Wisconsin 2023-2024 Regular Session

Wisconsin Assembly Bill AB466 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	LRB-2054/1
2	2	MDE:cdc
3	3	2023 - 2024 LEGISLATURE
4	4	2023 ASSEMBLY BILL 466
5	5	October 5, 2023 - Introduced by Representatives ZIMMERMAN, GUSTAFSON, ALLEN,
6	6	ARMSTRONG, BEHNKE, BINSFELD, DITTRICH, DUCHOW, GREEN, KITCHENS, KURTZ,
7	7	MACCO, MURPHY, MURSAU, NOVAK, O'CONNOR, PENTERMAN, PLUMER,
8	8	PRONSCHINSKE, RETTINGER, SORTWELL, SPIROS, STEFFEN, TITTL, WICHGERS and
9	9	WITTKE, cosponsored by Senators Q UINN and MARKLEIN. Referred to
10	10	Committee on Consumer Protection.
11	11	*AUTHORS SUBJECT TO CHANGE*
12	12	AN ACT to create 134.985 of the statutes; relating to: consumer data protection
13	13	and providing a penalty.
14	14	Analysis by the Legislative Reference Bureau
15	15	This bill establishes requirements for controllers and processors of the personal
16	16	data of consumers. The bill defines a “controller” as a person that, alone or jointly
17	17	with others, determines the purpose and means of processing personal data, and the
18	18	bill applies to controllers that control or process the personal data of at least 100,000
19	19	consumers or that control or process the personal data of at least 25,000 consumers
20	20	and derive over 50 percent of their gross revenue from the sale of personal data.
21	21	Under the bill, “personal data” means any information that is linked or reasonably
22	22	linkable to an individual except for publicly available information.
23	23	The bill provides consumers with the following rights regarding their personal
24	24	data: 1) to confirm whether a controller is processing the consumer's personal data
25	25	and to access the personal data; 2) to correct inaccuracies in the consumer's personal
26	26	data; 3) to require a controller to delete personal data provided by or about the
27	27	consumer; 4) to obtain a copy of the personal data that the consumer previously
28	28	provided to the controller; and 5) to opt out of the processing of the consumer's
29	29	personal data for targeted advertising; the sale of the consumer's personal data; and
30	30	certain forms of automated processing of the consumer's personal data. These rights
31	31	are subject to certain exceptions specified in the bill. Controllers may not
32	32	discriminate against a consumer for exercising rights under the bill, including by
33	33	charging different prices for goods or providing a different level of quality of goods
34	34	or services.
35	35	1
36	36	2 - 2 -2023 - 2024 Legislature LRB-2054/1
37	37	MDE:cdc
38	38	ASSEMBLY BILL 466
39	39	The bill requires controllers to respond to consumers' requests to invoke rights
40	40	under the bill without undue delay. If a controller declines to take action regarding
41	41	a consumer's request, the controller must inform the consumer of its justification
42	42	without undue delay. The bill also requires that information provided in response
43	43	to a consumer's request be provided free of charge once annually per consumer.
44	44	Controllers must also establish processes for consumers to appeal a refusal to take
45	45	action on a consumer's request. Within 60 days of receiving an appeal, a controller
46	46	must inform the consumer in writing of any action taken or not taken in response to
47	47	the appeal, including a written explanation of the reasons for its decisions. If the
48	48	appeal is denied, the controller must provide the consumer with a method through
49	49	which the consumer can contact the attorney general to submit a complaint.
50	50	Under the bill, a controller must provide consumers with a privacy notice that
51	51	discloses the categories of personal data processed by the controller; the purpose of
52	52	processing the personal data; the categories of third parties, if any, with whom the
53	53	controller shares personal data; the categories of personal data that the controller
54	54	shares with third parties; and information about how consumers may exercise their
55	55	rights under the bill. Controllers may not collect or process personal data for
56	56	purposes that are not relevant to or reasonably necessary for the purposes disclosed
57	57	in the privacy notice. The bill's requirements do not restrict a controller's ability to
58	58	collect, use, or retain data for conducting internal research, effectuating a product
59	59	recall, identifying and repairing technical errors, or performing internal operations
60	60	that are reasonably aligned with consumer expectations or reasonably anticipated
61	61	on the basis of a consumer's relationship with the controller.
62	62	Persons that process personal data on behalf of a controller must adhere to a
63	63	contract between the controller and the processor, and such contracts must satisfy
64	64	certain requirements specified in the bill. The bill also requires controllers to
65	65	conduct data protection assessments related to certain activities, including
66	66	processing personal data for targeted advertising, selling personal data, processing
67	67	personal data for profiling purposes, and processing sensitive data, as defined in the
68	68	bill. The attorney general may request that a controller disclose a data protection
69	69	assessment that is relevant to an investigation being conducted by the attorney
70	70	general.
71	71	The attorney general has exclusive authority to enforce violations of the bill's
72	72	requirements. A controller or processor that violates the bill's requirements is
73	73	subject to a forfeiture of up to $7,500 per violation, and the attorney general may
74	74	recover reasonable investigation and litigation expenses incurred. Before bringing
75	75	an action to enforce the bill's requirements, the attorney general must first provide
76	76	a controller or processor with a written notice identifying the violations. If within
77	77	30 days of receiving the notice the controller or processor cures the violation and
78	78	provides the attorney general with an express written statement that the violation
79	79	is cured and that no such further violations will occur, then the attorney general may
80	80	not bring an action against the controller or processor. The bill also prohibits cities,
81	81	villages, towns, and counties from enacting or enforcing ordinances that regulate the
82	82	collection, processing, or sale of personal data. - 3 -2023 - 2024 Legislature
83	83	LRB-2054/1
84	84	MDE:cdc
85	85	ASSEMBLY BILL 466
86	86	For further information see the state fiscal estimate, which will be printed as
87	87	an appendix to this bill.
88	88	The people of the state of Wisconsin, represented in senate and assembly, do
89	89	enact as follows:
90	90	SECTION 1. 134.985 of the statutes is created to read:
91	91	134.985 Consumer data protection. (1) DEFINITIONS. In this section:
92	92	(a) “Affiliate” means a legal entity that controls, is controlled by, or is under
93	93	common control with another legal entity or shares common branding with another
94	94	legal entity. For the purposes of this definition, “control" or “controlled" means
95	95	ownership of, or the power to vote, more than 50 percent of the outstanding shares
96	96	of any class of voting security of a company; control in any manner over the election
97	97	of a majority of the directors or of individuals exercising similar functions; or the
98	98	power to exercise controlling influence over the management of a company.
99	99	(b) “Authenticate" means verifying through reasonable means that the
100	100	consumer, entitled to exercise his or her consumer rights under sub. (2), is the same
101	101	consumer exercising such consumer rights with respect to the personal data at issue.
