LRB-3381/2
KP:amn&cjs
2019 - 2020 LEGISLATURE
February 20, 2020 - Introduced by Senators Larson, Carpenter and L. Taylor,
cosponsored by Representatives
Brostoff, Anderson, Cabrera, Sinicki,
Stubbs and Shankland. Referred to Committee on Government Operations,
Technology and Consumer Protection.
SB851,1,2
1An Act to create 134.985 of the statutes;
relating to: the privacy of consumer
2data, granting rule-making authority, and providing a penalty.
Analysis by the Legislative Reference Bureau
Generally, this bill establishes requirements for businesses related to personal
information collected about consumers. The bill's requirements apply to
“businesses,” which is defined in the bill to mean a sole proprietorship, limited
liability company, corporation, association, or other entity operated for profit that
satisfies all of the following: 1) collects consumers' personal information or alone or
jointly with others determines the purposes and means of the processing of personal
information; 2) does business in this state; and 3) either has annual gross revenues
exceeding $25,000,000; buys, receives, sells, or shares the personal information of
50,000 or more consumers annually; or derives 50 percent or more of its annual
revenues from selling consumers' personal information. The bill defines “
personal
information” as information that identifies, relates to, describes, or is capable of
being associated or linked with a particular consumer or household other than
certain information that is lawfully made available from federal, state, or local
government records.
The bill requires a business to disclose certain information to consumers if the
business has an online privacy policy or a Wisconsin-specific description of
consumers' privacy rights, including the following: 1) information about how a
consumer can make a request for a copy of the personal information collected about
the consumer; 2) the categories of personal information collected by the business in
the past twelve months; 3) the categories of sources from which the business collected
personal information in the past twelve months; 4) the business's purposes for
collecting consumers' personal information; and 5) if the business sells consumers'
personal information, the purpose for selling the personal information. If the
business has an Internet site but not an online privacy policy or a Wisconsin-specific
description of consumers' privacy rights, the business must disclose the above
information on the Internet site.
Under the bill, a consumer may request a business to disclose certain
information if the business collects personal information about the consumer,
including the following: 1) the categories of personal information about the
consumer collected by the business in the past twelve months; 2) the categories of
sources from which the business collected personal information about the consumer
in the past twelve months; 3) the purposes for collecting the personal information
about the consumer; 4) if the business has sold the consumer's personal information
in the past twelve months, the purpose for selling the personal information; and 5)
the specific pieces of personal information about the consumer that the business
collected in the past twelve months. In addition, the business must deliver this
information within 45 days or within 90 days if the longer duration is reasonably
necessary and the business notifies the consumer about the delay within 45 days.
The business must disclose the information in a portable and readily useable format.
A consumer may request this information twice in a twelve-month period.
A consumer may request a business that sells the consumer's personal
information to disclose certain information, including the categories of personal
information collected about the consumer in the past twelve months, the categories
of personal information about the consumer that the business sold in the past twelve
months, and the categories of personal information about the consumer sold to each
third party in the past twelve months. The business must disclose the information
in a portable and readily useable format and within 45 days or within 90 days if the
longer duration is reasonably necessary.
The bill also requires a business, before collecting a consumer's personal
information, to inform the consumer about the categories of personal information
that the business will collect and the purpose for which the business will use the
personal information collected. Under the bill, in order for a business to sell a
consumer's personal information, certain requirements apply, including the
following: 1) if the business has an Internet site, it must provide a link titled “Do Not
Sell My Personal Information” that enables consumers to object to the selling of the
consumer's personal information; 2) if the business has an online privacy policy, the
business must include the link described above in that policy; 3) a business may not
sell the personal information if a consumer is 16 or older and the consumer directs
the business not to sell the consumer's personal information; 4) a business may sell
the personal information of a consumer aged 13 to 16 only if the consumer
affirmatively authorizes selling the personal information; 5) a business may sell the
personal information of a consumer under the age of 13 only if the consumer's parent
or guardian affirmatively authorizes it; and 6) a third party must notify a consumer
before selling the consumer's personal information. A business must also implement
reasonable security procedures to protect the personal information of consumers.
The bill also requires that if a consumer requests that a business delete the
personal information that the business has collected about the consumer, the
business must delete that personal information. The bill provides certain exceptions
to that requirement, including the cases in which it is necessary for the business to
maintain the personal information to do any of the following: 1) complete a
transaction or contract with a consumer; 2) detect security incidents; 3) identify
errors; 4) exercise free speech or ensure the right of another consumer to exercise free
speech; 5) comply with a legal obligation; or 6) otherwise use the personal
information internally in a lawful manner.
The bill provides that a business may not discriminate against a consumer
because the consumer requests information about the business's collection or sale of
personal information, requests the business not to sell the consumer's personal
information, or requests that the business delete the consumer's personal
information. Under the bill, a business is allowed to charge a consumer a different
price or provide a different level of services if the difference is reasonably related to
the value provided to the consumer by the consumer's personal data, and a business
may offer financial incentives to a consumer for collecting the consumer's personal
information, subject to certain requirements described in the bill.
The bill requires the Department of Justice to promulgate various rules to
implement the bill's requirements. The bill also authorizes businesses to request
advice from the attorney general on how to comply with the bill's requirements and
requires the attorney general to respond to those requests.
Additionally, a provision in a contract is void and unenforceable if it would
waive or limit one or more of the bill's requirements. The bill also provides a
consumer with a private cause of action against a business if the business does not
implement reasonable security procedures to protect the consumer's personal
information and the personal information is subject to unauthorized access. A
business, service provider, or person that violates the bill is subject to a forfeiture of
up to $2,500 for each violation and a forfeiture of up to $7,500 for each intentional
violation.
For further information see the state fiscal estimate, which will be printed as
an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows: