2019 - 2020 LEGISLATURE
February 10, 2020 - Introduced by Representatives Zimmerman, Macco, Quinn,
Duchow, Wichgers, Plumer, Sortwell, Kulp, Dittrich, Thiesfeldt, Knodl,
Gundrum, Brostoff, Wittke and Steffen, cosponsored by Senator Risser.
Referred to Committee on Science and Technology.
An Act to create 134.985 of the statutes; relating to: deletion of consumer personal data by controllers and providing a penalty.
Analysis by the Legislative Reference Bureau
This bill generally requires controllers of consumers' personal data to delete a consumer's personal data if the consumer requests deletion of that personal data. Under the bill, a “controller” is a person that alone or jointly with others determines the purposes and means of the processing of personal data. The bill defines “personal data” as information relating to a consumer that allows the consumer to be identified other than information lawfully made available from federal, state, or local government records. The bill allows a consumer to request that a controller delete personal data relating to the consumer, and the controller must delete the personal data if certain conditions apply, such as the following: 1) it is no longer necessary for the controller to process the consumer's personal data to accomplish the purposes for which the personal data was collected or processed; or 2) the personal data is processed for direct marketing purposes. Under the bill, if a controller is required to delete a consumer's personal data and has disclosed the personal data, the controller must take reasonable steps based on the available technology and implementation cost to notify other controllers that are processing the personal data to delete the personal data, and other controllers so notified must also delete the personal data.

Various exceptions are provided under the bill, and under certain conditions, a controller is not required to delete personal data, such as if processing the personal data is necessary for performing a contract with the consumer, detecting or stopping a security incident, protecting against malicious, deceptive, fraudulent, or illegal activity or prosecuting a person responsible for that activity, exercising the right of free expression and information, complying with a legal obligation, or performing certain tasks carried out in the public interest, or if the personal data is processed by a political, philosophical, or religious nonprofit organization that processes only personal data of members, former members, or persons who have regular contact with the organization.

Also, under the bill, the attorney general may investigate violations and bring actions for enforcement. A controller who violates the bill's personal data deletion requirements is subject to a fine of up to $20,000,000 or of up to 4 percent of the controller's total annual revenue, whichever is greater.
Because this bill creates a new crime or revises a penalty for an existing crime,
the Joint Review Committee on Criminal Penalties may be requested to prepare a
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
134.985 of the statutes is created to read:
134.985 Deleting consumer personal data. (1) Definitions. In this
(a) “Consumer” means an individual who is a resident of this state.
(b) “Controller” means a person that alone or jointly with others determines the purposes and means of the processing of personal data but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(c) “Personal data” means information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer, but does not include any information lawfully made available from federal, state, or local government
(d) “Process,” when used in reference to personal data, means to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.
(2) Deleting consumer personal data.
(a) 1. Except as provided in par. (b), upon a consumer's request, a controller shall delete without undue delay the personal data relating to the consumer if any of the following applies:
a. It is no longer necessary for the controller to process the personal data to accomplish the purposes for which the data was collected or processed.
b. The personal data is processed for direct marketing purposes.
c. The personal data has been unlawfully processed.
d. Deleting the personal data is necessary to comply with a legal obligation to which the controller is subject.
2. If a controller is required under this subsection to delete a consumer's personal data and the controller has disclosed the personal data, the controller shall take reasonable steps based on the available technology and implementation cost to notify other controllers that are processing the consumer's personal data that the consumer has requested that the controllers delete the consumer's personal data and any links to the personal data. Except as provided in par. (b), upon receiving the notice, the other controller shall delete the consumer's personal data.
3. a. Except as provided in subd. 3. b., if a controller is required under this subsection to delete a consumer's personal data, the controller shall delete the personal data and make any notification required under subd. 2. within one month of receiving the consumer's request.
b. A controller may delete a consumer's personal data and make a notification when required under this subsection within 3 months of receiving a consumer's request if necessary due to the complexity and number of requests received by the controller. If the controller does not delete the consumer's personal data and make a notification under subd. 2. within one month of the consumer's request, the controller shall within one month of the request inform the consumer about the delay and notify the consumer of the reason for the delay.
4. A controller is not required to delete personal data under this paragraph if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(b) A controller is not required to delete personal data under par. (a) if processing the personal data is necessary for any of the following:
1. Performing a contract to which the consumer has agreed.
2. Detecting or stopping a security incident; protecting against malicious, deceptive, fraudulent, or illegal activity; or prosecuting a person responsible for that
3. Exercising the right of free expression and information.
4. Complying with a legal obligation under federal, state, or local law.
5. Performing a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Reasons of public interest in the area of public health, if the personal data is processed by or under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law and any of the following applies:
a. Processing the personal data is necessary for purposes of preventive or occupational medicine, for assessing the working capacity of an employee, for medical diagnosis, or for providing health care or treatment.
b. Processing the personal data is necessary to protect against serious threats to health or for ensuring the quality and safety of health care, medical products, or
7. Archiving purposes that are in the public interest, scientific or historical research purposes, or statistical purposes, if deleting the personal data is likely to render impossible or seriously impair achieving the objectives of the processing.
8. Establishing, exercising, or defending a legal claim.
(c) 1. This subsection does not require a controller to delete the following types
a. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.
b. Information identifying a patient covered by 42 USC 290dd-2
c. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50
d. Information and documents created specifically for and collected and maintained by a hospital.
e. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101
f. Patient safety work product information for purposes of 42 USC 299b-21
g. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act
h. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681
i. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102