SB851,11,218
5. A business shall deliver personal information under this paragraph in
19writing and through the consumer's account with the business, if the consumer
20maintains an account with the business. If the consumer does not maintain an
21account with the business, the business shall deliver personal information under this
22paragraph by mail or electronically, at the choice of the consumer. If the business
23provides personal information under this paragraph electronically, the business
24shall provide the information in a portable and, to the extent technically feasible, a
1readily useable format that allows the consumer to transmit the information to
2another entity without hindrance.
SB851,11,53
6. A business may not require a consumer to create an account in order to
4submit a verifiable consumer request for a disclosure of personal information
5required under this paragraph.
SB851,11,76
7. A business is not required to provide personal information to a consumer
7under this paragraph more than 2 times in a 12-month period.
SB851,11,88
(b) Paragraph (a) does not require any of the following:
SB851,11,119
1. That a business retain any personal information collected for a single,
10onetime transaction, if the personal information is not sold or retained by the
11business.
SB851,11,1312
2. That a business reidentify or otherwise link information that is not
13maintained in a manner that would be considered personal information.
SB851,11,1614
(c) 1. Upon receiving a verifiable consumer request from a consumer, a business
15that has sold or disclosed for a business purpose personal information about that
16consumer shall disclose to the consumer the following information:
SB851,11,1917
a. If the business has collected personal information in the preceding 12
18months, the categories of personal information that the business collected about the
19consumer.
SB851,11,2120
b. If the business sold the consumer's personal information in the preceding 12
21months, the categories of the personal information that the business sold.
SB851,11,2422
c. If the business sold the consumer's personal information in the preceding 12
23months, for each 3rd party to whom the business sold the personal information, the
24categories of personal information that the business sold to the 3rd party.
SB851,12,3
1d. If the business disclosed the consumer's personal information for a business
2purpose in the preceding 12 months, the categories of the personal information that
3the business disclosed.
SB851,12,54
2. A business shall identify the information required to be disclosed under
5subd. 1. c. separately from the information required to be disclosed under subd. 1. d.
SB851,12,96
3. A business shall make available to consumers 2 or more methods for
7submitting verifiable consumer requests for a disclosure under this paragraph
8including, at a minimum, a toll-free telephone number and, if the business
9maintains an Internet site, an Internet address.
SB851,12,1510
4. a. Except as provided in subd. 4. b., a business shall deliver the disclosure
11required under this paragraph within 45 days of receiving a verifiable consumer
12request from a consumer. A business shall promptly take steps to determine whether
13a request received is a verifiable consumer request. The time that a business spends
14determining whether a request received is a verifiable consumer request is included
15in the 45-day deadline under this subd. 4. a.
SB851,12,1916
b. A business may deliver the disclosure required under this paragraph within
1790 days after receiving a verifiable consumer request if reasonably necessary and if
18the business notifies the consumer of the delayed delivery before the time period
19under subd. 4. a. expires.
SB851,13,320
5. A business shall deliver personal information under this paragraph in
21writing and through the consumer's account with the business, if the consumer
22maintains an account with the business. If the consumer does not maintain an
23account with the business, the business shall deliver personal information under this
24paragraph by mail or electronically, at the choice of the consumer. If the business
25provides information under this paragraph electronically, the business shall provide
1the information in a portable and, to the extent technically feasible, a readily useable
2format that allows the consumer to transmit the information to another entity
3without hindrance.
SB851,13,64
6. A business may not require a consumer to create an account in order to
5submit a verifiable consumer request for a disclosure of personal information
6required under this paragraph.
SB851,13,10
7(4) Selling or collecting information. (a) A business may not collect a
8consumer's personal information or use the personal information for a particular
9purpose unless the business informs the consumer, at or before the point of collecting
10the information, about all of the following:
SB851,13,1211
1. That the business will collect that category of personal information about the
12consumer.
SB851,13,1413
2. The purpose for which the business will use the category of personal
14information collected.
SB851,13,1615
(b) 1. A business may not sell a consumer's personal information to 3rd parties
16unless the business satisfies all of the following:
SB851,13,2117
a. If the business has an Internet site, the business provides a clear and
18conspicuous link on the homepage of the Internet site, titled “Do Not Sell My
19Personal Information,” to an Internet page that enables a consumer or person
20authorized by the consumer to object to the sale of the consumer's personal
21information.
SB851,14,222
b. The business includes a statement explaining that a consumer may object
23to the sale of the consumer's personal information and a link to the Internet page
24required under subd. 1. a. in its online privacy policy or policies, if the business has
1an online privacy policy or policies, and any Wisconsin-specific description of
2consumers' privacy rights.
SB851,14,63
c. The business ensures that each individual responsible for handling
4consumer inquiries about the business's privacy practices or compliance with this
5section is informed of the requirements in this subdivision and par. (c) and of how to
6direct consumers to object to the sale of their personal information under par. (c).
SB851,14,97
2. Subdivision 1. does not require a business to provide the link described in
8subd. 1. a. on the homepage of an Internet site that the business makes available to
9the public generally, if all of the following apply:
SB851,14,1110
a. The business maintains a separate and additional Internet site that the
11business dedicates to consumers.
SB851,14,1312
b. The Internet site under subd. 2. a. satisfies the requirements under subd.
131. a.
SB851,14,1614
c. The business takes reasonable steps to ensure that consumers in this state
15are directed to the Internet site under subd. 2. a. and not the homepage of the
16Internet site made available to the public generally.
SB851,14,2117
(c) 1. a. A business may not sell personal information that the business collects
18about a consumer to a 3rd party if the consumer is 16 years of age or older and the
19consumer directs the business not to sell the consumer's personal information,
20unless the consumer subsequently provides express authorization for the business
21to sell the personal information.
SB851,15,222
b. A consumer may authorize another person to, as provided in subd. 1. a.,
23direct a business not to sell the consumer's personal information. A representative
24authorized under this subd. 1. b. may not subsequently provide express
1authorization on behalf of the consumer for the business to sell the consumer's
2personal information.
SB851,15,53
2. A business may not sell personal information that the business collects about
4a consumer to a 3rd party if the business has actual knowledge that the consumer
5is under 16 years of age unless any of the following applies:
SB851,15,86
a. The consumer is at least 13 years of age and under 16 years of age and the
7consumer affirmatively authorizes the business to sell the consumer's personal
8information.
SB851,15,109
b. The consumer is under 13 years of age and the consumer's parent or guardian
10affirmatively authorizes the business to sell the consumer's personal information.
SB851,15,1211
3. A business that willfully disregards the age of a consumer is considered to
12have actual knowledge of the consumer's age.
SB851,15,1713
4. A business may not request authorization from a consumer or the consumer's
14parent or guardian to sell the consumer's personal information within 12 months of
15the most recent occasion that the consumer, parent, or guardian directed the
16business not to sell the personal information or denied the business's request for
17authorization to sell the personal information.
SB851,15,2118
5. A business that collects the personal information of a consumer in connection
19with receiving a direction under subd. 1. to not sell the consumer's personal
20information may use the personal information only for the purposes of implementing
21the consumer's direction not to sell the personal information.
SB851,16,222
(d) 1. A 3rd party may not sell personal information about a consumer that has
23been sold to the 3rd party by a business unless the 3rd party provides explicit notice
24to the consumer that the consumer's personal information has been sold to the 3rd
1party and that the 3rd party intends to sell the information and the 3rd party
2satisfies par. (b) 1. a. to c.
SB851,16,63
2. A 3rd party may not sell information about a consumer that has been sold
4to the 3rd party by a business if the consumer directs the 3rd party not to sell the
5consumer's personal information, unless the consumer subsequently provides
6express authorization for the 3rd party to sell the personal information.
SB851,16,87
(e) A business may not require a consumer to create an account in order to direct
8the business not to sell the consumer's personal information under par. (c).
SB851,16,119
(f) A business shall, to protect the personal information of consumers,
10implement and maintain reasonable security procedures and practices appropriate
11to the nature of the personal information.
SB851,16,16
12(5) Deletion of information. (a) Except as provided in par. (b), a business that
13receives a verifiable consumer request from a consumer to delete the consumer's
14personal information shall delete the personal information that the business has
15collected from the consumer from its records and direct any of the business's service
16providers to delete the consumer's personal information from their records.
