LRB-4122/1
KP:cdc&kjf
2019 - 2020 LEGISLATURE
February 10, 2020 - Introduced by Representatives Zimmerman, Steffen, Quinn,
Duchow, Wichgers, Wittke, Plumer, Sortwell, Kulp, Dittrich, Thiesfeldt,
Knodl, Gundrum, Brostoff and Macco, cosponsored by Senator Risser.
Referred to Committee on Science and Technology.
AB872,1,2
1An Act to create 134.985 of the statutes;
relating to: restricting controllers
2from using consumer personal data and providing a penalty.
Analysis by the Legislative Reference Bureau
This bill establishes various requirements on controllers that process
consumers' personal data. Under the bill, a “controller” is a person that alone or
jointly with others determines the purposes and means of the processing of personal
data. The bill defines “personal data” as information relating to a consumer that
allows the consumer to be identified other than information lawfully made available
from federal, state, or local government records.
Under the bill, a controller may not process a consumer's personal data unless
certain conditions apply, such as if the consumer consents, if processing is necessary
to perform a contract the controller has with a consumer, if processing is necessary
to comply with a legal obligation, or if processing is conducted to detect a security
incident or to protect against fraudulent or illegal activity. The bill requires that
consent to process personal data must be obtained from a consumer by a statement
or clear affirmative action; that the consumer be able to withdraw consent at any
time; and that consent to process a consumer's personal data may not be required as
a condition of using a service provided by the controller. Additionally, the bill limits
the processing of personal data that reveals a consumer's racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership;
genetic data; biometric data; personal data concerning a consumer's health; and
personal data concerning a consumer's sex life or sexual orientation. Under the bill,
a controller may process those types of personal data only if certain conditions apply,
including 1) if the processing is conducted for a purpose to which the consumer
consents; 2) if the processing is necessary to comply with a legal obligation; 3) if the
processing is conducted by a political, philosophical, or religious nonprofit
organization that processes only personal data of members, former members, or
persons who have regular contact with the organization; or 4) if the processing is
necessary for certain public interest reasons.
The bill also allows consumers to request that a controller restrict the
processing of the consumer's personal data, and the controller may store but not
otherwise process the personal data if certain conditions apply, such as the following:
1) if the controller has no legitimate ground to process the personal data that
overrides the consumer's request; or 2) if processing the personal data is unlawful.
The controller generally must notify other controllers to which the controller
discloses the consumer's personal data, unless notification is impossible or involves
unreasonable effort, and those controllers generally must not process, other than by
storing, the personal data. A controller may continue processing a consumer's
personal data under the bill under certain conditions, including 1) if the consumer
consents; 2) if processing occurs for important public interest reasons under federal,
state, or local law; or 3) if processing occurs to protect the rights of another person.
Also, under the bill, controllers and processors must maintain records of
processing of personal data that contain certain information including the purpose
of the processing, the categories of personal data involved in the processing, and the
categories of consumers whose personal data is involved in the processing. The bill
also requires a controller or processor to make the records available to the
Department of Justice upon request.
Under the bill, the attorney general may investigate violations and bring
actions for enforcement. A controller or processor who violates the bill's
record-keeping requirements is subject to a fine of up to $10,000,000 or of up to 2
percent of the controller's total annual revenue, whichever is greater. For violating
the bill's requirements related to processing a consumer's personal data, a controller
or processor may be fined up to $20,000,000 or up to 4 percent of the controller's total
annual revenue, whichever is greater.
Because this bill creates a new crime or revises a penalty for an existing crime,
the Joint Review Committee on Criminal Penalties may be requested to prepare a
report.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
AB872,1
1Section
1. 134.985 of the statutes is created to read:
AB872,2,3
2134.985 Processing personal data; restrictions. (1) Definitions. In this
3section:
AB872,3,3
1(a) “Biometric data” means personal data resulting from specific technical
2processing relating to the physical, physiological, or behavioral characteristics of a
3consumer that uniquely identify the consumer.
AB872,3,44
(b) “Consumer” means an individual who is a resident of this state.
AB872,3,85
(c) “Controller” means a person that alone or jointly with others determines the
6purposes and means of the processing of personal data but does not include a law
7enforcement agency or a unit or instrumentality of the federal government, the state,
8or a local government.
AB872,3,109
(d) “Data concerning health” means personal data related to the physical or
10mental health of a consumer.
AB872,3,1411
(e) “Genetic data” means personal data resulting from an analysis of a
12biological sample from a consumer that relates to the consumer's inherited or
13acquired genetic characteristics that provide unique information about the
14consumer's physiology or health.
AB872,3,2115
(f) “Personal data” means information relating to a consumer that allows the
16consumer to be identified, either directly or indirectly, including by reference to an
17identifier such as a name, an identification number, location data, an online
18identifier, or one or more factors related to the physical, physiological, genetic,
19mental, economic, cultural, or social identity of the consumer, but does not include
20any information lawfully made available from federal, state, or local government
21records.
AB872,3,2522
(g) “Process,” when used in reference to personal data, means to perform an
23operation or set of operations on personal data, including to collect, record, organize,
24store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or
25destroy the personal data.
AB872,4,3
1(h) “Processor” means a person who processes personal data on behalf of a
2controller, but does not include a law enforcement agency or a unit or instrumentality
3of the federal government, the state, or a local government.
AB872,4,44
(i) “Recipient” means a person to which personal data is disclosed.
AB872,4,7
5(2) Requirements for processing personal data. Subject to sub. (4), no
6controller or processor may process a consumer's personal data unless any of the
7following applies:
AB872,4,88
(a) All of the following applies:
AB872,4,119
1. The processing is conducted for a purpose to which the consumer, or if the
10consumer is less than 16 years of age, the consumer's parent or guardian, consents
11by a statement or clear affirmative action.
AB872,4,1312
2. The consent under par. (a) 1. is freely given, specific, informed, and
13unambiguous.
AB872,4,1514
3. The consumer is able to withdraw any consent provided under par. (a) 1. at
15any time, and before giving consent is informed that consent may be withdrawn.
AB872,4,1716
4. The consent provided under par. (a) 1. is as easy for the consumer to
17withdraw as to give.
AB872,4,2118
5. If the consumer grants consent as part of a written declaration that also
19concerns other matters, the request for consent is clearly distinguishable from the
20other matters in an intelligible and easily accessible form using clear and plain
21language.
AB872,4,2322
6. The controller or processor is able to demonstrate that the consumer
23provided consent under par. (a) 1.
AB872,5,224
7. The controller or processor does not require as a condition of using the
25controller's or processor's service that the consumer consent to processing of personal
1data, unless processing the consumer's personal data is necessary to perform the
2service.
AB872,5,53
(b) The processing is necessary to perform a contract to which the consumer is
4party or in order to take steps at the request of the consumer before entering a
5contract.
AB872,5,66
(c) The processing is necessary for complying with a legal obligation.
AB872,5,87
(d) The processing is necessary to protect the vital interests of the consumer
8or another person.
AB872,5,109
(e) The processing is necessary to perform a task carried out in the public
10interest or to exercise official authority vested in the controller.
AB872,5,1311
(f) The processing is conducted to detect security incidents; to protect against
12malicious, deceptive, fraudulent, or illegal activity; or to prosecute a person
13responsible for that activity.
AB872,5,1514
(g) The controller or a 3rd party has a legitimate ground to process the personal
15data.
AB872,5,17
16(3) Processing of certain types of personal data. (a) Except as provided in
17par. (b), a controller or processor may not process any of the following:
AB872,5,1918
1. Personal data revealing a consumer's racial or ethnic origin, political
19opinions, religious or philosophical beliefs, or trade union membership.
AB872,5,2120
2. Genetic data, data concerning health, or personal data concerning a
21consumer's sex life or sexual orientation.
AB872,5,2322
3. Biometric data, if the purpose of the processing is to uniquely identify a
23consumer.
AB872,5,2524
(b) A controller or processor may process information described in par. (a) if any
25of the following applies:
AB872,6,2
11. The processing is conducted for a purpose to which the consumer explicitly
2consents.
AB872,6,33
2. The processing is necessary for complying with a legal obligation.
AB872,6,64
3. The consumer is physically or legally incapable of giving consent and the
5processing is necessary to protect the vital interests of the consumer or another
6individual.
AB872,6,87
4. The processing is conducted by a nonprofit organization having a political,
8philosophical, or religious purpose and all of the following applies:
AB872,6,119
a. The processing relates only to members or former members of the
10organization or to persons who have regular contact with the organization related
11to the organization's purposes.
AB872,6,1212
b. The personal data processed is not disclosed outside the organization.
AB872,6,1313
5. The processing relates to personal data that the consumer makes public.
AB872,6,1514
6. The processing is necessary for establishing, exercising, or defending a legal
15claim or a court authorizes the processing.
AB872,6,1616
7. The processing is necessary for reasons of substantial public interest.
AB872,6,2017
8. The processing is necessary for reasons of public interest in the area of public
18health, if the personal data is processed by or under the responsibility of a
19professional subject to confidentiality obligations under federal, state, or local law
20and any of the following applies:
AB872,6,2221
a. Processing the personal data is necessary to provide health care or treatment
22to a person in a medical emergency.
AB872,6,2523
b. Processing the personal data is necessary to protect against serious threats
24to health or for ensuring the quality and safety of health care, medical products, or
25medical devices.
AB872,7,2
19. The processing is necessary for archiving purposes that are in the public
2interest, scientific or historic research purposes, or statistical purposes.
AB872,7,5
3(4) Request to restrict processing of personal data. (a)
Except as provided
4in par. (c) 1., upon a consumer's request, a controller may store but may not otherwise
5process the consumer's personal data if any of the following applies:
AB872,7,66
1. Processing the personal data is unlawful.
AB872,7,87
2. Storing the personal data is necessary for the consumer to establish,
8exercise, or defend a legal claim.
AB872,7,109
3. The controller has no legitimate ground to process the personal data that
10overrides the consumer's request.
AB872,7,1711
(b) If a controller is required under par. (a) to not process, other than by storing,
12a consumer's personal data and the controller has disclosed the personal data to
13other controllers, the controller shall notify each recipient to whom the controller
14disclosed the personal data about the consumer's request under par. (a), unless
15notification is impossible or involves unreasonable effort. Except as provided in par.
16(c) 1., upon receiving the notice, a controller may store but may not otherwise process
17the consumer's personal data if any of the conditions of par. (a) applies.
AB872,7,1918
(c) 1. Paragraphs (a) and (b) do not prohibit a controller from processing, other
19than by storing, a consumer's personal data if any of the following apply:
AB872,7,2020
a. The consumer consents to the processing.
AB872,7,2221
b. The controller processes the personal data for establishing, exercising, or
22defending a legal claim.
AB872,7,2423
c. The controller processes the personal data to protect the rights of another
24person.
AB872,8,2
1d. The controller processes the personal data for important public interest
2reasons under federal, state, or local law.
AB872,8,43
2. A controller may not process, other than by storing, personal data under this
4paragraph unless the controller first notifies the consumer.
AB872,8,75
(d) A controller is not required to restrict processing of a consumer's personal
6data under this subsection if the controller is unable to verify, using commercially
7reasonable efforts, the identity of the consumer making the request.
AB872,8,10
8(5) Records of processing activities. (a) A controller shall maintain records
9of processing of personal data conducted by the controller that contain all of the
10following information:
AB872,8,1111
1. The controller's name and contact information.
AB872,8,1212
2. The purpose of the processing.
AB872,8,1413
3. An identification of the categories of personal data involved in the
14processing.
AB872,8,1615
4. An identification of the categories of consumers whose personal data is
16involved in the processing.
AB872,8,1817
5. If consent is provided for the processing, documentation of consent from
18consumers for the consumers' personal data to be processed.
AB872,8,2019
6. The name and contact information of a person to whom the controller
20discloses personal data, and the purpose for the disclosure.
AB872,8,2221
(b) A processor shall maintain records of processing of personal data conducted
22by the processor that contain all of the following:
