Wisconsin 2025-2026 Regular Session

Wisconsin Assembly Bill AB172 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	2025 - 2026 LEGISLATURE
2	2	LRB-0314/1
3	3	MDE:cdc&emw
4	4	2025 ASSEMBLY BILL 172
5	5	April 9, 2025 - Introduced by Representatives ZIMMERMAN, SORTWELL, ALLEN,
6	6	ARMSTRONG, BEHNKE, DITTRICH, DUCHOW, GOEBEN, GUSTAFSON, KNODL,
7	7	KREIBICH, KRUG, KURTZ, MAXEY, MELOTIK, MURPHY, MURSAU, NEDWESKI,
8	8	O'CONNOR, PENTERMAN, PIWOWARCZYK, PRONSCHINSKE, SNYDER, STEFFEN,
9	9	TITTL, TUSLER, WITTKE and MOSES, cosponsored by Senators QUINN, NASS,
10	10	ROYS and MARKLEIN. Referred to Committee on Consumer Protection.
11	11
12	12	*AUTHORS SUBJECT TO CHANGE*
13	13	AN ACT to repeal 100.80 (9) (b) 1.; to renumber and amend 100.80 (9) (b) 2.;
14	14	to create 100.80 of the statutes; relating to: consumer data protection and
15	15	providing a penalty.
16	16	Analysis by the Legislative Reference Bureau
17	17	This bill establishes requirements for controllers and processors of the
18	18	personal data of consumers. The bill defines a XcontrollerY as a person that, alone
19	19	or jointly with others, determines the purpose and means of processing personal
20	20	data, and the bill applies to controllers that control or process the personal data of
21	21	at least 100,000 consumers or that control or process the personal data of at least
22	22	25,000 consumers and derive over 50 percent of their gross revenue from the sale of
23	23	personal data. Under the bill, Xpersonal dataY means any information that is linked
24	24	or reasonably linkable to an individual except for publicly available information.
25	25	The bill provides consumers with the following rights regarding their personal
26	26	data: 1) to confirm whether a controller is processing the consumer[s personal data
27	27	and to access the personal data; 2) to correct inaccuracies in the consumer[s
28	28	personal data; 3) to require a controller to delete personal data provided by or about
29	29	the consumer; 4) to obtain a copy of the personal data that the consumer previously
30	30	provided to the controller; and 5) to opt out of the processing of the consumer[s
31	31	personal data for targeted advertising; the sale of the consumer[s personal data;
32	32	and certain forms of automated processing of the consumer[s personal data. These
33	33	1
34	34	2
35	35	3 2025 - 2026 Legislature
36	36	ASSEMBLY BILL 172
37	37	- 2 - LRB-0314/1
38	38	MDE:cdc&emw
39	39	rights are subject to certain exceptions specified in the bill. Controllers may not
40	40	discriminate against a consumer for exercising rights under the bill, including by
41	41	charging different prices for goods or providing a different level of quality of goods
42	42	or services.
43	43	A controller must establish one or more secure and reliable means for
44	44	consumers to submit a request to exercise their consumer rights under the bill.
45	45	Such means must include a clear and conspicuous link on the controller[s website to
46	46	a webpage that enables a consumer or an agent of a consumer to opt out of the
47	47	targeted advertising or sale of the consumer[s personal data and, on or after July 1,
48	48	2028, an opt-out preference signal sent, with a consumer[s intent, by a platform,
49	49	technology, or mechanism to the controller indicating the consumer[s intent to opt
50	50	out of any processing of the consumer[s personal data for the purpose of targeted
51	51	advertising or sale of the consumer[s personal data.
52	52	The bill requires controllers to respond to consumers[ requests to invoke rights
53	53	under the bill without undue delay. If a controller declines to take action regarding
54	54	a consumer[s request, the controller must inform the consumer of its justification
55	55	without undue delay. The bill also requires that information provided in response
56	56	to a consumer[s request be provided free of charge once annually per consumer.
57	57	Controllers must also establish processes for consumers to appeal a refusal to take
58	58	action on a consumer[s request. Within 60 days of receiving an appeal, a controller
59	59	must inform the consumer in writing of any action taken or not taken in response to
60	60	the appeal, including a written explanation of the reasons for its decisions. If the
61	61	appeal is denied, the controller must provide the consumer with a method through
62	62	which the consumer can contact the Department of Agriculture, Trade and
63	63	Consumer Protection to submit a complaint.
64	64	Under the bill, a controller must provide consumers with a privacy notice that
65	65	discloses the categories of personal data processed by the controller; the purpose of
66	66	processing the personal data; the categories of third parties, if any, with whom the
67	67	controller shares personal data; the categories of personal data that the controller
68	68	shares with third parties; and information about how consumers may exercise their
69	69	rights under the bill. Controllers may not collect or process personal data for
70	70	purposes that are not relevant to or reasonably necessary for the purposes disclosed
71	71	in the privacy notice. The bill[s requirements do not restrict a controller[s ability to
72	72	collect, use, or retain data for conducting internal research, effectuating a product
73	73	recall, identifying and repairing technical errors, or performing internal operations
74	74	that are reasonably aligned with consumer expectations or reasonably anticipated
75	75	on the basis of a consumer[s relationship with the controller.
76	76	Persons that process personal data on behalf of a controller must adhere to a
77	77	contract between the controller and the processor, and such contracts must satisfy
78	78	certain requirements specified in the bill. The bill also requires controllers to
79	79	conduct data protection assessments related to certain activities, including
80	80	processing personal data for targeted advertising, selling personal data, processing
81	81	personal data for profiling purposes, and processing sensitive data, as defined in 2025 - 2026 Legislature
82	82	ASSEMBLY BILL 172
83	83	- 3 - LRB-0314/1
84	84	MDE:cdc&emw
85	85	SECTION 1
86	86	the bill. DATCP may request that a controller disclose a data protection assessment
87	87	that is relevant to an investigation being conducted by DATCP.
88	88	DATCP and the Department of Justice have exclusive authority to enforce
89	89	violations of the bill[s requirements. A controller or processor that violates the bill[s
90	90	requirements is subject to a forfeiture of up to $10,000 per violation, and DATCP or
91	91	DOJ may recover reasonable investigation and litigation expenses incurred.
92	92	During the time between the bill[s effective date and July 1, 2031, before bringing
93	93	an action to enforce the bill[s requirements, DATCP or DOJ must first provide a
94	94	controller or processor with a written notice identifying the violations. If within 30
95	95	days of receiving the notice the controller or processor cures the violation and
96	96	provides DATCP or DOJ with an express written statement that the violation is
97	97	cured and that no such further violations will occur, then DATCP or DOJ may not
98	98	bring an action against the controller or processor.
99	99	The bill also prohibits cities, villages, towns, and counties from enacting or
100	100	enforcing ordinances that regulate the collection, processing, or sale of personal
101	101	data.
102	102	For further information see the state fiscal estimate, which will be printed as
103	103	an appendix to this bill.
104	104	The people of the state of Wisconsin, represented in senate and assembly, do
105	105	enact as follows:
106	106	SECTION 1. 100.80 of the statutes is created to read:
107	107	100.80 Consumer data protection. (1) DEFINITIONS. In this section:
108	108	(a) XAffiliateY means a legal entity that controls, is controlled by, or is under
109	109	common control with another legal entity or shares common branding with another
110	110	legal entity. For the purposes of this definition, XcontrolY or XcontrolledY means
111	111	ownership of, or the power to vote, more than 50 percent of the outstanding shares
112	112	of any class of voting security of a company; control in any manner over the election
113	113	of a majority of the directors or of individuals exercising similar functions; or the
114	114	power to exercise controlling influence over the management of a company.
115	115	(b) XAuthenticateY means verifying through reasonable means that the
116	116	consumer, entitled to exercise his or her consumer rights under sub. (2), is the same
117	117	1
118	118	2
119	119	3
120	120	4
121	121	5
122	122	6
123	123	7
124	124	8
125	125	9
126	126	10
127	127	11 2025 - 2026 Legislature
128	128	ASSEMBLY BILL 172
129	129	- 4 - LRB-0314/1
130	130	MDE:cdc&emw
131	131	SECTION 1
132	132	consumer exercising such consumer rights, or is an individual with authority to
133	133	exercise such rights of a consumer, with respect to the personal data at issue.
