KP:cjs
2021 - 2022 LEGISLATURE
February 9, 2022 - Introduced by Senators Larson, Carpenter, Roys, Agard and
Smith, cosponsored by Representatives Brostoff, Hebl, Anderson, Sinicki,
Shelton, Stubbs and Cabrera. Referred to Committee on Government
Operations, Legal Review and Consumer Protection.
An Act to create 134.985 of the statutes; relating to: the privacy of consumer
data, granting rule-making authority, and providing a penalty.
Analysis by the Legislative Reference Bureau
Generally, this bill establishes requirements for businesses related to personal
information collected about consumers. The bill's requirements apply to
“businesses,” which is defined in the bill to mean a sole proprietorship, limited
liability company, corporation, association, or other entity operated for profit that
satisfies all of the following: 1) collects consumers' personal information or alone or
jointly with others determines the purposes and means of the processing of personal
information; 2) does business in this state; and 3) either has annual gross revenues
exceeding $25,000,000; buys, receives, sells, or shares the personal information of
50,000 or more consumers annually; or derives 50 percent or more of its annual
revenues from selling consumers' personal information. The bill defines “personal
information” as information that identifies, relates to, describes, or is capable of
being associated or linked with a particular consumer or household other than
certain information that is lawfully made available from federal, state, or local
government records.
The bill requires a business to disclose certain information to consumers if the
business has an online privacy policy or a Wisconsin-specific description of
consumers' privacy rights, including the following: 1) information about how a
consumer can make a request for a copy of the personal information collected about
the consumer; 2) the categories of personal information collected by the business in
the past twelve months; 3) the categories of sources from which the business collected
personal information in the past twelve months; 4) the business's purposes for
collecting consumers' personal information; and 5) if the business sells consumers'
personal information, the purpose for selling the personal information. If the
business has an Internet site but not an online privacy policy or a Wisconsin-specific
description of consumers' privacy rights, the business must disclose the above
information on the Internet site.
Under the bill, a consumer may request a business to disclose certain
information if the business collects personal information about the consumer,
including the following: 1) the categories of personal information about the
consumer collected by the business in the past twelve months; 2) the categories of
sources from which the business collected personal information about the consumer
in the past twelve months; 3) the purposes for collecting the personal information
about the consumer; 4) if the business has sold the consumer's personal information
in the past twelve months, the purpose for selling the personal information; and 5)
the specific pieces of personal information about the consumer that the business
collected in the past twelve months. In addition, the business must deliver this
information within 45 days or within 90 days if the longer duration is reasonably
necessary and the business notifies the consumer about the delay within 45 days.
The business must disclose the information in a portable and readily useable format.
A consumer may request this information twice in a twelve-month period.
A consumer may request a business that sells the consumer's personal
information to disclose certain information, including the categories of personal
information collected about the consumer in the past twelve months, the categories
of personal information about the consumer that the business sold in the past twelve
months, and the categories of personal information about the consumer sold to each
third party in the past twelve months. The business must disclose the information
in a portable and readily useable format and within 45 days or within 90 days if the
longer duration is reasonably necessary.
The bill also requires a business, before collecting a consumer's personal
information, to inform the consumer about the categories of personal information
that the business will collect and the purpose for which the business will use the
personal information collected. Under the bill, in order for a business to sell a
consumer's personal information, certain requirements apply, including the
following: 1) if the business has an Internet site, it must provide a link titled “Do Not
Sell My Personal Information” that enables consumers to object to the selling of the
consumer's personal information; 2) if the business has an online privacy policy, the
business must include the link described above in that policy; 3) a business may not
sell the personal information if a consumer is 16 or older and the consumer directs
the business not to sell the consumer's personal information; 4) a business may sell
the personal information of a consumer aged 13 to 16 only if the consumer
affirmatively authorizes selling the personal information; 5) a business may sell the
personal information of a consumer under the age of 13 only if the consumer's parent
or guardian affirmatively authorizes it; and 6) a third party must notify a consumer
before selling the consumer's personal information. A business must also implement
reasonable security procedures to protect the personal information of consumers.
The bill also requires that if a consumer requests that a business delete the
personal information that the business has collected about the consumer, the
business must delete that personal information. The bill provides certain exceptions
to that requirement, including the cases in which it is necessary for the business to
maintain the personal information to do any of the following: 1) complete a
transaction or contract with a consumer; 2) detect security incidents; 3) identify
errors; 4) exercise free speech or ensure the right of another consumer to exercise free
speech; 5) comply with a legal obligation; or 6) otherwise use the personal
information internally in a lawful manner.
The bill provides that a business may not discriminate against a consumer
because the consumer requests information about the business's collection or sale of
personal information, requests the business not to sell the consumer's personal
information, or requests that the business delete the consumer's personal
information. Under the bill, a business is allowed to charge a consumer a different
price or provide a different level of services if the difference is reasonably related to
the value provided to the consumer by the consumer's personal data, and a business
may offer financial incentives to a consumer for collecting the consumer's personal
information, subject to certain requirements described in the bill.
