Instead of introducing one all-encompassing bill addressing consumer data privacy issues, legislators in Wisconsin have introduced three consecutively-numbered privacy bills. Together, the bills would provide consumers the right to know and to delete and would place restrictions on the processing of personal data.
This legislation is worth studying because it shares more in terms of general principles and actual language with the European Union’s General Data Protection Regulation (GDPR) than the California Consumer Privacy Act (CCPA), and is more clearly drafted than the CCPA. It also has greater coverage than the CCPA, applying to “controllers” and “processors” without any limitations based on annual gross revenue, volume of personal data collected or processed, or percentage of revenue derived from the sale of personal data.
Right to Know
AB 870 would require that controllers, “a person that alone or jointly with others determines the purposes and means of the processing of personal data,” provide consumers a notice at collection with content much different than that required by the CCPA or most legislation pending in other states. The notice would provide:
- The identity and contact information for the controller;
- The purposes and legal authority for processing;
- The recipients or categories of recipients with whom personal data will be disclosed;
- The estimated time period that personal data will be stored;
- A description of the right to know;
- Whether “automated decision-making” will be used and, if so, the purpose and procedure.
A similar notice would be required within one month of obtaining a consumer’s personal data if the data was obtained from a source other than the consumer and the controller intends to process that data.
The legislation would require that upon request, a controller must provide a consumer with a copy of the consumer’s personal data and generally the same information as required in the notice at collection plus the source of any personal data not provided by the consumer.
Despite Wisconsin already having a data breach notification law, the legislation provides its own unique requirements which apply to different types of information contained in the legislation’s definition of “personal data” versus the existing law’s definition of “personal information.” It would also require a processor, “a person who processes personal data on behalf of a controller,” who becomes “aware” of a data breach to notify its controller “without undue delay.”
The legislation would exclude information processed pursuant to the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA), as well as pursuant to various other laws.
A violation of the data breach notification requirements could result in a fine of up to $10 million or 2 percent of the controller’s total annual revenue, whichever is greater. For a violation of any of the other provisions, replace those figures with $20 million and 4 percent.
Right to Delete
AB 871 addresses the right to delete and requires a controller, upon request, to delete a consumer’s personal data “without delay” if:
- The data is no longer needed for purposes for which it was collected;
- The data is being processed for the purpose of direct marketing;
- The data was unlawfully processed; or
- Deletion is necessary for the controller to comply with a legal obligation.
If deletion is required, a controller must “take reasonable steps based on the available technology and implementation cost to notify other controllers that are processing the consumer’s personal data . . .”
As with AB 870, the legislation would exclude information processed pursuant to the HIPAA, FCRA and GLBA, as well as pursuant to various other laws.
A violation could result in a fine of up to $20 million or 4 percent of the controller’s total annual revenue, whichever is greater.
Restrictions on Processing
Under AB 872, a controller’s or processor’s processing a consumer’s personal data would be prohibited unless any of the following apply:
- Consent to the processing was given and:
- The consent was given by statement or clear affirmative action;
- The consent was freely given, specific, informed and unambiguous;
- The consumer can withdraw consent;
- The consent can be as easily withdrawn as it was given;
- Written consent given as part of a written declaration also addressing other matters is clearly distinguishable;
- The controller or processor can demonstrate the consent; and
- Consent is not required as a condition to using the service unless necessary to perform the service.
- The processing is necessary to perform a contract to which the consumer is a party;
- The processing is necessary to perform a legal obligation;
- The processing is necessary to protect the vital interests of the consumer or someone else;
- The processing is necessary to the public interest;
- The processing is necessary to detect security incidents, etc.; or
- The controller or a third party has a legitimate ground to process the personal data.
Restrictions would apply to the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or data relating to trade union membership, genetics, health, sex life, sexual orientation, or biometrics if used to uniquely identify a consumer.
Subject to certain exceptions, consumers would have the right to request that controllers cease processing their personal data. However, controllers would still be able to store that data if:
- The processing is unlawful;
- Storing the data is necessary for the consumer to establish exercise, or defend a legal claim; or
- There is no legitimate ground to process the personal data.
The legislation would require that controllers maintain records containing specific information relating to the processing of personal information.
Again, the legislation would exclude information processed pursuant to the HIPAA, FCRA and GLBA, as well as pursuant to various other laws.
A violation of the recordkeeping requirements could result in a fine of up to $10 million or 2 percent of the controller’s total annual revenue, whichever is greater. For a violation of any of the other provisions, replace those figures with $20 million and 4 percent.