3. Identify and repair technical errors that impair existing or intended functionality.
4. Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated on the basis of the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c) The obligations imposed on controllers or processors under this section shall not apply where compliance by the controller or processor with this section would violate an evidentiary privilege under ch. 905. Nothing in this section shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under ch. 905 as part of a privileged communication.
(d) A controller or processor that discloses personal data to a 3rd-party controller or processor, in compliance with the requirements of this section, is not in violation of this section if the 3rd-party controller or processor that receives and processes such personal data is in violation of this section, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A 3rd-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this section is likewise not in violation of this section for the transgressions of the controller or processor from which it receives such personal data.
(e) Nothing in this section shall be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the U.S. Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
(f) Personal data processed by a controller pursuant to this subsection may not be processed for any purpose other than those expressly listed in this subsection unless otherwise allowed by this section. Personal data processed by a controller pursuant to this subsection may be processed to the extent that such processing is both of the following:
1. Reasonably necessary and proportionate to the purposes listed in this subsection.
2. Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this subsection. Personal data collected, used, or retained pursuant to par. (b) shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.
(g) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in par. (f).
(h) Processing personal data for the purposes expressly identified in par. (a) shall not solely make an entity a controller with respect to such processing.
(8) Scope; exemptions. (a) This section applies to persons that conduct business in this state or produce products or services that are targeted to residents of this state and who satisfy either of the following:
1. During a calendar year, the person controls or processes personal data of at least 100,000 consumers.
2. The person controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
(b) This section shall not apply to any of the following:
1. An association, authority, board, department, commission, independent agency, institution, office, society, or other body in state or local government created or authorized to be created by the constitution or any law.
2. Financial institutions, affiliates of financial institutions, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 USC 6801 et seq.
3. A covered entity or business associate governed by HIPAA or HITECH.
4. A nonprofit organization.
5. An institution of higher education.
6. The entity under contract under s. 153.05 (2m) (a) and its contractors.
7. The data organization under contract under s. 153.05 (2r) and its contractors.
(c) The following information and data are exempt from this section:
1. Any health care information or record that is governed by HIPAA, HITECH, Cures Act, or any other federal law governing the use, disclosure, access or creation of health care information or records, including any derived, identifiable, de-identifiable, confidential or non-confidential health care information or records as defined by such federal laws.
2. Any health care information or record that is governed by s. 51.30, 146.816, 146.82, 146.83, or 146.84, chapter 153, or other Wisconsin law governing the use, disclosure, access or creation of health care information or records, including any derived, identifiable, de-identifiable, confidential or non-confidential health care information or records as defined by such Wisconsin laws.
3. Any of the following:
a. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR Part 46.
b. Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or under 21 CFR Parts 50 and 56.
c. Personal data used or shared in research conducted in accordance with the requirements set forth in this section, or other research conducted in accordance with applicable law.
4. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.