AB871,4,2221 5. Performing a task carried out in the public interest or in the exercise of
22official authority vested in the controller.

AB871,4,2523 6. Reasons of public interest in the area of public health, if the personal data
24is processed by or under the responsibility of a professional subject to confidentiality
25obligations under federal, state, or local law and any of the following applies:

AB871,5,3

---

1a. Processing the personal data is necessary for purposes of preventive or
2occupational medicine, for assessing the working capacity of an employee, for
3medical diagnosis, or for providing health care or treatment.

AB871,5,64 b. Processing the personal data is necessary to protect against serious threats
5to health or for ensuring the quality and safety of health care, medical products, or
6medical devices.

AB871,5,97 7. Archiving purposes that are in the public interest, scientific or historical
8research purposes, or statistical purposes, if deleting the personal data is likely to
9render impossible or seriously impair achieving the objectives of the processing.

AB871,5,1010 8. Establishing, exercising, or defending a legal claim.

AB871,5,1211 (c) 1. This subsection does not require a controller to delete the following types
12of information:

AB871,5,1413 a. Health information protected by the federal Health Insurance Portability
14and Accountability Act of 1996.

AB871,5,1515b. Information identifying a patient covered by 42 USC 290dd-2.

AB871,5,1716 c. Information collected as part of research subject to the Federal Policy for the
17Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.

AB871,5,1918 d. Information and documents created specifically for and collected and
19maintained by a hospital.

AB871,5,2120 e. Information and documents created for purposes of the federal Health Care
21Quality Improvement Act of 1986, 42 USC 11101 et seq.

AB871,5,2322f. Patient safety work product information for purposes of 42 USC 299b-21 to
23299b-26.

AB871,6,3

---

1g. Information maintained by a health care provider, a health care facility, or
2an entity covered by the federal Health Insurance Portability and Accountability Act
3of 1996.

AB871,6,64 h. Personal information provided to or from or held by a consumer reporting
5agency, as defined in s. 422.501 (1m), if the use of the information complies with the
6federal Fair Credit Reporting Act, 15 USC 1681 et seq.

AB871,6,87 i. Personal information collected, processed, sold, or disclosed pursuant to the
8federal Gramm-Leach-Bliley Act, P.L. 106-102.

AB871,6,109 j. Personal information collected, processed, sold, or disclosed pursuant to the
10federal Driver's Privacy Protection Act, 18 USC 2721 et seq.

AB871,6,1111 k. Information maintained for employment records.

AB871,6,1312 2. This subsection does not require a consumer processing personal data in
13connection with a purely personal or household activity to delete that personal data.

AB871,6,1514 3. This subsection does not require a controller that processes a consumer's
15personal data for literary or artistic purposes to delete that personal data.

AB871,6,1816 4. This subsection does not require a controller that processes a consumer's
17personal data, that intends to publish the personal data, and that believes that
18publication of the personal data is in the public interest to delete that personal data.

AB871,6,2119 5. This subsection does not require a nonprofit organization having a political,
20philosophical, or religious purpose that processes a consumer's personal data to
21delete that personal data if all of the following apply:

AB871,6,2422 a. The processing relates only to members or former members of the
23organization or to persons who have regular contact with the organization related
24the organization's purposes.

AB871,6,2525 b. The personal data processed is not disclosed outside the organization.

AB871,7,2

---

1(3) Enforcement; penalty. (a) The attorney general may investigate violations
2of this section and may bring actions for enforcement of this section.

AB871,7,53 (b) 1. A controller who violates sub. (2) shall be fined not more than $20,000,000
4or not more than 4 percent of the controller's total annual revenue during the
5preceding financial year, whichever is greater.

AB871,7,86 2. A court may not impose in the same action more than one fine on a controller
7under this paragraph unless the additional fine is imposed for a violation that does
8not involve the same or linked processing activities by the controller.