Which privacy laws apply to your business in Wisconsin?
There is no comprehensive Wisconsin consumer-privacy law. The operative general statute is the breach-notification law, Wis. Stat. § 134.98, which applies to any entity — a person, other than an individual, that conducts business in Wisconsin and maintains personal information in the ordinary course of business, licenses personal information in the state, maintains a depository account for a resident, or lends money to a resident — and the definition expressly sweeps in state government and every city, village, town, and county. It carries no size or revenue threshold, and it governs breach response rather than day-to-day data handling.
Wisconsin came close to changing this. The 2025–26 legislature considered companion bills — 2025 Assembly Bill 172 and Senate Bill 166 — that would have created a controller-and-processor consumer-data-protection framework at Wis. Stat. § 100.80, in the same family as the comprehensive acts other states have adopted. AB 172 won a unanimous 10–0 committee recommendation, but neither bill ever received a floor vote: on March 23, 2026, each was recorded on its official bill history as Failed to pass pursuant to Senate Joint Resolution 1 — the mechanism by which Wisconsin bills die when the session's last general-business floorperiod closes. A 2027–28 successor is plausible because WDPA-style bills have now appeared in consecutive bienniums, but it would need to be introduced and passed as new legislation. Until one passes, Wisconsin residents have no general state-law rights to access, delete, correct, or opt out of the sale of their personal data, and businesses face no state notice-at-collection, consent, or data-protection-assessment duties.
What governs today is a patchwork. Beyond § 134.98, record-disposal and patient-health-record rules impose concrete state obligations, and insurance licensees also have a separate data-security subchapter enforced by the Commissioner of Insurance. A financial institution, medical business, or tax preparation business may not dispose of a record containing personal information without shredding it, erasing it, or otherwise rendering it unreadable or inaccessible, on pain of a forfeiture of up to $1,000 per incident. Insurance licensees sit under their own data-security subchapter (2021 Wis. Act 73, ch. 601 subch. IX), built around an information security program — the administrative, technical, and physical safeguards a licensee uses to handle nonpublic information — with the Commissioner of Insurance empowered to examine, investigate, and enforce. Health-care providers answer to the patient health-care-records statutes, whose damages remedy is covered in the consumer-lawsuit prong below. Two cross-cutting state laws round out the picture: § 100.18, the fraudulent-representations statute, polices untrue, deceptive, or misleading statements to the public, and § 995.50 codifies a general right of privacy. Everything else comes from the federal overlay — FTC Act § 5 for deceptive or unfair data practices, GLBA for financial institutions, HIPAA for covered health entities, and COPPA for child-directed services. This note is written to stay durable: a program built to the breach statute and the federal overlay upgrades rather than restarts if Wisconsin later enacts an omnibus law.
Sources for this answer
Primary law
A.1 Wis. Stat. § 134.98(1)(a)
The breach-notification statute applies to any entity that conducts business in Wisconsin and maintains personal information, licenses personal information, maintains depository accounts, or lends money to residents — expressly including state and local government.
“Entity” means a person, other than an individual, that does any of the following: a. Conducts business in this state and maintains personal information in the ordinary course of business. b. Licenses personal information in this state. c. Maintains for a resident of this state a depository account as defined in s. 815.18 (2) (e). d. Lends money to a resident of this state. 2. “Entity” includes all of the following: a. The state and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts. b. A city, village, town, or county.
See Wis. Stat. § 134.98(1)(a).
Primary law
A.2 Wis. Stat. § 134.97(2)
A financial institution, medical business, or tax preparation business may not dispose of a record containing personal information without shredding, erasing, or otherwise rendering the information unreadable or protecting it from unauthorized access.
A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following: (a) Shreds the record before the disposal of the record. (b) Erases the personal information contained in the record before the disposal of the record. (c) Modifies the record to make the personal information unreadable before the disposal of the record. (d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record’s disposal and the record’s destruction.
See Wis. Stat. § 134.97(2).
