LRB-4120/1
KP:ahe&amn
2019 - 2020 LEGISLATURE
February 10, 2020 - Introduced by Representatives Zimmerman, Wittke, Quinn,
Duchow, Wichgers, Plumer, Sortwell, Kulp, Thiesfeldt, Knodl, Gundrum,
Brostoff, Macco and Steffen, cosponsored by Senator Risser. Referred to
Committee on Science and Technology.
An Act to create 134.985 of the statutes; relating to: consumer access to personal data processed by a controller and providing a penalty.
Analysis by the Legislative Reference Bureau
This bill generally requires controllers of consumers' personal data to provide
a consumer with copies of the consumer's personal data processed by the controller.
Under the bill, a “controller” is a person that alone or jointly with others
determines the purposes and means of the processing of personal data. The bill
defines “personal data” as information relating to a consumer that allows the
consumer to be identified other than information lawfully made available from
federal, state, or local government records.
The bill requires a controller, when collecting personal data from a consumer,
to inform the consumer that it is collecting personal data and to provide the consumer
with certain other information. Additionally, if a controller intends to process a
consumer's personal data and the controller did not collect the personal data from
the consumer, the controller must, within one month of obtaining the personal data,
identify itself to the consumer and provide the consumer with certain information,
such as the purposes for which the controller intends to process the personal data and
where the controller obtained the personal data.
Also, under the bill, if a controller processes a consumer's personal data, the
controller must provide a copy of the personal data to a consumer who requests a
copy. The controller must also provide the consumer with certain other information,
including the purposes for which the controller processes the personal data, the
categories of the personal data that the controller processes, and the persons to
whom the controller discloses the personal data. If a consumer requests a copy of
personal data electronically, the controller must provide the copy and requested
information in a commonly used electronic form, unless the consumer requests
otherwise. A controller is not required to provide a consumer with a copy of the
consumer's personal data 1) if providing the copy would adversely affect the rights
of others; 2) if the controller processes a consumer's personal data out of necessity
in performing a task for the public interest; or 3) if the personal data is certain health,
financial, or other personal information, including information restricted by federal
law.
The bill also requires a controller to notify the Department of Justice if the
controller is aware of a personal data breach involving consumer personal data it
maintains and the data breach is likely to result in a risk to the rights and freedoms
of consumers. The notification must describe the nature of the personal data breach
and provide certain additional information. Also, if the personal data breach is likely
to result in a high risk to the rights and freedoms of consumers, a controller generally
must notify the consumers whose personal data is involved in the personal data
breach. The bill also requires a processor to notify a controller about a personal data
breach of personal data that it maintains on behalf of the controller.
Under the bill, the attorney general may investigate violations and bring
actions for enforcement. A controller who violates the bill's personal data breach
notification requirements is subject to a fine of up to $10,000,000 or up to 2 percent
of the controller's total annual revenue, whichever is greater. For violating the bill's
requirements related to providing copies of a consumer's personal data, a controller
may be fined up to $20,000,000 or up to 4 percent of the controller's total annual
revenue, whichever is greater.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Section 1. 134.985 of the statutes is created to read:
134.985 Access to personal data. (1) Definitions. In this section:
(a) “Consumer” means an individual who is a resident of this state.
(b) “Controller” means a person that alone or jointly with others determines the purposes and means of the processing of personal data, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(c) “Personal data” means information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer, but does not include any information lawfully made available from federal, state, or local government records.
(d) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
(e) “Process,” when used in reference to personal data, means to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.
(f) “Processor” means a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(g) “Recipient” means a person to which personal data is disclosed.
(2) Notice required. (a) Except as provided in par. (b), at the time when a controller collects personal data from a consumer, the controller shall provide the consumer with the following information:
1. The identity and contact information of the controller.
2. The purposes for which the controller intends to process the consumer's personal data and the legal authority for conducting the processing.
3. The recipients or categories of recipients to whom the consumer's personal data will be disclosed.
4. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.
5. Information describing the consumer's ability to make requests under sub. (3).
6. Whether the controller will use the consumer's personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which automated decision-making will be used and meaningful information about the automated decision-making procedure.
(b) A controller is not required to provide a consumer with information under par. (a) if the consumer has previously been provided with the information required under par. (a).
(c) Except as provided in par. (d), if a controller intends to process a consumer's personal data and the controller did not collect the personal data from the consumer, within one month of obtaining the personal data, the controller shall provide the consumer with the following information:
1. The identity and contact information of the controller.
2. The purposes for which the controller intends to process the consumer's personal data and the legal authority for conducting the processing.
3. The categories of the consumer's personal data that the controller intends to process.
4. The recipients or categories of recipients to whom the consumer's personal data will be disclosed.
5. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.
6. Information describing the consumer's ability to make requests under sub. (3).
7. The controller's source for the personal data, including whether the personal data was obtained from publicly accessible sources.
8. Whether the controller will use the consumer's personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which automated decision-making will be used and meaningful information about the automated decision-making procedure.
(d) A controller is not required to provide a consumer with information under par. (c) if any of the following applies:
1. The consumer has previously been provided with the information required under par. (c).
2. Providing the information is impossible or involves unreasonable effort.
3. Federal, state, or local law requires that the information not be disclosed.
(3) Access to personal data. (a) Upon a consumer's request, a controller shall inform the consumer as to whether or not the controller processes the consumer's personal data.
(b) 1. If a controller processes a consumer's personal data, upon the consumer's request, the controller shall provide the consumer with a copy of the consumer's personal data and all of the following information:
a. The purposes for which the controller processes the consumer's personal data.
b. The categories of the consumer's personal data that the controller processes.
c. The recipients or categories of recipients to whom the consumer's personal data have been or will be disclosed.
d. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.
e. If the controller did not collect the personal data from the consumer, any available information on the controller's source for the personal data.