On November 14, 2023, the Wisconsin State Assembly passed Assembly Bill 466, otherwise known as the Wisconsin Data Privacy Act (WDPA). The bill passed on its third reading and was immediately ordered to the Wisconsin State Senate. If passed by the senate and signed by the governor, the WDPA will become effective on January 1, 2025. As written, the WDPA closely mirrors other comprehensive state consumer privacy laws including Virginia, Colorado, and Connecticut, all of which are currently in effect.
Subject to the exceptions described below, the WDPA is applicable to all persons that conduct business in Wisconsin or produce products or services that are targeted to Wisconsin residents and that meet either of the following criteria:
- Controls or processes the personal data of at least 100,000 Wisconsin residents (“consumers”) during a calendar year; and/or
- Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data.
These persons are referred to as “controllers” under the WDPA. Like other state-level comprehensive consumer privacy laws except California, the WDPA does not have a revenue threshold.
The WDPA has broad entity and information exceptions. The entity exceptions include state and local agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), HIPAA-covered entities or business associates, nonprofit organizations, and higher education institutions.
The WDPA also exempts employment and business-to-business information, unlike California. Other key exemptions include publicly available information and information governed by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Children’s Online Privacy Protection Act. The WDPA also has a broad range of health-related exceptions, including protected health information (PHI) regulated by HIPAA, information regulated by the Cures Act of 2021 or any other federal or Wisconsin law governing health care information or records, and certain identifiable patient information related to clinical research and trials, among others.
The WDPA will provide Wisconsin residents with the following rights concerning their personal data:
- Right to Know/Access. Consumers have the right to confirm if a controller is processing the consumer’s personal data and to gain access to that personal data unless the confirmation requires the controller to reveal a trade secret.
- Right to Data Portability. Consumers have the right to receive a copy of their personal data in a portable and readily usable format so the data can be transmitted to a third party where processing is conducted by automated means; however, the controller will not be required to reveal a trade secret.
- Right to Correct. Consumers have the right to have inaccurate personal data corrected.
- Right to Delete. Consumers have the right to have their personal data deleted.
- Right to Opt-Out. Consumers have the right to opt out of the following uses of their personal data:
  - Processing of their personal data for purposes of targeted advertising.
  - Sale of their personal data for monetary consideration.
  - Automated decision-making that produces legal or similarly significant effects concerning the consumer.
Controllers will have 45 days to respond to consumer requests, with the option for one additional 45-day extension when reasonably necessary.
The WDPA requires controllers to comply with certain obligations when processing personal data as follows:
- Consent for Processing Sensitive Data. A controller is prohibited from processing “sensitive data” about a consumer without the consumer’s consent. Under the WDPA, “sensitive data” includes personal data that reveals race or ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive data also includes genetic or biometric data, the personal data collected from a child known to be younger than 13 years of age, and precise geolocation data within a radius of 1,750 feet.
- Data Processing Agreements. The WDPA will require controllers to enter into a data processing agreement (DPA) with each processor that processes personal data on behalf of the controller. The DPA must include clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and each party’s rights and obligations under the agreement.
- Data Protection Assessments. A controller must conduct and document a data protection assessment of the following processing activities: the processing of personal data for targeted advertising purposes, the sale of personal data, and the processing of personal information for the purpose of profiling (where the profiling presents a reasonably foreseeable risk of harm to the consumer). A controller is also required to weigh the benefits of each processing activity against the potential risks to the rights of consumers.
- Privacy Notices. A controller must provide a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller, the purpose of processing personal data, how consumers can exercise their rights and how a consumer may appeal a controller’s decision not to comply with a consumer rights request, the categories of personal data that the controller shares with third parties, and the categories of third parties with whom the controller shares personal data. The privacy notice must also state whether the controller sells personal data to a third party or processes personal data for targeted advertising and, if so, clearly and conspicuously disclose such processing and how a consumer may exercise their right to opt out of it. Finally, the privacy notice must describe one or more secure and reliable means for consumers to submit requests to exercise their rights.
- Other Requirements/Prohibitions. A controller must (i) limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes for which the data is processed; and (ii) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. A controller cannot (i) process personal data for purposes that are not reasonably necessary to the disclosed purposes unless the controller has received the consumer’s consent; or (ii) deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods to the consumer because the consumer exercised their rights.
As written, the WDPA does not contain a private cause of action and will be enforced by the Wisconsin Attorney General. The WDPA provides that each violation by a controller may result in up to a US$7,500 penalty, plus recovery of the Attorney General’s reasonable expenses.
Impact to Businesses
Wisconsin is among a handful of states looking to add to the existing patchwork of consumer privacy laws at the state level. Although the WDPA closely mirrors other comprehensive state consumer privacy laws, this is a good opportunity for organizations conducting business in Wisconsin to review their data programs and confirm that these requirements are met. Organizations not currently subject to other state consumer privacy laws will want to confirm whether they will meet the thresholds in the WDPA (as currently proposed) and, if so, ensure they are ready to implement these requirements expeditiously should the WDPA be passed into law.
For more information about complying with the WDPA or any other consumer privacy laws, please contact any of the partners or senior counsel in Foley & Lardner’s Cybersecurity and Data Privacy team.
The author gratefully acknowledges the contributions of Lauren Hudon, a student at Marquette University Law School and Law Clerk at Foley & Lardner LLP.