2019 - 2020 LEGISLATURE
February 10, 2020 - Introduced by Representatives Zimmerman, Steffen, Quinn,
Duchow, Wichgers, Wittke, Plumer, Sortwell, Kulp, Dittrich, Thiesfeldt,
Knodl, Gundrum, Brostoff and Macco, cosponsored by Senator Risser.
Referred to Committee on Science and Technology.
An Act to create
134.985 of the statutes; relating to: restricting controllers
from using consumer personal data and providing a penalty.
Analysis by the Legislative Reference Bureau
This bill establishes various requirements on controllers that process
consumers' personal data. Under the bill, a “controller” is a person that alone or
jointly with others determines the purposes and means of the processing of personal
data. The bill defines “personal data” as information relating to a consumer that
allows the consumer to be identified other than information lawfully made available
from federal, state, or local government records.
Under the bill, a controller may not process a consumer's personal data unless
certain conditions apply, such as if the consumer consents, if processing is necessary
to perform a contract the controller has with a consumer, if processing is necessary
to comply with a legal obligation, or if processing is conducted to detect a security
incident or to protect against fraudulent or illegal activity. The bill requires that
consent to process personal data must be obtained from a consumer by a statement
or clear affirmative action; that the consumer be able to withdraw consent at any
time; and that consent to process a consumer's personal data may not be required as
a condition of using a service provided by the controller. Additionally, the bill limits
the processing of personal data that reveals a consumer's racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership;
genetic data; biometric data; personal data concerning a consumer's health; and
personal data concerning a consumer's sex life or sexual orientation. Under the bill,
a controller may process those types of personal data only if certain conditions apply,
including 1) if the processing is conducted for a purpose to which the consumer
consents; 2) if the processing is necessary to comply with a legal obligation; 3) if the
processing is conducted by a political, philosophical, or religious nonprofit
organization that processes only personal data of members, former members, or
persons who have regular contact with the organization; or 4) if the processing is
necessary for certain public interest reasons.
The bill also allows consumers to request that a controller restrict the
processing of the consumer's personal data, and the controller may store but not
otherwise process the personal data if certain conditions apply, such as the following:
1) if the controller has no legitimate ground to process the personal data that
overrides the consumer's request; or 2) if processing the personal data is unlawful.
The controller generally must notify other controllers to which the controller
discloses the consumer's personal data, unless notification is impossible or involves
unreasonable effort, and those controllers generally must not process, other than by
storing, the personal data. A controller may continue processing a consumer's
personal data under the bill under certain conditions, including 1) if the consumer
consents; 2) if processing occurs for important public interest reasons under federal,
state, or local law; or 3) if processing occurs to protect the rights of another person.
Also, under the bill, controllers and processors must maintain records of
processing of personal data that contain certain information including the purpose
of the processing, the categories of personal data involved in the processing, and the
categories of consumers whose personal data is involved in the processing. The bill
also requires a controller or processor to make the records available to the
Department of Justice upon request.
Under the bill, the attorney general may investigate violations and bring
actions for enforcement. A controller or processor who violates the bill's
record-keeping requirements is subject to a fine of up to $10,000,000 or of up to 2
percent of the controller's total annual revenue, whichever is greater. For violating
the bill's requirements related to processing a consumer's personal data, a controller
or processor may be fined up to $20,000,000 or up to 4 percent of the controller's total
annual revenue, whichever is greater.
Because this bill creates a new crime or revises a penalty for an existing crime,
the Joint Review Committee on Criminal Penalties may be requested to prepare a
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
134.985 of the statutes is created to read:
134.985 Processing personal data; restrictions. (1) Definitions.
In this
(a) “Biometric data” means personal data resulting from specific technical
processing relating to the physical, physiological, or behavioral characteristics of a
consumer that uniquely identify the consumer.
(b) “Consumer” means an individual who is a resident of this state.
(c) “Controller” means a person that alone or jointly with others determines the
purposes and means of the processing of personal data but does not include a law
enforcement agency or a unit or instrumentality of the federal government, the state,
or a local government.
(d) “Data concerning health” means personal data related to the physical or
mental health of a consumer.
(e) “Genetic data” means personal data resulting from an analysis of a
biological sample from a consumer that relates to the consumer's inherited or
acquired genetic characteristics that provide unique information about the
consumer's physiology or health.
(f) “Personal data” means information relating to a consumer that allows the
consumer to be identified, either directly or indirectly, including by reference to an
identifier such as a name, an identification number, location data, an online
identifier, or one or more factors related to the physical, physiological, genetic,
mental, economic, cultural, or social identity of the consumer, but does not include
any information lawfully made available from federal, state, or local government
(g) “Process,” when used in reference to personal data, means to perform an
operation or set of operations on personal data, including to collect, record, organize,
store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or
destroy the personal data.
(h) “Processor” means a person who processes personal data on behalf of a
controller, but does not include a law enforcement agency or a unit or instrumentality
of the federal government, the state, or a local government.
(i) “Recipient” means a person to which personal data is disclosed.
(2) Requirements for processing personal data.
Subject to sub. (4), no
controller or processor may process a consumer's personal data unless any of the
(a) All of the following applies:
1. The processing is conducted for a purpose to which the consumer, or if the
consumer is less than 16 years of age, the consumer's parent or guardian, consents
by a statement or clear affirmative action.
2. The consent under par. (a) 1. is freely given, specific, informed, and
3. The consumer is able to withdraw any consent provided under par. (a) 1. at
any time, and before giving consent is informed that consent may be withdrawn.
4. The consent provided under par. (a) 1. is as easy for the consumer to
withdraw as to give.
5. If the consumer grants consent as part of a written declaration that also
concerns other matters, the request for consent is clearly distinguishable from the
other matters in an intelligible and easily accessible form using clear and plain
6. The controller or processor is able to demonstrate that the consumer
provided consent under par. (a) 1.
7. The controller or processor does not require as a condition of using the
controller's or processor's service that the consumer consent to processing of personal
data, unless processing the consumer's personal data is necessary to perform the
(b) The processing is necessary to perform a contract to which the consumer is
party or in order to take steps at the request of the consumer before entering a
(c) The processing is necessary for complying with a legal obligation.
(d) The processing is necessary to protect the vital interests of the consumer
or another person.
(e) The processing is necessary to perform a task carried out in the public
interest or to exercise official authority vested in the controller.
(f) The processing is conducted to detect security incidents; to protect against
malicious, deceptive, fraudulent, or illegal activity; or to prosecute a person
responsible for that activity.
(g) The controller or a 3rd party has a legitimate ground to process the personal
(3) Processing of certain types of personal data.
(a) Except as provided in
par. (b), a controller or processor may not process any of the following:
1. Personal data revealing a consumer's racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership.
2. Genetic data, data concerning health, or personal data concerning a
consumer's sex life or sexual orientation.
3. Biometric data, if the purpose of the processing is to uniquely identify a
(b) A controller or processor may process information described in par. (a) if any
of the following applies:
1. The processing is conducted for a purpose to which the consumer explicitly
2. The processing is necessary for complying with a legal obligation.
3. The consumer is physically or legally incapable of giving consent and the
processing is necessary to protect the vital interests of the consumer or another
4. The processing is conducted by a nonprofit organization having a political,
philosophical, or religious purpose and all of the following applies: