For further information see the state fiscal estimate, which will be printed as an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do enact as follows:
Section 1. 100.80 of the statutes is created to read:
100.80 Consumer data protection. (1) Definitions. In this section:
(a) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company.
(b) “Authenticate” means verifying through reasonable means that the consumer, entitled to exercise his or her consumer rights under sub. (2), is the same consumer exercising such consumer rights, or is an individual with authority to exercise such rights of a consumer, with respect to the personal data at issue.
(c) “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom unless such data is generated to identify a specific individual, or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
(d) “Business associate” has the meaning given in 45 CFR 160.103.
(e) “Child” means an individual younger than 13 years of age.
(f) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. “Consent” does not include any of the following:
1. Acceptance of a general terms-of-use document or similar document that contains descriptions of personal data processing along with other, unrelated information.
2. Hovering over, muting, pausing, or closing a given piece of content.
3. Agreements obtained by using dark patterns.
(g) “Consumer” means an individual who is a resident of this state acting only in an individual or household context. “Consumer” does not include an individual acting in a commercial or employment context.
(h) “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
(i) “Covered entity” has the meaning given in 45 CFR 160.103.
(ja) “Cures Act” means the federal 21st Century Cures Act and valid federal regulations enacted pursuant to such provisions.
(jd) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
(jg) “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.
(ka) “Deidentified data” means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to such person.
(kb) “Identified or identifiable individual” means a person who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
(La) “HIPAA” means the federal Health Insurance Portability and Accountability Act and valid federal regulations enacted pursuant to the act, including 45 CFR 164.500 to 164.534.
(Lg) “HITECH” means the federal Health Information Technology for Economic and Clinical Health Act and valid federal regulations enacted pursuant to the act.
(m) “Institution of higher education” has the meaning given in s. 39.32 (1) (a).
(n) “Nonprofit organization” means any corporation organized under ch. 181, any organization identified under s. 895.486 (2) (e), or any organization exempt from taxation under section 501 (c) (3), (6), or (12) of the Internal Revenue Code.
(o) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include deidentified data or publicly available information.
(p) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(q) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.