(g) “Process,” when used in reference to personal data, means to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.

(h) “Processor” means a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.

(i) “Recipient” means a person to which personal data is disclosed.
(2) Requirements for processing personal data. Subject to sub. (4), no controller or processor may process a consumer's personal data unless any of the following applies:

(a) All of the following applies:

1. The processing is conducted for a purpose to which the consumer, or if the consumer is less than 16 years of age, the consumer's parent or guardian, consents by a statement or clear affirmative action.

2. The consent under par. (a) 1. is freely given, specific, informed, and unambiguous.

3. The consumer is able to withdraw any consent provided under par. (a) 1. at any time, and before giving consent is informed that consent may be withdrawn.

4. The consent provided under par. (a) 1. is as easy for the consumer to withdraw as to give.

5. If the consumer grants consent as part of a written declaration that also concerns other matters, the request for consent is clearly distinguishable from the other matters in an intelligible and easily accessible form using clear and plain language.

6. The controller or processor is able to demonstrate that the consumer provided consent under par. (a) 1.

7. The controller or processor does not require as a condition of using the controller's or processor's service that the consumer consent to processing of personal data, unless processing the consumer's personal data is necessary to perform the service.

(b) The processing is necessary to perform a contract to which the consumer is party or in order to take steps at the request of the consumer before entering a contract.

(c) The processing is necessary for complying with a legal obligation.

(d) The processing is necessary to protect the vital interests of the consumer or another person.

(e) The processing is necessary to perform a task carried out in the public interest or to exercise official authority vested in the controller.

(f) The processing is conducted to detect security incidents; to protect against malicious, deceptive, fraudulent, or illegal activity; or to prosecute a person responsible for that activity.

(g) The controller or a 3rd party has a legitimate ground to process the personal data.
(3) Processing of certain types of personal data. (a) Except as provided in par. (b), a controller or processor may not process any of the following:

1. Personal data revealing a consumer's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

2. Genetic data, data concerning health, or personal data concerning a consumer's sex life or sexual orientation.

3. Biometric data, if the purpose of the processing is to uniquely identify a consumer.

(b) A controller or processor may process information described in par. (a) if any of the following applies:

1. The processing is conducted for a purpose to which the consumer explicitly consents.

2. The processing is necessary for complying with a legal obligation.

3. The consumer is physically or legally incapable of giving consent and the processing is necessary to protect the vital interests of the consumer or another individual.

4. The processing is conducted by a nonprofit organization having a political, philosophical, or religious purpose and all of the following applies:

a. The processing relates only to members or former members of the organization or to persons who have regular contact with the organization related to the organization's purposes.

b. The personal data processed is not disclosed outside the organization.

5. The processing relates to personal data that the consumer makes public.

6. The processing is necessary for establishing, exercising, or defending a legal claim or a court authorizes the processing.

7. The processing is necessary for reasons of substantial public interest.

8. The processing is necessary for reasons of public interest in the area of public health, if the personal data is processed by or under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law and any of the following applies:

a. Processing the personal data is necessary to provide health care or treatment to a person in a medical emergency.

b. Processing the personal data is necessary to protect against serious threats to health or for ensuring the quality and safety of health care, medical products, or medical devices.

9. The processing is necessary for archiving purposes that are in the public interest, scientific or historic research purposes, or statistical purposes.
(4) Request to restrict processing of personal data. (a) Except as provided in par. (c) 1., upon a consumer's request, a controller may store but may not otherwise process the consumer's personal data if any of the following applies:

1. Processing the personal data is unlawful.

2. Storing the personal data is necessary for the consumer to establish, exercise, or defend a legal claim.

3. The controller has no legitimate ground to process the personal data that overrides the consumer's request.

(b) If a controller is required under par. (a) to not process, other than by storing, a consumer's personal data and the controller has disclosed the personal data to other controllers, the controller shall notify each recipient to whom the controller disclosed the personal data about the consumer's request under par. (a), unless notification is impossible or involves unreasonable effort. Except as provided in par. (c) 1., upon receiving the notice, a controller may store but may not otherwise process the consumer's personal data if any of the conditions of par. (a) applies.

(c) 1. Paragraphs (a) and (b) do not prohibit a controller from processing, other than by storing, a consumer's personal data if any of the following apply:

a. The consumer consents to the processing.

b. The controller processes the personal data for establishing, exercising, or defending a legal claim.

c. The controller processes the personal data to protect the rights of another person.

d. The controller processes the personal data for important public interest reasons under federal, state, or local law.

2. A controller may not process, other than by storing, personal data under this paragraph unless the controller first notifies the consumer.

(d) A controller is not required to restrict processing of a consumer's personal data under this subsection if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(5) Records of processing activities. (a) A controller shall maintain records of processing of personal data conducted by the controller that contain all of the following information:

1. The controller's name and contact information.

2. The purpose of the processing.

3. An identification of the categories of personal data involved in the processing.

4. An identification of the categories of consumers whose personal data is involved in the processing.

5. If consent is provided for the processing, documentation of consent from consumers for the consumers' personal data to be processed.

6. The name and contact information of a person to whom the controller discloses personal data, and the purpose for the disclosure.

(b) A processor shall maintain records of processing of personal data conducted by the processor that contain all of the following:

1. The processor's name and contact information, and the name and contact information of the controller on behalf of which the processor is acting.

2. The categories of processing conducted on behalf of each controller.

(c) A controller or processor shall make records required under this subsection available to the department upon request.
(6) Applicability. (a) A controller or processor is not prohibited under this section from processing any of the following types of information:

1. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.

2. Information identifying a patient covered by 42 USC 290dd-2.

3. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.

4. Information and documents created specifically for and collected and maintained by a hospital.

5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.

6. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.

7. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.

8. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.

9. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.

10. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.

11. Information maintained for employment records.

(b) This section does not apply to a consumer processing personal data in connection with a purely personal or household activity.

(c) This section does not apply to a controller that processes a consumer's personal data for literary or artistic purposes.

(d) This section does not apply to a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest.
(7) Enforcement; penalties. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.

(b) 1. A controller or processor who violates sub. (5) shall be fined not more than $10,000,000 or not more than 2 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.

2. A controller or processor who violates sub. (2), (3), or (4) shall be fined not more than $20,000,000 or not more than 4 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.

3. A court may not impose in the same action more than one fine on a controller or processor under this paragraph unless the additional fine is imposed for a violation that does not involve the same or linked processing activities by the controller or processor.
Section 2. Effective date.

(1) This act takes effect on July 31, 2022.