102	102	(c) “Biometric data" means data generated by automatic measurements of an
103	103	individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas,
104	104	irises, or other unique biological patterns or characteristics that are used to identify
105	105	a specific individual. “Biometric data" does not include a physical or digital
106	106	photograph, a video or audio recording or data generated therefrom, or information
107	107	collected, used, or stored for health care treatment, payment, or operations under the
108	108	federal Health Insurance Portability and Accountability Act of 1996.
109	109	(d) “Business associate” has the meaning given in 45 CFR 160.103.
110	110	(e) “Child” means an individual younger than 13 years of age.
111	111	1
112	112	2
113	113	3
114	114	4
115	115	5
116	116	6
117	117	7
118	118	8
119	119	9
120	120	10
121	121	11
122	122	12
123	123	13
124	124	14
125	125	15
126	126	16
127	127	17
128	128	18
129	129	19
130	130	20
131	131	21 - 4 -2023 - 2024 Legislature LRB-2054/1
132	132	MDE:cdc
133	133	SECTION 1 ASSEMBLY BILL 466
134	134	(f) “Consent" means a clear affirmative act signifying a consumer's freely given,
135	135	specific, informed, and unambiguous agreement to process personal data relating to
136	136	the consumer. “Consent” may include a written statement, including a statement
137	137	written by electronic means, or any other unambiguous affirmative action.
138	138	(g) “Consumer" means an individual who is a resident of this state acting only
139	139	in an individual or household context. “Consumer" does not include an individual
140	140	acting in a commercial or employment context.
141	141	(h) “Controller" means a person that, alone or jointly with others, determines
142	142	the purpose and means of processing personal data.
143	143	(i) “Covered entity” has the meaning given in 45 CFR 160.103.
144	144	(ja) “Cures Act” means the federal 21st Century Cures Act and valid federal
145	145	regulations enacted pursuant to such provisions.
146	146	(jg) “Decisions that produce legal or similarly significant effects concerning a
147	147	consumer" means a decision made by the controller that results in the provision or
148	148	denial by the controller of financial and lending services, housing, insurance,
149	149	education enrollment, criminal justice, employment opportunities, health care
150	150	services, or access to basic necessities, such as food and water.
151	151	(ka) “Deidentified data" means data that cannot reasonably be linked to an
152	152	identified or identifiable individual, or a device linked to such person.
153	153	(kb) “Identified or identifiable individual" means a person who can be readily
154	154	identified, directly or indirectly.
155	155	(La) “HIPAA” means the federal Health Insurance Portability and
156	156	Accountability Act and valid federal regulations enacted pursuant to the act,
157	157	including 45 CFR 164.500 to 164.534.
158	158	1
159	159	2
160	160	3
161	161	4
162	162	5
163	163	6
164	164	7
165	165	8
166	166	9
167	167	10
168	168	11
169	169	12
170	170	13
171	171	14
172	172	15
173	173	16
174	174	17
175	175	18
176	176	19
177	177	20
178	178	21
179	179	22
180	180	23
181	181	24 - 5 -2023 - 2024 Legislature
182	182	LRB-2054/1
183	183	MDE:cdc
184	184	SECTION 1
185	185	ASSEMBLY BILL 466
186	186	(Lg) “HITECH” means the federal Health Information T echnology for
187	187	Economic and Clinical Health Act and valid federal regulations enacted pursuant to
188	188	the act.
189	189	(m) “Institution of higher education” has the meaning given in s. 39.32 (1) (a).
190	190	(n) “Nonprofit organization" means any corporation organized under ch. 181,
191	191	any organization identified under s. 895.486 (2) (e), or any organization exempt from
192	192	taxation under section 501 (c) (3), (6), or (12) of the Internal Revenue Code.
193	193	(o) “Personal data" means any information that is linked or reasonably linkable
194	194	to an identified or identifiable individual. “Personal data" does not include
195	195	deidentified data or publicly available information.
196	196	(p) “Precise geolocation data" means information derived from technology,
197	197	including global positioning system level latitude and longitude coordinates or other
198	198	mechanisms, that directly identifies the specific location of an individual with
199	199	precision and accuracy within a radius of 1,750 feet. “Precise geolocation data" does
200	200	not include the content of communications or any data generated by or connected to
201	201	advanced utility metering infrastructure systems or equipment for use by a utility.
202	202	(q) “Process" or “processing" means any operation or set of operations
203	203	performed, whether by manual or automated means, on personal data or on sets of
204	204	personal data, such as the collection, use, storage, disclosure, analysis, deletion, or
205	205	modification of personal data.
206	206	(r) “Processor” means an individual or person that processes personal data on
207	207	behalf of a controller.
208	208	(s) “Profiling" means any form of automated processing performed on personal
209	209	data to evaluate, analyze, or predict personal aspects related to an identified or
210	210	1
211	211	2
212	212	3
213	213	4
214	214	5
215	215	6
216	216	7
217	217	8
218	218	9
219	219	10
220	220	11
221	221	12
222	222	13
223	223	14
224	224	15
225	225	16
226	226	17
227	227	18
228	228	19
229	229	20
230	230	21
231	231	22
232	232	23
233	233	24 - 6 -2023 - 2024 Legislature LRB-2054/1
234	234	MDE:cdc
235	235	SECTION 1 ASSEMBLY BILL 466
236	236	identifiable individual's economic situation, health, personal preferences, interests,
237	237	reliability, behavior, location, or movements.
238	238	(t) “Pseudonymous data" means personal data that cannot be attributed to a
239	239	specific individual without the use of additional information, provided that such
240	240	additional information is kept separately and is subject to appropriate technical and
241	241	organizational measures to ensure that the personal data is not attributed to an
242	242	identified or identifiable individual.
243	243	(u) “Publicly available information" means information that is lawfully made
244	244	available through federal, state, or local government records, or information that a
245	245	business has a reasonable basis to believe is lawfully made available to the general
246	246	public through widely distributed media, by the consumer, or by a person to whom
247	247	the consumer has disclosed the information, unless the consumer has restricted the
248	248	information to a specific audience.
249	249	(v) “Sale of personal data" means the exchange of personal data for monetary
250	250	consideration by the controller to a 3rd party. “Sale of personal data" does not include
251	251	any of the following:
252	252	1. The disclosure of personal data to a processor that processes the personal
253	253	data on behalf of the controller.
254	254	2. The disclosure of personal data to a 3rd party for purposes of providing a
255	255	product or service requested by the consumer.
256	256	3. The disclosure or transfer of personal data to an affiliate of the controller.
257	257	4. The disclosure of information that a consumer intentionally made available
258	258	to the general public via a channel of mass media and did not restrict to a specific
259	259	audience.
260	260	1
261	261	2
262	262	3
263	263	4
264	264	5
265	265	6
266	266	7
267	267	8
268	268	9
269	269	10
270	270	11
271	271	12
272	272	13
273	273	14
274	274	15
275	275	16
276	276	17
277	277	18
278	278	19
279	279	20
280	280	21
281	281	22
282	282	23
283	283	24 - 7 -2023 - 2024 Legislature
284	284	LRB-2054/1
285	285	MDE:cdc
286	286	SECTION 1
287	287	ASSEMBLY BILL 466
288	288	5. The disclosure or transfer of personal data to a 3rd party as an asset that is
289	289	part of a merger, acquisition, bankruptcy, or other transaction in which the 3rd party
290	290	assumes control of all or part of the controller's assets.
291	291	(w) “Sensitive data” includes the following:
292	292	1. Personal data revealing racial or ethnic origin, religious beliefs, mental or
293	293	physical health diagnosis, sexual orientation, or citizenship or immigration status.
294	294	2. The processing of genetic or biometric data for the purpose of uniquely
295	295	identifying an individual.
296	296	3. The personal data collected from a known child.
297	297	4. Precise geolocation data.
298	298	(x) “Targeted advertising" means displaying advertisements to a consumer
299	299	where the advertisement is selected based on personal data obtained from that
300	300	consumer's activities over time and across nonaffiliated websites or online
301	301	applications to predict such consumer's preferences or interests. “Targeted
302	302	advertising" does not include any of the following:
303	303	1. Advertisements based on activities within a controller's own websites or
304	304	online applications.
305	305	2. Advertisements based on the context of a consumer's current search query,
306	306	visit to a website, or online application.
307	307	3. Advertisements directed to a consumer in response to the consumer's request
308	308	for information or feedback.
309	309	4. Processing personal data processed solely for measuring or reporting
310	310	advertising performance, reach, or frequency.
311	311	(y) “Third party” means a person or association, authority, board, department,
312	312	commission, independent agency, institution, office, society, or other body in state or
313	313	1
314	314	2
315	315	3
316	316	4
317	317	5
318	318	6
319	319	7
320	320	8
321	321	9
322	322	10
323	323	11
324	324	12
325	325	13
326	326	14
327	327	15
328	328	16
329	329	17
330	330	18
331	331	19
332	332	20
333	333	21
334	334	22
335	335	23
336	336	24
337	337	25 - 8 -2023 - 2024 Legislature LRB-2054/1
338	338	MDE:cdc
339	339	SECTION 1 ASSEMBLY BILL 466
340	340	local government created or authorized to be created by the constitution or any law,
341	341	other than a consumer, controller, processor, or an affiliate of the processor or the
342	342	controller.
343	343	(z) “Trade secret” has the meaning given in s. 134.90.
344	344	(2) PERSONAL DATA RIGHTS; CONSUMERS. (a) A consumer may invoke the
345	345	consumer rights authorized under this subsection at any time by submitting a
346	346	request to a controller specifying the consumer rights the consumer wishes to invoke.
347	347	A known child's parent or legal guardian may invoke such consumer rights on behalf
348	348	of the child regarding processing personal data belonging to the known child. A
349	349	controller shall comply with an authenticated consumer request to exercise any of
350	350	the following rights:
351	351	1. To confirm whether or not a controller is processing the consumer's personal
352	352	data and to access such personal data, unless such confirmation or access would
353	353	require the controller to reveal a trade secret.
354	354	2. To correct inaccuracies in the consumer's personal data, taking into account
355	355	the nature of the personal data and the purposes of the processing of the consumer's
356	356	personal data.
357	357	3. To delete personal data provided by or obtained about the consumer.
358	358	4. To obtain a copy of the consumer's personal data that the consumer
359	359	previously provided to the controller in a portable and, to the extent technically
360	360	feasible, readily usable format that allows the consumer to transmit the data to
361	361	another controller without hindrance, where the processing is carried out by
362	362	automated means, provided such controller shall not be required to reveal any trade
363	363	secret.
364	364	1
365	365	2
366	366	3
367	367	4
368	368	5
369	369	6
370	370	7
371	371	8
372	372	9
373	373	10
374	374	11
375	375	12
376	376	13
377	377	14
378	378	15
379	379	16
380	380	17
381	381	18
382	382	19
383	383	20
384	384	21
385	385	22
386	386	23
387	387	24 - 9 -2023 - 2024 Legislature
388	388	LRB-2054/1
389	389	MDE:cdc
390	390	SECTION 1
391	391	ASSEMBLY BILL 466
392	392	5. To opt out of the processing of the personal data for purposes of targeted
393	393	advertising, the sale of personal data, or profiling in furtherance of decisions that
394	394	produce legal or similarly significant effects concerning the consumer.
395	395	(b) 1. Except as otherwise provided in this section, a controller shall comply
396	396	with a request by a consumer to exercise the consumer rights authorized under par.
397	397	(a).
398	398	2. A controller shall respond to a consumer without undue delay, but in all cases
399	399	within 45 days of receipt of a request submitted under par. (a). The response period
400	400	may be extended once by 45 additional days when reasonably necessary, taking into
401	401	account the complexity and number of the consumer's requests, so long as the
402	402	controller informs the consumer of any such extension within the initial 45-day
403	403	response period, together with the reason for the extension.
404	404	3. If a controller declines to take action regarding a consumer's request, the
405	405	controller shall inform the consumer without undue delay, but in all cases and at the
406	406	latest within 45 days of receipt of the request, of the justification for declining to take
407	407	action and instructions for how to appeal the decision under par. (c).
408	408	4. Information provided in response to a consumer request shall be provided
409	409	by a controller free of charge, once annually per consumer. If requests from a
410	410	consumer are manifestly unfounded, technically infeasible, excessive, or repetitive,
411	411	the controller may charge the consumer a reasonable fee to cover the administrative
412	412	costs of complying with the request or decline to act on the request. The controller
413	413	bears the burden of demonstrating the manifestly unfounded, technically infeasible,
414	414	excessive, or repetitive nature of the request.
415	415	5. If a controller is unable to authenticate the request using commercially
416	416	reasonable efforts, the controller may not be required to comply with a request to
417	417	1
418	418	2
419	419	3
420	420	4
421	421	5
422	422	6
423	423	7
424	424	8
425	425	9
426	426	10
427	427	11
428	428	12
429	429	13
430	430	14
431	431	15
432	432	16
433	433	17
434	434	18
435	435	19
436	436	20
437	437	21
438	438	22
439	439	23
440	440	24
441	441	25 - 10 -2023 - 2024 Legislature LRB-2054/1
442	442	MDE:cdc
443	443	SECTION 1 ASSEMBLY BILL 466
444	444	initiate an action under par. (a) and may request that the consumer provide
445	445	additional information reasonably necessary to authenticate the consumer and the
446	446	consumer's request.
447	447	6. A controller that has obtained personal data about a consumer from a source
448	448	other than the consumer shall be deemed in compliance with a consumer's request
449	449	to delete the personal data under par. (a) 3. by doing any of the following:
450	450	a. Deleting the personal data, retaining a record of the request and the
451	451	minimum data necessary to ensure the consumer's personal data remains deleted
452	452	from the controller's records, and not using the retained data for any other purpose.
453	453	b. Not processing the consumer's personal data except as otherwise authorized
454	454	under this section.
455	455	(c) A controller shall establish a process for a consumer to appeal the
456	456	controller's refusal to take action on a request within a reasonable period of time
457	457	after the consumer's receipt of the decision pursuant to par. (b) 3. The appeal process
458	458	shall be conspicuously available and similar to the process for submitting requests
459	459	to initiate action under par. (a). Within 60 days of receipt of an appeal, a controller
460	460	shall inform the consumer in writing of any action taken or not taken in response to
461	461	the appeal, including a written explanation of the reasons for the decisions. If the
462	462	appeal is denied, the controller shall also provide the consumer with an online
463	463	mechanism, if available, or other method through which the consumer may contact
464	464	the attorney general to submit a complaint.
465	465	(3) DATA CONTROLLER RESPONSIBILITIES; TRANSPARENCY. (a) 1. A controller shall
466	466	limit the collection of personal data to what is adequate, relevant, and reasonably
467	467	necessary in relation to the purposes for which such data is processed, as disclosed
468	468	to the consumer.
469	469	1
470	470	2
471	471	3
472	472	4
473	473	5
474	474	6
475	475	7
476	476	8
477	477	9
478	478	10
479	479	11
480	480	12
481	481	13
482	482	14
483	483	15
484	484	16
485	485	17
486	486	18
487	487	19
488	488	20
489	489	21
490	490	22
491	491	23
492	492	24
493	493	25 - 11 -2023 - 2024 Legislature
494	494	LRB-2054/1
495	495	MDE:cdc
496	496	SECTION 1
497	497	ASSEMBLY BILL 466
498	498	2. Except as otherwise provided in this section, a controller may not process
499	499	personal data for purposes that are not reasonably necessary to and not compatible
500	500	with the disclosed purposes for which such personal data is processed, as disclosed
501	501	to the consumer, unless the controller obtains the consumer's consent.
502	502	3. A controller shall establish, implement, and maintain reasonable
503	503	administrative, technical, and physical data security practices to protect the
504	504	confidentiality, integrity, and accessibility of personal data. Such data security
505	505	practices shall be appropriate to the volume and nature of the personal data at issue.
506	506	4. A controller may not process personal data in violation of state and federal
507	507	laws that prohibit unlawful discrimination against consumers. A controller may not
508	508	discriminate against a consumer for exercising any of the consumer rights contained
509	509	in this section, including denying goods or services, charging different prices or rates
510	510	for goods or services, or providing a different level of quality of goods and services to
511	511	the consumer. Nothing in this subdivision shall be construed to require a controller
512	512	to provide a product or service that requires the personal data of a consumer that the
513	513	controller does not collect or maintain, or to prohibit a controller from offering a
514	514	different price, rate, level, quality, or selection of goods or services to a consumer,
515	515	including offering goods or services for no fee, if the consumer has exercised his or
516	516	her right to opt out under sub. (2) (a) 5. or the offer is related to a consumer's
517	517	voluntary participation in a bona fide loyalty, rewards, premium features, discounts,
518	518	or club card program.
519	519	5. A controller may not process sensitive data concerning a consumer without
520	520	obtaining the consumer's consent, or, in the case of the processing of sensitive data
521	521	concerning a known child, without processing such data in accordance with the
522	522	federal Children's Online Privacy Protection Act, 15 USC 6501 et seq.
523	523	1
524	524	2
525	525	3
526	526	4
527	527	5
528	528	6
529	529	7
530	530	8
531	531	9
532	532	10
533	533	11
534	534	12
535	535	13
536	536	14
537	537	15
538	538	16
539	539	17
540	540	18
541	541	19
542	542	20
543	543	21
544	544	22
545	545	23
546	546	24
547	547	25 - 12 -2023 - 2024 Legislature LRB-2054/1
548	548	MDE:cdc
549	549	SECTION 1 ASSEMBLY BILL 466
550	550	(b) Any provision of a contract or agreement that purports to waive or limit
551	551	consumer rights under sub. (2) is void and unenforceable.
552	552	(c) A controller shall provide consumers with a reasonably accessible, clear, and
553	553	meaningful privacy notice that includes all of the following:
554	554	1. The categories of personal data processed by the controller.
555	555	2. The purpose of processing personal data.
556	556	3. How consumers may exercise their consumer rights under sub. (2), including
557	557	how a consumer may appeal a controller's decision with regard to the consumer's
558	558	request.
559	559	4. The categories of personal data that the controller shares with 3rd parties,
560	560	if any.
561	561	5. The categories of 3rd parties, if any, with whom the controller shares
562	562	personal data.
563	563	(d) If a controller sells personal data to 3rd parties or processes personal data
564	564	for targeted advertising, the controller shall clearly and conspicuously disclose such
565	565	processing, as well as the manner in which a consumer may exercise the right to opt
566	566	out of such processing.
567	567	(e) A controller shall establish, and shall describe in a privacy notice, one or
568	568	more secure and reliable means for consumers to submit a request to exercise their
569	569	consumer rights under this section. Such means shall take into account the ways in
570	570	which consumers normally interact with the controller, the need for secure and
571	571	reliable communication of such requests, and the ability of the controller to
572	572	authenticate the identity of the consumer making the request. Controllers may not
573	573	require a consumer to create a new account in order to exercise consumer rights
574	574	under sub. (2) but may require a consumer to use an existing account.
575	575	1
576	576	2
577	577	3
578	578	4
579	579	5
580	580	6
581	581	7
582	582	8
583	583	9
584	584	10
585	585	11
586	586	12
587	587	13
588	588	14
589	589	15
590	590	16
591	591	17
592	592	18
593	593	19
594	594	20
595	595	21
596	596	22
597	597	23
598	598	24
599	599	25 - 13 -2023 - 2024 Legislature
600	600	LRB-2054/1
601	601	MDE:cdc
602	602	SECTION 1
603	603	ASSEMBLY BILL 466
604	604	(4) RESPONSIBILITY ACCORDING TO ROLE; CONTROLLER AND PROCESSOR. (a) A
605	605	processor shall adhere to the instructions of a controller and shall assist the
606	606	controller in meeting its obligations under this section. Such assistance shall include
607	607	the following:
608	608	1. Taking into account the nature of processing and the information available
609	609	to the processor, by appropriate technical and organizational measures, insofar as
610	610	this is reasonably practicable, to fulfill the controller's obligation to respond to
611	611	consumer rights requests under sub. (2).
612	612	2. Taking into account the nature of processing and the information available
613	613	to the processor, by assisting the controller in meeting the controller's obligations in
614	614	relation to the security of processing the personal data and in relation to giving notice
615	615	of unauthorized acquisition of personal information under s. 134.98.
