(c) This subsection does not require a controller to do any of the following:
1. Reidentify data that does not identify a consumer.
2. Retain, link, or combine personal data concerning a consumer that the controller would not otherwise retain, link, or combine in its ordinary course of business.
3. Comply with a request under this subsection if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(4) Personal data breach notification. (a) 1. Except as provided in subd. 2., if a controller is aware of a personal data breach of personal data maintained by the controller, the controller shall notify the department of justice of the personal data breach without undue delay. If feasible, the controller shall notify the department within 30 days of becoming aware of the personal data breach. If the controller does not notify the department within 30 days of becoming aware of the personal data breach, the controller shall provide a reason for not notifying within 30 days. The notification shall do all of the following:
a. Describe the nature of the personal data breach including, if known, the categories and approximate number of consumers involved and the categories and approximate number of personal data records involved.
b. Describe the likely consequences of the personal data breach.
c. Describe the measures taken or proposed by the controller to address the personal data breach, including, if appropriate, measures to mitigate the possible adverse effects.
2. A controller is not required to make a notification under this paragraph if the personal data breach is unlikely to result in a risk to the rights and freedoms of consumers.
3. If it is not possible to provide the information required under subd. 1. at the same time, the controller may provide the information in stages without undue delay.
4. If a processor is aware of a personal data breach of personal data that the processor maintains on behalf of a controller, the processor shall notify the controller without undue delay.
(b) 1. Except as provided in subd. 2., if a controller is aware of a personal data breach of personal data maintained by the controller and the personal data breach is likely to result in a high risk to the rights and freedoms of consumers, the controller shall notify the consumers whose personal data is involved in the personal data breach. The notification shall describe in clear and plain language the nature of the personal data breach and contain the information described in par. (a) 1. b. and c.
2. A controller is not required to make a notification under this paragraph if any of the following applies:
a. The controller has implemented appropriate technical and organizational protection measures to the personal data involved in the personal data breach that render the personal data unintelligible to any person who is not authorized to access it.
b. The controller takes measures after the personal data breach that ensure that a high risk to the rights and freedoms of consumers is not likely to exist.
c. Making the notification involves unreasonable effort. If this subd. 2. c. applies, the controller shall publicly communicate about the personal data breach to consumers in an effective manner.
(5) Applicability. (a) This section does not require a controller to confirm processing or provide a copy of the following types of information:
1. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.
2. Information identifying a patient covered by 42 USC 290dd-2.
3. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.
4. Information and documents created specifically for and collected and maintained by a hospital.
5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.
6. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.
7. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.
8. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.
9. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.
10. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.
11. Information maintained for employment records.
(b) This section does not apply to a consumer who processes personal data in connection with a purely personal or household activity.
(c) This section does not apply to a controller that processes a consumer's personal data for literary or artistic purposes.
(d) This section does not apply to a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest.
(6) Enforcement; penalties. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.
(b) 1. A controller who violates sub. (4) shall be fined not more than $10,000,000 or not more than 2 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
2. A controller who violates sub. (2) or (3) shall be fined not more than $20,000,000 or not more than 4 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
3. A court may not impose in the same action more than one fine on a controller under this paragraph unless the additional fine is imposed for a violation that does not involve the same or linked processing activities by the controller.
Section 2. Effective date.
(1) This act takes effect on July 31, 2022.