Wisconsin State Assembly Fast Tracks Wisconsin Data Privacy Act

On November 14, 2023, the Wisconsin State Assembly passed Assembly Bill 466, otherwise known as the Wisconsin Data Privacy Act (WDPA). The bill passed on its third reading and was immediately ordered to the Wisconsin State Senate. If passed by the senate and signed by the governor, the WDPA will become effective on January 1, 2025. As written, the WDPA closely mirrors other comprehensive state consumer privacy laws including Virginia, Colorado, and Connecticut, all of which are currently in effect.

Applicability

Subject to the exceptions described below, the WDPA is applicable to all persons that conduct business in Wisconsin or produce products or services that are targeted to Wisconsin residents and that meet either of the following criteria:

Controls or processes the personal data of at least 100,000 Wisconsin residents (“consumers”) during a calendar year; and/or
Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data.

These persons are referred to as “controllers” under the WDPA. Like other state-level comprehensive consumer privacy laws except California, the WDPA does not have a revenue threshold.

Key Exemptions

The WDPA has broad entity and information exceptions. The entity exceptions include state and local agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), HIPAA-covered entities or business associates, nonprofit organizations, and higher education institutions.

The WDPA also exempts employment and business-to-business information, unlike California. Other key exemptions include publicly available information, information governed by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, the Farm Credit Act, and the Children’s Online Privacy Protection Act. The WDPA also has a broad range of health-related exceptions, including information that is protected health information (PHI) regulated by HIPAA, the Cures Act of 2021, or any other federal or Wisconsin law governing health care information or records, and certain identifiable patient information related to clinical research and trials, among others.

Consumer Rights

The WDPA will provide Wisconsin residents with the following rights concerning their personal data:

Right to Know/Access. Consumers have the right to confirm if a controller is processing the consumer’s personal data and to gain access to that personal data unless the confirmation requires the controller to reveal a trade secret.
Right to Data Portability. Consumers have the right to receive a copy of their personal data in a portable and readily usable format so the data can be transmitted to a third party where processing is conducted by automated means; however, the controller will not be required to reveal a trade secret.
Right to Correct. Consumers have the right to have inaccurate personal data corrected.
Right to Delete. Consumers have the right to have their personal data deleted.
Right to Opt-Out. Consumers have the right to opt-out of the following uses of their personal information:
- Processing of their personal data for purposes of targeted advertising.
- Selling their personal data for monetary consideration.
- Automated decision-making that produce legal or similarly significant effects concerning the consumer.

Controllers will have 45 days to respond to consumer requests, with the option for one additional 45-day extension when reasonably necessary.

Business Obligations

The WDPA requires controllers to comply with certain obligations when processing personal data as follows:

Consent for Processing Sensitive Data. A controller is prohibited from processing “sensitive data” about a consumer without the consumer’s consent. Under the WDPA, “sensitive data” includes personal data that reveals race or ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive data also includes genetic or biometric data, the personal data collected from a child known to be younger than 13 years of age, and precise geolocation data within a radius of 1,750 feet.
Data Processing Agreements. The WDPA will require controllers to enter into a data processing agreement (DPA) with each processor that processes personal data on behalf of the controller. The DPA must include clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and each party’s rights and obligations under the agreement.
Data Protection Assessments. A controller must conduct and document a data protection assessment of the following processing activities: the processing of personal data for targeted advertising purposes, the sale of personal data, and the processing of personal information for the purpose of profiling (where the profiling presents a reasonably foreseeable risk of harm to the consumer). A controller is also required to weigh the benefits of each processing activity against the potential risks to the rights of consumers.
Privacy Notices. A controller must provide a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller, the purpose of processing personal data, how consumers can exercise their rights and how a consumer may appeal a controller’s decision not to comply with a consumer rights request, the categories of personal data that the controller shares with third parties, and the categories of third parties with whom the controller shares personal data. The privacy notice must also describe whether it sells personal data to a third party or whether it processes personal data for targeted advertising and clearly and conspicuously disclose such processing and how a consumer may exercise their right to opt-out of such processing. Finally, the privacy notice must describe one or more secure and reliable means for consumers to submit requests to exercise their rights.
Other Requirements/Prohibitions. A controller must (i) limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes for which the data is processed; and (ii) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. A controller cannot (i) process personal data for purposes that are not reasonably necessary to the disclosed purposes unless the controller has received the consumer’s consent; or (ii) deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of good to the consumer because the consumer exercised their rights.

Enforcement

As written, the WDPA does not contain a private cause of action and will be enforced by the Wisconsin Attorney General. The WDPA provides that each violation by a controller may result in up to a US$7,500 penalty, plus recovery of the Attorney General’s reasonable expenses.

Impact to Businesses

Wisconsin is among a handful of other states looking to add to the existing patchwork of consumer privacy laws at the state level. Although the WDPA closely mirrors other comprehensive state consumer privacy laws, this is a good opportunity for organizations conducting business in Wisconsin to review their data programs to confirm these requirements are met. Organizations not subject to other state consumer privacy laws at this time will want to confirm if they will meet the thresholds in the WDPA (as currently proposed) and if so, ensure the organization will be ready to implement these requirements expeditiously should the WDPA be passed into law.

For more information about complying with the WDPA or any other consumer privacy laws, please contact any of the partners or senior counsel in Foley & Lardner’s Cybersecurity and Data Privacy team.

The author gratefully acknowledges the contributions of Lauren Hudon, a student at Marquette University Law School and Law Clerk at Foley & Lardner LLP.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.