616	616	3. Providing necessary information to enable the controller to conduct and
617	617	document data protection assessments under sub. (5).
618	618	(b) A contract between a controller and a processor shall govern the processor's
619	619	data processing procedures with respect to processing performed on behalf of the
620	620	controller. The contract shall be binding and clearly set forth instructions for
621	621	processing data, the nature and purpose of processing, the type of data subject to
622	622	processing, the duration of processing, and the rights and obligations of both parties.
623	623	The contract shall also include requirements that the processor shall do all of the
624	624	following:
625	625	1. Ensure that each person processing personal data is subject to a duty of
626	626	confidentiality with respect to the data.
627	627	1
628	628	2
629	629	3
630	630	4
631	631	5
632	632	6
633	633	7
634	634	8
635	635	9
636	636	10
637	637	11
638	638	12
639	639	13
640	640	14
641	641	15
642	642	16
643	643	17
644	644	18
645	645	19
646	646	20
647	647	21
648	648	22
649	649	23 - 14 -2023 - 2024 Legislature LRB-2054/1
650	650	MDE:cdc
651	651	SECTION 1 ASSEMBLY BILL 466
652	652	2. At the controller's direction, delete or return all personal data to the
653	653	controller as requested at the end of the provision of services, unless retention of the
654	654	personal data is required by law.
655	655	3. Upon the reasonable request of the controller, make available to the
656	656	controller all information in its possession necessary to demonstrate the processor's
657	657	compliance with the obligations in this section.
658	658	4. At least one of the following:
659	659	a. Allow, and cooperate with, reasonable assessments by the controller or the
660	660	controller's designated assessor.
661	661	b. Arrange for a qualified and independent assessor to conduct an assessment
662	662	of the processor's policies and technical and organizational measures in support of
663	663	the obligations under this section using an appropriate and accepted control
664	664	standard or framework and assessment procedure for such assessments. The
665	665	processor shall provide a report of such assessment to the controller upon request.
666	666	5. Engage any subcontractor pursuant to a written contract in accordance with
667	667	par. (c) that requires the subcontractor to meet the obligations of the processor with
668	668	respect to the personal data.
669	669	(c) Nothing in this section shall be construed to relieve a controller or a
670	670	processor from the liabilities imposed on it by virtue of its role in the processing
671	671	relationship as defined by this section.
672	672	(d) Determining whether a person is acting as a controller or processor with
673	673	respect to a specific processing of data is a fact-based determination that depends
674	674	upon the context in which personal data is to be processed. A processor that
675	675	continues to adhere to a controller's instructions with respect to a specific processing
676	676	of personal data remains a processor.
677	677	1
678	678	2
679	679	3
680	680	4
681	681	5
682	682	6
683	683	7
684	684	8
685	685	9
686	686	10
687	687	11
688	688	12
689	689	13
690	690	14
691	691	15
692	692	16
693	693	17
694	694	18
695	695	19
696	696	20
697	697	21
698	698	22
699	699	23
700	700	24
701	701	25 - 15 -2023 - 2024 Legislature
702	702	LRB-2054/1
703	703	MDE:cdc
704	704	SECTION 1
705	705	ASSEMBLY BILL 466
706	706	(5) DATA PROTECTION ASSESSMENTS. (a) A controller shall conduct and document
707	707	a data protection assessment of each of the following processing activities involving
708	708	personal data:
709	709	1. The processing of personal data for purposes of targeted advertising.
710	710	2. The sale of personal data.
711	711	3. The processing of personal data for purposes of profiling, where such
712	712	profiling presents a reasonably foreseeable risk of any of the following:
713	713	a. Unfair or deceptive treatment of, or unlawful disparate impact on,
714	714	consumers.
715	715	b. Financial, physical, or reputational injury to consumers.
716	716	c. Physical or other intrusion upon the solitude or seclusion, or the private
717	717	affairs or concerns, of consumers, where such intrusion would be offensive to a
718	718	reasonable person.
719	719	d. Other substantial injury to consumers.
720	720	4. The processing of sensitive data.
721	721	5. Any processing activities involving personal data that present a heightened
722	722	risk of harm to consumers.
723	723	(b) Data protection assessments conducted under par. (a) shall identify and
724	724	weigh the benefits that may flow, directly and indirectly, from the processing to the
725	725	controller, the consumer, other stakeholders, and the public against the potential
726	726	risks to the rights of the consumer associated with such processing, as mitigated by
727	727	safeguards that can be employed by the controller to reduce such risks. The use of
728	728	deidentified data and the reasonable expectations of consumers, as well as the
729	729	context of the processing and the relationship between the controller and the
730	730	1
731	731	2
732	732	3
733	733	4
734	734	5
735	735	6
736	736	7
737	737	8
738	738	9
739	739	10
740	740	11
741	741	12
742	742	13
743	743	14
744	744	15
745	745	16
746	746	17
747	747	18
748	748	19
749	749	20
750	750	21
751	751	22
752	752	23
753	753	24 - 16 -2023 - 2024 Legislature LRB-2054/1
754	754	MDE:cdc
755	755	SECTION 1 ASSEMBLY BILL 466
756	756	consumer whose personal data will be processed, shall be factored into this
757	757	assessment by the controller.
758	758	(c) The attorney general may request, pursuant to a civil investigative demand
759	759	issued under sub. (10) (a), that a controller disclose any data protection assessment
760	760	that is relevant to an investigation conducted by the attorney general, and the
761	761	controller shall make the data protection assessment available to the attorney
762	762	general. The attorney general may evaluate the data protection assessment for
763	763	compliance with the responsibilities set forth in sub. (3). Data protection
764	764	assessments shall be confidential and not subject to the right of inspection and
765	765	copying under s. 19.35 (1). The disclosure of a data protection assessment pursuant
766	766	to a request from the attorney general shall not constitute a waiver of attorney-client
767	767	privilege or work product protection with respect to the assessment and any
768	768	information contained in the assessment.
769	769	(d) A single data protection assessment may address a comparable set of
770	770	processing operations that include similar activities.
771	771	(e) Data protection assessments conducted by a controller for the purpose of
772	772	compliance with other laws or regulations may comply under this section if the
773	773	assessments have a reasonably comparable scope and effect.
774	774	(f) Data protection assessment requirements shall apply to processing
775	775	activities created or generated after January 1, 2024, and are not retroactive.
776	776	(6) PROCESSING DEIDENTIFIED DATA; EXEMPTIONS. (a) A controller in possession
777	777	of deidentified data shall do all of the following:
778	778	1. Take reasonable measures to ensure that the data cannot be associated with
779	779	an individual.
