A trio of consumer data privacy bills modeled after Europe’s General Data Protection Regulation (GDPR) has been introduced in the Wisconsin State Assembly. The three bills, collectively dubbed the Wisconsin Data Privacy Act (WDPA), were sponsored by Republican State Representative Shannon Zimmerman, who is seeking to make Wisconsin “the most consumer-friendly state in our nation on data privacy.” Collectively, Assembly Bills 870, 871, and 872 seek to grant Wisconsin residents a host of rights related to companies’ collection and processing of their personal data and would impose a number of related regulatory obligations on companies that process personal data.

Consumer rights

  • A right to request information about what personal data a company has processed;
  • A requirement that companies obtain opt-in consent before collecting or making any use of the consumer’s personal data;
  • A right to request that a company stop any processing of the consumer’s personal data and give notice to cease processing personal data to every entity the company has shared the consumer’s data with (unless this is impossible or involves unreasonable efforts); and
  • A right to request deletion of the consumer’s personal data.

Additional requirements for companies

  • A prohibition (subject to limited exceptions) against processing certain sensitive categories of personal data (race, ethnicity, religious and philosophical beliefs, genetic data, biometrics, and sexual orientation);
  • A requirement that businesses maintain detailed records of their personal data processing activities (similar to the record of processing requirements under GDPR); and
  • A personal data breach notification requirement.

Penalties

The Wisconsin Attorney General would be empowered to investigate alleged violations, and violators would be subject to penalties of up to $20 million or 4 percent of annual revenue, depending on the nature of the alleged violation.

Implications

If enacted, the WDPA would take effect on July 31, 2022. Of immediate concern to the business community – in particular, small businesses – is the WDPA’s extremely broad scope of application. Unlike the California Consumer Privacy Act (CCPA), which has threshold limitations that prevent many smaller companies from being forced to comply with the law, the WDPA as drafted would regulate any “person” who functions as a “controller” of Wisconsin residents’ personal data – irrespective of the size of the company or the amount of data collected. Echoing the GDPR, the WDPA defines a controller as any person who alone, or jointly with others, determines the purposes and means of the processing of personal data.

Wisconsin joins an already active field of state legislative efforts based on the CCPA and GDPR in states like Washington, Illinois, New Hampshire, and Florida. With each proposed bill, and in the absence of a comprehensive federal law, the likelihood of an inconsistent, uncertain nationwide patchwork of privacy legislation continues to rise.