SB851,16,1917
(b) A business or its service provider is not required to delete a consumer's
18personal information if it is necessary for the business or its service provider to
19maintain the consumer's personal information for any of the following purposes:
SB851,16,2420
1. To complete the transaction for which the personal information was
21collected, to provide a good or service requested by the consumer or reasonably
22anticipated to be requested by the consumer within the context of the business's
23ongoing relationship with the consumer, or to otherwise perform a contract between
24the business and the consumer.
SB851,17,2
12. To detect security incidents, to protect against malicious, deceptive,
2fraudulent, or illegal activity, or to prosecute a person responsible for that activity.
SB851,17,43
3. To debug to identify and repair errors that impair existing or intended
4functionality.
SB851,17,65
4. To exercise free speech, to ensure the right of another consumer to exercise
6free speech, or to exercise another right provided by law.
SB851,17,117
5. If the consumer provides informed consent, to engage in public or
8peer-reviewed scientific, historical, or statistical research in the public interest that
9adheres to all other applicable ethics and privacy laws, if the business's deletion of
10the personal information is likely to render impossible or seriously impair the
11achievement of that research.
SB851,17,1412
6. To enable solely internal uses that are reasonably aligned with the
13expectations of the consumer based on the consumer's relationship with the
14business.
SB851,17,1515
7. To comply with a legal obligation.
SB851,17,1816
8. To otherwise use the consumer's personal information internally in a lawful
17manner that is compatible with the context in which the consumer provided the
18information.
SB851,17,23
19(6) Discrimination prohibited. (a) 1. A business may not discriminate against
20a consumer because the consumer makes a verifiable consumer request under sub.
21(3) (a) or (c) or (5) or because under sub. (4) (c) the personal information of the
22consumer was not permitted to be sold by the business, including by doing any of the
23following:
SB851,17,2424
a. Denying goods or services to the consumer.
SB851,18,2
1b. Charging different prices or rates for goods or services, including through the
2use of discounts or other benefits or imposing penalties.
SB851,18,33
c. Providing a different level or quality of goods or services to the consumer.
SB851,18,54
d. Suggesting that the consumer will receive a different price or rate for goods
5or services or a different level or quality of goods or services.
SB851,18,96
2. This paragraph does not prohibit a business from charging a consumer a
7different price or rate, or from providing a different level or quality of goods or
8services to the consumer, if the difference is reasonably related to the value provided
9to the consumer by the consumer's data.
SB851,18,1510
(b) 1. A business may offer financial incentives, including payments to
11consumers as compensation, for the collection of a consumer's personal information,
12the sale of a consumer's personal information, or the deletion of a consumer's
13personal information. A business may also offer a different price, rate, level, or
14quality of goods or services to a consumer if that difference is directly related to the
15value provided to the consumer by the consumer's data.
SB851,18,1916
2. A business may enter a consumer into a financial incentive program
17described in subd. 1. only if the consumer or the consumer's parent or guardian
18affirmatively authorizes entry into the program after receiving a notice that clearly
19describes the material terms of the program.
SB851,18,2120
3. A consumer or a consumer's parent or guardian may revoke entry into a
21financial incentive program described in subd. 1. at any time.
SB851,18,2422
4. If a business offers a financial incentive program described in subd. 1., the
23business shall include a description of the program on the Internet page described
24in sub. (4) (b) 1. a. and in the policies described in sub. (4) (b) 1. b.
SB851,19,2
15. A business may not use financial incentive practices that are unjust,
2unreasonable, coercive, or usurious in nature.
SB851,19,5
3(7) Guidance; rules. (a) A business or 3rd party may request advice from the
4attorney general on how to comply with this section, and the attorney general shall
5respond to the request.
SB851,19,76
(b) The department of justice shall promulgate rules to implement this section,
7including the following:.
SB851,19,98
1. Rules that specify additional categories of personal information to those
9enumerated in sub. (1) (i) 1.
SB851,19,1210
2. Rules that specify unique personal identifiers to address changes in
11technology, changes in data collection, obstacles to implementing this section, and
12privacy concerns.
SB851,19,1413
3. Rules that specify additional methods for consumers to make requests and
14businesses to provide disclosures under this section.
SB851,19,1715
4. Rules that establish any exceptions necessary to comply with other state or
16federal law, including exceptions relating to trade secrets and intellectual property
17rights.
