Wisconsin Introduces Three New Data Privacy Bills - Clarip Privacy Blog

Wisconsin Introduces Three New Data Privacy Bills


On February 12, 2020, Wisconsin held its first public hearing on the three new data privacy bills. Assembly Bills 870, 871, and 872 join a slew of data privacy laws introduced across the states in the wake of the California Consumer Privacy Act.

Assembly Bill 870

AB 870 creates certain disclosure obligations for “controllers” of consumer data.  Controllers must inform the consumers of what data they are collecting and for what purpose.  If requested, they must provide a copy of the data to the consumers. In the case they do not collect data directly from the consumers and intend to process that personal data, the controllers are obliged to inform the consumers of the data collected, the purpose for which it was collected, and any other parties with whom data is shared.

There are of course the common exceptions to the prescribed controller obligations in the cases of processing out of necessity, disclosure adversely affecting the rights of others, or other types of information already restricted by federal law.

In the case of a breach that is likely to result in a risk to the rights and freedoms of the consumer, the controller must notify the Department of Justice as well as any consumers whose personal data is affected within 30 days or provide a reason for the delay. The bill further creates an obligation upon any processor who processes data for the controller to notify the controller of the breach.

AB 870 and its companion bills provide for fairly significant penalties enforceable by the state attorney general but do not create a private right of action. Controllers found to be in violation of the data breach disclosure requirements can be subject to fines of up to $10 million or 2% of their total revenue, and further may be fined up to $20 million or 4% of total annual revenue for failure to comply with the consumers’ request for a copy of their personal data.

Assembly Bill 871

AB 871 deals with the consumers’ right to request deletion of personal data and obliges compliance by the controller when: (1) the data is no longer necessary for purposes of accomplishing what it was collected for or (2) the data is being used for direct marketing purposes, in which case the controller must take reasonable steps to inform all controllers that may be processing that personal data to delete it according to the consumer’s request.

Again, there are exceptions to this requirement where the data is necessary for performing a contract, for security purposes, complying with legal obligations, and performing tasks for the public interest. Additionally, an exception is carved out for philosophical, political, or religious non-profit organizations that process data of members, former members, or persons who have regular contact with the organization.

This bill is enforceable by the attorney general and does not create a private right of action. A violation of a deletion request can result in fines of up to $20 million or 4% of total annual revenue, whichever is greater.

Assembly Bill 872

AB 872 deals with restricting the use of personal data by the controllers. This bill creates an express requirement of consent as opposed to the opt-out option we are seeing in most other states as well as the CCPA. Unless certain conditions are met, the controller must obtain the consumer’s consent to process personal data and in the case of those under 16 years of age, it must have the consent of a parent or legal guardian.  In the absence of consent, personal information may be processed to complete a contract, to perform a legal obligation, or for security purposes. Even in the case of having the consumer’s affirmative consent, the consumer could always withdraw that consent down the line.  Controllers cannot require a consumer to grant consent in order to obtain services. The consumer would also have the power to request that the controller store, but not otherwise process the personal data, if processing the personal data is unlawful, storing the personal data is necessary for the consumer to establish, exercise, or defend a legal claim, or the controller has no legitimate ground to process the personal data that overrides the consumer’s request.

There are further limitations on certain types of personal data that reveal a consumer’s ethnicity, religious, political, or philosophical beliefs, trade union membership, biometric data, genetic data, health information, and personal information concerning a consumer’s sex life or sexual orientation.

A controller would be required to maintain records of processing personal data, the categories of personal data processed, the purpose of processing, and the categories of the consumers.

This bill would be enforceable by the attorney general and would not create a private right of action. A violation of the recordkeeping requirement could result in fines of up to $10 million or 2% of the controller’s total annual revenue, whichever is greater. In the case the controller violates provisions with respect to the processing of personal data, it could be liable for up to $20 million in fines or 4% of total annual revenue, whichever is greater.

If enacted, the Wisconsin data privacy bills would go into effect on July 31, 2022.

Ask Clarip today how we can solve your biggest compliance pain points. Call Clarip at 1-888-252-5653.
