9. Assist another controller, processor, or 3rd party with any of the obligations
under this section.
(b) The obligations imposed on controllers or processors under this section
shall not restrict a controller's or processor's ability to collect, use, or retain data to
do any of the following:
1. Conduct internal research to develop, improve, or repair products, services,
or technology.
2. Effectuate a product recall.
3. Identify and repair technical errors that impair existing or intended
functionality.
4. Perform internal operations that are reasonably aligned with the
expectations of the consumer or reasonably anticipated on the basis of the
consumer's existing relationship with the controller or are otherwise compatible
with processing data in furtherance of the provision of a product or service
specifically requested by a consumer or the performance of a contract to which the
consumer is a party.
(c) The obligations imposed on controllers or processors under this section
shall not apply where compliance by the controller or processor with this section
would violate an evidentiary privilege under ch. 905. Nothing in this section shall
be construed to prevent a controller or processor from providing personal data
concerning a consumer to a person covered by an evidentiary privilege under ch.
905 as part of a privileged communication.
(d) A controller or processor that discloses personal data to a 3rd-party
controller or processor, in compliance with the requirements of this section, is not in
violation of this section if the 3rd-party controller or processor that receives and
processes such personal data is in violation of this section, provided that, at the
time of disclosing the personal data, the disclosing controller or processor did not
have actual knowledge that the recipient intended to commit a violation. A 3rd-party
controller or processor receiving personal data from a controller or processor
in compliance with the requirements of this section is likewise not in violation of
this section for the transgressions of the controller or processor from which it
receives such personal data.
(e) Nothing in this section shall be construed as an obligation imposed on
controllers and processors that adversely affects the rights or freedoms of any
persons, such as exercising the right of free speech pursuant to the First
Amendment to the U.S. Constitution, or applies to the processing of personal data
by a person in the course of a purely personal or household activity.
(f) Personal data processed by a controller pursuant to this subsection may
not be processed for any purpose other than those expressly listed in this subsection
unless otherwise allowed by this section. Personal data processed by a controller
pursuant to this subsection may be processed to the extent that such processing is
both of the following:
1. Reasonably necessary and proportionate to the purposes listed in this
subsection.
2. Adequate, relevant, and limited to what is necessary in relation to the
specific purposes listed in this subsection. Personal data collected, used, or
retained pursuant to par. (b) shall, where applicable, take into account the nature
and purpose or purposes of such collection, use, or retention. Such data shall be
subject to reasonable administrative, technical, and physical measures to protect
the confidentiality, integrity, and accessibility of the personal data and to reduce
reasonably foreseeable risks of harm to consumers relating to such collection, use,
or retention of personal data.
(g) If a controller processes personal data pursuant to an exemption in this
section, the controller bears the burden of demonstrating that such processing
qualifies for the exemption and complies with the requirements in par. (f).
(h) Processing personal data for the purposes expressly identified in par. (a)
shall not solely make an entity a controller with respect to such processing.
(8) Scope; exemptions. (a) This section applies to persons that conduct
business in this state or produce products or services that are targeted to residents
of this state and who satisfy either of the following:
1. During a calendar year, the person controls or processes personal data of at
least 100,000 consumers.
2. The person controls or processes personal data of at least 25,000 consumers
and derives over 50 percent of gross revenue from the sale of personal data.
(b) This section shall not apply to any of the following:
1. An association, authority, board, department, commission, independent
agency, institution, office, society, entity regulated by the federal Farm Credit
Administration, or other body in state or local government created or authorized to
be created by the constitution or any law.
2. Financial institutions, affiliates of financial institutions, or data subject to
Title V of the federal Gramm-Leach-Bliley Act, 15 USC 6801 et seq.
3. A covered entity or business associate governed by HIPAA or HITECH.
4. A nonprofit organization.
5. An institution of higher education.
6. A state agency or political subdivision of this state, including agents and
entities that use public safety technologies for the purposes of bona fide law
enforcement investigation.
7. The entity under contract under s. 153.05 (2m) (a) and its contractors.
8. The data organization under contract under s. 153.05 (2r) and its
contractors.
(c) The following information and data are exempt from this section:
1. Any health care information or record that is governed by HIPAA,
HITECH, Cures Act, or any other federal law governing the use, disclosure, access
or creation of health care information or records, including any derived,
identifiable, de-identifiable, confidential or non-confidential health care
information or records as defined by such federal laws.
2. Any health care information or record that is governed by s. 51.30, 146.816,
146.82, 146.83, or 146.84, chapter 153, or other Wisconsin law governing the use,
disclosure, access or creation of health care information or records, including any
derived, identifiable, de-identifiable, confidential or non-confidential health care
information or records as defined by such Wisconsin laws.