SB851,19,1818
5. Rules that establish procedures for the following:
SB851,19,1919
a. The submission of a direction under sub. (4) (c) 1. a.
SB851,19,2020
b. Business compliance with a direction submitted under sub. (4) (c) 1. a.
SB851,19,2321
c. The use of a recognizable and uniform logo or button by all businesses to
22promote consumer awareness of the option to make a direction under sub. (4) (c) 1.
23a.
SB851,20,224
6. Rules that ensure that the notices and information that business are
25required to provide under this section are provided in a manner that may be easily
1understood by the average consumer, are accessible to consumers with disabilities,
2and are available in the language primarily used to interact with the consumer.
SB851,20,123
7. Rules that facilitate a consumer's or, under sub. (4) (c) 1. b., a representative's
4ability to make a request or submit a direction under this section, with the goal of
5minimizing the administrative burden on consumers, taking into account available
6technology, security concerns, and the burden on the business, to govern a business's
7determination that a request by a consumer is a verifiable consumer request,
8including by treating a request submitted through a password-protected account
9maintained by the consumer with the business while the consumer is logged into the
10account as a verifiable consumer request and providing a mechanism for a business
11to authenticate the identity of a consumer who does not maintain an account with
12the business and requests information or submits a direction under this section.
SB851,20,1713
(c) The department of justice shall adjust the monetary threshold amount in
14sub. (1) (c) 1. a. in January of every odd-numbered year by the percentage change
15in the U.S. consumer price index for all urban consumers, U.S. city average, as
16determined by the federal department of labor for the period since the last
17adjustment under this paragraph.
SB851,20,20
18(8) Contracts in violation. A provision in a contract or agreement that
19purports to waive or limit a requirement under this section is void and
20unenforceable.
SB851,20,25
21(9) Private cause of action. (a) 1. A consumer may initiate an action against
22a business to enforce a written statement under subd. 2. and may pursue injunctive
23or declaratory relief, damages in an amount not less than $100 and not more than
24$750 per consumer per incident or actual damages, whichever is greater, or any other
25relief the court deems proper if all of the following apply:
SB851,21,4
1a. The consumer, on an individual or class-wide basis, provides the business
2with written notice identifying that the consumer's nonencrypted or nonredacted
3personal information is subject to an unauthorized access and exfiltration, theft, or
4disclosure as a result of the business's violation of sub. (4) (f).
SB851,21,65
b. The business continues to violate sub. (4) (f) more than 30 days after
6receiving the written notice under subd. 1. a.
SB851,21,107
2. No action may be brought under subd. 1. if within 30 days of receiving a
8written notice under subd. 1. a., a business cures the noticed violation of sub. (4) (f)
9and provides the consumer that provided the written notice with an express written
10statement that the violation has been cured.
SB851,21,1611
3. In assessing the amount of damages under subd. 1., a court shall consider
12the relevant circumstances presented by any of the parties to the case, including the
13nature and seriousness of the misconduct, the number of violations, the persistence
14of the misconduct, the length of time over which the misconduct occurred, the
15willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and
16net worth.
SB851,21,1817
(b) A consumer may initiate an action against a business solely for actual
18pecuniary damages suffered as a result of the business's violation of sub. (4) (f).
SB851,21,19
19(10) Inapplicability. (a) This section does not do any of the following:
SB851,21,2120
1. Restrict a business from complying with federal or state laws or local
21ordinances.
SB851,21,2322
2. Restrict a business from complying with a civil, criminal, or regulatory
23inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
SB851,22,224
3. Restrict a business, service provider, or 3rd party from cooperating with law
25enforcement agencies concerning conduct or activity that the business, service
1provider, or 3rd party reasonably and in good faith believes might violate federal,
2state, or local law.
SB851,22,33
4. Restrict a business from exercising or defending legal claims.
SB851,22,54
5. Restrict the collection, use, retention, sale, or disclosure of consumer
5information that is deidentified or aggregate consumer information.
SB851,22,96
6. Restrict the collection or sale of a consumer's personal information if the
7information is collected while the consumer was outside of this state, no part of any
8sale of the consumer's personal information occurs in this state, and no personal
9information collected from a consumer while the consumer is in this state is sold.
SB851,22,1010
(b) This section does not apply to any of the following: