This bill generally requires controllers of consumers' personal data to delete a
consumer's personal data if the consumer requests deletion of that personal data.
Under the bill, a “controller” is a person that alone or jointly with others
determines the purposes and means of the processing of personal data. The bill
defines “personal data” as information relating to a consumer that allows the
consumer to be identified other than information lawfully made available from
federal, state, or local government records. The bill allows a consumer to request that
a controller delete personal data relating to the consumer, and the controller must
delete the personal data if certain conditions apply, such as the following: 1) it is no
longer necessary for the controller to process the consumer's personal data to
accomplish the purposes for which the personal data was collected or processed; or
2) the personal data is processed for direct marketing purposes. Under the bill, if a
controller is required to delete a consumer's personal data and has disclosed the
personal data, the controller must take reasonable steps based on the available
technology and implementation cost to notify other controllers that are processing
the personal data to delete the personal data, and other controllers so notified must
also delete the personal data.
Various exceptions are provided under the bill, and under certain conditions,
a controller is not required to delete personal data, such as if processing the personal
data is necessary for performing a contract with the consumer, detecting or stopping
a security incident, protecting against malicious, deceptive, fraudulent, or illegal
activity or prosecuting a person responsible for that activity, exercising the right of
free expression and information, complying with a legal obligation, or performing
certain tasks carried out in the public interest, or if the personal data is processed
by a political, philosophical, or religious nonprofit organization that processes only
personal data of members, former members, or persons who have regular contact
with the organization.
Also, under the bill, the attorney general may investigate violations and bring
actions for enforcement. A controller who violates the bill's personal data deletion
requirements is subject to a fine of up to $20,000,000 or of up to 4 percent of the
controller's total annual revenue, whichever is greater.
Because this bill creates a new crime or revises a penalty for an existing crime,
the Joint Review Committee on Criminal Penalties may be requested to prepare a
report.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
AB871,1 Section 1. 134.985 of the statutes is created to read:
134.985 Deleting consumer personal data. (1) Definitions. In this section:
(a) “Consumer” means an individual who is a resident of this state.
(b) “Controller” means a person that alone or jointly with others determines the purposes and means of the processing of personal data but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.
(c) “Personal data” means information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer, but does not include any information lawfully made available from federal, state, or local government records.
(d) “Process,” when used in reference to personal data, means to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.
(2) Deleting consumer personal data. (a) 1. Except as provided in par. (b), upon a consumer's request, a controller shall delete without undue delay the personal data relating to the consumer if any of the following applies:
a. It is no longer necessary for the controller to process the personal data to accomplish the purposes for which the data was collected or processed.
b. The personal data is processed for direct marketing purposes.
c. The personal data has been unlawfully processed.
d. Deleting the personal data is necessary to comply with a legal obligation to which the controller is subject.
2. If a controller is required under this subsection to delete a consumer's personal data and the controller has disclosed the personal data, the controller shall take reasonable steps based on the available technology and implementation cost to notify other controllers that are processing the consumer's personal data that the consumer has requested that the controllers delete the consumer's personal data and any links to the personal data. Except as provided in par. (b), upon receiving the notice, the other controller shall delete the consumer's personal data.
3. a. Except as provided in subd. 3. b., if a controller is required under this subsection to delete a consumer's personal data, the controller shall delete the personal data and make any notification required under subd. 2. within one month of receiving the consumer's request.
b. A controller may delete a consumer's personal data and make a notification when required under this subsection within 3 months of receiving a consumer's request if necessary due to the complexity and number of requests received by the controller. If the controller does not delete the consumer's personal data and make a notification under subd. 2. within one month of the consumer's request, the controller shall within one month of the request inform the consumer about the delay and notify the consumer of the reason for the delay.
4. A controller is not required to delete personal data under this paragraph if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(b) A controller is not required to delete personal data under par. (a) if processing the personal data is necessary for any of the following:
1. Performing a contract to which the consumer has agreed.
2. Detecting or stopping a security incident; protecting against malicious, deceptive, fraudulent, or illegal activity; or prosecuting a person responsible for that activity.
3. Exercising the right of free expression and information.
4. Complying with a legal obligation under federal, state, or local law.
5. Performing a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Reasons of public interest in the area of public health, if the personal data is processed by or under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law and any of the following applies:
a. Processing the personal data is necessary for purposes of preventive or occupational medicine, for assessing the working capacity of an employee, for medical diagnosis, or for providing health care or treatment.
b. Processing the personal data is necessary to protect against serious threats to health or for ensuring the quality and safety of health care, medical products, or medical devices.
7. Archiving purposes that are in the public interest, scientific or historical research purposes, or statistical purposes, if deleting the personal data is likely to render impossible or seriously impair achieving the objectives of the processing.
8. Establishing, exercising, or defending a legal claim.
(c) 1. This subsection does not require a controller to delete the following types of information:
a. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.
b. Information identifying a patient covered by 42 USC 290dd-2.
c. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.
d. Information and documents created specifically for and collected and maintained by a hospital.
e. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.
f. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.
g. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.
h. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.
i. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.
j. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.
k. Information maintained for employment records.
2. This subsection does not require a consumer processing personal data in connection with a purely personal or household activity to delete that personal data.
3. This subsection does not require a controller that processes a consumer's personal data for literary or artistic purposes to delete that personal data.
4. This subsection does not require a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest to delete that personal data.
5. This subsection does not require a nonprofit organization having a political, philosophical, or religious purpose that processes a consumer's personal data to delete that personal data if all of the following apply:
a. The processing relates only to members or former members of the organization or to persons who have regular contact with the organization related to the organization's purposes.
b. The personal data processed is not disclosed outside the organization.
(3) Enforcement; penalty. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.
(b) 1. A controller who violates sub. (2) shall be fined not more than $20,000,000 or not more than 4 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
2. A court may not impose in the same action more than one fine on a controller under this paragraph unless the additional fine is imposed for a violation that does not involve the same or linked processing activities by the controller.
Section 2. Effective date.
(1) This act takes effect on July 31, 2022.
(End)