On February 23, the Wisconsin House passed Assembly Bill 957 (AB 957), a bill relating to consumer data protection. This legislation is based on the Virginia Consumer Data Protection Act (VCDPA) and provides consumers with various rights about their data and imposes obligations on businesses. Wisconsin is the second state in 2022 to pass a consumer privacy bill out of a chamber, although numerous other states have introduced their own state comprehensive privacy bills.
Who Would This Bill Affect?
Those that conduct business in the state of Wisconsin or produce products or services that are targeted to residents of the state and satisfy either of the following: (1) control or process personal data of at least 100,000 “consumers” during a calendar year, or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data would be obligated to comply with the AB 957. Importantly, the bill defines “consumer” as an individual who is a resident of Wisconsin, acting only in an individual or household context. “Consumer” does not include an individual acting in a commercial or employment context.
Enforcement and Remedies
If adopted, this law would go into effect on January 1, 2024. The Wisconsin attorney general has exclusive authority to enforce the act (meaning there is no private right of action). However, the attorney general must provide a 30-day written notice to cure before any enforcement action can be taken. Companies that violate the act may face a penalty of up to $7,500 for each violation, and the attorney general may be able to recover reasonable investigation and litigation expenses incurred.
On the day the Wisconsin House passed AB 957, a few amendments were made:
- The definition of “biometric data” was modified to specify that biometric data does not include a physical or digital photograph, a video or audio recording, or data generated therefrom if not used to identify a specific individual or infer information about an individual or identifiable individual.
- It changed the frequency with which a controller must provide information free of charge from twice a year to only once annually.
- The amendment specified what a controller that has obtained personal data about a consumer from a source other than the consumer must do to comply with a consumer’s request to delete personal data.
- It provides that affiliates of financial institutions that are exempt from the bill’s provisions are also exempt.
- The amendment exempts data collected, processed, and maintained in compliance with the federal Children’s Online Privacy Protection Act (COPPA) from the bill’s provisions.
AB 957 passed the house with 59 votes in favor and 37 votes against it. The majority of votes in favor of the bill were from Republican lawmakers, and the majority of votes against the bill were from Democrat lawmakers. The bill heads to the Senate next, where Republicans currently maintain a strong majority. They will need to move quickly as this year’s legislative session is set to adjourn on March 10. Also, there are two separate bills and one House bill related to privacy that could advance in the coming week. Troutman Pepper will continue to closely monitor these developments.