Primary law
A.3 Wis. Stat. § 134.97(4)(a)
A covered business that violates the record-disposal rule may be required to forfeit up to $1,000, with acts arising out of the same incident treated as a single violation.
A financial institution, medical business or tax preparation business that violates sub. (2) may be required to forfeit not more than $1,000. Acts arising out of the same incident or occurrence shall be a single violation.
See Wis. Stat. § 134.97(4)(a).
Primary law
A.4 Wis. Stat. § 601.95(5)
Wisconsin's insurance data-security subchapter is organized around an information security program — the administrative, technical, and physical safeguards a licensee uses to handle nonpublic information.
“Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
See Wis. Stat. § 601.95(5).
Primary law
A.5 Wis. Stat. § 601.956
The Commissioner of Insurance has the power to examine and investigate licensees and to take action necessary or appropriate to enforce the insurance data-security subchapter.
The commissioner shall have the power to examine and investigate the affairs of any licensee to determine whether the licensee has engaged in conduct in violation of this subchapter and to take action that is necessary or appropriate to enforce the provisions of this subchapter.
See Wis. Stat. § 601.956.
What must your Wisconsin privacy policy contain?
No Wisconsin statute requires a general consumer privacy policy or fixes what it must say. The operative rule is that whatever you publish has to be true. Under Section 5 of the FTC Act, a policy that misstates how you collect, use, share, retain, or secure data can create FTC Act exposure if the mismatch is unfair or deceptive, and Wisconsin's own fraudulent-representations statute, § 100.18, prohibits placing before the public a statement or representation containing any assertion of fact that is untrue, deceptive, or misleading. Where a sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.
In practice the drafting question in Wisconsin is less what must be included and more whether the policy matches actual practice. Build the policy from the federal and sectoral overlay. A financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the consumer a GLBA-compliant privacy notice. An operator of a website or online service directed to children must post notice of what information it collects from children, how it uses it, and its disclosure practices, and must obtain verifiable parental consent. A HIPAA covered entity uses the Notice of Privacy Practices framework. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct.
The § 100.18 angle deserves one scoping note. A published privacy policy that misstates data practices fits the statute's language — it is a statement to the public, and most commercial policies are published with intent to sell a product or service — but the statute's private remedy is narrower than its prohibition, reaching only a plaintiff who suffered pecuniary loss because of the representation. That limit, and who can actually sue, is developed in the consumer-lawsuit prong below. There is no Wisconsin-mandated contents checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
Sources for this answer
Primary law
B.1 FTC Act § 5
Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, supplying a federal hook when a privacy-policy mismatch is unfair or deceptive.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
B.2 Wis. Stat. § 100.18(1)
Wisconsin's fraudulent-representations statute prohibits public statements or representations, made with intent to sell, that contain any assertion of fact which is untrue, deceptive or misleading — language broad enough to reach a false published privacy policy.
No person, firm, corporation or association, or agent or employee thereof, with intent to sell, distribute, increase the consumption of or in any wise dispose of any real estate, merchandise, securities, employment, service, or anything offered by such person, firm, corporation or association, or agent or employee thereof, directly or indirectly, to the public for sale, hire, use or other distribution, or with intent to induce the public in any manner to enter into any contract or obligation relating to the purchase, sale, hire, use or lease of any real estate, merchandise, securities, employment or service, shall make, publish, disseminate, circulate, or place before the public, or cause, directly or indirectly, to be made, published, disseminated, circulated, or placed before the public, in this state, in a newspaper, magazine or other publication, or in the form of a book, notice, handbill, poster, bill, circular, pamphlet, letter, sign, placard, card, label, or over any radio or television station, or in any other way similar or dissimilar to the foregoing, an advertisement, announcement, statement or representation of any kind to the public relating to such purchase, sale, hire, use or lease of such real estate, merchandise, securities, service or employment or to the terms or conditions thereof, which advertisement, announcement, statement or representation contains any assertion, representation or statement of fact which is untrue, deceptive or misleading.
See Wis. Stat. § 100.18(1).
Primary law
B.3 HIPAA Notice of Privacy Practices
A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520(a)(1).
Primary law
B.4 GLBA privacy notice, 15 U.S.C. § 6802
A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a privacy notice complying with the GLBA.
Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
See 15 U.S.C. § 6802(a).
Primary law
B.5 COPPA, 15 U.S.C. § 6502
COPPA requires a child-directed website or online service to post notice of what information it collects from children, how it uses that information, and its disclosure practices, and to obtain verifiable parental consent.
require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children
See 15 U.S.C. § 6502(b)(1)(A).
What must your contracts with vendors say?
Wisconsin has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Vendor data terms are instead driven by the sectoral regimes that apply to your business: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information changes hands.
One Wisconsin-specific wrinkle makes the vendor contract worth drafting carefully. The breach statute gives data-holding vendors only a default duty: a person that stores personal information pertaining to Wisconsin residents but does not own or license it — and has not entered into a contract with the owner — must notify the owner of an unauthorized acquisition as soon as practicable. Once vendor and owner sign a contract, that statutory default falls away and the contract governs. So the practical move is to write the breach-reporting duty into the agreement expressly — notice to your business within a fixed number of days of discovery, cooperation with your own 45-day consumer-notice clock, and indemnity for vendor-caused incidents — rather than assume the statute fills the gap. Outside the regulated verticals, carrying the familiar protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — costs little and future-proofs the contract against a later Wisconsin omnibus law.
Sources for this answer
Primary law
C.1 GLBA Safeguards Rule
The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
See 16 C.F.R. § 314.4(f)(2).
Primary law
C.2 HIPAA Business Associate Contracts
HIPAA requires a written business-associate contract that establishes permitted uses and disclosures, requires safeguards and breach reporting, flows restrictions to subcontractors, and addresses return or destruction of protected health information.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; (E) Make available protected health information in accordance with § 164.524; (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526; (G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528; (H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. (I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and (J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
See 45 C.F.R. § 164.504(e)(2).
Primary law
C.3 Wis. Stat. § 134.98(2)(bm)
A person that stores Wisconsin residents' personal information without owning or licensing it, and without a contract with the owner, must notify the owner of an unauthorized acquisition as soon as practicable — a statutory default that applies only in the absence of a contract.
If a person, other than an individual, that stores personal information pertaining to a resident of this state, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorized to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information, the person storing the personal information shall notify the person that owns or licenses the personal information of the acquisition as soon as practicable.
See Wis. Stat. § 134.98(2)(bm).
When must you notify people of a data breach in Wisconsin?
For an entity with its principal place of business in Wisconsin, or an entity that maintains or licenses personal information in Wisconsin, the statute provides that “the entity shall make reasonable efforts to notify each subject of the personal information.” Out-of-state entities have a parallel duty to notify each affected Wisconsin resident when they know Wisconsin residents' personal information was acquired by an unauthorized person. The clock is explicit: “an entity shall provide the notice required under sub. (2) within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information.” When a single incident requires notice to 1,000 or more individuals, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay.
Personal information is defined as the individual's last name plus first name or initial, combined with an unencrypted, unredacted data element — Social Security number, driver's license or state ID number, financial-account number or an access code that would permit access to the account, DNA profile, or unique biometric data. Encryption and redaction are built into the definition, so a breach of properly encrypted data generally triggers nothing unless the protective element was compromised too. Two exceptions excuse notice entirely: where the acquisition does not create a material risk of identity theft or fraud to the data subject, and where an employee or agent acquired the information in good faith for a lawful purpose of the entity. The materiality screen does real work in practice — it is the statutory basis for not notifying after low-risk incidents — but it puts the burden of that judgment on the business. The statute also stands down for the major federally regulated sectors: it does not apply to an entity subject to and in compliance with the GLBA privacy and security requirements (with a breach policy in effect), or to a HIPAA-regulated entity complying with the federal privacy and security rules.
Operationally, notice may be sent by mail or by a method the entity previously used to communicate with the subject, with a reasonably calculated actual-notice method if neither a mailing address nor a prior communication channel is available. A recipient who makes a written request can require the notifying entity to identify the personal information that was acquired. Law enforcement can delay notice to protect an investigation or homeland security, and during that delay the entity may not provide notice or publicize the unauthorized acquisition except as the requesting agency authorizes.
Statutory gap — § 134.98 has no enforcement provision. The section prescribes no penalty, names no enforcement agency, and creates no private right of action, and chapter 100's penalty section does not pick it up: § 100.26 imposes penalties only for violations of provisions of chapter 100, and nowhere references § 134.98, which sits in chapter 134. The only consequence the statute itself states is evidentiary: “Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.” Two readings of the practical exposure follow. On one reading, a missed 45-day deadline carries no direct state-law sanction — no forfeiture, no agency action, no statutory damages. On the other, the exposure is real but indirect: noncompliance is admissible evidence in the negligence and contract suits that routinely follow a breach, and breach-response conduct by a business outside the GLBA and HIPAA carve-outs can create federal exposure if it is unfair or deceptive under FTC Act § 5. Both readings measure conduct against the same yardstick, so treat the 45-day clock as the standard a court or regulator would apply even though no Wisconsin official is designated to start that clock against you.
Sources for this answer
Primary law
D.1 Wis. Stat. § 134.98(2)(a)–(b)
In-state entities, entities maintaining or licensing personal information in Wisconsin, and out-of-state entities with Wisconsin-resident personal information must make reasonable efforts to notify the affected subjects or residents after unauthorized acquisition.
If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information. (b) If an entity whose principal place of business is not located in this state knows that personal information pertaining to a resident of this state has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each resident of this state who is the subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the resident of this state who is the subject of the personal information.
See Wis. Stat. § 134.98(2)(a)–(b).
Primary law
D.4 Wis. Stat. § 134.98(1)(b)
Personal information is a name combined with an unencrypted, unredacted element: Social Security number, driver's license or state ID number, financial-account number or access code, DNA profile, or unique biometric data.
“Personal information” means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable: 1. The individual’s social security number. 2. The individual’s driver’s license number or state identification number. 3. The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account. 4. The individual’s deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a). 5. The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
See Wis. Stat. § 134.98(1)(b).
Primary law
D.2 Wis. Stat. § 134.98(3)(a)
Notice must be given within a reasonable time, not to exceed 45 days after the entity learns of the acquisition, with reasonableness judged by the number of notices and available communication methods.
Subject to sub. (5), an entity shall provide the notice required under sub. (2) within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness under this paragraph shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.
See Wis. Stat. § 134.98(3)(a).
Primary law
D.3 Wis. Stat. § 134.98(2)(br)
When a single incident requires notice to 1,000 or more individuals, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay.
If, as the result of a single incident, an entity is required under par. (a) or (b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC 1681a (p), of the timing, distribution, and content of the notices sent to the individuals.
See Wis. Stat. § 134.98(2)(br).
Primary law
D.5 Wis. Stat. § 134.98(2)(cm)
Notice is excused where the acquisition does not create a material risk of identity theft or fraud, or where an employee or agent acquired the information in good faith for a lawful purpose of the entity.
Notwithstanding pars. (a), (b), (bm), and (br), an entity is not required to provide notice of the acquisition of personal information if any of the following applies: 1. The acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information. 2. The personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
See Wis. Stat. § 134.98(2)(cm).
Primary law
D.7 Wis. Stat. § 134.98(3)(b)
Breach notice may be sent by mail or by a previously used communication method, with an actual-notice fallback when no mailing address or prior channel is reasonably available.
An entity shall provide the notice required under sub. (2) by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.
See Wis. Stat. § 134.98(3)(b).
Primary law
D.8 Wis. Stat. § 134.98(3)(c)
A person who receives breach notice may submit a written request requiring the entity to identify the personal information that was acquired.
Upon written request by a person who has received a notice under sub. (2) (a) or (b), the entity that provided the notice shall identify the personal information that was acquired.
See Wis. Stat. § 134.98(3)(c).
Primary law
D.9 Wis. Stat. § 134.98(5)
Law enforcement may delay required breach notice to protect an investigation or homeland security, and the entity may not notify or publicize the acquisition except as authorized during the delay.
A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a notice that is otherwise required under sub. (2) for any period of time and the notification process required under sub. (2) shall begin at the end of that time period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request.
See Wis. Stat. § 134.98(5).
Primary law
D.6 Wis. Stat. § 134.98(3m)
The breach statute does not apply to entities subject to and in compliance with the GLBA privacy and security requirements (with a breach policy in effect) or to HIPAA-regulated entities complying with the federal rules.
This section does not apply to any of the following: (a) An entity that is subject to, and in compliance with, the privacy and security requirements of 15 USC 6801 to 6827, or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security. (b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with the requirements of 45 CFR part 164.
See Wis. Stat. § 134.98(3m).
Primary law
D.11 Wis. Stat. § 134.98(4)
The statute's only stated consequence for noncompliance is evidentiary — failure to comply is not negligence or a breach of duty, but may be evidence of negligence or a breach of a legal duty.
Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
See Wis. Stat. § 134.98(4).
Primary law
D.10 Wis. Stat. § 100.26(1)
Chapter 100's penalty section reaches only violations of chapter 100 provisions — it nowhere references § 134.98, leaving the breach statute without a penalty backbone.
Any person who violates any provision of this chapter, except s. 100.18, 100.20, 100.206 or 100.51, for which no specific penalty is prescribed shall be fined not to exceed $200, or imprisoned in the county jail not more than 6 months or both.
See Wis. Stat. § 100.26(1).
Primary law
D.12 FTC Act § 5
FTC Act § 5 declares unfair or deceptive acts or practices unlawful, supplying a federal hook when breach-response conduct is unfair or deceptive.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Can a consumer sue your business in Wisconsin over privacy?
Not under the breach statute — § 134.98 creates no private right of action, and its own text limits the consequence of noncompliance to potential evidence in a suit brought on some other legal theory. Wisconsin's only general privacy private action is the codified right of privacy: “The right of privacy is recognized in this state.” A person whose privacy is unreasonably invaded is entitled to equitable relief, compensatory damages based either on the plaintiff's loss or the defendant's unjust enrichment, and a reasonable amount for attorney fees. Alongside it, § 100.18 prohibits public commercial representations containing an assertion of fact that is untrue, deceptive, or misleading; any person suffering pecuniary loss because of such a violation may sue and recover that loss plus costs and reasonable attorney fees.
Section 995.50 defines invasion of privacy in four branches: intrusion upon another's privacy, of a kind highly offensive to a reasonable person, in a place a reasonable person would consider private or in a manner actionable as trespass; the use of a living person's name, portrait, or picture for advertising or trade purposes without prior written consent — the statutory misappropriation branch, and the one most naturally suited to commercial exploitation of identity; publicity given to private life, of a kind highly offensive to a reasonable person, subject to a public-record safe harbor; and conduct prohibited by the nonconsensual-depiction crimes, regardless of any criminal proceeding. The statute is to be interpreted in accordance with the developing common law of privacy, and — unlike the fraudulent-representations action — its compensatory damages are not limited to pecuniary loss, though they may not be presumed without proof. Those branches are tort-shaped: the intrusion branch is tied to a place, and the publicity branch requires publicity. How far they reach into ordinary commercial data collection, sale, or breach fact patterns is an open question the statutory text does not answer, so treat § 995.50 as a genuine but untested exposure for data practices, with the misappropriation branch the most plausible vehicle.
The § 100.18 action is the workhorse for false statements about data practices, but it is tightly scoped. The Department of Agriculture, Trade and Consumer Protection enforces the section publicly, while the private action belongs only to a plaintiff who can show pecuniary loss caused by a public commercial representation that violates the section — a hurdle that screens out most pure privacy-injury theories, where the harm is exposure rather than money out of pocket. Suits also face a hard three-year limit running from the unlawful act.
