LISTEN NOW: Evolution of Data Controls in the Era of Generative AI

View

An Overview of Wisconsin’s Data Privacy Bill – Assembly Bill 466

Publicada julio 9, 2024

I. Introduction

In a data-driven and ever-evolving data privacy landscape, states across the United States are enacting their own data privacy laws. In a recent development, the Wisconsin Data Privacy Bill (the “Wisconsin Data Privacy Bill” or “WDPB”) represents a significant stride towards strengthening the protection of personal data within the state. The Wisconsin Data Privacy Bill, if enacted into law, shall become effective on January 1, 2025.

WDPB addresses the rising concern over privacy in the digital era and regulates how businesses collect, utilize, and share consumer data. This Wisconsin Data Privacy Bill further aims to protect residents' right to privacy while promoting transparency and trust between businesses and consumers by establishing clear data processing guidelines and regulations.

As states across the US grapple with the complexities of data privacy, Wisconsin's approach provides a comprehensive data privacy framework that balances individual privacy rights with the operational needs of businesses, marking a pivotal moment in the ongoing dialogue on data protection in the US.

II. Who Needs to Comply with WDPB

A. Material Scope

The WDPB applies to persons who conduct business in Wisconsin or produce products or services that are targeted to Wisconsin residents and who meet either of the following:

  • The person controls or processes the personal data of at least 100,000 consumers during a calendar year; or
  • The person controls or processes the personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

B. Exemptions

WDPB exempts certain types of entities and data from its applications. The following entities do not fall under the scope of the law:

  • An association, authority, board, department, commission, independent agency, institution, office, society, or other body in state or local government created or authorized to be created by the constitution or any law.
  • Financial institutions, affiliates of financial institutions, or data subject to the federal Gramm-Leach-Bliley Act (GLBA).
  • A covered entity or business associate governed by HIPAA or HITECH.
  • A nonprofit organization.
  • An institution of higher education.

WDPB does not apply to the following information and data:

  • Data covered under medical laws: Any healthcare information or record that is governed by HIPAA, HITECH, Cures Act, or any other federal law governing the use, disclosure, access or creation of healthcare information or records.
  • Research Data: Identifiable private information collected as part of human subjects research pursuant to guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or under 21 CFR Parts 50 and 56; and personal data used or shared in research conducted in accordance with applicable law.
  • Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986.
  • Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act.
  • FCRA-related Data: Personal data that is collected, processed, shared, or sold by a consumer reporting agency under the Fair Credit Reporting Act (FCRA).
  • DPPA-related data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (DPPA).
  • FERPA-related data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA).
  • Farm Credit Act-related data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act.
  • COPPA-related data: Personal data collected, processed, and maintained in compliance with the Children's Online Privacy Protection Act of 1998 (COPPA).
  • Employment-related data: Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party to the extent that the data is collected and used within the context of that role.

III. Definitions of Key Terms

A. Personal Data

Any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.

B. Sensitive Data

It includes the following:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual.
  • The personal data collected from a known child.
  • Precise geolocation data.

C. Biometric Data

It refers to data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. It does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

D. Consumer

An individual who is a resident of this state acting only in an individual or household context. The consumer does not include an individual acting in a commercial or employment context.

E. Child

An individual younger than 13 years of age.

F. Controller

A person who, alone or jointly with others, determines the purpose and means of processing personal data.

IV. Obligations for Organizations Under WDPB

WDPB defines consent as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process their personal data. Any clear affirmative action or written statement, especially one produced electronically, may be deemed consent.

Without the consumer's consent, a controller isn't allowed to process their personal data for uses that are not both consistent with and reasonably required to achieve the objectives for which the data was originally obtained.

A controller must not process a consumer’s sensitive information without obtaining their consent or, if that consumer is a known child, without processing such information in compliance with the federal Children's Online Privacy Protection Act (COPPA).

B. Data Minimization and Transparency Requirements

A controller must only collect personal data that is adequate, relevant, and reasonably necessary considering the purposes for which it is processed, as disclosed to the consumer.

C. Privacy Notice Requirements

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that discloses the following:

  • the categories of personal data processed by the controller;
  • the purpose of processing personal data;
  • the categories of third parties, if any, with whom the controller shares personal data;
  • the categories of personal data that the controller shares with third parties; and
  • information about how consumers may exercise their rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request.

A controller must clearly and noticeably disclose any processing of personal data for targeted advertising or sales to third parties, together with information on how consumers may exercise their right to opt out of such processing.

Controllers must not collect or process personal data for any reason other than those that are pertinent to or logically required for the objectives disclosed in the privacy notice. Additionally, a controller must establish and specify in the privacy notice one or more secure and reliable channels via which consumers may submit requests to exercise their consumer rights.

D. Security Requirements

To protect the privacy, integrity, and accessibility of personal data, a controller must establish, implement, and maintain appropriate administrative, technical, and physical data security practices, which must be appropriate for the volume and nature of the personal data in question.

E. Non-Discrimination Requirements

A controller must not process personal data in a manner that violates federal and state laws that prohibit unlawful consumer discrimination. A controller must not discriminate against a consumer for exercising any of the consumer rights, including refusing them products or services, charging them a different price or rate, or offering them goods and services of a different quality.

F. Data Protection Assessment

The Wisconsin Privacy Bill requires controllers to conduct data protection assessments related to certain activities, including:

  • processing personal data for targeted advertising,
  • the sale of personal data,
  • processing personal data for profiling purposes, where such profiling presents a reasonably foreseeable risk of any of the following:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers.
    • Financial, physical, or reputational injury to consumers.
    • Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person.
    • Other substantial injury to consumers.
  • processing sensitive data, and
  • processing activities involving personal data that present a heightened risk of harm to consumers.

Data protection assessment should aim to identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that the controller can employ to reduce such risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, need to be factored into this assessment by the controller.

If the Attorney General is conducting an investigation, the AG may request that a controller disclose a data protection assessment that is relevant to the investigation.

V. Obligations for Data Processors

A processor must comply with a controller's instructions and help the controller fulfill its responsibilities, including:

  • Assisting the controller in honoring consumer rights requests via appropriate technical and organizational measures
  • Assisting the controller in fulfilling its responsibilities for maintaining the security of processing personal data and notifying third parties when personal data is obtained without authorization.
  • Providing the necessary data that the controller needs to conduct and document data protection assessments.

A contract between the controller and the processor must govern the processor's data processing practices regarding processing carried out on behalf of the controller. The contract will specify how data is to be processed, the type of data subject to processing, the nature and purpose of processing, the duration of processing, and each party's rights and responsibilities.

VI. Data Subject Rights

The WDPB provides consumers with the following rights regarding their personal data:

A. Right to Confirm and Access

Consumers have the right to confirm whether a controller is processing the consumer's personal data and to access such personal data unless such confirmation or access would require the controller to reveal a trade secret.

B. Right to Correct Inaccuracies

Consumers have the right to correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data.

C. Right to Delete

Consumers have the right to request a controller to delete their personal data.

D. Right to Portability

Customers have the right to request a copy of the personal information previously provided to a controller in a portable and, if technically possible, easily readable format. This will enable the consumer to transfer the data to another controller without hindrance, where processing is carried out by automated means, provided such a controller is not obliged to reveal any trade secrets.

E. Right to Opt-Out of Processing

Consumers have the right to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

VII. Consumer Requests

Customers may exercise their rights by sending a request to the controller. When it comes to processing personal data belonging to a known child, the parent or legal guardian of the child may assert these consumer rights on the child's behalf.

If a controller is unable to authenticate the request using commercially reasonable efforts, the controller may not be required to comply with a request and initiate any action and may request the consumer to provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

The WDPB requires controllers to respond to consumers' requests without undue delay but not later than 45 days of receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and the number of the consumer’s requests, provided that the controller informs the consumer of any such extension within the initial 45-day response period, along with the reason for such extension.

In the instance that the controller declines to take action regarding a consumer’s request, the controller shall inform the consumer without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

Additionally, the WDPB mandates that data provided in response to a consumer's request be provided to the customer free of charge once annually.

A controller is required to provide the consumer with written notice detailing any action taken or not in response to an appeal, together with a documented justification for the choices made, within 60 days of receiving the appeal. In the event that the consumer's appeal is rejected, the controller is required to provide them with a way to lodge a complaint with the Attorney General.

VIII. Regulatory Authority

Wisconsin’s Attorney General has exclusive authority to enforce violations of the WDPB requirements.

IX. Penalties for Non-Compliance

The Attorney General must provide written notice of the violations to a controller or processor prior to bringing an action to enforce WDPB provisions. If, within 30 days of receiving the notice, the controller or processor cures the violation and provides the attorney general with an express written statement that the violation is cured and that no such further violations will occur, then the attorney general may not bring an action against the controller or processor.

A controller or processor that violates the WDPB’s requirements is subject to a forfeiture of up to $7,500 per violation. The Attorney General may recover reasonable investigation and litigation expenses incurred.

X. How Can an Organization Operationalize WDPB

Once Wisconsin’s Privacy Bill is enacted into law, organizations can operationalize WDPB by:

  • Establishing clearly defined policies and procedures for processing data in compliance with the law’s provisions;
  • Developing clear and accessible understandable privacy notices that comply with the privacy law’s requirements;
  • Obtaining explicit consent from users before processing their personal data;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Train employees who handle consumers’ data on the organization's policies and procedures and the requirements of privacy law.

XI. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Wisconsin’s Data Privacy law by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.

Compartir

Suscríbase a nuestro boletín

Obtenga toda la información más reciente, actualizaciones de leyes y más en su bandeja de entrada

What's
New