AB466,,66663. A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.

AB466,,67674. A controller may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller may not discriminate against a consumer for exercising any of the consumer rights contained in this section, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. Nothing in this subdivision shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his or her right to opt out under sub. (2) (a) 5. or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

AB466,,68685. A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 USC 6501 et seq.

AB466,,6969(b) Any provision of a contract or agreement that purports to waive or limit consumer rights under sub. (2) is void and unenforceable.

AB466,,7070(c) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:

AB466,,71711. The categories of personal data processed by the controller.

AB466,,72722. The purpose of processing personal data.

AB466,,73733. How consumers may exercise their consumer rights under sub. (2), including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

AB466,,74744. The categories of personal data that the controller shares with 3rd parties, if any.

AB466,,75755. The categories of 3rd parties, if any, with whom the controller shares personal data.

AB466,,7676(d) If a controller sells personal data to 3rd parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

AB466,,7777(e) A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this section. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers may not require a consumer to create a new account in order to exercise consumer rights under sub. (2) but may require a consumer to use an existing account.

AB466,,7878(4) Responsibility according to role; controller and processor. (a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this section. Such assistance shall include the following:

AB466,,79791. Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests under sub. (2).

AB466,,80802. Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to giving notice of unauthorized acquisition of personal information under s. 134.98.

AB466,,81813. Providing necessary information to enable the controller to conduct and document data protection assessments under sub. (5).

AB466,,8282(b) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall do all of the following:

AB466,,83831. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

AB466,,84842. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

AB466,,85853. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this section.

AB466,,86864. At least one of the following:

AB466,,8787a. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.

AB466,,8888b. Arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this section using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

AB466,,89895. Engage any subcontractor pursuant to a written contract in accordance with par. (c) that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

AB466,,9090(c) Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined by this section.

AB466,,9191(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.