The bill also allows consumers to request that a controller restrict the processing of the consumer's personal data, and the controller may store but not otherwise process the personal data if certain conditions apply, such as the following: 1) if the controller has no legitimate ground to process the personal data that overrides the consumer's request; or 2) if processing the personal data is unlawful. The controller generally must notify other controllers to which the controller discloses the consumer's personal data, unless notification is impossible or involves unreasonable effort, and those controllers generally must not process, other than by storing, the personal data. A controller may continue processing a consumer's personal data under the bill under certain conditions, including 1) if the consumer consents; 2) if processing occurs for important public interest reasons under federal, state, or local law; or 3) if processing occurs to protect the rights of another person.

Also, under the bill, controllers and processors must maintain records of processing of personal data that contain certain information including the purpose of the processing, the categories of personal data involved in the processing, and the categories of consumers whose personal data is involved in the processing. The bill also requires a controller or processor to make the records available to the Department of Justice upon request.

Under the bill, the attorney general may investigate violations and bring actions for enforcement. A controller or processor who violates the bill's record-keeping requirements is subject to a fine of up to $10,000,000 or of up to 2 percent of the controller's total annual revenue, whichever is greater. For violating the bill's requirements related to processing a consumer's personal data, a controller or processor may be fined up to $20,000,000 or up to 4 percent of the controller's total annual revenue, whichever is greater.

Because this bill creates a new crime or revises a penalty for an existing crime, the Joint Review Committee on Criminal Penalties may be requested to prepare a report.

The people of the state of Wisconsin, represented in senate and assembly, do enact as follows:
Section 1. 134.985 of the statutes is created to read:

134.985 Processing personal data; restrictions. (1) Definitions. In this section:
(a) “Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a consumer that uniquely identify the consumer.
(b) “Consumer” means an individual who is a resident of this state.
(c) “Controller” means a person that alone or jointly with others determines the purposes and means of the processing of personal data but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(d) “Data concerning health” means personal data related to the physical or mental health of a consumer.
(e) “Genetic data” means personal data resulting from an analysis of a biological sample from a consumer that relates to the consumer's inherited or acquired genetic characteristics that provide unique information about the consumer's physiology or health.
(f) “Personal data” means information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer, but does not include any information lawfully made available from federal, state, or local government records.
(g) “Process,” when used in reference to personal data, means to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.
(h) “Processor” means a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(i) “Recipient” means a person to which personal data is disclosed.

(2) Requirements for processing personal data. Subject to sub. (4), no controller or processor may process a consumer's personal data unless any of the following applies:
(a) All of the following applies:
  1. The processing is conducted for a purpose to which the consumer, or if the consumer is less than 16 years of age, the consumer's parent or guardian, consents by a statement or clear affirmative action.
  2. The consent under par. (a) 1. is freely given, specific, informed, and unambiguous.
  3. The consumer is able to withdraw any consent provided under par. (a) 1. at any time, and before giving consent is informed that consent may be withdrawn.
  4. The consent provided under par. (a) 1. is as easy for the consumer to withdraw as to give.
  5. If the consumer grants consent as part of a written declaration that also concerns other matters, the request for consent is clearly distinguishable from the other matters in an intelligible and easily accessible form using clear and plain language.
  6. The controller or processor is able to demonstrate that the consumer provided consent under par. (a) 1.
  7. The controller or processor does not require as a condition of using the controller's or processor's service that the consumer consent to processing of personal data, unless processing the consumer's personal data is necessary to perform the service.
(b) The processing is necessary to perform a contract to which the consumer is party or in order to take steps at the request of the consumer before entering a contract.
(c) The processing is necessary for complying with a legal obligation.
(d) The processing is necessary to protect the vital interests of the consumer or another person.
(e) The processing is necessary to perform a task carried out in the public interest or to exercise official authority vested in the controller.
(f) The processing is conducted to detect security incidents; to protect against malicious, deceptive, fraudulent, or illegal activity; or to prosecute a person responsible for that activity.
(g) The controller or a 3rd party has a legitimate ground to process the personal data.

