AB870

An Act to create 134.985 of the statutes; relating to: consumer access to personal data processed by a controller and providing a penalty.
Analysis by the Legislative Reference Bureau

This bill generally requires controllers of consumers' personal data to provide a consumer with copies of the consumer's personal data processed by the controller. Under the bill, a “controller” is a person that alone or jointly with others determines the purposes and means of the processing of personal data. The bill defines “personal data” as information relating to a consumer that allows the consumer to be identified other than information lawfully made available from federal, state, or local government records.

The bill requires a controller, when collecting personal data from a consumer, to inform the consumer that it is collecting personal data and to provide the consumer with certain other information. Additionally, if a controller intends to process a consumer's personal data and the controller did not collect the personal data from the consumer, the controller must, within one month of obtaining the personal data, identify itself to the consumer and provide the consumer with certain information, such as the purposes for which the controller intends to process the personal data and where the controller obtained the personal data.

Also, under the bill, if a controller processes a consumer's personal data, the controller must provide a copy of the personal data to a consumer who requests a copy. The controller must also provide the consumer with certain other information, including the purposes for which the controller processes the personal data, the categories of the personal data that the controller processes, and the persons to whom the controller discloses the personal data. If a consumer requests a copy of personal data electronically, the controller must provide the copy and requested information in a commonly used electronic form, unless the consumer requests otherwise. A controller is not required to provide a consumer with a copy of the consumer's personal data 1) if providing the copy would adversely affect the rights of others; 2) if the controller processes a consumer's personal data out of necessity in performing a task for the public interest; or 3) if the personal data is certain health, financial, or other personal information, including information restricted by federal law.

The bill also requires a controller to notify the Department of Justice if the controller is aware of a personal data breach involving consumer personal data it maintains and the data breach is likely to result in a risk to the rights and freedoms of consumers. The notification must describe the nature of the personal data breach and provide certain additional information. Also, if the personal data breach is likely to result in a high risk to the rights and freedoms of consumers, a controller generally must notify the consumers whose personal data is involved in the personal data breach. The bill also requires a processor to notify a controller about a personal data breach of personal data that it maintains on behalf of the controller.

Under the bill, the attorney general may investigate violations and bring actions for enforcement. A controller who violates the bill's personal data breach notification requirements is subject to a fine of up to $10,000,000 or up to 2 percent of the controller's total annual revenue, whichever is greater. For violating the bill's requirements related to providing copies of a consumer's personal data, a controller may be fined up to $20,000,000 or up to 4 percent of the controller's total annual revenue, whichever is greater.

The people of the state of Wisconsin, represented in senate and assembly, do enact as follows:
Section 1. 134.985 of the statutes is created to read:

134.985 Access to personal data. (1) Definitions. In this section:

(a) “Consumer” means an individual who is a resident of this state.

(b) “Controller” means a person that alone or jointly with others determines the purposes and means of the processing of personal data, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.

(c) “Personal data” means information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer, but does not include any information lawfully made available from federal, state, or local government records.

(d) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

(e) “Process,” when used in reference to personal data, means to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.

(f) “Processor” means a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.

(g) “Recipient” means a person to which personal data is disclosed.
(2) Notice required. (a) Except as provided in par. (b), at the time when a controller collects personal data from a consumer, the controller shall provide the consumer with the following information:

1. The identity and contact information of the controller.

2. The purposes for which the controller intends to process the consumer's personal data and the legal authority for conducting the processing.

3. The recipients or categories of recipients to whom the consumer's personal data will be disclosed.

4. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.

5. Information describing the consumer's ability to make requests under sub. (3).

6. Whether the controller will use the consumer's personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which automated decision-making will be used and meaningful information about the automated decision-making procedure.

(b) A controller is not required to provide a consumer with information under par. (a) if the consumer has previously been provided with the information required under par. (a).

(c) Except as provided in par. (d), if a controller intends to process a consumer's personal data and the controller did not collect the personal data from the consumer, within one month of obtaining the personal data, the controller shall provide the consumer with the following information:

1. The identity and contact information of the controller.

2. The purposes for which the controller intends to process the consumer's personal data and the legal authority for conducting the processing.

3. The categories of the consumer's personal data that the controller intends to process.

4. The recipients or categories of recipients to whom the consumer's personal data will be disclosed.

5. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.

6. Information describing the consumer's ability to make requests under sub. (3).

7. The controller's source for the personal data, including whether the personal data was obtained from publicly accessible sources.

8. Whether the controller will use the consumer's personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which automated decision-making will be used and meaningful information about the automated decision-making procedure.

(d) A controller is not required to provide a consumer with information under par. (c) if any of the following applies:

1. The consumer has previously been provided with the information required under par. (c).

2. Providing the information is impossible or involves unreasonable effort.

3. Federal, state, or local law requires that the information not be disclosed.
(3) Access to personal data. (a) Upon a consumer's request, a controller shall inform the consumer as to whether or not the controller processes the consumer's personal data.

(b) 1. If a controller processes a consumer's personal data, upon the consumer's request, the controller shall provide the consumer with a copy of the consumer's personal data and all of the following information:

a. The purposes for which the controller processes the consumer's personal data.

b. The categories of the consumer's personal data that the controller processes.

c. The recipients or categories of recipients to whom the consumer's personal data have been or will be disclosed.

d. If known, the estimated period of time that the controller will store the consumer's personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data.

e. If the controller did not collect the personal data from the consumer, any available information on the controller's source for the personal data.

2. If the consumer makes a request under this paragraph to the controller by electronic means, the controller shall provide the information required under subd. 1. to the consumer in a commonly used electronic form, unless otherwise requested by the consumer.

3. a. Except as provided in subd. 3. b., a controller shall provide copies and information required under subd. 1. free of charge.

b. If a request from a consumer is manifestly unfounded or excessive, including by being repetitive, a controller may either charge the consumer a reasonable fee based on the administrative costs of providing a copy or information or refuse to act on the request. The controller bears the burden of demonstrating that a consumer's request is manifestly unfounded or excessive.

4. a. Except as provided in subd. 4. b., a controller shall provide a copy and information under subd. 1. within one month of receiving a consumer's request.

b. A controller may provide a copy and information under subd. 1. within 3 months of receiving a consumer's request if necessary due to the complexity and number of requests received by the controller. If the controller does not provide a copy and information under subd. 1. to a consumer within one month of the consumer's request, the controller shall within one month of the consumer's request inform the consumer about the delay and notify the consumer of the reason for the delay.

5. A controller is not required to provide a consumer with a copy and information under subd. 1. if any of the following applies:

a. The controller processes the consumer's personal data out of necessity for performing a task carried out in the public interest or out of necessity for exercising official authority vested in the controller.

b. Providing a copy would adversely affect the rights of others.

(c) This subsection does not require a controller to do any of the following:

1. Reidentify data that does not identify a consumer.

2. Retain, link, or combine personal data concerning a consumer that the controller would not otherwise retain, link, or combine in its ordinary course of business.

3. Comply with a request under this subsection if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(4) Personal data breach notification. (a) 1. Except as provided in subd. 2., if a controller is aware of a personal data breach of personal data maintained by the controller, the controller shall notify the department of justice of the personal data breach without undue delay. If feasible, the controller shall notify the department within 30 days of becoming aware of the personal data breach. If the controller does not notify the department within 30 days of becoming aware of the personal data breach, the controller shall provide a reason for not notifying within 30 days. The notification shall do all of the following:

a. Describe the nature of the personal data breach including, if known, the categories and approximate number of consumers involved and the categories and approximate number of personal data records involved.

b. Describe the likely consequences of the personal data breach.

c. Describe the measures taken or proposed by the controller to address the personal data breach, including, if appropriate, measures to mitigate the possible adverse effects.

2. A controller is not required to make a notification under this paragraph if the personal data breach is unlikely to result in a risk to the rights and freedoms of consumers.

3. If it is not possible to provide the information required under subd. 1. at the same time, the controller may provide the information in stages without undue delay.

4. If a processor is aware of a personal data breach of personal data that the processor maintains on behalf of a controller, the processor shall notify the controller without undue delay.

(b) 1. Except as provided in subd. 2., if a controller is aware of a personal data breach of personal data maintained by the controller and the personal data breach is likely to result in a high risk to the rights and freedoms of consumers, the controller shall notify the consumers whose personal data is involved in the personal data breach. The notification shall describe in clear and plain language the nature of the personal data breach and contain the information described in par. (a) 1. b. and c.

2. A controller is not required to make a notification under this paragraph if any of the following applies:

a. The controller has implemented appropriate technical and organizational protection measures to the personal data involved in the personal data breach that render the personal data unintelligible to any person who is not authorized to access it.

b. The controller takes measures after the personal data breach that ensure that a high risk to the rights and freedoms of consumers is not likely to exist.

c. Making the notification involves unreasonable effort. If this subd. 2. c. applies, the controller shall publicly communicate about the personal data breach to consumers in an effective manner.
(5) Applicability. (a) This section does not require a controller to confirm processing or provide a copy of the following types of information:

1. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.

2. Information identifying a patient covered by 42 USC 290dd-2.

3. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.

4. Information and documents created specifically for and collected and maintained by a hospital.

5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.

6. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.

7. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.

8. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.

9. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.

10. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.

11. Information maintained for employment records.

(b) This section does not apply to a consumer who processes personal data in connection with a purely personal or household activity.

(c) This section does not apply to a controller that processes a consumer's personal data for literary or artistic purposes.

(d) This section does not apply to a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest.
(6) Enforcement; penalties. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.

(b) 1. A controller who violates sub. (4) shall be fined not more than $10,000,000 or not more than 2 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.