Monday, March 9, 2020

On February 10, 2020, bipartisan cosponsors in the Wisconsin State Assembly introduced a trio of bills targeting the use of personal data and modeled after the requirements of the European General Data Protection Regulation. Titled by their sponsors as the “Wisconsin Data Privacy Act,” the three bills work together to regulate what data a company may collect on an individual, when the company may collect it, how the company may use it, to whom the company may give it, and how long the company may retain it. While employee information maintained by employers is exempted from the legislation’s requirements in key facets, the bills do not directly relieve employers of all burdens.

Key Definitions

The three bills constituting the proposed Wisconsin Data Privacy Act, Assembly Bills (AB) 870, 871, and 872, rely on the same definitions for multiple key terms. These definitions include the following:

A “consumer” means “an individual who is a resident of [Wisconsin].”

A “controller,” the term for which the legislation directs the majority of its requirements, is defined to mean “a person that alone or jointly with others determines the purposes and means of the processing of personal data, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government.”

“Personal data,” which is the focus of the proposed legislative protections, is defined to mean “information relating to a consumer that allows the consumer to be identified, either directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the consumer, but does not include any information lawfully made available from federal, state, or local government records.”

To “process” personal data means “to perform an operation or set of operations on personal data, including to collect, record, organize, store, alter, retrieve, use, disclose, disseminate, make available, combine, delete, or destroy the personal data.”

Notwithstanding the absence of any direct reference to an “employer” or “employee,” these broad definitions may make companies subject to the Wisconsin Data Privacy Act’s requirements for employee-related information unless exempted.

AB 870

The first of the three bills composing the Wisconsin Data Privacy Act, AB 870, requires a controller to provide a consumer with specific information at the time the controller collects personal data from the individual. This information includes the following:

The identity and contact information of the controller

The purposes for which the controller intends to process the consumer’s personal data and the legal authority for conducting the processing

The recipients or categories of recipients to whom the consumer’s personal data will be disclosed

If known, the estimated period of time that the controller will store the consumer’s personal data, or, if not known, the criteria the controller will use to determine the amount of time that the controller will store the personal data

Information describing the consumer’s ability to make requests [for access to personal data]

Whether the controller will use the consumer’s personal data to conduct automated decision-making related to the consumer, and, if so, the purpose for which the automated decision-making will be used and meaningful information about the automated decision-making procedure

Additionally, AB 870 would require controllers to notify the Wisconsin Department of Justice in the event of a breach of personal data maintained by the controller when “the data breach is likely to result in a risk to the rights and freedoms of consumers.” This notice of any breach will need to be provided within one month, if feasible, from the date the breach becomes known to the controller. Failure to comply with this notice requirement may result in a fine of up to $10,000,000 or up to 2 percent of the controller’s total annual revenue during the preceding financial year.

In its current form, AB 870 exempts “information maintained for employment records” from the bill’s provision requiring a controller “to confirm processing or provide a copy of” personal data. However, this exemption does not clearly exclude employers from other requirements such as the notice of a breach of personal data or the mandated notice at the time of collection.

AB 871

AB 871 seeks to require controllers to delete personal data they maintain upon request by any consumer. However, this legislation specifically exempts “information maintained for employment records” from this deletion requirement.

AB 872

AB 872 imposes requirements that any controller must satisfy in order to process a consumer’s personal data. These requirements include that the controller must:

conduct the processing for a purpose for which the consumer consents “by a statement or clear affirmative action”;

obtain consent that is “freely given, specific, informed, and unambiguous”;

allow the consumer to withdraw his or her consent, and to do so as easily as it was given;

distinguish consent for the processing of personal data from any other matters addressed in a written declaration;

be able to demonstrate that the consumer consented; and

not require the consumer’s consent as a condition of using the controller’s service.

Additionally, AB 872 requires a controller to maintain records of personal data processing conducted by the controller. Such records must contain specified information describing the controller, the purpose of the processing, the personal data involved, consumers involved in the processing, documentation of consent from consumers, and any person to whom the controller discloses personal data.

AB 872 exempts “[i]nformation maintained for employment records” from its prohibitions on processing information. However, this exemption does not directly relieve a controller of the obligation related to maintaining records of personal data processing.

What’s Next for the Wisconsin Data Privacy Act?

If enacted as proposed, the Wisconsin Data Privacy Act would take effect on July 31, 2022. Currently, the legislation sits in the Assembly Committee on Science and Technology. On February 12, 2020, the committee held a public hearing on AB 870, 871, and 872. The committee may offer amendments to the proposed Wisconsin Data Privacy Act before returning the legislation to the Assembly for a second reading and vote on any other amendments offered to it.