November 7, 2023 - Introduced by Senators Quinn and Marklein, cosponsored by Representatives Zimmerman, Gustafson, Allen, Armstrong, Behnke, Binsfeld, Dittrich, Duchow, Green, Kitchens, Kurtz, Macco, Murphy, Mursau, Novak, O’Connor, Penterman, Plumer, Pronschinske, Rettinger, Sortwell, Spiros, Steffen, Tittl, Wichgers and Wittke. Referred to Committee on Shared Revenue, Elections and Consumer Protection.

This bill establishes requirements for controllers and processors of the personal data of consumers. The bill defines a “controller” as a person that, alone or jointly with others, determines the purpose and means of processing personal data, and the bill applies to controllers that control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. Under the bill, “personal data” means any information that is linked or reasonably linkable to an individual except for publicly available information.

The bill provides consumers with the following rights regarding their personal data: 1) to confirm whether a controller is processing the consumer’s personal data and to access the personal data; 2) to correct inaccuracies in the consumer’s personal data; 3) to require a controller to delete personal data provided by or about the consumer; 4) to obtain a copy of the personal data that the consumer previously provided to the controller; and 5) to opt out of the processing of the consumer’s personal data for targeted advertising; the sale of the consumer’s personal data; and certain forms of automated processing of the consumer’s personal data. These rights are subject to certain exceptions specified in the bill. Controllers may not discriminate against a consumer for exercising rights under the bill, including by charging different prices for goods or providing a different level of quality of goods or services.

The bill requires controllers to respond to consumers’ requests to invoke rights under the bill without undue delay. If a controller declines to take action regarding a consumer’s request, the controller must inform the consumer of its justification without undue delay. The bill also requires that information provided in response to a consumer’s request be provided free of charge once annually per consumer. Controllers must also establish processes for consumers to appeal a refusal to take action on a consumer’s request. Within 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the attorney general to submit a complaint.

Under the bill, a controller must provide consumers with a privacy notice that discloses the categories of personal data processed by the controller; the purpose of processing the personal data; the categories of third parties, if any, with whom the controller shares personal data; the categories of personal data that the controller shares with third parties; and information about how consumers may exercise their rights under the bill. Controllers may not collect or process personal data for purposes that are not relevant to or reasonably necessary for the purposes disclosed in the privacy notice. The bill’s requirements do not restrict a controller’s ability to collect, use, or retain data for conducting internal research, effectuating a product recall, identifying and repairing technical errors, or performing internal operations that are reasonably aligned with consumer expectations or reasonably anticipated on the basis of a consumer’s relationship with the controller.

Persons that process personal data on behalf of a controller must adhere to a contract between the controller and the processor, and such contracts must satisfy certain requirements specified in the bill. The bill also requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill. The attorney general may request that a controller disclose a data protection assessment that is relevant to an investigation being conducted by the attorney general.

The attorney general has exclusive authority to enforce violations of the bill’s requirements. A controller or processor that violates the bill’s requirements is subject to a forfeiture of up to $7,500 per violation, and the attorney general may recover reasonable investigation and litigation expenses incurred. Before bringing an action to enforce the bill’s requirements, the attorney general must first provide a controller or processor with a written notice identifying the violations. If within 30 days of receiving the notice the controller or processor cures the violation and provides the attorney general with an express written statement that the violation is cured and that no such further violations will occur, then the attorney general may not bring an action against the controller or processor. The bill also prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data.

SB642,,77(a) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company.

SB642,,88(b) “Authenticate” means verifying through reasonable means that the consumer, entitled to exercise his or her consumer rights under sub. (2), is the same consumer exercising such consumer rights with respect to the personal data at issue.

SB642,,99(c) “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

SB642,,1212(f) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

SB642,,1313(g) “Consumer” means an individual who is a resident of this state acting only in an individual or household context. “Consumer” does not include an individual acting in a commercial or employment context.

SB642,,1717(jg) “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.