AB872,4,3

---

1(h) “Processor” means a person who processes personal data on behalf of a
2controller, but does not include a law enforcement agency or a unit or instrumentality
3of the federal government, the state, or a local government.

AB872,4,44 (i) “Recipient” means a person to which personal data is disclosed.

AB872,4,7 5(2) Requirements for processing personal data. Subject to sub. (4), no
6controller or processor may process a consumer's personal data unless any of the
7following applies:

AB872,4,88 (a) All of the following applies:

AB872,4,119 1. The processing is conducted for a purpose to which the consumer, or if the
10consumer is less than 16 years of age, the consumer's parent or guardian, consents
11by a statement or clear affirmative action.

AB872,4,1312 2. The consent under par. (a) 1. is freely given, specific, informed, and
13unambiguous.

AB872,4,1514 3. The consumer is able to withdraw any consent provided under par. (a) 1. at
15any time, and before giving consent is informed that consent may be withdrawn.

AB872,4,1716 4. The consent provided under par. (a) 1. is as easy for the consumer to
17withdraw as to give.

AB872,4,2118 5. If the consumer grants consent as part of a written declaration that also
19concerns other matters, the request for consent is clearly distinguishable from the
20other matters in an intelligible and easily accessible form using clear and plain
21language.

AB872,4,2322 6. The controller or processor is able to demonstrate that the consumer
23provided consent under par. (a) 1.

AB872,5,224 7. The controller or processor does not require as a condition of using the
25controller's or processor's service that the consumer consent to processing of personal

---

1data, unless processing the consumer's personal data is necessary to perform the
2service.

AB872,5,53 (b) The processing is necessary to perform a contract to which the consumer is
4party or in order to take steps at the request of the consumer before entering a
5contract.

AB872,5,66 (c) The processing is necessary for complying with a legal obligation.

AB872,5,87 (d) The processing is necessary to protect the vital interests of the consumer
8or another person.

AB872,5,109 (e) The processing is necessary to perform a task carried out in the public
10interest or to exercise official authority vested in the controller.

AB872,5,1311 (f) The processing is conducted to detect security incidents; to protect against
12malicious, deceptive, fraudulent, or illegal activity; or to prosecute a person
13responsible for that activity.

AB872,5,1514 (g) The controller or a 3rd party has a legitimate ground to process the personal
15data.

AB872,5,17 16(3) Processing of certain types of personal data. (a) Except as provided in
17par. (b), a controller or processor may not process any of the following:

AB872,5,1918 1. Personal data revealing a consumer's racial or ethnic origin, political
19opinions, religious or philosophical beliefs, or trade union membership.

AB872,5,2120 2. Genetic data, data concerning health, or personal data concerning a
21consumer's sex life or sexual orientation.

AB872,5,2322 3. Biometric data, if the purpose of the processing is to uniquely identify a
23consumer.

AB872,5,2524 (b) A controller or processor may process information described in par. (a) if any
25of the following applies:

AB872,6,2

---

11. The processing is conducted for a purpose to which the consumer explicitly
2consents.

AB872,6,33 2. The processing is necessary for complying with a legal obligation.

AB872,6,64 3. The consumer is physically or legally incapable of giving consent and the
5processing is necessary to protect the vital interests of the consumer or another
6individual.

AB872,6,87 4. The processing is conducted by a nonprofit organization having a political,
8philosophical, or religious purpose and all of the following applies:

AB872,6,119 a. The processing relates only to members or former members of the
10organization or to persons who have regular contact with the organization related
11to the organization's purposes.

AB872,6,1212 b. The personal data processed is not disclosed outside the organization.

AB872,6,1313 5. The processing relates to personal data that the consumer makes public.