134	134	(c) XBiometric dataY means data generated by automatic measurements of an
135	135	individual[s biological characteristics, such as a fingerprint, voiceprint, eye retinas,
136	136	irises, or other unique biological patterns or characteristics that are used to identify
137	137	a specific individual. XBiometric dataY does not include a physical or digital
138	138	photograph, a video or audio recording or data generated therefrom unless such
139	139	data is generated to identify a specific individual, or information collected, used, or
140	140	stored for health care treatment, payment, or operations under the federal Health
141	141	Insurance Portability and Accountability Act of 1996.
142	142	(d) XBusiness associateY has the meaning given in 45 CFR 160.103.
143	143	(e) XChildY means an individual younger than 13 years of age.
144	144	(f) XConsentY means a clear affirmative act signifying a consumer[s freely
145	145	given, specific, informed, and unambiguous agreement to process personal data
146	146	relating to the consumer. XConsentY may include a written statement, including a
147	147	statement written by electronic means, or any other unambiguous affirmative
148	148	action. XConsentY does not include any of the following:
149	149	1. Acceptance of a general terms-of-use document or similar document that
150	150	contains descriptions of personal data processing along with other, unrelated
151	151	information.
152	152	2. Hovering over, muting, pausing, or closing a given piece of content.
153	153	3. Agreements obtained by using dark patterns.
154	154	(g) XConsumerY means an individual who is a resident of this state acting only
155	155	1
156	156	2
157	157	3
158	158	4
159	159	5
160	160	6
161	161	7
162	162	8
163	163	9
164	164	10
165	165	11
166	166	12
167	167	13
168	168	14
169	169	15
170	170	16
171	171	17
172	172	18
173	173	19
174	174	20
175	175	21
176	176	22
177	177	23 2025 - 2026 Legislature
178	178	ASSEMBLY BILL 172
179	179	- 5 - LRB-0314/1
180	180	MDE:cdc&emw
181	181	SECTION 1
182	182	in an individual or household context. XConsumerY does not include an individual
183	183	acting in a commercial or employment context.
184	184	(h) XControllerY means a person that, alone or jointly with others, determines
185	185	the purpose and means of processing personal data.
186	186	(i) XCovered entityY has the meaning given in 45 CFR 160.103.
187	187	(ja) XCures ActY means the federal 21st Century Cures Act and valid federal
188	188	regulations enacted pursuant to such provisions.
189	189	(jd) XDark patternY means a user interface designed or manipulated with the
190	190	substantial effect of subverting or impairing user autonomy, decision making, or
191	191	choice.
192	192	(jg) XDecisions that produce legal or similarly significant effects concerning a
193	193	consumerY means a decision made by the controller that results in the provision or
194	194	denial by the controller of financial and lending services, housing, insurance,
195	195	education enrollment, criminal justice, employment opportunities, health care
196	196	services, or access to basic necessities, such as food and water.
197	197	(ka) XDeidentified dataY means data that cannot reasonably be linked to an
198	198	identified or identifiable individual, or a device linked to such person.
199	199	(kb) XIdentified or identifiable individualY means a person who can be readily
200	200	identified, directly or indirectly, in particular by reference to an identifier such as a
201	201	name, an identification number, specific geolocation data, or an online identifier.
202	202	(La) XHIPAAY means the federal Health Insurance Portability and
203	203	Accountability Act and valid federal regulations enacted pursuant to the act,
204	204	including 45 CFR 164.500 to 164.534.
205	205	1
206	206	2
207	207	3
208	208	4
209	209	5
210	210	6
211	211	7
212	212	8
213	213	9
214	214	10
215	215	11
216	216	12
217	217	13
218	218	14
219	219	15
220	220	16
221	221	17
222	222	18
223	223	19
224	224	20
225	225	21
226	226	22
227	227	23 2025 - 2026 Legislature
228	228	ASSEMBLY BILL 172
229	229	- 6 - LRB-0314/1
230	230	MDE:cdc&emw
231	231	SECTION 1
232	232	(Lg) XHITECHY means the federal Health Information Technology for
233	233	Economic and Clinical Health Act and valid federal regulations enacted pursuant
234	234	to the act.
235	235	(m) XInstitution of higher educationY has the meaning given in s. 39.32 (1) (a).
236	236	(n) XNonprofit organizationY means any corporation organized under ch. 181,
237	237	any organization identified under s. 895.486 (2) (e), or any organization exempt
238	238	from taxation under section 501 (c) (3), (6), or (12) of the Internal Revenue Code.
239	239	(o) XPersonal dataY means any information that is linked or reasonably
240	240	linkable to an identified or identifiable individual. XPersonal dataY does not include
241	241	deidentified data or publicly available information.
242	242	(p) XPrecise geolocation dataY means information derived from technology,
243	243	including global positioning system level latitude and longitude coordinates or other
244	244	mechanisms, that directly identifies the specific location of an individual with
245	245	precision and accuracy within a radius of 1,750 feet. XPrecise geolocation dataY
246	246	does not include the content of communications or any data generated by or
247	247	connected to advanced utility metering infrastructure systems or equipment for use
248	248	by a utility.
249	249	(q) XProcessY or XprocessingY means any operation or set of operations
250	250	performed, whether by manual or automated means, on personal data or on sets of
251	251	personal data, such as the collection, use, storage, disclosure, analysis, deletion, or
252	252	modification of personal data.
253	253	(r) XProcessorY means an individual or person that processes personal data on
254	254	behalf of a controller.
255	255	1
256	256	2
257	257	3
258	258	4
259	259	5
260	260	6
261	261	7
262	262	8
263	263	9
264	264	10
265	265	11
266	266	12
267	267	13
268	268	14
269	269	15
270	270	16
271	271	17
272	272	18
273	273	19
274	274	20
275	275	21
276	276	22
277	277	23 2025 - 2026 Legislature
278	278	ASSEMBLY BILL 172
279	279	- 7 - LRB-0314/1
280	280	MDE:cdc&emw
281	281	SECTION 1
282	282	(s) XProfilingY means any form of automated processing performed on
283	283	personal data to evaluate, analyze, or predict personal aspects related to an
284	284	identified or identifiable individual[s economic situation, health, personal
285	285	preferences, interests, reliability, behavior, location, or movements.
286	286	(t) XPseudonymous dataY means personal data that cannot be attributed to a
287	287	specific individual without the use of additional information, provided that such
288	288	additional information is kept separately and is subject to appropriate technical
289	289	and organizational measures to ensure that the personal data is not attributed to
290	290	an identified or identifiable individual.
291	291	(u) XPublicly available informationY means information that is lawfully made
292	292	available through federal, state, or local government records, or information that a
293	293	business has a reasonable basis to believe is lawfully made available to the general
294	294	public through widely distributed media, by the consumer, or by a person to whom
295	295	the consumer has disclosed the information, unless the consumer has restricted the
296	296	information to a specific audience.
297	297	(v) XSale of personal dataY means the exchange of personal data for monetary
298	298	or other valuable consideration by the controller to a 3rd party. XSale of personal
299	299	dataY does not include any of the following:
300	300	1. The disclosure of personal data to a processor that processes the personal
301	301	data on behalf of the controller.
302	302	2. The disclosure of personal data to a 3rd party for purposes of providing a
303	303	product or service requested by the consumer.
304	304	3. The disclosure of personal data based on the consumer directing the
305	305	1
306	306	2
307	307	3
308	308	4
309	309	5
310	310	6
311	311	7
312	312	8
313	313	9
314	314	10
315	315	11
316	316	12
317	317	13
318	318	14
319	319	15
320	320	16
321	321	17
322	322	18
323	323	19
324	324	20
325	325	21
326	326	22
327	327	23 2025 - 2026 Legislature
328	328	ASSEMBLY BILL 172
329	329	- 8 - LRB-0314/1
330	330	MDE:cdc&emw
331	331	SECTION 1
332	332	controller to disclose the personal data or intentionally using the controller to
333	333	interact with a 3rd party.
334	334	4. The disclosure or transfer of personal data to an affiliate of the controller.
335	335	5. The disclosure of information that a consumer intentionally made available
336	336	to the general public via a channel of mass media and did not restrict to a specific
337	337	audience.
338	338	6. The disclosure or transfer of personal data to a 3rd party as an asset that is
339	339	part of a merger, acquisition, bankruptcy, or other transaction in which the 3rd
340	340	party assumes control of all or part of the controller[s assets.
341	341	(w) XSensitive dataY includes the following:
342	342	1. Personal data revealing racial or ethnic origin, religious beliefs, mental or
343	343	physical health diagnosis, sexual orientation, or citizenship or immigration status.
344	344	2. The processing of genetic or biometric data for the purpose of uniquely
345	345	identifying an individual.
346	346	3. The personal data collected from a known child.
347	347	4. Precise geolocation data.
348	348	(x) XTargeted advertisingY means displaying advertisements to a consumer
349	349	where the advertisement is selected based on personal data obtained or inferred
350	350	from that consumer[s activities over time and across nonaffiliated websites or
351	351	online applications to predict such consumer[s preferences or interests. XTargeted
352	352	advertisingY does not include any of the following:
353	353	1. Advertisements based on activities within a controller[s own websites or
354	354	online applications.
355	355	1
356	356	2
357	357	3
358	358	4
359	359	5
360	360	6
361	361	7
362	362	8
363	363	9
364	364	10
365	365	11
366	366	12
367	367	13
368	368	14
369	369	15
370	370	16
371	371	17
372	372	18
373	373	19
374	374	20
375	375	21
376	376	22
377	377	23 2025 - 2026 Legislature
378	378	ASSEMBLY BILL 172
379	379	- 9 - LRB-0314/1
380	380	MDE:cdc&emw
381	381	SECTION 1
382	382	2. Advertisements based on the context of a consumer[s current search query,
383	383	visit to a website, or online application.
384	384	3. Advertisements directed to a consumer in response to the consumer[s
385	385	request for information or feedback.
386	386	4. Processing personal data processed solely for measuring or reporting
387	387	advertising performance, reach, or frequency.
388	388	(y) XThird partyY means a person or association, authority, board,
389	389	department, commission, independent agency, institution, office, society, or other
390	390	body in state or local government created or authorized to be created by the
391	391	constitution or any law, other than a consumer, controller, processor, or an affiliate
392	392	of the processor or the controller.
393	393	(z) XTrade secretY has the meaning given in s. 134.90.
394	394	(2) PERSONAL DATA RIGHTS; CONSUMERS. (a) A consumer or a consumer[s
395	395	authorized agent may invoke the consumer rights authorized under this subsection
396	396	at any time by submitting a request to a controller specifying the consumer rights
397	397	the consumer wishes to invoke. A known child[s parent or legal guardian may
398	398	invoke such consumer rights on behalf of the child regarding processing personal
399	399	data belonging to the known child. A controller shall comply with an authenticated
400	400	consumer request to exercise any of the following rights:
401	401	1. To confirm whether or not a controller is processing the consumer[s
402	402	personal data and to access such personal data, unless such confirmation or access
403	403	would require the controller to reveal a trade secret.
404	404	2. To correct inaccuracies in the consumer[s personal data, taking into
405	405	1
406	406	2
407	407	3
408	408	4
409	409	5
410	410	6
411	411	7
412	412	8
413	413	9
414	414	10
415	415	11
416	416	12
417	417	13
418	418	14
419	419	15
420	420	16
421	421	17
422	422	18
423	423	19
424	424	20
425	425	21
426	426	22
427	427	23 2025 - 2026 Legislature
428	428	ASSEMBLY BILL 172
429	429	- 10 - LRB-0314/1
430	430	MDE:cdc&emw
431	431	SECTION 1
432	432	account the nature of the personal data and the purposes of the processing of the
433	433	consumer[s personal data.
434	434	3. To delete personal data provided by or obtained about the consumer.
435	435	4. To obtain a copy of the consumer[s personal data that the consumer
436	436	previously provided to the controller in a portable and, to the extent technically
437	437	feasible, readily usable format that allows the consumer to transmit the data to
438	438	another controller without hindrance, where the processing is carried out by
439	439	automated means, provided such controller shall not be required to reveal any trade
440	440	secret.
441	441	5. To opt out of the processing of the personal data for purposes of targeted
442	442	advertising, the sale of personal data, or profiling in furtherance of decisions that
443	443	produce legal or similarly significant effects concerning the consumer. A consumer
444	444	may exercise the consumer[s rights through user-enabled global privacy controls,
445	445	such as a browser plugin or privacy setting, device setting, or other mechanism, that
446	446	communicate or signal the consumer[s choice to opt out of processing for the
447	447	purpose of targeted advertising or sale of the consumer[s personal data.
448	448	(b) 1. Except as otherwise provided in this section, a controller shall comply
449	449	with a request by a consumer to exercise the consumer rights authorized under par.
450	450	(a).
451	451	2. A controller shall respond to a consumer without undue delay, but in all
452	452	cases within 45 days of receipt of a request submitted under par. (a). The response
453	453	period may be extended once by 45 additional days when reasonably necessary,
454	454	taking into account the complexity and number of the consumer[s requests, so long
455	455	1
456	456	2
457	457	3
458	458	4
459	459	5
460	460	6
461	461	7
462	462	8
463	463	9
464	464	10
465	465	11
466	466	12
467	467	13
468	468	14
469	469	15
470	470	16
471	471	17
472	472	18
473	473	19
474	474	20
475	475	21
476	476	22
477	477	23 2025 - 2026 Legislature
478	478	ASSEMBLY BILL 172
479	479	- 11 - LRB-0314/1
480	480	MDE:cdc&emw
481	481	SECTION 1
482	482	as the controller informs the consumer of any such extension within the initial 45-
483	483	day response period, together with the reason for the extension.
484	484	3. If a controller declines to take action regarding a consumer[s request, the
485	485	controller shall inform the consumer without undue delay, but in all cases and at
486	486	the latest within 45 days of receipt of the request, of the justification for declining to
487	487	take action and instructions for how to appeal the decision under par. (c).
488	488	4. Information provided in response to a consumer request shall be provided
489	489	by a controller free of charge, once annually per consumer. If requests from a
490	490	consumer are manifestly unfounded, technically infeasible, excessive, or repetitive,
491	491	the controller may charge the consumer a reasonable fee to cover the administrative
492	492	costs of complying with the request or decline to act on the request. The controller
493	493	bears the burden of demonstrating the manifestly unfounded, technically infeasible,
494	494	excessive, or repetitive nature of the request.
495	495	5. If a controller is unable to authenticate the request using commercially
496	496	reasonable efforts, the controller may not be required to comply with a request to
497	497	initiate an action under par. (a) and may request that the consumer provide
498	498	additional information reasonably necessary to authenticate the consumer and the
499	499	consumer[s request.
500	500	6. A controller that has obtained personal data about a consumer from a
501	501	source other than the consumer shall be deemed in compliance with a consumer[s
502	502	request to delete the personal data under par. (a) 3. by doing any of the following:
503	503	a. Deleting the personal data, retaining a record of the request and the
504	504	1
505	505	2
506	506	3
507	507	4
508	508	5
509	509	6
510	510	7
511	511	8
512	512	9
513	513	10
514	514	11
515	515	12
516	516	13
517	517	14
518	518	15
519	519	16
520	520	17
521	521	18
522	522	19
523	523	20
524	524	21
525	525	22 2025 - 2026 Legislature
526	526	ASSEMBLY BILL 172
527	527	- 12 - LRB-0314/1
528	528	MDE:cdc&emw
529	529	SECTION 1
530	530	minimum data necessary to ensure the consumer[s personal data remains deleted
531	531	from the controller[s records, and not using the retained data for any other purpose.
532	532	b. Not processing the consumer[s personal data except as otherwise
533	533	authorized under this section.
534	534	(c) A controller shall establish a process for a consumer to appeal the
535	535	controller[s refusal to take action on a request within a reasonable period of time
536	536	after the consumer[s receipt of the decision pursuant to par. (b) 3. The appeal
537	537	process shall be conspicuously available and similar to the process for submitting
538	538	requests to initiate action under par. (a). Within 60 days of receipt of an appeal, a
539	539	controller shall inform the consumer in writing of any action taken or not taken in
540	540	response to the appeal, including a written explanation of the reasons for the
541	541	decisions. If the appeal is denied, the controller shall also provide the consumer
542	542	with an online mechanism, if available, or other method through which the
543	543	consumer may contact the department to submit a complaint.
544	544	(3) DATA CONTROLLER RESPONSIBILITIES; TRANSPARENCY. (a) 1. A controller
545	545	shall limit the collection of personal data to what is adequate, relevant, and
546	546	reasonably necessary in relation to the purposes for which such data is processed,
547	547	as disclosed to the consumer.
548	548	2. Except as otherwise provided in this section, a controller may not process
549	549	personal data for purposes that are not reasonably necessary to and not compatible
550	550	with the disclosed purposes for which such personal data is processed, as disclosed
551	551	to the consumer, unless the controller obtains the consumer[s consent.
552	552	3. A controller shall establish, implement, and maintain reasonable
553	553	1
554	554	2
555	555	3
556	556	4
557	557	5
558	558	6
559	559	7
560	560	8
561	561	9
562	562	10
563	563	11
564	564	12
565	565	13
566	566	14
567	567	15
568	568	16
569	569	17
570	570	18
571	571	19
572	572	20
573	573	21
574	574	22
575	575	23 2025 - 2026 Legislature
576	576	ASSEMBLY BILL 172
577	577	- 13 - LRB-0314/1
578	578	MDE:cdc&emw
579	579	SECTION 1
580	580	administrative, technical, and physical data security practices to protect the
581	581	confidentiality, integrity, and accessibility of personal data. Such data security
582	582	practices shall be appropriate to the volume and nature of the personal data at
583	583	issue.
584	584	4. A controller may not process personal data in violation of state and federal
585	585	laws that prohibit unlawful discrimination against consumers. A controller may
586	586	not discriminate against a consumer for exercising any of the consumer rights
587	587	contained in this section, including denying goods or services, charging different
588	588	prices or rates for goods or services, or providing a different level of quality of goods
589	589	and services to the consumer. Nothing in this subdivision shall be construed to
590	590	require a controller to provide a product or service that requires the personal data
591	591	of a consumer that the controller does not collect or maintain, or to prohibit a
592	592	controller from offering a different price, rate, level, quality, or selection of goods or
593	593	services to a consumer, including offering goods or services for no fee, if the offer is
594	594	related to a consumer[s voluntary participation in a bona fide loyalty, rewards,
595	595	premium features, discounts, or club card program.
596	596	5. A controller may not process sensitive data concerning a consumer without
597	597	obtaining the consumer[s consent, or, in the case of the processing of sensitive data
598	598	concerning a known child, without processing such data in accordance with the
599	599	federal Children[s Online Privacy Protection Act, 15 USC 6501 et seq.
600	600	(b) Any provision of a contract or agreement that purports to waive or limit
601	601	consumer rights under sub. (2) is void and unenforceable.
602	602	1
603	603	2
604	604	3
605	605	4
606	606	5
607	607	6
608	608	7
609	609	8
610	610	9
611	611	10
612	612	11
613	613	12
614	614	13
615	615	14
616	616	15
617	617	16
618	618	17
619	619	18
620	620	19
621	621	20
622	622	21
623	623	22 2025 - 2026 Legislature
624	624	ASSEMBLY BILL 172
625	625	- 14 - LRB-0314/1
626	626	MDE:cdc&emw
627	627	SECTION 1
628	628	(c) A controller shall provide consumers with a reasonably accessible, clear,
629	629	and meaningful privacy notice that includes all of the following:
630	630	1. The categories of personal data processed by the controller.
631	631	2. The purpose of processing personal data.
632	632	3. How consumers may exercise their consumer rights under sub. (2),
633	633	including how a consumer may appeal a controller[s decision with regard to the
634	634	consumer[s request.
635	635	4. The categories of 3rd parties, if any, with whom the controller shares
636	636	personal data.
637	637	5. The categories of personal data that the controller shares with 3rd parties,
638	638	if any.
639	639	(d) If a controller sells personal data to 3rd parties or processes personal data
640	640	for targeted advertising, the controller shall clearly and conspicuously disclose such
641	641	processing, as well as the manner in which a consumer may exercise the right to opt
642	642	out of such processing.
643	643	(e) A controller shall establish, and shall describe in a privacy notice, one or
644	644	more secure and reliable means for consumers to submit a request to exercise their
645	645	consumer rights under this section. Such means shall take into account the ways in
646	646	which consumers normally interact with the controller, the need for secure and
647	647	reliable communication of such requests, and the ability of the controller to
648	648	authenticate the identity of the consumer making the request. Controllers may not
649	649	require a consumer to create a new account in order to exercise consumer rights
650	650	under sub. (2) but may require a consumer to use an existing account. A controller
651	651	1
652	652	2
653	653	3
654	654	4
655	655	5
656	656	6
657	657	7
658	658	8
659	659	9
660	660	10
661	661	11
662	662	12
663	663	13
664	664	14
665	665	15
666	666	16
667	667	17
668	668	18
669	669	19
670	670	20
671	671	21
672	672	22
673	673	23 2025 - 2026 Legislature
674	674	ASSEMBLY BILL 172
675	675	- 15 - LRB-0314/1
676	676	MDE:cdc&emw
677	677	SECTION 1
678	678	that recognizes signals approved by other states shall be considered in compliance
679	679	with this paragraph. Such means shall include all of the following:
680	680	1. A clear and conspicuous link on the controller[s website to a webpage that
681	681	enables a consumer or an agent of a consumer to opt out of the targeted advertising
682	682	or sale of the consumer[s personal data.
683	683	2. On or after July 1, 2028, an opt-out preference signal sent, with a
684	684	consumer[s consent, by a platform, technology, or mechanism to the controller
685	685	indicating the consumer[s intent to opt out of any processing of the consumer[s
686	686	personal data for the purpose of targeted advertising or sale of the consumer[s
687	687	personal data. Such platform, technology, or mechanism shall do all of the
688	688	following:
689	689	a. Not unfairly advantage one controller over another.
690	690	b. Require the consumer to make an affirmative and unambiguous choice to
691	691	opt out of any processing of the consumer[s personal data.
692	692	c. Be easy to use by the average consumer.
693	693	d. Enable the controller to accurately determine whether the consumer is a
694	694	resident of this state and whether the consumer has made a legitimate request to
695	695	opt out of any targeted advertising or sale of the consumer[s personal data.
696	696	(4) RESPONSIBILITY ACCORDING TO ROLE; CONTROLLER AND PROCESSOR. (a) A
697	697	processor shall adhere to the instructions of a controller and shall assist the
698	698	controller in meeting its obligations under this section. Such assistance shall
699	699	include the following:
700	700	1. Taking into account the nature of processing and the information available
701	701	1
702	702	2
703	703	3
704	704	4
705	705	5
706	706	6
707	707	7
708	708	8
709	709	9
710	710	10
711	711	11
712	712	12
713	713	13
714	714	14
715	715	15
716	716	16
717	717	17
718	718	18
719	719	19
720	720	20
721	721	21
722	722	22
723	723	23 2025 - 2026 Legislature
724	724	ASSEMBLY BILL 172
725	725	- 16 - LRB-0314/1
726	726	MDE:cdc&emw
727	727	SECTION 1
728	728	to the processor, by appropriate technical and organizational measures, insofar as
729	729	this is reasonably practicable, to fulfill the controller[s obligation to respond to
730	730	consumer rights requests under sub. (2).
731	731	2. Taking into account the nature of processing and the information available
732	732	to the processor, by assisting the controller in meeting the controller[s obligations in
733	733	relation to the security of processing the personal data and in relation to giving
734	734	notice of unauthorized acquisition of personal information under s. 134.98.
735	735	3. Providing necessary information to enable the controller to conduct and
736	736	document data protection assessments under sub. (5).
737	737	(b) A contract between a controller and a processor shall govern the
738	738	processor[s data processing procedures with respect to processing performed on
739	739	behalf of the controller. The contract shall be binding and clearly set forth
740	740	instructions for processing data, the nature and purpose of processing, the type of
741	741	data subject to processing, the duration of processing, and the rights and obligations
742	742	of both parties. The contract shall also include requirements that the processor
743	743	shall do all of the following:
744	744	1. Ensure that each person processing personal data is subject to a duty of
745	745	confidentiality with respect to the data.
746	746	2. At the controller[s direction, delete or return all personal data to the
747	747	controller as requested at the end of the provision of services, unless retention of
748	748	the personal data is required by law.
749	749	3. Upon the reasonable request of the controller, make available to the
750	750	1
751	751	2
752	752	3
753	753	4
754	754	5
755	755	6
756	756	7
757	757	8
758	758	9
759	759	10
760	760	11
761	761	12
762	762	13
763	763	14
764	764	15
765	765	16
766	766	17
767	767	18
768	768	19
769	769	20
770	770	21
771	771	22 2025 - 2026 Legislature
772	772	ASSEMBLY BILL 172
773	773	- 17 - LRB-0314/1
774	774	MDE:cdc&emw
775	775	SECTION 1
776	776	controller all information in its possession necessary to demonstrate the processor[s
777	777	compliance with the obligations in this section.
778	778	4. At least one of the following:
779	779	a. Allow, and cooperate with, reasonable assessments by the controller or the
780	780	controller[s designated assessor.
781	781	b. Arrange for a qualified and independent assessor to conduct an assessment
782	782	of the processor[s policies and technical and organizational measures in support of
783	783	the obligations under this section using an appropriate and accepted control
784	784	standard or framework and assessment procedure for such assessments. The
785	785	processor shall provide a report of such assessment to the controller upon request.
786	786	5. Engage any subcontractor pursuant to a written contract in accordance
787	787	with par. (c) that requires the subcontractor to meet the obligations of the processor
788	788	with respect to the personal data.
789	789	(c) Nothing in this section shall be construed to relieve a controller or a
790	790	processor from the liabilities imposed on it by virtue of its role in the processing
791	791	relationship as defined by this section.
792	792	(d) Determining whether a person is acting as a controller or processor with
793	793	respect to a specific processing of data is a fact-based determination that depends
794	794	upon the context in which personal data is to be processed. A processor that
795	795	continues to adhere to a controller[s instructions with respect to a specific
796	796	processing of personal data remains a processor.
797	797	(5) DATA PROTECTION ASSESSMENTS. (a) A controller shall regularly conduct
798	798	1
799	799	2
800	800	3
801	801	4
802	802	5
803	803	6
804	804	7
805	805	8
806	806	9
807	807	10
808	808	11
809	809	12
810	810	13
811	811	14
812	812	15
813	813	16
814	814	17
815	815	18
816	816	19
817	817	20
818	818	21
819	819	22 2025 - 2026 Legislature
820	820	ASSEMBLY BILL 172
821	821	- 18 - LRB-0314/1
822	822	MDE:cdc&emw
823	823	SECTION 1
824	824	and document a data protection assessment of each of the following processing
825	825	activities involving personal data:
826	826	1. The processing of personal data for purposes of targeted advertising.
827	827	2. The sale of personal data.
828	828	3. The processing of personal data for purposes of profiling, where such
829	829	profiling presents a reasonably foreseeable risk of any of the following:
830	830	a. Unfair or deceptive treatment of, or unlawful disparate impact on,
831	831	consumers.
832	832	b. Financial, physical, or reputational injury to consumers.
833	833	c. Physical or other intrusion upon the solitude or seclusion, or the private
834	834	affairs or concerns, of consumers, where such intrusion would be offensive to a
835	835	reasonable person.
836	836	d. Other substantial injury to consumers.
837	837	4. The processing of sensitive data.
838	838	5. Any processing activities involving personal data that present a heightened
839	839	risk of harm to consumers.
840	840	6. The processing of personal data related to any good, service, or product
841	841	feature likely to be accessed by a child.
842	842	(b) Data protection assessments conducted under par. (a) shall identify and
843	843	weigh the benefits that may flow, directly and indirectly, from the processing to the
844	844	controller, the consumer, other stakeholders, and the public against the potential
845	845	risks to the rights of the consumer associated with such processing, as mitigated by
846	846	safeguards that can be employed by the controller to reduce such risks. The use of
847	847	1
848	848	2
849	849	3
850	850	4
851	851	5
852	852	6
853	853	7
854	854	8
855	855	9
856	856	10
857	857	11
858	858	12
859	859	13
860	860	14
861	861	15
862	862	16
863	863	17
864	864	18
865	865	19
866	866	20
867	867	21
868	868	22
869	869	23 2025 - 2026 Legislature
870	870	ASSEMBLY BILL 172
871	871	- 19 - LRB-0314/1
872	872	MDE:cdc&emw
873	873	SECTION 1
874	874	deidentified data and the reasonable expectations of consumers, as well as the
875	875	context of the processing and the relationship between the controller and the
876	876	consumer whose personal data will be processed, shall be factored into this
877	877	assessment by the controller.
878	878	(c) The department may request, pursuant to sub. (10), that a controller
879	879	disclose any data protection assessment that is relevant to an investigation
880	880	conducted by the department, and the controller shall make the data protection
881	881	assessment available to the department. The department may evaluate the data
882	882	protection assessment for compliance with the responsibilities set forth in sub. (3).
883	883	Data protection assessments shall be confidential and not subject to the right of
884	884	inspection and copying under s. 19.35 (1). The disclosure of a data protection
885	885	assessment pursuant to a request from the department shall not constitute a
886	886	waiver of attorney-client privilege or work product protection with respect to the
887	887	assessment and any information contained in the assessment.
888	888	(d) A single data protection assessment may address a comparable set of
889	889	processing operations that include similar activities.
890	890	(e) Data protection assessments conducted by a controller for the purpose of
891	891	compliance with other laws or regulations may comply under this section if the
892	892	assessments have a reasonably comparable scope and effect.
893	893	(f) Data protection assessment requirements shall apply to processing
894	894	activities created or generated after January 1, 2026, and are not retroactive.
895	895	(6) PROCESSING DEIDENTIFIED DATA; EXEMPTIONS. (a) A controller in
896	896	possession of deidentified data shall do all of the following:
897	897	1
898	898	2
899	899	3
900	900	4
901	901	5
902	902	6
903	903	7
904	904	8
905	905	9
906	906	10
907	907	11
908	908	12
909	909	13
910	910	14
911	911	15
912	912	16
913	913	17
914	914	18
915	915	19
916	916	20
917	917	21
918	918	22
919	919	23 2025 - 2026 Legislature
920	920	ASSEMBLY BILL 172
921	921	- 20 - LRB-0314/1
922	922	MDE:cdc&emw
923	923	SECTION 1
924	924	1. Take reasonable measures to ensure that the data cannot be associated
925	925	with an individual.
926	926	2. Publicly commit to maintaining and using deidentified data without
927	927	attempting to reidentify the data.
928	928	3. Contractually obligate any recipients of the deidentified data to comply
929	929	with all provisions of this section.
930	930	(b) Nothing in this section shall be construed to require a controller or
931	931	processor to do any of the following:
932	932	1. Reidentify deidentified data or pseudonymous data.
933	933	2. Maintain data in identifiable form.
934	934	3. Collect, obtain, retain, or access any data or technology, in order to be
935	935	capable of associating an authenticated consumer request with personal data.
936	936	(c) Nothing in this section shall be construed to require a controller or
937	937	processor to comply with an authenticated consumer rights request under sub. (2) if
938	938	all of the following are true:
939	939	1. The controller is not reasonably capable of associating the request with the
940	940	personal data or it would be unreasonably burdensome for the controller to
941	941	associate the request with the personal data.
942	942	2. The controller does not use the personal data to recognize or respond to the
943	943	specific consumer who is the subject of the personal data, or associate the personal
944	944	data with other personal data about the same specific consumer.
945	945	3. The controller does not sell the personal data to any 3rd party or otherwise
946	946	1
947	947	2
948	948	3
949	949	4
950	950	5
951	951	6
952	952	7
953	953	8
954	954	9
955	955	10
956	956	11
957	957	12
958	958	13
959	959	14
960	960	15
961	961	16
962	962	17
963	963	18
964	964	19
965	965	20
966	966	21
967	967	22 2025 - 2026 Legislature
968	968	ASSEMBLY BILL 172
969	969	- 21 - LRB-0314/1
970	970	MDE:cdc&emw
971	971	SECTION 1
972	972	voluntarily disclose the personal data to any 3rd party other than a processor,
973	973	except as otherwise permitted in this subsection.
974	974	(d) The consumer rights contained in subs. (2) (a) 1. to 4. and (3) shall not
975	975	apply to pseudonymous data in cases where the controller is able to demonstrate
976	976	any information necessary to identify the consumer is kept separately and is subject
977	977	to effective technical and organizational controls that prevent the controller from
978	978	accessing such information.
979	979	(e) A controller that discloses pseudonymous data or deidentified data shall
980	980	exercise reasonable oversight to monitor compliance with any contractual
981	981	commitments to which the pseudonymous data or deidentified data is subject and
982	982	shall take appropriate steps to address any breaches of those contractual
983	983	commitments.
984	984	(7) LIMITATIONS. (a) Nothing in this section shall be construed to restrict a
985	985	controller[s or processor[s ability to do any of the following:
986	986	1. Comply with federal, state, or local laws, rules, or regulations.
987	987	2. Comply with a civil, criminal, or regulatory inquiry, investigation,
988	988	subpoena, or summons by federal, state, local, or other governmental authorities.
989	989	3. Cooperate with law enforcement agencies concerning conduct or activity
990	990	that the controller or processor reasonably and in good faith believes may violate
991	991	federal, state, or local laws, rules, or regulations.
992	992	4. Investigate, establish, exercise, prepare for, or defend legal claims.
993	993	5. Provide a product or service specifically requested by a consumer or the
994	994	parent or guardian of a child, perform a contract to which the consumer is a party,
995	995	1
996	996	2
997	997	3
998	998	4
999	999	5
1000	1000	6
1001	1001	7
1002	1002	8
1003	1003	9
1004	1004	10
1005	1005	11
1006	1006	12
1007	1007	13
1008	1008	14
1009	1009	15
1010	1010	16
1011	1011	17
1012	1012	18
1013	1013	19
1014	1014	20
1015	1015	21
1016	1016	22
1017	1017	23 2025 - 2026 Legislature
1018	1018	ASSEMBLY BILL 172
1019	1019	- 22 - LRB-0314/1
1020	1020	MDE:cdc&emw
1021	1021	SECTION 1
1022	1022	including fulfilling the terms of a written warranty, or take steps at the request of
1023	1023	the consumer prior to entering into a contract.
1024	1024	6. Take immediate steps to protect an interest that is essential for the life or
1025	1025	physical safety of the consumer or of another individual, and where the processing
1026	1026	cannot be manifestly based on another legal basis.
1027	1027	7. Prevent, detect, protect against, or respond to security incidents, identity
1028	1028	theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
1029	1029	preserve the integrity or security of systems; or investigate, report, or prosecute
1030	1030	those responsible for any such action.
1031	1031	8. Engage in public or peer-reviewed scientific or statistical research in the
1032	1032	public interest that adheres to all other applicable ethics and privacy laws and is
1033	1033	approved, monitored, and governed by an institutional review board, or similar
1034	1034	independent oversight entities that determine all of the following:
1035	1035	a. If the deletion of the information is likely to provide substantial benefits
1036	1036	that do not exclusively accrue to the controller.
1037	1037	b. The expected benefits of the research outweigh the privacy risks.
1038	1038	c. If the controller has implemented reasonable safeguards to mitigate privacy
1039	1039	risks associated with research, including any risks associated with reidentification.
1040	1040	9. Assist another controller, processor, or 3rd party with any of the obligations
1041	1041	under this section.
1042	1042	(b) The obligations imposed on controllers or processors under this section
1043	1043	shall not restrict a controller[s or processor[s ability to collect, use, or retain data to
1044	1044	do any of the following:
1045	1045	1
1046	1046	2
1047	1047	3
1048	1048	4
1049	1049	5
1050	1050	6
1051	1051	7
1052	1052	8
1053	1053	9
1054	1054	10
1055	1055	11
1056	1056	12
1057	1057	13
1058	1058	14
1059	1059	15
1060	1060	16
1061	1061	17
1062	1062	18
1063	1063	19
1064	1064	20
1065	1065	21
1066	1066	22
1067	1067	23 2025 - 2026 Legislature
1068	1068	ASSEMBLY BILL 172
1069	1069	- 23 - LRB-0314/1
1070	1070	MDE:cdc&emw
1071	1071	SECTION 1
1072	1072	1. Conduct internal research to develop, improve, or repair products, services,
1073	1073	or technology.
1074	1074	2. Effectuate a product recall.
1075	1075	3. Identify and repair technical errors that impair existing or intended
1076	1076	functionality.
1077	1077	4. Perform internal operations that are reasonably aligned with the
1078	1078	expectations of the consumer or reasonably anticipated on the basis of the
1079	1079	consumer[s existing relationship with the controller or are otherwise compatible
1080	1080	with processing data in furtherance of the provision of a product or service
1081	1081	specifically requested by a consumer or the performance of a contract to which the
1082	1082	consumer is a party.
1083	1083	(c) The obligations imposed on controllers or processors under this section
1084	1084	shall not apply where compliance by the controller or processor with this section
1085	1085	would violate an evidentiary privilege under ch. 905. Nothing in this section shall
1086	1086	be construed to prevent a controller or processor from providing personal data
1087	1087	concerning a consumer to a person covered by an evidentiary privilege under ch.
1088	1088	905 as part of a privileged communication.
1089	1089	(d) A controller or processor that discloses personal data to a 3rd-party
1090	1090	controller or processor, in compliance with the requirements of this section, is not in
1091	1091	violation of this section if the 3rd-party controller or processor that receives and
1092	1092	processes such personal data is in violation of this section, provided that, at the
1093	1093	time of disclosing the personal data, the disclosing controller or processor did not
1094	1094	have actual knowledge that the recipient intended to commit a violation. A 3rd-
1095	1095	1
1096	1096	2
1097	1097	3
1098	1098	4
1099	1099	5
1100	1100	6
1101	1101	7
1102	1102	8
1103	1103	9
1104	1104	10
1105	1105	11
1106	1106	12
1107	1107	13
1108	1108	14
1109	1109	15
1110	1110	16
1111	1111	17
1112	1112	18
1113	1113	19
1114	1114	20
1115	1115	21
1116	1116	22
1117	1117	23 2025 - 2026 Legislature
1118	1118	ASSEMBLY BILL 172
1119	1119	- 24 - LRB-0314/1
1120	1120	MDE:cdc&emw
1121	1121	SECTION 1
1122	1122	party controller or processor receiving personal data from a controller or processor
1123	1123	in compliance with the requirements of this section is likewise not in violation of
1124	1124	this section for the transgressions of the controller or processor from which it
1125	1125	receives such personal data.
1126	1126	(e) Nothing in this section shall be construed as an obligation imposed on
1127	1127	controllers and processors that adversely affects the rights or freedoms of any
1128	1128	persons, such as exercising the right of free speech pursuant to the First
1129	1129	Amendment to the U.S. Constitution, or applies to the processing of personal data
1130	1130	by a person in the course of a purely personal or household activity.
1131	1131	(f) Personal data processed by a controller pursuant to this subsection may
1132	1132	not be processed for any purpose other than those expressly listed in this subsection
1133	1133	unless otherwise allowed by this section. Personal data processed by a controller
1134	1134	pursuant to this subsection may be processed to the extent that such processing is
1135	1135	both of the following:
1136	1136	1. Reasonably necessary and proportionate to the purposes listed in this
1137	1137	subsection.
1138	1138	2. Adequate, relevant, and limited to what is necessary in relation to the
1139	1139	specific purposes listed in this subsection. Personal data collected, used, or
1140	1140	retained pursuant to par. (b) shall, where applicable, take into account the nature
1141	1141	and purpose or purposes of such collection, use, or retention. Such data shall be
1142	1142	subject to reasonable administrative, technical, and physical measures to protect
1143	1143	the confidentiality, integrity, and accessibility of the personal data and to reduce
1144	1144	1
1145	1145	2
1146	1146	3
1147	1147	4
1148	1148	5
1149	1149	6
1150	1150	7
1151	1151	8
1152	1152	9
1153	1153	10
1154	1154	11
1155	1155	12
1156	1156	13
1157	1157	14
1158	1158	15
1159	1159	16
1160	1160	17
1161	1161	18
1162	1162	19
1163	1163	20
1164	1164	21
1165	1165	22 2025 - 2026 Legislature
1166	1166	ASSEMBLY BILL 172
1167	1167	- 25 - LRB-0314/1
1168	1168	MDE:cdc&emw
1169	1169	SECTION 1
1170	1170	reasonably foreseeable risks of harm to consumers relating to such collection, use,
1171	1171	or retention of personal data.
1172	1172	(g) If a controller processes personal data pursuant to an exemption in this
1173	1173	section, the controller bears the burden of demonstrating that such processing
1174	1174	qualifies for the exemption and complies with the requirements in par. (f).
1175	1175	(h) Processing personal data for the purposes expressly identified in par. (a)
1176	1176	shall not solely make an entity a controller with respect to such processing.
1177	1177	(8) SCOPE; EXEMPTIONS. (a) This section applies to persons that conduct
1178	1178	business in this state or produce products or services that are targeted to residents
1179	1179	of this state and who satisfy either of the following:
1180	1180	1. During a calendar year, the person controls or processes personal data of at
1181	1181	least 100,000 consumers.
1182	1182	2. The person controls or processes personal data of at least 25,000 consumers
1183	1183	and derives over 50 percent of gross revenue from the sale of personal data.
1184	1184	(b) This section shall not apply to any of the following:
1185	1185	1. An association, authority, board, department, commission, independent
1186	1186	agency, institution, office, society, entity regulated by the federal Farm Credit
1187	1187	Administration, or other body in state or local government created or authorized to
1188	1188	be created by the constitution or any law.
1189	1189	2. Financial institutions, affiliates of financial institutions, or data subject to
1190	1190	Title V of the federal Gramm-Leach-Bliley Act, 15 USC 6801 et seq.
1191	1191	3. A covered entity or business associate governed by HIPAA or HITECH.
1192	1192	4. A nonprofit organization.
1193	1193	1
1194	1194	2
1195	1195	3
1196	1196	4
1197	1197	5
1198	1198	6
1199	1199	7
1200	1200	8
1201	1201	9
1202	1202	10
1203	1203	11
1204	1204	12
1205	1205	13
1206	1206	14
1207	1207	15
1208	1208	16
1209	1209	17
1210	1210	18
1211	1211	19
1212	1212	20
1213	1213	21
1214	1214	22
1215	1215	23 2025 - 2026 Legislature
1216	1216	ASSEMBLY BILL 172
1217	1217	- 26 - LRB-0314/1
1218	1218	MDE:cdc&emw
1219	1219	SECTION 1
1220	1220	5. An institution of higher education.
1221	1221	6. A state agency or political subdivision of this state, including agents and
1222	1222	entities that use public safety technologies for the purposes of bona fide law
1223	1223	enforcement investigation.
1224	1224	7. The entity under contract under s. 153.05 (2m) (a) and its contractors.
1225	1225	8. The data organization under contract under s. 153.05 (2r) and its
1226	1226	contractors.
1227	1227	(c) The following information and data are exempt from this section:
1228	1228	1. Any health care information or record that is governed by HIPAA,
1229	1229	HITECH, Cures Act, or any other federal law governing the use, disclosure, access
1230	1230	or creation of health care information or records, including any derived,
1231	1231	identifiable, de-identifiable, confidential or non-confidential health care
1232	1232	information or records as defined by such federal laws.
1233	1233	2. Any health care information or record that is governed by s. 51.30, 146.816,
1234	1234	146.82, 146.83, or 146.84, chapter 153, or other Wisconsin law governing the use,
1235	1235	disclosure, access or creation of health care information or records, including any
1236	1236	derived, identifiable, de-identifiable, confidential or non-confidential health care
1237	1237	information or records as defined by such Wisconsin laws.
1238	1238	3. Any of the following:
1239	1239	a. Identifiable private information for purposes of the federal policy for the
1240	1240	protection of human subjects under 45 CFR Part 46.
1241	1241	b. Identifiable private information that is otherwise information collected as
1242	1242	part of human subjects research pursuant to the good clinical practice guidelines
1243	1243	1
1244	1244	2
1245	1245	3
1246	1246	4
1247	1247	5
1248	1248	6
1249	1249	7
1250	1250	8
1251	1251	9
1252	1252	10
1253	1253	11
1254	1254	12
1255	1255	13
1256	1256	14
1257	1257	15
1258	1258	16
1259	1259	17
1260	1260	18
1261	1261	19
1262	1262	20
1263	1263	21
1264	1264	22
1265	1265	23 2025 - 2026 Legislature
1266	1266	ASSEMBLY BILL 172
1267	1267	- 27 - LRB-0314/1
1268	1268	MDE:cdc&emw
1269	1269	SECTION 1
1270	1270	issued by the International Council for Harmonisation of Technical Requirements
1271	1271	for Pharmaceuticals for Human Use or under 21 CFR Parts 50 and 56.
1272	1272	c. Personal data used or shared in research conducted in accordance with the
1273	1273	requirements set forth in this section, or other research conducted in accordance
1274	1274	with applicable law.
1275	1275	4. Information and documents created for purposes of the federal Health Care
1276	1276	Quality Improvement Act of 1986, 42 USC 11101 et seq.
1277	1277	5. Patient safety work product for purposes of the federal Patient Safety and
1278	1278	Quality Improvement Act, 42 USC 299b-21 et seq.
1279	1279	6. Information originating from, and intermingled to be indistinguishable
1280	1280	with, or information treated in the same manner as information exempt under this
1281	1281	paragraph.
1282	1282	7. The collection, maintenance, disclosure, sale, communication, or use of any
1283	1283	personal information bearing on a consumer[s credit worthiness, credit standing,
1284	1284	credit capacity, character, general reputation, personal characteristics, or mode of
1285	1285	living by a consumer reporting agency, furnisher, or user that provides information
1286	1286	for use in a consumer report, and by a user of a consumer report, but only to the
1287	1287	extent that such activity is regulated by and authorized under the federal Fair
1288	1288	Credit Reporting Act, 15 USC 1681 et seq.
1289	1289	8. Personal data collected, processed, sold, or disclosed in compliance with the
1290	1290	federal Driver[s Privacy Protection Act of 1994, 18 USC 2721 et seq.
1291	1291	9. Personal data regulated by the federal Family Educational Rights and
1292	1292	Privacy Act, 20 USC 1232g et seq.
1293	1293	1
1294	1294	2
1295	1295	3
1296	1296	4
1297	1297	5
1298	1298	6
1299	1299	7
1300	1300	8
1301	1301	9
1302	1302	10
1303	1303	11
1304	1304	12
1305	1305	13
1306	1306	14
1307	1307	15
1308	1308	16
1309	1309	17
1310	1310	18
1311	1311	19
1312	1312	20
1313	1313	21
1314	1314	22
1315	1315	23 2025 - 2026 Legislature
1316	1316	ASSEMBLY BILL 172
1317	1317	- 28 - LRB-0314/1
1318	1318	MDE:cdc&emw
1319	1319	SECTION 1
1320	1320	10. Personal data collected, processed, sold, or disclosed in compliance with
1321	1321	the federal Farm Credit Act, 12 USC 2001 et seq.
1322	1322	11. Data processed or maintained for any of the following purposes:
1323	1323	a. In the course of an individual applying to, employed by, or acting as an
1324	1324	agent or independent contractor of a controller, processor, or 3rd party, to the extent
1325	1325	that the data is collected and used within the context of that role.
1326	1326	b. As the emergency contact information of an individual under this section
1327	1327	used for emergency contact purposes.
1328	1328	c. That is necessary to retain to administer benefits for another individual
1329	1329	relating to an individual described in subd. 15. a. and used for the purposes of
1330	1330	administering those benefits.
1331	1331	12. Personal data collected, processed, and maintained in compliance with the
1332	1332	Children[s Online Privacy Protection Act of 1998, 15 USC 6501 et seq., as amended,
1333	1333	and regulations thereto.
1334	1334	(9) VIOLATIONS. (a) The department and the department of justice shall have
1335	1335	authority to enforce violations of this section.
1336	1336	(b) 1. The department or the department of justice shall, at least 30 days
1337	1337	before initiating any action under this section, provide a controller or processor
1338	1338	written notice that identifies the specific provisions of this section the department
1339	1339	or the department of justice alleges have been or are being violated. If within the 30
1340	1340	days the controller or processor cures the noticed violation and provides the
1341	1341	department or the department of justice an express written statement that the
1342	1342	1
1343	1343	2
1344	1344	3
1345	1345	4
1346	1346	5
1347	1347	6
1348	1348	7
1349	1349	8
1350	1350	9
1351	1351	10
1352	1352	11
1353	1353	12
1354	1354	13
1355	1355	14
1356	1356	15
1357	1357	16
1358	1358	17
1359	1359	18
1360	1360	19
1361	1361	20
1362	1362	21
1363	1363	22 2025 - 2026 Legislature
1364	1364	ASSEMBLY BILL 172
1365	1365	- 29 - LRB-0314/1
1366	1366	MDE:cdc&emw
1367	1367	SECTION 1
1368	1368	alleged violations have been cured and that no such further violations shall occur,
1369	1369	no action shall be initiated against the controller or processor.
1370	1370	2. Notwithstanding subd. 1., if a controller or processor continues to violate
1371	1371	this section in breach of an express written statement provided to the department
1372	1372	or the department of justice under subd. 1., the department or the department of
1373	1373	justice may initiate an action under this section.
1374	1374	(c) Nothing in this section shall be construed as providing the basis for, or
1375	1375	being subject to, a private right of action to violations of this section or under any
1376	1376	other law.
1377	1377	(10) ENFORCEMENT ; PENALTIES. (a) The department or the department of
1378	1378	justice has exclusive authority to enforce violations of this section. The department
1379	1379	or the department of justice may commence an action in any court of competent
1380	1380	jurisdiction in the name of this state to restrain by temporary or permanent
1381	1381	injunction the violation of this section and any order issued under this section and
1382	1382	to recover a civil forfeiture of not less than $100 and not more than $10,000 for each
1383	1383	violation of this section or of any order, including an injunction, issued under this
1384	1384	section. The court may in its discretion, prior to the entry of final judgment, make
1385	1385	such orders or judgments as may be necessary to restore any person any pecuniary
1386	1386	loss suffered because of the acts or practices involved in the action, provided proof
1387	1387	thereof is submitted to the satisfaction of the court. The department may use its
1388	1388	authority in ss. 93.14 and 93.15 to investigate violations of this section and any
1389	1389	order issued under this section.
1390	1390	(b) The department of justice may issue a civil investigative demand to any
1391	1391	1
1392	1392	2
1393	1393	3
1394	1394	4
1395	1395	5
1396	1396	6
1397	1397	7
1398	1398	8
1399	1399	9
1400	1400	10
1401	1401	11
1402	1402	12
1403	1403	13
1404	1404	14
1405	1405	15
1406	1406	16
1407	1407	17
1408	1408	18
1409	1409	19
1410	1410	20
1411	1411	21
1412	1412	22
1413	1413	23 2025 - 2026 Legislature
1414	1414	ASSEMBLY BILL 172
1415	1415	- 30 - LRB-0314/1
1416	1416	MDE:cdc&emw
1417	1417	SECTION 1
1418	1418	controller or processor believed to be engaged in, or about to engage in, any violation
1419	1419	of this section, and by the civil investigative demand the department of justice may
1420	1420	compel the attendance of any officers or agents of the controller or processor,
1421	1421	examine the officers or agents of the controller or processor under oath, require the
1422	1422	production of any books or papers that the department of justice deems relevant or
1423	1423	material to the inquiry, and issue written interrogatories to be answered by the
1424	1424	officers or agents of the controller or processor.
1425	1425	(c) The department or the department of justice may serve a complaint,
1426	1426	notice, order, civil investigative demand, or other process in the manner provided for
1427	1427	service of a summons, or a subpoena as provided by s. 885.03, and either may be
1428	1428	served by registered mail to an address that the controller or processor previously
1429	1429	furnished to the department, the department of justice, or the department of
1430	1430	financial institutions. Service may be proved by affidavit. Service in any event may
1431	1431	also be by registered mail addressed to the controller or processor and proved by
1432	1432	post office return receipt, in which case the time of service is the date borne by the
1433	1433	receipt.
1434	1434	(d) Notwithstanding s. 814.04 (1), the department or the department of justice
1435	1435	may recover reasonable expenses incurred in investigating, preparing, and
1436	1436	prosecuting the case, including attorney fees, of any action initiated under this
1437	1437	section.
1438	1438	(11) LOCAL PREEMPTION. No city, village, town, or county may enact or
1439	1439	enforce an ordinance that regulates the collection, processing, or sale of personal
1440	1440	data.
1441	1441	1
1442	1442	2
1443	1443	3
1444	1444	4
1445	1445	5
1446	1446	6
1447	1447	7
1448	1448	8
1449	1449	9
1450	1450	10
1451	1451	11
1452	1452	12
1453	1453	13
1454	1454	14
1455	1455	15
1456	1456	16
1457	1457	17
1458	1458	18
1459	1459	19
1460	1460	20
1461	1461	21
1462	1462	22
1463	1463	23 2025 - 2026 Legislature
1464	1464	ASSEMBLY BILL 172
1465	1465	- 31 - LRB-0314/1
1466	1466	MDE:cdc&emw
1467	1467	SECTION 2
1468	1468	SECTION 2. 100.80 (9) (b) 1. of the statutes, as created by 2025 Wisconsin Act
1469	1469	.... (this act), is repealed.
1470	1470	SECTION 3. 100.80 (9) (b) 2. of the statutes, as created by 2025 Wisconsin Act
1471	1471	.... (this act), is renumbered 100.80 (9) (b) and amended to read:
1472	1472	100.80 (9) (b) Notwithstanding subd. 1., if If a controller or processor
1473	1473	continues to violate violates this section in breach of an express written statement
1474	1474	provided to the department or the department of justice under subd. 1., the
1475	1475	department or the department of justice may initiate an action under this section.
1476	1476	SECTION 4. Effective dates This act takes effect on July 1, 2027, except as
1477	1477	follows:
1478	1478	(1) The repeal of s. 100.80 (9) (b) 1. and the renumbering and amendment of s.
1479	1479	100.80 (9) (b) 2. take effect on July 1, 2031.
1480	1480	(END)
1481	1481	1
1482	1482	2
1483	1483	3
1484	1484	4
1485	1485	5
1486	1486	6
1487	1487	7
1488	1488	8
1489	1489	9
1490	1490	10
1491	1491	11
1492	1492	12
1493	1493	13