SB977,19,1818
5. Rules that establish procedures for the following:
SB977,19,1919
a. The submission of a direction under sub. (4) (c) 1. a.
SB977,19,2020
b. Business compliance with a direction submitted under sub. (4) (c) 1. a.
SB977,19,2321
c. The use of a recognizable and uniform logo or button by all businesses to
22promote consumer awareness of the option to make a direction under sub. (4) (c) 1.
23a.
SB977,20,224
6. Rules that ensure that the notices and information that business are
25required to provide under this section are provided in a manner that may be easily
1understood by the average consumer, are accessible to consumers with disabilities,
2and are available in the language primarily used to interact with the consumer.
SB977,20,123
7. Rules that facilitate a consumer's or, under sub. (4) (c) 1. b., a representative's
4ability to make a request or submit a direction under this section, with the goal of
5minimizing the administrative burden on consumers, taking into account available
6technology, security concerns, and the burden on the business, to govern a business's
7determination that a request by a consumer is a verifiable consumer request,
8including by treating a request submitted through a password-protected account
9maintained by the consumer with the business while the consumer is logged into the
10account as a verifiable consumer request and providing a mechanism for a business
11to authenticate the identity of a consumer who does not maintain an account with
12the business and requests information or submits a direction under this section.
SB977,20,1713
(c) The department of justice shall adjust the monetary threshold amount in
14sub. (1) (c) 1. a. in January of every odd-numbered year by the percentage change
15in the U.S. consumer price index for all urban consumers, U.S. city average, as
16determined by the federal department of labor for the period since the last
17adjustment under this paragraph.
SB977,20,20
18(8) Contracts in violation. A provision in a contract or agreement that
19purports to waive or limit a requirement under this section is void and
20unenforceable.
SB977,20,25
21(9) Private cause of action. (a) 1. A consumer may initiate an action against
22a business to enforce a written statement under subd. 2. and may pursue injunctive
23or declaratory relief, damages in an amount not less than $100 and not more than
24$750 per consumer per incident or actual damages, whichever is greater, or any other
25relief the court deems proper if all of the following apply:
SB977,21,4
1a. The consumer, on an individual or class-wide basis, provides the business
2with written notice identifying that the consumer's nonencrypted or nonredacted
3personal information is subject to an unauthorized access and exfiltration, theft, or
4disclosure as a result of the business's violation of sub. (4) (f).
SB977,21,65
b. The business continues to violate sub. (4) (f) more than 30 days after
6receiving the written notice under subd. 1. a.
SB977,21,107
2. No action may be brought under subd. 1. if within 30 days of receiving a
8written notice under subd. 1. a., a business cures the noticed violation of sub. (4) (f)
9and provides the consumer that provided the written notice with an express written
10statement that the violation has been cured.
SB977,21,1611
3. In assessing the amount of damages under subd. 1., a court shall consider
12the relevant circumstances presented by any of the parties to the case, including the
13nature and seriousness of the misconduct, the number of violations, the persistence
14of the misconduct, the length of time over which the misconduct occurred, the
15willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and
16net worth.
SB977,21,1817
(b) A consumer may initiate an action against a business solely for actual
18pecuniary damages suffered as a result of the business's violation of sub. (4) (f).
SB977,21,19
19(10) Inapplicability. (a) This section does not do any of the following:
SB977,21,2120
1. Restrict a business from complying with federal or state laws or local
21ordinances.
SB977,21,2322
2. Restrict a business from complying with a civil, criminal, or regulatory
23inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
SB977,22,224
3. Restrict a business, service provider, or 3rd party from cooperating with law
25enforcement agencies concerning conduct or activity that the business, service
1provider, or 3rd party reasonably and in good faith believes might violate federal,
2state, or local law.
SB977,22,33
4. Restrict a business from exercising or defending legal claims.
SB977,22,54
5. Restrict the collection, use, retention, sale, or disclosure of consumer
5information that is deidentified or aggregate consumer information.
SB977,22,96
6. Restrict the collection or sale of a consumer's personal information if the
7information is collected while the consumer was outside of this state, no part of any
8sale of the consumer's personal information occurs in this state, and no personal
9information collected from a consumer while the consumer is in this state is sold.
SB977,22,1010
(b) This section does not apply to any of the following:
SB977,22,1211
1. Medical information that is collected by a health care provider or entity and
12covered by federal law.
SB977,22,1513
2. Information collected as part of a clinical trial subject to the Federal Policy
14for the Protection of Human Subjects while following standards developed by
15international organizations of federal agencies.
SB977,22,1916
3. Personal information sold to or from a consumer reporting agency, as defined
17in s. 422.501 (1m), if the information is reported in or used to generate a consumer
18report, as defined in s. 100.54 (1) (b), and the use of the information complies with
19the federal Fair Credit Reporting Act,
15 USC 1681 et seq.
SB977,22,2120
4. Personal information collected, processed, sold, or disclosed pursuant to the
21federal Gramm-Leach-Bliley Act, Public Law 106-102.
SB977,22,2322
5. Personal information collected, processed, sold, or disclosed pursuant to the
23the federal Driver's Privacy Protection Act,
18 USC 2721 et seq.
SB977,23,3
24(11) Violations; penalty. (a) If a series of steps or transactions are component
25parts of a single transaction intended from the beginning to be taken with the
1intention of avoiding the requirements of this section, including the disclosure of
2information by a business to a 3rd party in order to avoid constituting a sale, a court
3shall disregard the intermediate steps or transactions for purposes of this section.
SB977,23,94
(b) The department of justice may, if a business, service provider, or person
5violates this section more than 30 days after receiving notification of the violation
6from the department of justice, commence an action in the name of the state against
7the business, service provider, or other person to recover a forfeiture to the state of
8not more than $2,500 for each violation or a forfeiture of not more than $7,500 for
9each intentional violation.
SB977,2
10Section 2
.
Initial applicability.
SB977,23,1211
(1)
This act first applies to a contract that is entered into, renewed, or modified
12on the effective date of this subsection.
SB977,3
13Section 3
.
Effective date.
SB977,23,1514
(1)
This act takes effect on the first day of the 7th month beginning after
15publication.