780	780	1
781	781	2
782	782	3
783	783	4
784	784	5
785	785	6
786	786	7
787	787	8
788	788	9
789	789	10
790	790	11
791	791	12
792	792	13
793	793	14
794	794	15
795	795	16
796	796	17
797	797	18
798	798	19
799	799	20
800	800	21
801	801	22
802	802	23
803	803	24 - 17 -2023 - 2024 Legislature
804	804	LRB-2054/1
805	805	MDE:cdc
806	806	SECTION 1
807	807	ASSEMBLY BILL 466
808	808	2. Publicly commit to maintaining and using deidentified data without
809	809	attempting to reidentify the data.
810	810	3. Contractually obligate any recipients of the deidentified data to comply with
811	811	all provisions of this section.
812	812	(b) Nothing in this section shall be construed to require a controller or processor
813	813	to do any of the following:
814	814	1. Reidentify deidentified data or pseudonymous data.
815	815	2. Maintain data in identifiable form.
816	816	3. Collect, obtain, retain, or access any data or technology, in order to be capable
817	817	of associating an authenticated consumer request with personal data.
818	818	(c) Nothing in this section shall be construed to require a controller or processor
819	819	to comply with an authenticated consumer rights request under sub. (2) if all of the
820	820	following are true:
821	821	1. The controller is not reasonably capable of associating the request with the
822	822	personal data or it would be unreasonably burdensome for the controller to associate
823	823	the request with the personal data.
824	824	2. The controller does not use the personal data to recognize or respond to the
825	825	specific consumer who is the subject of the personal data, or associate the personal
826	826	data with other personal data about the same specific consumer.
827	827	3. The controller does not sell the personal data to any 3rd party or otherwise
828	828	voluntarily disclose the personal data to any 3rd party other than a processor, except
829	829	as otherwise permitted in this subsection.
830	830	(d) The consumer rights contained in subs. (2) (a) 1. to 4. and (3) shall not apply
831	831	to pseudonymous data in cases where the controller is able to demonstrate any
832	832	information necessary to identify the consumer is kept separately and is subject to
833	833	1
834	834	2
835	835	3
836	836	4
837	837	5
838	838	6
839	839	7
840	840	8
841	841	9
842	842	10
843	843	11
844	844	12
845	845	13
846	846	14
847	847	15
848	848	16
849	849	17
850	850	18
851	851	19
852	852	20
853	853	21
854	854	22
855	855	23
856	856	24
857	857	25 - 18 -2023 - 2024 Legislature LRB-2054/1
858	858	MDE:cdc
859	859	SECTION 1 ASSEMBLY BILL 466
860	860	effective technical and organizational controls that prevent the controller from
861	861	accessing such information.
862	862	(e) A controller that discloses pseudonymous data or deidentified data shall
863	863	exercise reasonable oversight to monitor compliance with any contractual
864	864	commitments to which the pseudonymous data or deidentified data is subject and
865	865	shall take appropriate steps to address any breaches of those contractual
866	866	commitments.
867	867	(7) LIMITATIONS. (a) Nothing in this section shall be construed to restrict a
868	868	controller's or processor's ability to do any of the following:
869	869	1. Comply with federal, state, or local laws, rules, or regulations.
870	870	2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena,
871	871	or summons by federal, state, local, or other governmental authorities.
872	872	3. Cooperate with law enforcement agencies concerning conduct or activity that
873	873	the controller or processor reasonably and in good faith believes may violate federal,
874	874	state, or local laws, rules, or regulations.
875	875	4. Investigate, establish, exercise, prepare for, or defend legal claims.
876	876	5. Provide a product or service specifically requested by a consumer or the
877	877	parent or guardian of a child, perform a contract to which the consumer is a party,
878	878	including fulfilling the terms of a written warranty, or take steps at the request of
879	879	the consumer prior to entering into a contract.
880	880	6. Take immediate steps to protect an interest that is essential for the life or
881	881	physical safety of the consumer or of another individual, and where the processing
882	882	cannot be manifestly based on another legal basis.
883	883	7. Prevent, detect, protect against, or respond to security incidents, identity
884	884	theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
885	885	1
886	886	2
887	887	3
888	888	4
889	889	5
890	890	6
891	891	7
892	892	8
893	893	9
894	894	10
895	895	11
896	896	12
897	897	13
898	898	14
899	899	15
900	900	16
901	901	17
902	902	18
903	903	19
904	904	20
905	905	21
906	906	22
907	907	23
908	908	24
909	909	25 - 19 -2023 - 2024 Legislature
910	910	LRB-2054/1
911	911	MDE:cdc
912	912	SECTION 1
913	913	ASSEMBLY BILL 466
914	914	preserve the integrity or security of systems; or investigate, report, or prosecute
915	915	those responsible for any such action.
916	916	8. Engage in public or peer-reviewed scientific or statistical research in the
917	917	public interest that adheres to all other applicable ethics and privacy laws and is
918	918	approved, monitored, and governed by an institutional review board, or similar
919	919	independent oversight entities that determine all of the following:
920	920	a. If the deletion of the information is likely to provide substantial benefits that
921	921	do not exclusively accrue to the controller.
922	922	b. The expected benefits of the research outweigh the privacy risks.
923	923	c. If the controller has implemented reasonable safeguards to mitigate privacy
924	924	risks associated with research, including any risks associated with reidentification.
925	925	9. Assist another controller, processor, or 3rd party with any of the obligations
926	926	under this section.
927	927	(b) The obligations imposed on controllers or processors under this section shall
928	928	not restrict a controller's or processor's ability to collect, use, or retain data to do any
929	929	of the following:
930	930	1. Conduct internal research to develop, improve, or repair products, services,
931	931	or technology.
932	932	2. Effectuate a product recall.
933	933	3. Identify and repair technical errors that impair existing or intended
934	934	functionality.
935	935	4. Perform internal operations that are reasonably aligned with the
936	936	expectations of the consumer or reasonably anticipated on the basis of the
937	937	consumer's existing relationship with the controller or are otherwise compatible
938	938	with processing data in furtherance of the provision of a product or service
939	939	1
940	940	2
941	941	3
942	942	4
943	943	5
944	944	6
945	945	7
946	946	8
947	947	9
948	948	10
949	949	11
950	950	12
951	951	13
952	952	14
953	953	15
954	954	16
955	955	17
956	956	18
957	957	19
958	958	20
959	959	21
960	960	22
961	961	23
962	962	24
963	963	25 - 20 -2023 - 2024 Legislature LRB-2054/1
964	964	MDE:cdc
965	965	SECTION 1 ASSEMBLY BILL 466
966	966	specifically requested by a consumer or the performance of a contract to which the
967	967	consumer is a party.
968	968	(c) The obligations imposed on controllers or processors under this section shall
969	969	not apply where compliance by the controller or processor with this section would
970	970	violate an evidentiary privilege under ch. 905. Nothing in this section shall be
971	971	construed to prevent a controller or processor from providing personal data
972	972	concerning a consumer to a person covered by an evidentiary privilege under ch. 905
973	973	as part of a privileged communication.
974	974	(d) A controller or processor that discloses personal data to a 3rd-party
975	975	controller or processor, in compliance with the requirements of this section, is not in
976	976	violation of this section if the 3rd-party controller or processor that receives and
977	977	processes such personal data is in violation of this section, provided that, at the time
978	978	of disclosing the personal data, the disclosing controller or processor did not have
979	979	actual knowledge that the recipient intended to commit a violation. A 3rd-party
980	980	controller or processor receiving personal data from a controller or processor in
981	981	compliance with the requirements of this section is likewise not in violation of this
982	982	section for the transgressions of the controller or processor from which it receives
983	983	such personal data.
984	984	(e) Nothing in this section shall be construed as an obligation imposed on
985	985	controllers and processors that adversely affects the rights or freedoms of any
986	986	persons, such as exercising the right of free speech pursuant to the First Amendment
987	987	to the U.S. Constitution, or applies to the processing of personal data by a person in
988	988	the course of a purely personal or household activity.
989	989	(f) Personal data processed by a controller pursuant to this subsection may not
990	990	be processed for any purpose other than those expressly listed in this subsection
991	991	1
992	992	2
993	993	3
994	994	4
995	995	5
996	996	6
997	997	7
998	998	8
999	999	9
1000	1000	10
1001	1001	11
1002	1002	12
1003	1003	13
1004	1004	14
1005	1005	15
1006	1006	16
1007	1007	17
1008	1008	18
1009	1009	19
1010	1010	20
1011	1011	21
1012	1012	22
1013	1013	23
1014	1014	24
1015	1015	25 - 21 -2023 - 2024 Legislature
1016	1016	LRB-2054/1
1017	1017	MDE:cdc
1018	1018	SECTION 1
1019	1019	ASSEMBLY BILL 466
1020	1020	unless otherwise allowed by this section. Personal data processed by a controller
1021	1021	pursuant to this subsection may be processed to the extent that such processing is
1022	1022	both of the following:
1023	1023	1. Reasonably necessary and proportionate to the purposes listed in this
1024	1024	subsection.
1025	1025	2. Adequate, relevant, and limited to what is necessary in relation to the
1026	1026	specific purposes listed in this subsection. Personal data collected, used, or retained
1027	1027	pursuant to par. (b) shall, where applicable, take into account the nature and purpose
1028	1028	or purposes of such collection, use, or retention. Such data shall be subject to
1029	1029	reasonable administrative, technical, and physical measures to protect the
1030	1030	confidentiality, integrity, and accessibility of the personal data and to reduce
1031	1031	reasonably foreseeable risks of harm to consumers relating to such collection, use,
1032	1032	or retention of personal data.
1033	1033	(g) If a controller processes personal data pursuant to an exemption in this
1034	1034	section, the controller bears the burden of demonstrating that such processing
1035	1035	qualifies for the exemption and complies with the requirements in par. (f).
1036	1036	(h) Processing personal data for the purposes expressly identified in par. (a)
1037	1037	shall not solely make an entity a controller with respect to such processing.
1038	1038	(8) SCOPE; EXEMPTIONS. (a) This section applies to persons that conduct
1039	1039	business in this state or produce products or services that are targeted to residents
1040	1040	of this state and who satisfy either of the following:
1041	1041	1. During a calendar year, the person controls or processes personal data of at
1042	1042	least 100,000 consumers.
1043	1043	2. The person controls or processes personal data of at least 25,000 consumers
1044	1044	and derives over 50 percent of gross revenue from the sale of personal data.
1045	1045	1
1046	1046	2
1047	1047	3
1048	1048	4
1049	1049	5
1050	1050	6
1051	1051	7
1052	1052	8
1053	1053	9
1054	1054	10
1055	1055	11
1056	1056	12
1057	1057	13
1058	1058	14
1059	1059	15
1060	1060	16
1061	1061	17
1062	1062	18
1063	1063	19
1064	1064	20
1065	1065	21
1066	1066	22
1067	1067	23
1068	1068	24
1069	1069	25 - 22 -2023 - 2024 Legislature LRB-2054/1
1070	1070	MDE:cdc
1071	1071	SECTION 1 ASSEMBLY BILL 466
1072	1072	(b) This section shall not apply to any of the following:
1073	1073	1. An association, authority, board, department, commission, independent
1074	1074	agency, institution, office, society, or other body in state or local government created
1075	1075	or authorized to be created by the constitution or any law.
1076	1076	2. Financial institutions, affiliates of financial institutions, or data subject to
1077	1077	Title V of the federal Gramm-Leach-Bliley Act, 15 USC 6801 et seq.
1078	1078	3. A covered entity or business associate governed by HIPAA or HITECH.
1079	1079	4. A nonprofit organization.
1080	1080	5. An institution of higher education.
1081	1081	6. The entity under contract under s. 153.05 (2m) (a) and its contractors.
1082	1082	7. The data organization under contract under s. 153.05 (2r) and its
1083	1083	contractors.
1084	1084	(c) The following information and data are exempt from this section:
1085	1085	1. Any health care information or record that is governed by HIPAA, HITECH,
1086	1086	Cures Act, or any other federal law governing the use, disclosure, access or creation
1087	1087	of health care information or records, including any derived, identifiable,
1088	1088	de-identifiable, confidential or non-confidential health care information or records
1089	1089	as defined by such federal laws.
1090	1090	2. Any health care information or record that is governed by s. 51.30, 146.816,
1091	1091	146.82, 146.83, or 146.84, chapter 153, or other Wisconsin law governing the use,
1092	1092	disclosure, access or creation of health care information or records, including any
1093	1093	derived, identifiable, de-identifiable, confidential or non-confidential health care
1094	1094	information or records as defined by such Wisconsin laws.
1095	1095	3. Any of the following:
1096	1096	1
1097	1097	2
1098	1098	3
1099	1099	4
1100	1100	5
1101	1101	6
1102	1102	7
1103	1103	8
1104	1104	9
1105	1105	10
1106	1106	11
1107	1107	12
1108	1108	13
1109	1109	14
1110	1110	15
1111	1111	16
1112	1112	17
1113	1113	18
1114	1114	19
1115	1115	20
1116	1116	21
1117	1117	22
1118	1118	23
1119	1119	24 - 23 -2023 - 2024 Legislature
1120	1120	LRB-2054/1
1121	1121	MDE:cdc
1122	1122	SECTION 1
1123	1123	ASSEMBLY BILL 466
1124	1124	a. Identifiable private information for purposes of the federal policy for the
1125	1125	protection of human subjects under 45 CFR Part 46.
1126	1126	b. Identifiable private information that is otherwise information collected as
1127	1127	part of human subjects research pursuant to the good clinical practice guidelines
1128	1128	issued by the International Council for Harmonisation of Technical Requirements
1129	1129	for Pharmaceuticals for Human Use or under 21 CFR Parts 50 and 56.
1130	1130	c. Personal data used or shared in research conducted in accordance with the
1131	1131	requirements set forth in this section, or other research conducted in accordance with
1132	1132	applicable law.
1133	1133	4. Information and documents created for purposes of the federal Health Care
1134	1134	Quality Improvement Act of 1986, 42 USC 11101 et seq.
1135	1135	5. Patient safety work product for purposes of the federal Patient Safety and
1136	1136	Quality Improvement Act, 42 USC 299b-21 et seq.
1137	1137	6. Information originating from, and intermingled to be indistinguishable
1138	1138	with, or information treated in the same manner as information exempt under this
1139	1139	paragraph.
1140	1140	7. The collection, maintenance, disclosure, sale, communication, or use of any
1141	1141	personal information bearing on a consumer's credit worthiness, credit standing,
1142	1142	credit capacity, character, general reputation, personal characteristics, or mode of
1143	1143	living by a consumer reporting agency, furnisher, or user that provides information
1144	1144	for use in a consumer report, and by a user of a consumer report, but only to the extent
1145	1145	that such activity is regulated by and authorized under the federal Fair Credit
1146	1146	Reporting Act, 15 USC 1681 et seq.
1147	1147	8. Personal data collected, processed, sold, or disclosed in compliance with the
1148	1148	federal Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq.
1149	1149	1
1150	1150	2
1151	1151	3
1152	1152	4
1153	1153	5
1154	1154	6
1155	1155	7
1156	1156	8
1157	1157	9
1158	1158	10
1159	1159	11
1160	1160	12
1161	1161	13
1162	1162	14
1163	1163	15
1164	1164	16
1165	1165	17
1166	1166	18
1167	1167	19
1168	1168	20
1169	1169	21
1170	1170	22
1171	1171	23
1172	1172	24
1173	1173	25 - 24 -2023 - 2024 Legislature LRB-2054/1
1174	1174	MDE:cdc
1175	1175	SECTION 1 ASSEMBLY BILL 466
1176	1176	9. Personal data regulated by the federal Family Educational Rights and
1177	1177	Privacy Act, 20 USC 1232g et seq.
1178	1178	10. Personal data collected, processed, sold, or disclosed in compliance with the
1179	1179	federal Farm Credit Act, 12 USC 2001 et seq.
1180	1180	11. Data processed or maintained for any of the following purposes:
1181	1181	a. In the course of an individual applying to, employed by, or acting as an agent
1182	1182	or independent contractor of a controller, processor, or 3rd party, to the extent that
1183	1183	the data is collected and used within the context of that role.
1184	1184	b. As the emergency contact information of an individual under this section
1185	1185	used for emergency contact purposes.
1186	1186	c. That is necessary to retain to administer benefits for another individual
1187	1187	relating to an individual described in subd. 15. a. and used for the purposes of
1188	1188	administering those benefits.
1189	1189	12. Personal data collected, processed, and maintained in compliance with the
1190	1190	Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., as amended,
1191	1191	and regulations thereto.
1192	1192	(9) VIOLATIONS. (a) The attorney general shall have exclusive authority to
1193	1193	enforce violations of this section.
1194	1194	(b) 1. Prior to initiating any action under this section, the attorney general shall
1195	1195	provide a controller or processor 30 days' written notice identifying the specific
1196	1196	provisions of this section the attorney general, on behalf of a consumer, alleges have
1197	1197	been or are being violated. If within the 30 days the controller or processor cures the
1198	1198	noticed violation and provides the attorney general an express written statement
1199	1199	that the alleged violations have been cured and that no such further violations shall
1200	1200	1
1201	1201	2
1202	1202	3
1203	1203	4
1204	1204	5
1205	1205	6
1206	1206	7
1207	1207	8
1208	1208	9
1209	1209	10
1210	1210	11
1211	1211	12
1212	1212	13
1213	1213	14
1214	1214	15
1215	1215	16
1216	1216	17
1217	1217	18
1218	1218	19
1219	1219	20
1220	1220	21
1221	1221	22
1222	1222	23
1223	1223	24 - 25 -2023 - 2024 Legislature
1224	1224	LRB-2054/1
1225	1225	MDE:cdc
1226	1226	SECTION 1
1227	1227	ASSEMBLY BILL 466
1228	1228	occur, no action for statutory damages shall be initiated against the controller or
1229	1229	processor.
1230	1230	2. If a controller or processor continues to violate this section in breach of an
1231	1231	express written statement provided to the consumer under this section, the attorney
1232	1232	general may initiate an action and seek damages for up to $7,500 for each violation
1233	1233	under this section.
1234	1234	(c) Nothing in this section shall be construed as providing the basis for, or be
1235	1235	subject to, a private right of action to violations of this section or under any other law.
1236	1236	(10) ENFORCEMENT. (a) The attorney general retains exclusive authority to
1237	1237	enforce this section by bringing an action in the name of the state, or on behalf of
1238	1238	persons residing in the state. The attorney general may issue a civil investigative
1239	1239	demand to any controller or processor believed to be engaged in, or about to engage
1240	1240	in, any violation of this section, and by the civil investigative demand the attorney
1241	1241	general may compel the attendance of any officers or agents of the controller or
1242	1242	processor, examine the officers or agents of the controller or processor under oath,
1243	1243	require the production of any books or papers that the attorney general deems
1244	1244	relevant or material to the inquiry, and issue written interrogatories to be answered
1245	1245	by the officers or agents of the controller or processor.
1246	1246	(b) Any controller or processor that violates this section is subject to an
1247	1247	injunction and liable for a forfeiture of not more than $7,500 for each violation.
1248	1248	(c) Notwithstanding s. 814.04 (1), the attorney general may recover reasonable
1249	1249	expenses incurred in investigating and preparing the case, including attorney fees,
1250	1250	of any action initiated under this section.
1251	1251	(11) LOCAL PREEMPTION. No city, village, town, or county may enact or enforce
1252	1252	an ordinance that regulates the collection, processing, or sale of personal data.
1253	1253	1
1254	1254	2
1255	1255	3
1256	1256	4
1257	1257	5
1258	1258	6
1259	1259	7
1260	1260	8
1261	1261	9
1262	1262	10
1263	1263	11
1264	1264	12
1265	1265	13
1266	1266	14
1267	1267	15
1268	1268	16
1269	1269	17
1270	1270	18
1271	1271	19
1272	1272	20
1273	1273	21
1274	1274	22
1275	1275	23
1276	1276	24
1277	1277	25 - 26 -2023 - 2024 Legislature LRB-2054/1
1278	1278	MDE:cdc
1279	1279	SECTION 2 ASSEMBLY BILL 466
1280	1280	SECTION 2.0Effective date.
1281	1281	(1) This act takes effect on January 1, 2025.
1282	1282	(END)
1283	1283	1
1284	1284	2
1285	1285	3