be fined not more than $20,000,000 or not more than 4 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
3. A court may not impose in the same action more than one fine on a controller under this paragraph unless the additional fine is imposed for a violation that does not involve the same or linked processing activities by the controller.
Section 2. Effective date.
(1) This act takes effect on July 31, 2022.