The bill requires the Department of Justice to promulgate various rules to
implement the bill's requirements. The bill also authorizes businesses to request
advice from the attorney general on how to comply with the bill's requirements and
requires the attorney general to respond to those requests.
Additionally, a provision in a contract is void and unenforceable if it would
waive or limit one or more of the bill's requirements. The bill also provides a
consumer with a private cause of action against a business if the business does not
implement reasonable security procedures to protect the consumer's personal
information and the personal information is subject to unauthorized access. A
business, service provider, or person that violates the bill is subject to a forfeiture of
up to $2,500 for each violation and a forfeiture of up to $7,500 for each intentional
violation.
For further information see the state fiscal estimate, which will be printed as
an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Section 1. 134.985 of the statutes is created to read:
134.985 Consumer data. (1) Definitions. In this section:
(a) “Aggregate consumer information” means information that relates to a
group or category of consumers, from which individual consumer identities have
been removed, and that is not linked or reasonably linkable to any consumer or
household.
(b) “Biometric information” means an individual's physiological, biological, or
behavioral characteristics, including deoxyribonucleic acid, that can be used singly
or in combination with each other or with other identifying data to establish
individual identity. “Biometric information” includes imagery of the iris, retina,
fingerprint, face, hand, palm, vein patterns, voice recordings, keystroke patterns or
rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain
identifying information.
(c) “Business” means any of the following:
1. A sole proprietorship, partnership, limited liability company, corporation,
association, or other legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that collects consumers'
personal information or, on the behalf of consumers, alone or jointly with others
determines the purposes and means of the processing of consumers' personal
information, that does business in this state, and that satisfies any of the following:
a. Has annual gross revenues exceeding $25,000,000.
b. Annually, alone or jointly with others buys, receives for commercial
purposes, sells, or shares for commercial purposes the personal information of 50,000
or more consumers, households, or devices.
c. Derives 50 percent or more of its annual revenues from selling consumers'
personal information.
2. An entity that controls or is controlled by an entity described in subd. 1. and
that shares a name, service mark, or trademark with that entity.
(d) “Business purpose” means a use of personal information for a business's or
a service provider's operational purposes or other notified purposes that is
reasonably necessary and proportionate to achieving the operational purpose for
which the personal information was collected or processed or for another operational
purpose that is compatible with the context in which the personal information was
collected.
(e) “Collect” means to gather, obtain, receive, buy, rent, or access personal
information pertaining to a consumer by any means, including by receiving
information from the consumer or by observing the consumer's behavior.
(f) “Consumer” means an individual who is a resident of this state.
(g) “Deidentified” means information to which all of the following apply:
1. The information does not reasonably identify, relate to, or describe a
consumer and is not capable of being associated with or linked to an individual
consumer.
2. Technical safeguards and business processes implemented by the person
possessing the information prohibit identifying an individual consumer to whom the
information pertains.
(h) “Device” means an object that is capable of directly or indirectly connecting
to the Internet or to another device.
(i) 1. “Personal information” means information that identifies, relates to,
describes, or is capable of being associated or linked with a particular consumer or
household. “Personal information” includes all of the following that identify, relate
to, describe, or are capable of being associated or linked with a particular individual
consumer or household:
a. Identifiers such as a real name, alias, postal address, unique personal
identifier, online identifier, Internet Protocol address, e-mail address, account
name, social security number, driver's license number, or passport number.
b. A signature, telephone number, state identification card number, insurance
policy number, employment history, bank account number, credit card number, or
debit card number or medical information or health insurance information.
c. Characteristics of protected classifications under state or federal law.
d. Commercial information such as records of personal property, records of
products or services purchased, obtained, or considered, or other purchasing or
consuming histories or tendencies.
e. Biometric information.
f. Internet or other electronic network activity information, including browsing
history, search history, and information regarding a consumer's interaction with an
Internet site, application, or advertisement.
g. Geolocation data.
h. Audio, electronic, visual, thermal, olfactory, or similar information.
i. Professional or employment-related information.
j. Education information that is not publicly available personally identifiable
information under the federal Family Educational Rights and Privacy Act,
20 USC 1232g.
k. Inferences drawn from personal information that create a profile about a
consumer reflecting the consumer's preferences, characteristics, psychological
trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
2. “Personal information” does not include information that is lawfully made
available from federal, state, or local government records if the information is used
for a purpose that is compatible with the purpose for which the information is
maintained and made available.
(j) “Sell” means to transfer, disseminate, disclose, release, rent, make available,
or otherwise communicate for monetary or other valuable consideration.