(3) Processing of certain types of personal data. (a) Except as provided in par. (b), a controller or processor may not process any of the following:
  1. Personal data revealing a consumer's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  2. Genetic data, data concerning health, or personal data concerning a consumer's sex life or sexual orientation.
  3. Biometric data, if the purpose of the processing is to uniquely identify a consumer.
(b) A controller or processor may process information described in par. (a) if any of the following applies:
  1. The processing is conducted for a purpose to which the consumer explicitly consents.
  2. The processing is necessary for complying with a legal obligation.
  3. The consumer is physically or legally incapable of giving consent and the processing is necessary to protect the vital interests of the consumer or another individual.
  4. The processing is conducted by a nonprofit organization having a political, philosophical, or religious purpose and all of the following applies:
    a. The processing relates only to members or former members of the organization or to persons who have regular contact with the organization related to the organization's purposes.
    b. The personal data processed is not disclosed outside the organization.
  5. The processing relates to personal data that the consumer makes public.
  6. The processing is necessary for establishing, exercising, or defending a legal claim or a court authorizes the processing.
  7. The processing is necessary for reasons of substantial public interest.
  8. The processing is necessary for reasons of public interest in the area of public health, if the personal data is processed by or under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law and any of the following applies:
    a. Processing the personal data is necessary to provide health care or treatment to a person in a medical emergency.
    b. Processing the personal data is necessary to protect against serious threats to health or for ensuring the quality and safety of health care, medical products, or medical devices.
  9. The processing is necessary for archiving purposes that are in the public interest, scientific or historic research purposes, or statistical purposes.

(4) Request to restrict processing of personal data. (a) Except as provided in par. (c) 1., upon a consumer's request, a controller may store but may not otherwise process the consumer's personal data if any of the following applies:
  1. Processing the personal data is unlawful.
  2. Storing the personal data is necessary for the consumer to establish, exercise, or defend a legal claim.
  3. The controller has no legitimate ground to process the personal data that overrides the consumer's request.
(b) If a controller is required under par. (a) to not process, other than by storing, a consumer's personal data and the controller has disclosed the personal data to other controllers, the controller shall notify each recipient to whom the controller disclosed the personal data about the consumer's request under par. (a), unless notification is impossible or involves unreasonable effort. Except as provided in par. (c) 1., upon receiving the notice, a controller may store but may not otherwise process the consumer's personal data if any of the conditions of par. (a) applies.
(c) 1. Paragraphs (a) and (b) do not prohibit a controller from processing, other than by storing, a consumer's personal data if any of the following apply:
    a. The consumer consents to the processing.
    b. The controller processes the personal data for establishing, exercising, or defending a legal claim.
    c. The controller processes the personal data to protect the rights of another person.
    d. The controller processes the personal data for important public interest reasons under federal, state, or local law.
  2. A controller may not process, other than by storing, personal data under this paragraph unless the controller first notifies the consumer.
(d) A controller is not required to restrict processing of a consumer's personal data under this subsection if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.

(5) Records of processing activities. (a) A controller shall maintain records of processing of personal data conducted by the controller that contain all of the following information:
  1. The controller's name and contact information.
  2. The purpose of the processing.
  3. An identification of the categories of personal data involved in the processing.
  4. An identification of the categories of consumers whose personal data is involved in the processing.
  5. If consent is provided for the processing, documentation of consent from consumers for the consumers' personal data to be processed.
  6. The name and contact information of a person to whom the controller discloses personal data, and the purpose for the disclosure.
(b) A processor shall maintain records of processing of personal data conducted by the processor that contain all of the following:
  1. The processor's name and contact information, and the name and contact information of the controller on behalf of which the processor is acting.
  2. The categories of processing conducted on behalf of each controller.
(c) A controller or processor shall make records required under this subsection available to the department upon request.

(6) Applicability. (a) A controller or processor is not prohibited under this section from processing any of the following types of information:
  1. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.
  2. Information identifying a patient covered by 42 USC 290dd-2.
  3. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.
  4. Information and documents created specifically for and collected and maintained by a hospital.
  5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.
  6. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.
  7. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.
  8. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.
  9. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.
  10. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.
  11. Information maintained for employment records.
(b) This section does not apply to a consumer processing personal data in connection with a purely personal or household activity.
(c) This section does not apply to a controller that processes a consumer's personal data for literary or artistic purposes.
(d) This section does not apply to a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest.

(7) Enforcement; penalties. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.