Wisconsin 2025-2026 Regular Session

Wisconsin Senate Bill SB166 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	2025 - 2026 LEGISLATURE
2	2	LRB-2468/1
3	3	MDE:cdc&emw
4	4	2025 SENATE BILL 166
5	5	March 27, 2025 - Introduced by Senators QUINN, NASS, ROYS and MARKLEIN,
6	6	cosponsored by Representatives ZIMMERMAN, SORTWELL, ALLEN, ARMSTRONG,
7	7	BEHNKE, DITTRICH, DUCHOW, GOEBEN, GUSTAFSON, KNODL, KREIBICH, KRUG,
8	8	KURTZ, MAXEY, MELOTIK, MURPHY, MURSAU, NEDWESKI, O'CONNOR,
9	9	PENTERMAN, PIWOWARCZYK, PRONSCHINSKE, SNYDER, STEFFEN, TITTL,
10	10	TUSLER, WITTKE and MOSES. Referred to Committee on Licensing, Regulatory
11	11	Reform, State and Federal Affairs.
12	12
13	13	*AUTHORS SUBJECT TO CHANGE*
14	14	AN ACT to repeal 100.80 (9) (b) 1.; to renumber and amend 100.80 (9) (b) 2.;
15	15	to create 100.80 of the statutes; relating to: consumer data protection and
16	16	providing a penalty.
17	17	Analysis by the Legislative Reference Bureau
18	18	This bill establishes requirements for controllers and processors of the
19	19	personal data of consumers. The bill defines a XcontrollerY as a person that, alone
20	20	or jointly with others, determines the purpose and means of processing personal
21	21	data, and the bill applies to controllers that control or process the personal data of
22	22	at least 100,000 consumers or that control or process the personal data of at least
23	23	25,000 consumers and derive over 50 percent of their gross revenue from the sale of
24	24	personal data. Under the bill, Xpersonal dataY means any information that is linked
25	25	or reasonably linkable to an individual except for publicly available information.
26	26	The bill provides consumers with the following rights regarding their personal
27	27	data: 1) to confirm whether a controller is processing the consumer[s personal data
28	28	and to access the personal data; 2) to correct inaccuracies in the consumer[s
29	29	personal data; 3) to require a controller to delete personal data provided by or about
30	30	the consumer; 4) to obtain a copy of the personal data that the consumer previously
31	31	provided to the controller; and 5) to opt out of the processing of the consumer[s
32	32	personal data for targeted advertising; the sale of the consumer[s personal data;
33	33	and certain forms of automated processing of the consumer[s personal data. These
34	34	1
35	35	2
36	36	3 2025 - 2026 Legislature
37	37	SENATE BILL 166
38	38	- 2 - LRB-2468/1
39	39	MDE:cdc&emw
40	40	rights are subject to certain exceptions specified in the bill. Controllers may not
41	41	discriminate against a consumer for exercising rights under the bill, including by
42	42	charging different prices for goods or providing a different level of quality of goods
43	43	or services.
44	44	A controller must establish one or more secure and reliable means for
45	45	consumers to submit a request to exercise their consumer rights under the bill.
46	46	Such means must include a clear and conspicuous link on the controller[s website to
47	47	a webpage that enables a consumer or an agent of a consumer to opt out of the
48	48	targeted advertising or sale of the consumer[s personal data and, on or after July 1,
49	49	2028, an opt-out preference signal sent, with a consumer[s intent, by a platform,
50	50	technology, or mechanism to the controller indicating the consumer[s intent to opt
51	51	out of any processing of the consumer[s personal data for the purpose of targeted
52	52	advertising or sale of the consumer[s personal data.
53	53	The bill requires controllers to respond to consumers[ requests to invoke rights
54	54	under the bill without undue delay. If a controller declines to take action regarding
55	55	a consumer[s request, the controller must inform the consumer of its justification
56	56	without undue delay. The bill also requires that information provided in response
57	57	to a consumer[s request be provided free of charge once annually per consumer.
58	58	Controllers must also establish processes for consumers to appeal a refusal to take
59	59	action on a consumer[s request. Within 60 days of receiving an appeal, a controller
60	60	must inform the consumer in writing of any action taken or not taken in response to
61	61	the appeal, including a written explanation of the reasons for its decisions. If the
62	62	appeal is denied, the controller must provide the consumer with a method through
63	63	which the consumer can contact the Department of Agriculture, Trade and
64	64	Consumer Protection to submit a complaint.
65	65	Under the bill, a controller must provide consumers with a privacy notice that
66	66	discloses the categories of personal data processed by the controller; the purpose of
67	67	processing the personal data; the categories of third parties, if any, with whom the
68	68	controller shares personal data; the categories of personal data that the controller
69	69	shares with third parties; and information about how consumers may exercise their
70	70	rights under the bill. Controllers may not collect or process personal data for
71	71	purposes that are not relevant to or reasonably necessary for the purposes disclosed
72	72	in the privacy notice. The bill[s requirements do not restrict a controller[s ability to
73	73	collect, use, or retain data for conducting internal research, effectuating a product
74	74	recall, identifying and repairing technical errors, or performing internal operations
75	75	that are reasonably aligned with consumer expectations or reasonably anticipated
76	76	on the basis of a consumer[s relationship with the controller.
77	77	Persons that process personal data on behalf of a controller must adhere to a
78	78	contract between the controller and the processor, and such contracts must satisfy
79	79	certain requirements specified in the bill. The bill also requires controllers to
80	80	conduct data protection assessments related to certain activities, including
81	81	processing personal data for targeted advertising, selling personal data, processing
82	82	personal data for profiling purposes, and processing sensitive data, as defined in 2025 - 2026 Legislature
83	83	SENATE BILL 166
84	84	- 3 - LRB-2468/1
85	85	MDE:cdc&emw
86	86	SECTION 1
87	87	the bill. DATCP may request that a controller disclose a data protection assessment
88	88	that is relevant to an investigation being conducted by DATCP.
89	89	DATCP and the Department of Justice have exclusive authority to enforce
90	90	violations of the bill[s requirements. A controller or processor that violates the bill[s
91	91	requirements is subject to a forfeiture of up to $10,000 per violation, and DATCP or
92	92	DOJ may recover reasonable investigation and litigation expenses incurred.
93	93	During the time between the bill[s effective date and July 1, 2031, before bringing
94	94	an action to enforce the bill[s requirements, DATCP or DOJ must first provide a
95	95	controller or processor with a written notice identifying the violations. If within 30
96	96	days of receiving the notice the controller or processor cures the violation and
97	97	provides DATCP or DOJ with an express written statement that the violation is
98	98	cured and that no such further violations will occur, then DATCP or DOJ may not
99	99	bring an action against the controller or processor.
100	100	The bill also prohibits cities, villages, towns, and counties from enacting or
101	101	enforcing ordinances that regulate the collection, processing, or sale of personal
102	102	data.
103	103	For further information see the state fiscal estimate, which will be printed as
104	104	an appendix to this bill.
105	105	The people of the state of Wisconsin, represented in senate and assembly, do
106	106	enact as follows:
107	107	SECTION 1. 100.80 of the statutes is created to read:
108	108	100.80 Consumer data protection. (1) DEFINITIONS. In this section:
109	109	(a) XAffiliateY means a legal entity that controls, is controlled by, or is under
110	110	common control with another legal entity or shares common branding with another
111	111	legal entity. For the purposes of this definition, XcontrolY or XcontrolledY means
112	112	ownership of, or the power to vote, more than 50 percent of the outstanding shares
113	113	of any class of voting security of a company; control in any manner over the election
114	114	of a majority of the directors or of individuals exercising similar functions; or the
115	115	power to exercise controlling influence over the management of a company.
116	116	(b) XAuthenticateY means verifying through reasonable means that the
117	117	consumer, entitled to exercise his or her consumer rights under sub. (2), is the same
118	118	1
119	119	2
120	120	3
121	121	4
122	122	5
123	123	6
124	124	7
125	125	8
126	126	9
127	127	10
128	128	11 2025 - 2026 Legislature
129	129	SENATE BILL 166
130	130	- 4 - LRB-2468/1
131	131	MDE:cdc&emw
132	132	SECTION 1
133	133	consumer exercising such consumer rights, or is an individual with authority to
134	134	exercise such rights of a consumer, with respect to the personal data at issue.
135	135	(c) XBiometric dataY means data generated by automatic measurements of an
136	136	individual[s biological characteristics, such as a fingerprint, voiceprint, eye retinas,
137	137	irises, or other unique biological patterns or characteristics that are used to identify
138	138	a specific individual. XBiometric dataY does not include a physical or digital
139	139	photograph, a video or audio recording or data generated therefrom unless such
140	140	data is generated to identify a specific individual, or information collected, used, or
141	141	stored for health care treatment, payment, or operations under the federal Health
142	142	Insurance Portability and Accountability Act of 1996.
143	143	(d) XBusiness associateY has the meaning given in 45 CFR 160.103.
144	144	(e) XChildY means an individual younger than 13 years of age.
145	145	(f) XConsentY means a clear affirmative act signifying a consumer[s freely
146	146	given, specific, informed, and unambiguous agreement to process personal data
147	147	relating to the consumer. XConsentY may include a written statement, including a
148	148	statement written by electronic means, or any other unambiguous affirmative
149	149	action. XConsentY does not include any of the following:
150	150	1. Acceptance of a general terms-of-use document or similar document that
151	151	contains descriptions of personal data processing along with other, unrelated
152	152	information.
153	153	2. Hovering over, muting, pausing, or closing a given piece of content.
154	154	3. Agreements obtained by using dark patterns.
155	155	(g) XConsumerY means an individual who is a resident of this state acting only
156	156	1
157	157	2
158	158	3
159	159	4
160	160	5
161	161	6
162	162	7
163	163	8
164	164	9
165	165	10
166	166	11
167	167	12
168	168	13
169	169	14
170	170	15
171	171	16
172	172	17
173	173	18
174	174	19
175	175	20
176	176	21
177	177	22
178	178	23 2025 - 2026 Legislature
179	179	SENATE BILL 166
180	180	- 5 - LRB-2468/1
181	181	MDE:cdc&emw
182	182	SECTION 1
183	183	in an individual or household context. XConsumerY does not include an individual
184	184	acting in a commercial or employment context.
185	185	(h) XControllerY means a person that, alone or jointly with others, determines
186	186	the purpose and means of processing personal data.
187	187	(i) XCovered entityY has the meaning given in 45 CFR 160.103.
188	188	(ja) XCures ActY means the federal 21st Century Cures Act and valid federal
189	189	regulations enacted pursuant to such provisions.
190	190	(jd) XDark patternY means a user interface designed or manipulated with the
191	191	substantial effect of subverting or impairing user autonomy, decision making, or
192	192	choice.
193	193	(jg) XDecisions that produce legal or similarly significant effects concerning a
194	194	consumerY means a decision made by the controller that results in the provision or
195	195	denial by the controller of financial and lending services, housing, insurance,
196	196	education enrollment, criminal justice, employment opportunities, health care
197	197	services, or access to basic necessities, such as food and water.
198	198	(ka) XDeidentified dataY means data that cannot reasonably be linked to an
199	199	identified or identifiable individual, or a device linked to such person.
200	200	(kb) XIdentified or identifiable individualY means a person who can be readily
201	201	identified, directly or indirectly, in particular by reference to an identifier such as a
202	202	name, an identification number, specific geolocation data, or an online identifier.
203	203	(La) XHIPAAY means the federal Health Insurance Portability and
204	204	Accountability Act and valid federal regulations enacted pursuant to the act,
205	205	including 45 CFR 164.500 to 164.534.
206	206	1
207	207	2
208	208	3
209	209	4
210	210	5
211	211	6
212	212	7
213	213	8
214	214	9
215	215	10
216	216	11
217	217	12
218	218	13
219	219	14
220	220	15
221	221	16
222	222	17
223	223	18
224	224	19
225	225	20
226	226	21
227	227	22
228	228	23 2025 - 2026 Legislature
229	229	SENATE BILL 166
230	230	- 6 - LRB-2468/1
231	231	MDE:cdc&emw
232	232	SECTION 1
233	233	(Lg) XHITECHY means the federal Health Information Technology for
234	234	Economic and Clinical Health Act and valid federal regulations enacted pursuant
235	235	to the act.
236	236	(m) XInstitution of higher educationY has the meaning given in s. 39.32 (1) (a).
237	237	(n) XNonprofit organizationY means any corporation organized under ch. 181,
238	238	any organization identified under s. 895.486 (2) (e), or any organization exempt
239	239	from taxation under section 501 (c) (3), (6), or (12) of the Internal Revenue Code.
240	240	(o) XPersonal dataY means any information that is linked or reasonably
241	241	linkable to an identified or identifiable individual. XPersonal dataY does not include
242	242	deidentified data or publicly available information.
243	243	(p) XPrecise geolocation dataY means information derived from technology,
244	244	including global positioning system level latitude and longitude coordinates or other
245	245	mechanisms, that directly identifies the specific location of an individual with
246	246	precision and accuracy within a radius of 1,750 feet. XPrecise geolocation dataY
247	247	does not include the content of communications or any data generated by or
248	248	connected to advanced utility metering infrastructure systems or equipment for use
249	249	by a utility.
250	250	(q) XProcessY or XprocessingY means any operation or set of operations
251	251	performed, whether by manual or automated means, on personal data or on sets of
252	252	personal data, such as the collection, use, storage, disclosure, analysis, deletion, or
253	253	modification of personal data.
254	254	(r) XProcessorY means an individual or person that processes personal data on
255	255	behalf of a controller.
256	256	1
257	257	2
258	258	3
259	259	4
260	260	5
261	261	6
262	262	7
263	263	8
264	264	9
265	265	10
266	266	11
267	267	12
268	268	13
269	269	14
270	270	15
271	271	16
272	272	17
273	273	18
274	274	19
275	275	20
276	276	21
277	277	22
278	278	23 2025 - 2026 Legislature
279	279	SENATE BILL 166
280	280	- 7 - LRB-2468/1
281	281	MDE:cdc&emw
282	282	SECTION 1
283	283	(s) XProfilingY means any form of automated processing performed on
284	284	personal data to evaluate, analyze, or predict personal aspects related to an
285	285	identified or identifiable individual[s economic situation, health, personal
286	286	preferences, interests, reliability, behavior, location, or movements.
287	287	(t) XPseudonymous dataY means personal data that cannot be attributed to a
288	288	specific individual without the use of additional information, provided that such
289	289	additional information is kept separately and is subject to appropriate technical
290	290	and organizational measures to ensure that the personal data is not attributed to
291	291	an identified or identifiable individual.
292	292	(u) XPublicly available informationY means information that is lawfully made
293	293	available through federal, state, or local government records, or information that a
294	294	business has a reasonable basis to believe is lawfully made available to the general
295	295	public through widely distributed media, by the consumer, or by a person to whom
296	296	the consumer has disclosed the information, unless the consumer has restricted the
297	297	information to a specific audience.
298	298	(v) XSale of personal dataY means the exchange of personal data for monetary
299	299	or other valuable consideration by the controller to a 3rd party. XSale of personal
300	300	dataY does not include any of the following:
301	301	1. The disclosure of personal data to a processor that processes the personal
302	302	data on behalf of the controller.
303	303	2. The disclosure of personal data to a 3rd party for purposes of providing a
304	304	product or service requested by the consumer.
305	305	3. The disclosure of personal data based on the consumer directing the
306	306	1
307	307	2
308	308	3
309	309	4
310	310	5
311	311	6
312	312	7
313	313	8
314	314	9
315	315	10
316	316	11
317	317	12
318	318	13
319	319	14
320	320	15
321	321	16
322	322	17
323	323	18
324	324	19
325	325	20
326	326	21
327	327	22
328	328	23 2025 - 2026 Legislature
329	329	SENATE BILL 166
330	330	- 8 - LRB-2468/1
331	331	MDE:cdc&emw
332	332	SECTION 1
333	333	controller to disclose the personal data or intentionally using the controller to
334	334	interact with a 3rd party.
335	335	4. The disclosure or transfer of personal data to an affiliate of the controller.
336	336	5. The disclosure of information that a consumer intentionally made available
337	337	to the general public via a channel of mass media and did not restrict to a specific
338	338	audience.
339	339	6. The disclosure or transfer of personal data to a 3rd party as an asset that is
340	340	part of a merger, acquisition, bankruptcy, or other transaction in which the 3rd
341	341	party assumes control of all or part of the controller[s assets.
342	342	(w) XSensitive dataY includes the following:
343	343	1. Personal data revealing racial or ethnic origin, religious beliefs, mental or
344	344	physical health diagnosis, sexual orientation, or citizenship or immigration status.
345	345	2. The processing of genetic or biometric data for the purpose of uniquely
346	346	identifying an individual.
347	347	3. The personal data collected from a known child.
348	348	4. Precise geolocation data.
349	349	(x) XTargeted advertisingY means displaying advertisements to a consumer
350	350	where the advertisement is selected based on personal data obtained or inferred
351	351	from that consumer[s activities over time and across nonaffiliated websites or
352	352	online applications to predict such consumer[s preferences or interests. XTargeted
353	353	advertisingY does not include any of the following:
354	354	1. Advertisements based on activities within a controller[s own websites or
355	355	online applications.
356	356	1
357	357	2
358	358	3
359	359	4
360	360	5
361	361	6
362	362	7
363	363	8
364	364	9
365	365	10
366	366	11
367	367	12
368	368	13
369	369	14
370	370	15
371	371	16
372	372	17
373	373	18
374	374	19
375	375	20
376	376	21
377	377	22
378	378	23 2025 - 2026 Legislature
379	379	SENATE BILL 166
380	380	- 9 - LRB-2468/1
381	381	MDE:cdc&emw
382	382	SECTION 1
383	383	2. Advertisements based on the context of a consumer[s current search query,
384	384	visit to a website, or online application.
385	385	3. Advertisements directed to a consumer in response to the consumer[s
386	386	request for information or feedback.
387	387	4. Processing personal data processed solely for measuring or reporting
388	388	advertising performance, reach, or frequency.
389	389	(y) XThird partyY means a person or association, authority, board,
390	390	department, commission, independent agency, institution, office, society, or other
391	391	body in state or local government created or authorized to be created by the
392	392	constitution or any law, other than a consumer, controller, processor, or an affiliate
393	393	of the processor or the controller.
394	394	(z) XTrade secretY has the meaning given in s. 134.90.
395	395	(2) PERSONAL DATA RIGHTS; CONSUMERS. (a) A consumer or a consumer[s
396	396	authorized agent may invoke the consumer rights authorized under this subsection
397	397	at any time by submitting a request to a controller specifying the consumer rights
398	398	the consumer wishes to invoke. A known child[s parent or legal guardian may
399	399	invoke such consumer rights on behalf of the child regarding processing personal
400	400	data belonging to the known child. A controller shall comply with an authenticated
401	401	consumer request to exercise any of the following rights:
402	402	1. To confirm whether or not a controller is processing the consumer[s
403	403	personal data and to access such personal data, unless such confirmation or access
404	404	would require the controller to reveal a trade secret.
405	405	2. To correct inaccuracies in the consumer[s personal data, taking into
406	406	1
407	407	2
408	408	3
409	409	4
410	410	5
411	411	6
412	412	7
413	413	8
414	414	9
415	415	10
416	416	11
417	417	12
418	418	13
419	419	14
420	420	15
421	421	16
422	422	17
423	423	18
424	424	19
425	425	20
426	426	21
427	427	22
428	428	23 2025 - 2026 Legislature
429	429	SENATE BILL 166
430	430	- 10 - LRB-2468/1
431	431	MDE:cdc&emw
432	432	SECTION 1
433	433	account the nature of the personal data and the purposes of the processing of the
434	434	consumer[s personal data.
435	435	3. To delete personal data provided by or obtained about the consumer.
436	436	4. To obtain a copy of the consumer[s personal data that the consumer
437	437	previously provided to the controller in a portable and, to the extent technically
438	438	feasible, readily usable format that allows the consumer to transmit the data to
439	439	another controller without hindrance, where the processing is carried out by
440	440	automated means, provided such controller shall not be required to reveal any trade
441	441	secret.
442	442	5. To opt out of the processing of the personal data for purposes of targeted
443	443	advertising, the sale of personal data, or profiling in furtherance of decisions that
444	444	produce legal or similarly significant effects concerning the consumer. A consumer
445	445	may exercise the consumer[s rights through user-enabled global privacy controls,
446	446	such as a browser plugin or privacy setting, device setting, or other mechanism, that
447	447	communicate or signal the consumer[s choice to opt out of processing for the
448	448	purpose of targeted advertising or sale of the consumer[s personal data.
449	449	(b) 1. Except as otherwise provided in this section, a controller shall comply
450	450	with a request by a consumer to exercise the consumer rights authorized under par.
451	451	(a).
452	452	2. A controller shall respond to a consumer without undue delay, but in all
453	453	cases within 45 days of receipt of a request submitted under par. (a). The response
454	454	period may be extended once by 45 additional days when reasonably necessary,
455	455	taking into account the complexity and number of the consumer[s requests, so long
456	456	1
457	457	2
458	458	3
459	459	4
460	460	5
461	461	6
462	462	7
463	463	8
464	464	9
465	465	10
466	466	11
467	467	12
468	468	13
469	469	14
470	470	15
471	471	16
472	472	17
473	473	18
474	474	19
475	475	20
476	476	21
477	477	22
478	478	23 2025 - 2026 Legislature
479	479	SENATE BILL 166
480	480	- 11 - LRB-2468/1
481	481	MDE:cdc&emw
482	482	SECTION 1
483	483	as the controller informs the consumer of any such extension within the initial 45-
484	484	day response period, together with the reason for the extension.
485	485	3. If a controller declines to take action regarding a consumer[s request, the
486	486	controller shall inform the consumer without undue delay, but in all cases and at
487	487	the latest within 45 days of receipt of the request, of the justification for declining to
488	488	take action and instructions for how to appeal the decision under par. (c).
489	489	4. Information provided in response to a consumer request shall be provided
490	490	by a controller free of charge, once annually per consumer. If requests from a
491	491	consumer are manifestly unfounded, technically infeasible, excessive, or repetitive,
492	492	the controller may charge the consumer a reasonable fee to cover the administrative
493	493	costs of complying with the request or decline to act on the request. The controller
494	494	bears the burden of demonstrating the manifestly unfounded, technically infeasible,
495	495	excessive, or repetitive nature of the request.
496	496	5. If a controller is unable to authenticate the request using commercially
497	497	reasonable efforts, the controller may not be required to comply with a request to
498	498	initiate an action under par. (a) and may request that the consumer provide
499	499	additional information reasonably necessary to authenticate the consumer and the
500	500	consumer[s request.
501	501	6. A controller that has obtained personal data about a consumer from a
502	502	source other than the consumer shall be deemed in compliance with a consumer[s
503	503	request to delete the personal data under par. (a) 3. by doing any of the following:
504	504	a. Deleting the personal data, retaining a record of the request and the
505	505	1
506	506	2
507	507	3
508	508	4
509	509	5
510	510	6
511	511	7
512	512	8
513	513	9
514	514	10
515	515	11
516	516	12
517	517	13
518	518	14
519	519	15
520	520	16
521	521	17
522	522	18
523	523	19
524	524	20
525	525	21
526	526	22 2025 - 2026 Legislature
527	527	SENATE BILL 166
528	528	- 12 - LRB-2468/1
529	529	MDE:cdc&emw
530	530	SECTION 1
531	531	minimum data necessary to ensure the consumer[s personal data remains deleted
532	532	from the controller[s records, and not using the retained data for any other purpose.
533	533	b. Not processing the consumer[s personal data except as otherwise
534	534	authorized under this section.
535	535	(c) A controller shall establish a process for a consumer to appeal the
536	536	controller[s refusal to take action on a request within a reasonable period of time
537	537	after the consumer[s receipt of the decision pursuant to par. (b) 3. The appeal
538	538	process shall be conspicuously available and similar to the process for submitting
539	539	requests to initiate action under par. (a). Within 60 days of receipt of an appeal, a
540	540	controller shall inform the consumer in writing of any action taken or not taken in
541	541	response to the appeal, including a written explanation of the reasons for the
542	542	decisions. If the appeal is denied, the controller shall also provide the consumer
543	543	with an online mechanism, if available, or other method through which the
544	544	consumer may contact the department to submit a complaint.
545	545	(3) DATA CONTROLLER RESPONSIBILITIES; TRANSPARENCY. (a) 1. A controller
546	546	shall limit the collection of personal data to what is adequate, relevant, and
547	547	reasonably necessary in relation to the purposes for which such data is processed,
548	548	as disclosed to the consumer.
549	549	2. Except as otherwise provided in this section, a controller may not process
550	550	personal data for purposes that are not reasonably necessary to and not compatible
551	551	with the disclosed purposes for which such personal data is processed, as disclosed
552	552	to the consumer, unless the controller obtains the consumer[s consent.
553	553	3. A controller shall establish, implement, and maintain reasonable
554	554	1
555	555	2
556	556	3
557	557	4
558	558	5
559	559	6
560	560	7
561	561	8
562	562	9
563	563	10
564	564	11
565	565	12
566	566	13
567	567	14
568	568	15
569	569	16
570	570	17
571	571	18
572	572	19
573	573	20
574	574	21
575	575	22
576	576	23 2025 - 2026 Legislature
577	577	SENATE BILL 166
578	578	- 13 - LRB-2468/1
579	579	MDE:cdc&emw
580	580	SECTION 1
581	581	administrative, technical, and physical data security practices to protect the
582	582	confidentiality, integrity, and accessibility of personal data. Such data security
583	583	practices shall be appropriate to the volume and nature of the personal data at
584	584	issue.
585	585	4. A controller may not process personal data in violation of state and federal
586	586	laws that prohibit unlawful discrimination against consumers. A controller may
587	587	not discriminate against a consumer for exercising any of the consumer rights
588	588	contained in this section, including denying goods or services, charging different
589	589	prices or rates for goods or services, or providing a different level of quality of goods
590	590	and services to the consumer. Nothing in this subdivision shall be construed to
591	591	require a controller to provide a product or service that requires the personal data
592	592	of a consumer that the controller does not collect or maintain, or to prohibit a
593	593	controller from offering a different price, rate, level, quality, or selection of goods or
594	594	services to a consumer, including offering goods or services for no fee, if the offer is
595	595	related to a consumer[s voluntary participation in a bona fide loyalty, rewards,
596	596	premium features, discounts, or club card program.
597	597	5. A controller may not process sensitive data concerning a consumer without
598	598	obtaining the consumer[s consent, or, in the case of the processing of sensitive data
599	599	concerning a known child, without processing such data in accordance with the
600	600	federal Children[s Online Privacy Protection Act, 15 USC 6501 et seq.
601	601	(b) Any provision of a contract or agreement that purports to waive or limit
602	602	consumer rights under sub. (2) is void and unenforceable.
603	603	1
604	604	2
605	605	3
606	606	4
607	607	5
608	608	6
609	609	7
610	610	8
611	611	9
612	612	10
613	613	11
614	614	12
615	615	13
616	616	14
617	617	15
618	618	16
619	619	17
620	620	18
621	621	19
622	622	20
623	623	21
624	624	22 2025 - 2026 Legislature
625	625	SENATE BILL 166
626	626	- 14 - LRB-2468/1
627	627	MDE:cdc&emw
628	628	SECTION 1
629	629	(c) A controller shall provide consumers with a reasonably accessible, clear,
630	630	and meaningful privacy notice that includes all of the following:
631	631	1. The categories of personal data processed by the controller.
632	632	2. The purpose of processing personal data.
633	633	3. How consumers may exercise their consumer rights under sub. (2),
634	634	including how a consumer may appeal a controller[s decision with regard to the
635	635	consumer[s request.
636	636	4. The categories of 3rd parties, if any, with whom the controller shares
637	637	personal data.
638	638	5. The categories of personal data that the controller shares with 3rd parties,
639	639	if any.
640	640	(d) If a controller sells personal data to 3rd parties or processes personal data
641	641	for targeted advertising, the controller shall clearly and conspicuously disclose such
642	642	processing, as well as the manner in which a consumer may exercise the right to opt
643	643	out of such processing.
644	644	(e) A controller shall establish, and shall describe in a privacy notice, one or
645	645	more secure and reliable means for consumers to submit a request to exercise their
646	646	consumer rights under this section. Such means shall take into account the ways in
647	647	which consumers normally interact with the controller, the need for secure and
648	648	reliable communication of such requests, and the ability of the controller to
649	649	authenticate the identity of the consumer making the request. Controllers may not
650	650	require a consumer to create a new account in order to exercise consumer rights
651	651	under sub. (2) but may require a consumer to use an existing account. A controller
652	652	1
653	653	2
654	654	3
655	655	4
656	656	5
657	657	6
658	658	7
659	659	8
660	660	9
661	661	10
662	662	11
663	663	12
664	664	13
665	665	14
666	666	15
667	667	16
668	668	17
669	669	18
670	670	19
671	671	20
672	672	21
673	673	22
674	674	23 2025 - 2026 Legislature
675	675	SENATE BILL 166
676	676	- 15 - LRB-2468/1
677	677	MDE:cdc&emw
678	678	SECTION 1
679	679	that recognizes signals approved by other states shall be considered in compliance
680	680	with this paragraph. Such means shall include all of the following:
681	681	1. A clear and conspicuous link on the controller[s website to a webpage that
682	682	enables a consumer or an agent of a consumer to opt out of the targeted advertising
683	683	or sale of the consumer[s personal data.
684	684	2. On or after July 1, 2028, an opt-out preference signal sent, with a
685	685	consumer[s consent, by a platform, technology, or mechanism to the controller
686	686	indicating the consumer[s intent to opt out of any processing of the consumer[s
687	687	personal data for the purpose of targeted advertising or sale of the consumer[s
688	688	personal data. Such platform, technology, or mechanism shall do all of the
689	689	following:
690	690	a. Not unfairly advantage one controller over another.
691	691	b. Require the consumer to make an affirmative and unambiguous choice to
692	692	opt out of any processing of the consumer[s personal data.
693	693	c. Be easy to use by the average consumer.
694	694	d. Enable the controller to accurately determine whether the consumer is a
695	695	resident of this state and whether the consumer has made a legitimate request to
696	696	opt out of any targeted advertising or sale of the consumer[s personal data.
697	697	(4) RESPONSIBILITY ACCORDING TO ROLE; CONTROLLER AND PROCESSOR. (a) A
698	698	processor shall adhere to the instructions of a controller and shall assist the
699	699	controller in meeting its obligations under this section. Such assistance shall
700	700	include the following:
701	701	1. Taking into account the nature of processing and the information available
702	702	1
703	703	2
704	704	3
705	705	4
706	706	5
707	707	6
708	708	7
709	709	8
710	710	9
711	711	10
712	712	11
713	713	12
714	714	13
715	715	14
716	716	15
717	717	16
718	718	17
719	719	18
720	720	19
721	721	20
722	722	21
723	723	22
724	724	23 2025 - 2026 Legislature
725	725	SENATE BILL 166
726	726	- 16 - LRB-2468/1
727	727	MDE:cdc&emw
728	728	SECTION 1
729	729	to the processor, by appropriate technical and organizational measures, insofar as
730	730	this is reasonably practicable, to fulfill the controller[s obligation to respond to
731	731	consumer rights requests under sub. (2).
732	732	2. Taking into account the nature of processing and the information available
733	733	to the processor, by assisting the controller in meeting the controller[s obligations in
734	734	relation to the security of processing the personal data and in relation to giving
735	735	notice of unauthorized acquisition of personal information under s. 134.98.
736	736	3. Providing necessary information to enable the controller to conduct and
737	737	document data protection assessments under sub. (5).
738	738	(b) A contract between a controller and a processor shall govern the
739	739	processor[s data processing procedures with respect to processing performed on
740	740	behalf of the controller. The contract shall be binding and clearly set forth
741	741	instructions for processing data, the nature and purpose of processing, the type of
742	742	data subject to processing, the duration of processing, and the rights and obligations
743	743	of both parties. The contract shall also include requirements that the processor
744	744	shall do all of the following:
745	745	1. Ensure that each person processing personal data is subject to a duty of
746	746	confidentiality with respect to the data.
747	747	2. At the controller[s direction, delete or return all personal data to the
748	748	controller as requested at the end of the provision of services, unless retention of
749	749	the personal data is required by law.
750	750	3. Upon the reasonable request of the controller, make available to the
751	751	1
752	752	2
753	753	3
754	754	4
755	755	5
756	756	6
757	757	7
758	758	8
759	759	9
760	760	10
761	761	11
762	762	12
763	763	13
764	764	14
765	765	15
766	766	16
767	767	17
768	768	18
769	769	19
770	770	20
771	771	21
772	772	22 2025 - 2026 Legislature
773	773	SENATE BILL 166
774	774	- 17 - LRB-2468/1
775	775	MDE:cdc&emw
776	776	SECTION 1
777	777	controller all information in its possession necessary to demonstrate the processor[s
778	778	compliance with the obligations in this section.
779	779	4. At least one of the following:
780	780	a. Allow, and cooperate with, reasonable assessments by the controller or the
781	781	controller[s designated assessor.
782	782	b. Arrange for a qualified and independent assessor to conduct an assessment
783	783	of the processor[s policies and technical and organizational measures in support of
784	784	the obligations under this section using an appropriate and accepted control
785	785	standard or framework and assessment procedure for such assessments. The
786	786	processor shall provide a report of such assessment to the controller upon request.
787	787	5. Engage any subcontractor pursuant to a written contract in accordance
788	788	with par. (c) that requires the subcontractor to meet the obligations of the processor
789	789	with respect to the personal data.
790	790	(c) Nothing in this section shall be construed to relieve a controller or a
791	791	processor from the liabilities imposed on it by virtue of its role in the processing
792	792	relationship as defined by this section.
793	793	(d) Determining whether a person is acting as a controller or processor with
794	794	respect to a specific processing of data is a fact-based determination that depends
795	795	upon the context in which personal data is to be processed. A processor that
796	796	continues to adhere to a controller[s instructions with respect to a specific
797	797	processing of personal data remains a processor.
798	798	(5) DATA PROTECTION ASSESSMENTS. (a) A controller shall regularly conduct
799	799	1
800	800	2
801	801	3
802	802	4
803	803	5
804	804	6
805	805	7
806	806	8
807	807	9
808	808	10
809	809	11
810	810	12
811	811	13
812	812	14
813	813	15
814	814	16
815	815	17
816	816	18
817	817	19
818	818	20
819	819	21
820	820	22 2025 - 2026 Legislature
821	821	SENATE BILL 166
822	822	- 18 - LRB-2468/1
823	823	MDE:cdc&emw
824	824	SECTION 1
825	825	and document a data protection assessment of each of the following processing
826	826	activities involving personal data:
827	827	1. The processing of personal data for purposes of targeted advertising.
828	828	2. The sale of personal data.
829	829	3. The processing of personal data for purposes of profiling, where such
830	830	profiling presents a reasonably foreseeable risk of any of the following:
831	831	a. Unfair or deceptive treatment of, or unlawful disparate impact on,
832	832	consumers.
833	833	b. Financial, physical, or reputational injury to consumers.
834	834	c. Physical or other intrusion upon the solitude or seclusion, or the private
835	835	affairs or concerns, of consumers, where such intrusion would be offensive to a
836	836	reasonable person.
837	837	d. Other substantial injury to consumers.
838	838	4. The processing of sensitive data.
839	839	5. Any processing activities involving personal data that present a heightened
840	840	risk of harm to consumers.
841	841	6. The processing of personal data related to any good, service, or product
842	842	feature likely to be accessed by a child.
843	843	(b) Data protection assessments conducted under par. (a) shall identify and
844	844	weigh the benefits that may flow, directly and indirectly, from the processing to the
845	845	controller, the consumer, other stakeholders, and the public against the potential
846	846	risks to the rights of the consumer associated with such processing, as mitigated by
847	847	safeguards that can be employed by the controller to reduce such risks. The use of
848	848	1
849	849	2
850	850	3
851	851	4
852	852	5
853	853	6
854	854	7
855	855	8
856	856	9
857	857	10
858	858	11
859	859	12
860	860	13
861	861	14
862	862	15
863	863	16
864	864	17
865	865	18
866	866	19
867	867	20
868	868	21
869	869	22
870	870	23 2025 - 2026 Legislature
871	871	SENATE BILL 166
872	872	- 19 - LRB-2468/1
873	873	MDE:cdc&emw
874	874	SECTION 1
875	875	deidentified data and the reasonable expectations of consumers, as well as the
876	876	context of the processing and the relationship between the controller and the
877	877	consumer whose personal data will be processed, shall be factored into this
878	878	assessment by the controller.
879	879	(c) The department may request, pursuant to sub. (10), that a controller
880	880	disclose any data protection assessment that is relevant to an investigation
881	881	conducted by the department, and the controller shall make the data protection
882	882	assessment available to the department. The department may evaluate the data
883	883	protection assessment for compliance with the responsibilities set forth in sub. (3).
884	884	Data protection assessments shall be confidential and not subject to the right of
885	885	inspection and copying under s. 19.35 (1). The disclosure of a data protection
886	886	assessment pursuant to a request from the department shall not constitute a
887	887	waiver of attorney-client privilege or work product protection with respect to the
888	888	assessment and any information contained in the assessment.
889	889	(d) A single data protection assessment may address a comparable set of
890	890	processing operations that include similar activities.
891	891	(e) Data protection assessments conducted by a controller for the purpose of
892	892	compliance with other laws or regulations may comply under this section if the
893	893	assessments have a reasonably comparable scope and effect.
894	894	(f) Data protection assessment requirements shall apply to processing
895	895	activities created or generated after January 1, 2026, and are not retroactive.
896	896	(6) PROCESSING DEIDENTIFIED DATA; EXEMPTIONS. (a) A controller in
897	897	possession of deidentified data shall do all of the following:
898	898	1
899	899	2
900	900	3
901	901	4
902	902	5
903	903	6
904	904	7
905	905	8
906	906	9
907	907	10
908	908	11
909	909	12
910	910	13
911	911	14
912	912	15
913	913	16
914	914	17
915	915	18
916	916	19
917	917	20
918	918	21
919	919	22
920	920	23 2025 - 2026 Legislature
921	921	SENATE BILL 166
922	922	- 20 - LRB-2468/1
923	923	MDE:cdc&emw
924	924	SECTION 1
925	925	1. Take reasonable measures to ensure that the data cannot be associated
926	926	with an individual.
927	927	2. Publicly commit to maintaining and using deidentified data without
928	928	attempting to reidentify the data.
929	929	3. Contractually obligate any recipients of the deidentified data to comply
930	930	with all provisions of this section.
931	931	(b) Nothing in this section shall be construed to require a controller or
932	932	processor to do any of the following:
933	933	1. Reidentify deidentified data or pseudonymous data.
934	934	2. Maintain data in identifiable form.
935	935	3. Collect, obtain, retain, or access any data or technology, in order to be
936	936	capable of associating an authenticated consumer request with personal data.
937	937	(c) Nothing in this section shall be construed to require a controller or
938	938	processor to comply with an authenticated consumer rights request under sub. (2) if
939	939	all of the following are true:
940	940	1. The controller is not reasonably capable of associating the request with the
941	941	personal data or it would be unreasonably burdensome for the controller to
942	942	associate the request with the personal data.
943	943	2. The controller does not use the personal data to recognize or respond to the
944	944	specific consumer who is the subject of the personal data, or associate the personal
945	945	data with other personal data about the same specific consumer.
946	946	3. The controller does not sell the personal data to any 3rd party or otherwise
947	947	1
948	948	2
949	949	3
950	950	4
951	951	5
952	952	6
953	953	7
954	954	8
955	955	9
956	956	10
957	957	11
958	958	12
959	959	13
960	960	14
961	961	15
962	962	16
963	963	17
964	964	18
965	965	19
966	966	20
967	967	21
968	968	22 2025 - 2026 Legislature
969	969	SENATE BILL 166
970	970	- 21 - LRB-2468/1
971	971	MDE:cdc&emw
972	972	SECTION 1
973	973	voluntarily disclose the personal data to any 3rd party other than a processor,
974	974	except as otherwise permitted in this subsection.
975	975	(d) The consumer rights contained in subs. (2) (a) 1. to 4. and (3) shall not
976	976	apply to pseudonymous data in cases where the controller is able to demonstrate
977	977	any information necessary to identify the consumer is kept separately and is subject
978	978	to effective technical and organizational controls that prevent the controller from
979	979	accessing such information.
980	980	(e) A controller that discloses pseudonymous data or deidentified data shall
981	981	exercise reasonable oversight to monitor compliance with any contractual
982	982	commitments to which the pseudonymous data or deidentified data is subject and
983	983	shall take appropriate steps to address any breaches of those contractual
984	984	commitments.
985	985	(7) LIMITATIONS. (a) Nothing in this section shall be construed to restrict a
986	986	controller[s or processor[s ability to do any of the following:
987	987	1. Comply with federal, state, or local laws, rules, or regulations.
988	988	2. Comply with a civil, criminal, or regulatory inquiry, investigation,
989	989	subpoena, or summons by federal, state, local, or other governmental authorities.
990	990	3. Cooperate with law enforcement agencies concerning conduct or activity
991	991	that the controller or processor reasonably and in good faith believes may violate
992	992	federal, state, or local laws, rules, or regulations.
993	993	4. Investigate, establish, exercise, prepare for, or defend legal claims.
994	994	5. Provide a product or service specifically requested by a consumer or the
995	995	parent or guardian of a child, perform a contract to which the consumer is a party,
996	996	1
997	997	2
998	998	3
999	999	4
1000	1000	5
1001	1001	6
1002	1002	7
1003	1003	8
1004	1004	9
1005	1005	10
1006	1006	11
1007	1007	12
1008	1008	13
1009	1009	14
1010	1010	15
1011	1011	16
1012	1012	17
1013	1013	18
1014	1014	19
1015	1015	20
1016	1016	21
1017	1017	22
1018	1018	23 2025 - 2026 Legislature
1019	1019	SENATE BILL 166
1020	1020	- 22 - LRB-2468/1
1021	1021	MDE:cdc&emw
1022	1022	SECTION 1
1023	1023	including fulfilling the terms of a written warranty, or take steps at the request of
1024	1024	the consumer prior to entering into a contract.
1025	1025	6. Take immediate steps to protect an interest that is essential for the life or
1026	1026	physical safety of the consumer or of another individual, and where the processing
1027	1027	cannot be manifestly based on another legal basis.
1028	1028	7. Prevent, detect, protect against, or respond to security incidents, identity
1029	1029	theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
1030	1030	preserve the integrity or security of systems; or investigate, report, or prosecute
1031	1031	those responsible for any such action.
1032	1032	8. Engage in public or peer-reviewed scientific or statistical research in the
1033	1033	public interest that adheres to all other applicable ethics and privacy laws and is
1034	1034	approved, monitored, and governed by an institutional review board, or similar
1035	1035	independent oversight entities that determine all of the following:
1036	1036	a. If the deletion of the information is likely to provide substantial benefits
1037	1037	that do not exclusively accrue to the controller.
1038	1038	b. The expected benefits of the research outweigh the privacy risks.
1039	1039	c. If the controller has implemented reasonable safeguards to mitigate privacy
1040	1040	risks associated with research, including any risks associated with reidentification.
1041	1041	9. Assist another controller, processor, or 3rd party with any of the obligations
1042	1042	under this section.
1043	1043	(b) The obligations imposed on controllers or processors under this section
1044	1044	shall not restrict a controller[s or processor[s ability to collect, use, or retain data to
1045	1045	do any of the following:
1046	1046	1
1047	1047	2
1048	1048	3
1049	1049	4
1050	1050	5
1051	1051	6
1052	1052	7
1053	1053	8
1054	1054	9
1055	1055	10
1056	1056	11
1057	1057	12
1058	1058	13
1059	1059	14
1060	1060	15
1061	1061	16
1062	1062	17
1063	1063	18
1064	1064	19
1065	1065	20
1066	1066	21
1067	1067	22
1068	1068	23 2025 - 2026 Legislature
1069	1069	SENATE BILL 166
1070	1070	- 23 - LRB-2468/1
1071	1071	MDE:cdc&emw
1072	1072	SECTION 1
1073	1073	1. Conduct internal research to develop, improve, or repair products, services,
1074	1074	or technology.
1075	1075	2. Effectuate a product recall.
1076	1076	3. Identify and repair technical errors that impair existing or intended
1077	1077	functionality.
1078	1078	4. Perform internal operations that are reasonably aligned with the
1079	1079	expectations of the consumer or reasonably anticipated on the basis of the
1080	1080	consumer[s existing relationship with the controller or are otherwise compatible
1081	1081	with processing data in furtherance of the provision of a product or service
1082	1082	specifically requested by a consumer or the performance of a contract to which the
1083	1083	consumer is a party.
1084	1084	(c) The obligations imposed on controllers or processors under this section
1085	1085	shall not apply where compliance by the controller or processor with this section
1086	1086	would violate an evidentiary privilege under ch. 905. Nothing in this section shall
1087	1087	be construed to prevent a controller or processor from providing personal data
1088	1088	concerning a consumer to a person covered by an evidentiary privilege under ch.
1089	1089	905 as part of a privileged communication.
1090	1090	(d) A controller or processor that discloses personal data to a 3rd-party
1091	1091	controller or processor, in compliance with the requirements of this section, is not in
1092	1092	violation of this section if the 3rd-party controller or processor that receives and
1093	1093	processes such personal data is in violation of this section, provided that, at the
1094	1094	time of disclosing the personal data, the disclosing controller or processor did not
1095	1095	have actual knowledge that the recipient intended to commit a violation. A 3rd-
1096	1096	1
1097	1097	2
1098	1098	3
1099	1099	4
1100	1100	5
1101	1101	6
1102	1102	7
1103	1103	8
1104	1104	9
1105	1105	10
1106	1106	11
1107	1107	12
1108	1108	13
1109	1109	14
1110	1110	15
1111	1111	16
1112	1112	17
1113	1113	18
1114	1114	19
1115	1115	20
1116	1116	21
1117	1117	22
1118	1118	23 2025 - 2026 Legislature
1119	1119	SENATE BILL 166
1120	1120	- 24 - LRB-2468/1
1121	1121	MDE:cdc&emw
1122	1122	SECTION 1
1123	1123	party controller or processor receiving personal data from a controller or processor
1124	1124	in compliance with the requirements of this section is likewise not in violation of
1125	1125	this section for the transgressions of the controller or processor from which it
1126	1126	receives such personal data.
1127	1127	(e) Nothing in this section shall be construed as an obligation imposed on
1128	1128	controllers and processors that adversely affects the rights or freedoms of any
1129	1129	persons, such as exercising the right of free speech pursuant to the First
1130	1130	Amendment to the U.S. Constitution, or applies to the processing of personal data
1131	1131	by a person in the course of a purely personal or household activity.
1132	1132	(f) Personal data processed by a controller pursuant to this subsection may
1133	1133	not be processed for any purpose other than those expressly listed in this subsection
1134	1134	unless otherwise allowed by this section. Personal data processed by a controller
1135	1135	pursuant to this subsection may be processed to the extent that such processing is
1136	1136	both of the following:
1137	1137	1. Reasonably necessary and proportionate to the purposes listed in this
1138	1138	subsection.
1139	1139	2. Adequate, relevant, and limited to what is necessary in relation to the
1140	1140	specific purposes listed in this subsection. Personal data collected, used, or
1141	1141	retained pursuant to par. (b) shall, where applicable, take into account the nature
1142	1142	and purpose or purposes of such collection, use, or retention. Such data shall be
1143	1143	subject to reasonable administrative, technical, and physical measures to protect
1144	1144	the confidentiality, integrity, and accessibility of the personal data and to reduce
1145	1145	1
1146	1146	2
1147	1147	3
1148	1148	4
1149	1149	5
1150	1150	6
1151	1151	7
1152	1152	8
1153	1153	9
1154	1154	10
1155	1155	11
1156	1156	12
1157	1157	13
1158	1158	14
1159	1159	15
1160	1160	16
1161	1161	17
1162	1162	18
1163	1163	19
1164	1164	20
1165	1165	21
1166	1166	22 2025 - 2026 Legislature
1167	1167	SENATE BILL 166
1168	1168	- 25 - LRB-2468/1
1169	1169	MDE:cdc&emw
1170	1170	SECTION 1
1171	1171	reasonably foreseeable risks of harm to consumers relating to such collection, use,
1172	1172	or retention of personal data.
1173	1173	(g) If a controller processes personal data pursuant to an exemption in this
1174	1174	section, the controller bears the burden of demonstrating that such processing
1175	1175	qualifies for the exemption and complies with the requirements in par. (f).
1176	1176	(h) Processing personal data for the purposes expressly identified in par. (a)
1177	1177	shall not solely make an entity a controller with respect to such processing.
1178	1178	(8) SCOPE; EXEMPTIONS. (a) This section applies to persons that conduct
1179	1179	business in this state or produce products or services that are targeted to residents
1180	1180	of this state and who satisfy either of the following:
1181	1181	1. During a calendar year, the person controls or processes personal data of at
1182	1182	least 100,000 consumers.
1183	1183	2. The person controls or processes personal data of at least 25,000 consumers
1184	1184	and derives over 50 percent of gross revenue from the sale of personal data.
1185	1185	(b) This section shall not apply to any of the following:
1186	1186	1. An association, authority, board, department, commission, independent
1187	1187	agency, institution, office, society, entity regulated by the federal Farm Credit
1188	1188	Administration, or other body in state or local government created or authorized to
1189	1189	be created by the constitution or any law.
1190	1190	2. Financial institutions, affiliates of financial institutions, or data subject to
1191	1191	Title V of the federal Gramm-Leach-Bliley Act, 15 USC 6801 et seq.
1192	1192	3. A covered entity or business associate governed by HIPAA or HITECH.
1193	1193	4. A nonprofit organization.
1194	1194	1
1195	1195	2
1196	1196	3
1197	1197	4
1198	1198	5
1199	1199	6
1200	1200	7
1201	1201	8
1202	1202	9
1203	1203	10
1204	1204	11
1205	1205	12
1206	1206	13
1207	1207	14
1208	1208	15
1209	1209	16
1210	1210	17
1211	1211	18
1212	1212	19
1213	1213	20
1214	1214	21
1215	1215	22
1216	1216	23 2025 - 2026 Legislature
1217	1217	SENATE BILL 166
1218	1218	- 26 - LRB-2468/1
1219	1219	MDE:cdc&emw
1220	1220	SECTION 1
1221	1221	5. An institution of higher education.
1222	1222	6. A state agency or political subdivision of this state, including agents and
1223	1223	entities that use public safety technologies for the purposes of bona fide law
1224	1224	enforcement investigation.
1225	1225	7. The entity under contract under s. 153.05 (2m) (a) and its contractors.
1226	1226	8. The data organization under contract under s. 153.05 (2r) and its
1227	1227	contractors.
1228	1228	(c) The following information and data are exempt from this section:
1229	1229	1. Any health care information or record that is governed by HIPAA,
1230	1230	HITECH, Cures Act, or any other federal law governing the use, disclosure, access
1231	1231	or creation of health care information or records, including any derived,
1232	1232	identifiable, de-identifiable, confidential or non-confidential health care
1233	1233	information or records as defined by such federal laws.
1234	1234	2. Any health care information or record that is governed by s. 51.30, 146.816,
1235	1235	146.82, 146.83, or 146.84, chapter 153, or other Wisconsin law governing the use,
1236	1236	disclosure, access or creation of health care information or records, including any
1237	1237	derived, identifiable, de-identifiable, confidential or non-confidential health care
1238	1238	information or records as defined by such Wisconsin laws.
1239	1239	3. Any of the following:
1240	1240	a. Identifiable private information for purposes of the federal policy for the
1241	1241	protection of human subjects under 45 CFR Part 46.
1242	1242	b. Identifiable private information that is otherwise information collected as
1243	1243	part of human subjects research pursuant to the good clinical practice guidelines
1244	1244	1
1245	1245	2
1246	1246	3
1247	1247	4
1248	1248	5
1249	1249	6
1250	1250	7
1251	1251	8
1252	1252	9
1253	1253	10
1254	1254	11
1255	1255	12
1256	1256	13
1257	1257	14
1258	1258	15
1259	1259	16
1260	1260	17
1261	1261	18
1262	1262	19
1263	1263	20
1264	1264	21
1265	1265	22
1266	1266	23 2025 - 2026 Legislature
1267	1267	SENATE BILL 166
1268	1268	- 27 - LRB-2468/1
1269	1269	MDE:cdc&emw
1270	1270	SECTION 1
1271	1271	issued by the International Council for Harmonisation of Technical Requirements
1272	1272	for Pharmaceuticals for Human Use or under 21 CFR Parts 50 and 56.
1273	1273	c. Personal data used or shared in research conducted in accordance with the
1274	1274	requirements set forth in this section, or other research conducted in accordance
1275	1275	with applicable law.
1276	1276	4. Information and documents created for purposes of the federal Health Care
1277	1277	Quality Improvement Act of 1986, 42 USC 11101 et seq.
1278	1278	5. Patient safety work product for purposes of the federal Patient Safety and
1279	1279	Quality Improvement Act, 42 USC 299b-21 et seq.
1280	1280	6. Information originating from, and intermingled to be indistinguishable
1281	1281	with, or information treated in the same manner as information exempt under this
1282	1282	paragraph.
1283	1283	7. The collection, maintenance, disclosure, sale, communication, or use of any
1284	1284	personal information bearing on a consumer[s credit worthiness, credit standing,
1285	1285	credit capacity, character, general reputation, personal characteristics, or mode of
1286	1286	living by a consumer reporting agency, furnisher, or user that provides information
1287	1287	for use in a consumer report, and by a user of a consumer report, but only to the
1288	1288	extent that such activity is regulated by and authorized under the federal Fair
1289	1289	Credit Reporting Act, 15 USC 1681 et seq.
1290	1290	8. Personal data collected, processed, sold, or disclosed in compliance with the
1291	1291	federal Driver[s Privacy Protection Act of 1994, 18 USC 2721 et seq.
1292	1292	9. Personal data regulated by the federal Family Educational Rights and
1293	1293	Privacy Act, 20 USC 1232g et seq.
1294	1294	1
1295	1295	2
1296	1296	3
1297	1297	4
1298	1298	5
1299	1299	6
1300	1300	7
1301	1301	8
1302	1302	9
1303	1303	10
1304	1304	11
1305	1305	12
1306	1306	13
1307	1307	14
1308	1308	15
1309	1309	16
1310	1310	17
1311	1311	18
1312	1312	19
1313	1313	20
1314	1314	21
1315	1315	22
1316	1316	23 2025 - 2026 Legislature
1317	1317	SENATE BILL 166
1318	1318	- 28 - LRB-2468/1
1319	1319	MDE:cdc&emw
1320	1320	SECTION 1
1321	1321	10. Personal data collected, processed, sold, or disclosed in compliance with
1322	1322	the federal Farm Credit Act, 12 USC 2001 et seq.
1323	1323	11. Data processed or maintained for any of the following purposes:
1324	1324	a. In the course of an individual applying to, employed by, or acting as an
1325	1325	agent or independent contractor of a controller, processor, or 3rd party, to the extent
1326	1326	that the data is collected and used within the context of that role.
1327	1327	b. As the emergency contact information of an individual under this section
1328	1328	used for emergency contact purposes.
1329	1329	c. That is necessary to retain to administer benefits for another individual
1330	1330	relating to an individual described in subd. 15. a. and used for the purposes of
1331	1331	administering those benefits.
1332	1332	12. Personal data collected, processed, and maintained in compliance with the
1333	1333	Children[s Online Privacy Protection Act of 1998, 15 USC 6501 et seq., as amended,
1334	1334	and regulations thereto.
1335	1335	(9) VIOLATIONS. (a) The department and the department of justice shall have
1336	1336	authority to enforce violations of this section.
1337	1337	(b) 1. The department or the department of justice shall, at least 30 days
1338	1338	before initiating any action under this section, provide a controller or processor
1339	1339	written notice that identifies the specific provisions of this section the department
1340	1340	or the department of justice alleges have been or are being violated. If within the 30
1341	1341	days the controller or processor cures the noticed violation and provides the
1342	1342	department or the department of justice an express written statement that the
1343	1343	1
1344	1344	2
1345	1345	3
1346	1346	4
1347	1347	5
1348	1348	6
1349	1349	7
1350	1350	8
1351	1351	9
1352	1352	10
1353	1353	11
1354	1354	12
1355	1355	13
1356	1356	14
1357	1357	15
1358	1358	16
1359	1359	17
1360	1360	18
1361	1361	19
1362	1362	20
1363	1363	21
1364	1364	22 2025 - 2026 Legislature
1365	1365	SENATE BILL 166
1366	1366	- 29 - LRB-2468/1
1367	1367	MDE:cdc&emw
1368	1368	SECTION 1
1369	1369	alleged violations have been cured and that no such further violations shall occur,
1370	1370	no action shall be initiated against the controller or processor.
1371	1371	2. Notwithstanding subd. 1., if a controller or processor continues to violate
1372	1372	this section in breach of an express written statement provided to the department
1373	1373	or the department of justice under subd. 1., the department or the department of
1374	1374	justice may initiate an action under this section.
1375	1375	(c) Nothing in this section shall be construed as providing the basis for, or
1376	1376	being subject to, a private right of action to violations of this section or under any
1377	1377	other law.
1378	1378	(10) ENFORCEMENT ; PENALTIES. (a) The department or the department of
1379	1379	justice has exclusive authority to enforce violations of this section. The department
1380	1380	or the department of justice may commence an action in any court of competent
1381	1381	jurisdiction in the name of this state to restrain by temporary or permanent
1382	1382	injunction the violation of this section and any order issued under this section and
1383	1383	to recover a civil forfeiture of not less than $100 and not more than $10,000 for each
1384	1384	violation of this section or of any order, including an injunction, issued under this
1385	1385	section. The court may in its discretion, prior to the entry of final judgment, make
1386	1386	such orders or judgments as may be necessary to restore any person any pecuniary
1387	1387	loss suffered because of the acts or practices involved in the action, provided proof
1388	1388	thereof is submitted to the satisfaction of the court. The department may use its
1389	1389	authority in ss. 93.14 and 93.15 to investigate violations of this section and any
1390	1390	order issued under this section.
1391	1391	(b) The department of justice may issue a civil investigative demand to any
1392	1392	1
1393	1393	2
1394	1394	3
1395	1395	4
1396	1396	5
1397	1397	6
1398	1398	7
1399	1399	8
1400	1400	9
1401	1401	10
1402	1402	11
1403	1403	12
1404	1404	13
1405	1405	14
1406	1406	15
1407	1407	16
1408	1408	17
1409	1409	18
1410	1410	19
1411	1411	20
1412	1412	21
1413	1413	22
1414	1414	23 2025 - 2026 Legislature
1415	1415	SENATE BILL 166
1416	1416	- 30 - LRB-2468/1
1417	1417	MDE:cdc&emw
1418	1418	SECTION 1
1419	1419	controller or processor believed to be engaged in, or about to engage in, any violation
1420	1420	of this section, and by the civil investigative demand the department of justice may
1421	1421	compel the attendance of any officers or agents of the controller or processor,
1422	1422	examine the officers or agents of the controller or processor under oath, require the
1423	1423	production of any books or papers that the department of justice deems relevant or
1424	1424	material to the inquiry, and issue written interrogatories to be answered by the
1425	1425	officers or agents of the controller or processor.
1426	1426	(c) The department or the department of justice may serve a complaint,
1427	1427	notice, order, civil investigative demand, or other process in the manner provided for
1428	1428	service of a summons, or a subpoena as provided by s. 885.03, and either may be
1429	1429	served by registered mail to an address that the controller or processor previously
1430	1430	furnished to the department, the department of justice, or the department of
1431	1431	financial institutions. Service may be proved by affidavit. Service in any event may
1432	1432	also be by registered mail addressed to the controller or processor and proved by
1433	1433	post office return receipt, in which case the time of service is the date borne by the
1434	1434	receipt.
1435	1435	(d) Notwithstanding s. 814.04 (1), the department or the department of justice
1436	1436	may recover reasonable expenses incurred in investigating, preparing, and
1437	1437	prosecuting the case, including attorney fees, of any action initiated under this
1438	1438	section.
1439	1439	(11) LOCAL PREEMPTION. No city, village, town, or county may enact or
1440	1440	enforce an ordinance that regulates the collection, processing, or sale of personal
1441	1441	data.
1442	1442	1
1443	1443	2
1444	1444	3
1445	1445	4
1446	1446	5
1447	1447	6
1448	1448	7
1449	1449	8
1450	1450	9
1451	1451	10
1452	1452	11
1453	1453	12
1454	1454	13
1455	1455	14
1456	1456	15
1457	1457	16
1458	1458	17
1459	1459	18
1460	1460	19
1461	1461	20
1462	1462	21
1463	1463	22
1464	1464	23 2025 - 2026 Legislature
1465	1465	SENATE BILL 166
1466	1466	- 31 - LRB-2468/1
1467	1467	MDE:cdc&emw
1468	1468	SECTION 2
1469	1469	SECTION 2. 100.80 (9) (b) 1. of the statutes, as created by 2025 Wisconsin Act
1470	1470	.... (this act), is repealed.
1471	1471	SECTION 3. 100.80 (9) (b) 2. of the statutes, as created by 2025 Wisconsin Act
1472	1472	.... (this act), is renumbered 100.80 (9) (b) and amended to read:
1473	1473	100.80 (9) (b) Notwithstanding subd. 1., if If a controller or processor
1474	1474	continues to violate violates this section in breach of an express written statement
1475	1475	provided to the department or the department of justice under subd. 1., the
1476	1476	department or the department of justice may initiate an action under this section.
1477	1477	SECTION 4. Effective dates This act takes effect on July 1, 2027, except as
1478	1478	follows:
1479	1479	(1) The repeal of s. 100.80 (9) (b) 1. and the renumbering and amendment of s.
1480	1480	100.80 (9) (b) 2. take effect on July 1, 2031.
1481	1481	(END)
1482	1482	1
1483	1483	2
1484	1484	3
1485	1485	4
1486	1486	5
1487	1487	6
1488	1488	7
1489	1489	8
1490	1490	9
1491	1491	10
1492	1492	11
1493	1493	12
1494	1494	13