(k) “Service provider” means a sole proprietorship, partnership, limited
liability company, corporation, association, or other legal entity that is organized or
operated for the profit of its shareholders or other owners and that processes
information on behalf of a business and to which the business discloses a consumer's
personal information for a business purpose pursuant to a written contract that
prohibits the recipient of the information from retaining, using, or disclosing the
information for any purpose other than for the specific purpose of performing the
services specified in the contract.
(L) “Third party” means a person that is not any of the following:
1. A business that collects personal information from consumers.
2. A person to whom a business discloses a consumer's personal information
for a business purpose pursuant to a written contract that prohibits the person
receiving the personal information from selling, retaining, using, or disclosing the
personal information for any purpose other than for the specific purpose of
performing the services specified in the contract.
(m) “Verifiable consumer request” means a request, received by a business that
has collected personal information about a consumer, that the business can
reasonably verify to be from the consumer or the consumer's authorized
representative or, if the consumer is under 13 years of age, the consumer's parent or
guardian.
(2) Required notices. (a) If a business has an online privacy policy or a
Wisconsin-specific description of consumers' privacy rights, the business shall
disclose all of the following information in the policy or description in a form that is
reasonably accessible to consumers:
1. The right of a consumer to request a disclosure under sub. (3) (a) and (c) and
one or more methods that a consumer is able to use to make a request.
2. The categories of consumers' personal information collected in the preceding
12 months.
3. The categories of sources from which consumers' personal information was
collected in the preceding 12 months.
4. The business or commercial purposes for collecting consumers' personal
information.
5. If the business has sold consumers' personal information in the preceding
12 months, the business or commercial purposes for selling the personal information.
6. If the business has shared consumers' personal information with a 3rd party
in the preceding 12 months, the categories of 3rd parties with whom the business has
shared personal information.
7. A list of the categories of consumers' personal information sold, if the
business has sold consumers' personal information in the preceding 12 months, or
if the business has not sold consumers' personal information in the preceding 12
months, a disclosure of that fact.
8. A list of the categories of consumers' personal information disclosed for a
business purpose, if the business has disclosed consumers' personal information for
a business purpose in the preceding 12 months, or if the business has not disclosed
consumers' personal information for a business purpose in the preceding 12 months,
a disclosure of that fact.
(b) If a business does not have an online privacy policy or a Wisconsin-specific
description of consumers' privacy rights under par. (a) and the business has an
Internet site, the business shall disclose the information listed in par. (a) 1. to 8. on
its Internet site in a form that is reasonably accessible to consumers.
(c) A business that makes a disclosure under par. (a) or (b) shall update the
information in the disclosure at least once every 12 months.
(3) Disclosure of information collected. (a) 1. Upon receiving a verifiable
consumer request from a consumer, a business that has collected personal
information about that consumer shall promptly disclose and deliver free of charge
to the consumer all of the following:
a. The categories of personal information it has collected about the consumer
in the preceding 12 months.
b. The categories of sources from which the consumer's personal information
was collected in the preceding 12 months.
c. The business or commercial purposes for collecting the consumer's personal
information.
d. If the business has sold the consumer's personal information in the preceding
12 months, the business or commercial purposes for selling the personal information.
e. If the business has shared the consumer's personal information with 3rd
parties in the preceding 12 months, the categories of 3rd parties with whom the
business has shared personal information.
f. The specific pieces of personal information that the business has collected
about the consumer in the preceding 12 months.
2. A business may disclose and deliver personal information to a consumer
under this paragraph only after receiving a verifiable consumer request from the
consumer.
3. A business shall make available to consumers 2 or more methods for
submitting verifiable consumer requests for a disclosure under this paragraph
including, at a minimum, a toll-free telephone number and, if the business
maintains an Internet site, an Internet address.
4. a. Except as provided in subd. 4. b., a business shall deliver the disclosure
required under this paragraph within 45 days of receiving a verifiable consumer
request from a consumer. A business shall promptly take steps to determine whether
a request received is a verifiable consumer request. The time that a business spends
determining whether a request is a verifiable consumer request is included in the
45-day deadline under this subd. 4. a.
b. A business may deliver the disclosure required under this paragraph within
90 days after receiving a verifiable consumer request if reasonably necessary and if
the business notifies the consumer of the delayed delivery before the time period
under subd. 4. a. expires.
5. A business shall deliver personal information under this paragraph in
writing and through the consumer's account with the business, if the consumer
maintains an account with the business. If the consumer does not maintain an
account with the business, the business shall deliver personal information under this
paragraph by mail or electronically, at the choice of the consumer. If the business
provides personal information under this paragraph electronically, the business
shall provide the information in a portable and, to the extent technically feasible, a
readily useable format that allows the consumer to transmit the information to
another entity without hindrance.
6. A business may not require a consumer to create an account in order to
submit a verifiable consumer request for a disclosure of personal information
required under this paragraph.
7. A business is not required to provide personal information to a consumer
under this paragraph more than 2 times in a 12-month period.
(b) Paragraph (a) does not require any of the following: