Lawmakers Introduce Wisconsin Data Privacy Act
Lawmakers Introduce Wisconsin Data Privacy Act
What this groundbreaking proposed legislation may mean for Wisconsin businesses and consumers.
By Mason B. Schultz
Earlier this year, a bipartisan group of lawmakers introduced a trio of bills called the “Wisconsin Data Privacy Act.” If passed, the Act would make Wisconsin home to the strongest consumer data privacy rights in the entire country. At the same time, this Act would create strict new regulations on businesses that collect, process, and retain personal data from its consumers, and would impose severe penalties on businesses who fail to comply with the law.
This law would apply to “controllers,” meaning any person or organization that determines the purposes and means of the “processing” of “personal data.” “Personal data” means any personally identifiable information relating to a consumer, including phone numbers, location data, or online identifiers. “Processing” basically means any act that uses the personal data, such as collecting, recording, or storing of any data. Many routine business practices, such as collecting customer phone lists and addresses, could fall under the ambit of this proposed law.
Each of the proposed bills would impose distinct requirements on controllers—including businesses—that collect consumer personal data:
The first bill would require controllers to inform consumers that their personal data is being collected and to disclose the intended use of that data. Controllers would also be required to inform the Department of Justice in the event of a data breach.
The second bill would require controllers of personal data to delete that data once it is no longer necessary to hold, or within a limited time after a customer requests the deletion.
Finally, the third bill would forbid controllers of consumer personal data from using that data unless the consumer provides affirmative “opt-in” consent, and the consumer reserves the right to later opt out. This bill would also limit the types of per data that controllers can use, including express restrictions on the use of data revealing a consumer’s racial or ethnic origin, as well as genetic, biometric, and other health data.
If passed in its current language, the penalties for violating the Wisconsin Data Privacy Act would be severe. Although there is currently no private right of action in the proposed legislation, the law would be enforced by the Department of Justice. The law would create two tiers of penalties. The first tier, which includes violations of the data breach notice requirements, the penalty could be up to $10,000,000 or 2% of the business’s total annual revenues—whichever is greater. The second tier, which includes the unauthorized use of personal data, the penalty could be up to $20,000,000 or 4% of the business’s total annual revenues—whichever is greater.
The Wisconsin Data Privacy Act has not yet been passed by the legislature, and even if passed in its current form, would not go into effect until 2022. However, given the Act’s bipartisan support, as well as the fact that similar consumer protection laws are enacted in other states, it is likely only a matter of time before these proposals become law in Wisconsin as well.
Data privacy law is a complex, nuanced, and constantly changing area of the law. This article only serves as a broad overview of the law and should not be construed as legal advice. If you are local business seeking advice on compliance with the law, or if you are a consumer who thinks your rights may have been violated, contact us today to schedule a consultation.