Two sectoral private actions are stronger than anything general-purpose in Wisconsin. The patient health-care-records statute makes a person who knowingly and willfully violates the records-confidentiality rules liable for actual damages plus exemplary damages of up to $25,000 and attorney fees, with a negligence tier capped at $1,000 in exemplary damages. And a financial institution, medical business, or tax preparation business that disposes of records in violation of the disposal statute is liable to the affected person for resulting damages. The net effect for most businesses: Wisconsin consumer-privacy litigation arrives through the privacy tort, the pecuniary-loss UDAP action, or post-breach negligence claims that use § 134.98 noncompliance as evidence — not through a statutory privacy class action of the kind comprehensive-law states authorize.
Sources for this answer
Primary law
E.1 Wis. Stat. § 134.98(4)
The breach statute creates no private right of action — failure to comply is not itself negligence or a breach of duty, but may be evidence of negligence or a breach of a legal duty in a suit brought on another theory.
Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
See Wis. Stat. § 134.98(4).
Primary law
E.2 Wis. Stat. § 995.50(1)
Wisconsin codifies a right of privacy: one whose privacy is unreasonably invaded is entitled to equitable relief, compensatory damages based on the plaintiff's loss or the defendant's unjust enrichment, and reasonable attorney fees.
The right of privacy is recognized in this state. One whose privacy is unreasonably invaded is entitled to the following relief: (a) Equitable relief to prevent and restrain such invasion, excluding prior restraint against constitutionally protected communication privately and through the public media; (b) Compensatory damages based either on plaintiff’s loss or defendant’s unjust enrichment; and (c) A reasonable amount for attorney fees.
See Wis. Stat. § 995.50(1).
Primary law
E.5 Wis. Stat. § 995.50(2)(am)
Invasion of privacy has four statutory branches: highly offensive intrusion in a private place, misappropriation of name, portrait, or picture for advertising or trade without written consent, highly offensive publicity given to private life, and conduct prohibited by the nonconsensual-depiction crimes.
In this section, “invasion of privacy” means any of the following: 1. Intrusion upon the privacy of another of a nature highly offensive to a reasonable person, except as provided under par. (bm), in a place that a reasonable person would consider private, or in a manner that is actionable for trespass. 2. The use, for advertising purposes or for purposes of trade, of the name, portrait or picture of any living person, without having first obtained the written consent of the person or, if the person is a minor, of his or her parent or guardian. 3. Publicity given to a matter concerning the private life of another, of a kind highly offensive to a reasonable person, if the defendant has acted either unreasonably or recklessly as to whether there was a legitimate public interest in the matter involved, or with actual knowledge that none existed. It is not an invasion of privacy to communicate any information available to the public as a matter of public record. 4. Conduct that is prohibited under s. 942.09 or 942.095, regardless of whether there has been a criminal action related to the conduct, and regardless of the outcome of the criminal action, if there has been a criminal action related to the conduct.
See Wis. Stat. § 995.50(2)(am).
Primary law
E.6 Wis. Stat. § 995.50(3)–(4)
The right of privacy is interpreted in accordance with the developing common law of privacy, and compensatory damages are not limited to pecuniary loss but may not be presumed without proof.
The right of privacy recognized in this section shall be interpreted in accordance with the developing common law of privacy, including defenses of absolute and qualified privilege, with due regard for maintaining freedom of communication, privately and through the public media. (4) Compensatory damages are not limited to damages for pecuniary loss, but shall not be presumed in the absence of proof.
See Wis. Stat. § 995.50(3)–(4).
Primary law
E.3 Wis. Stat. § 100.18(1)
Section 100.18 prohibits public commercial statements or representations, made with intent to sell or induce a transaction, that contain an assertion of fact which is untrue, deceptive, or misleading.
No person, firm, corporation or association, or agent or employee thereof, with intent to sell, distribute, increase the consumption of or in any wise dispose of any real estate, merchandise, securities, employment, service, or anything offered by such person, firm, corporation or association, or agent or employee thereof, directly or indirectly, to the public for sale, hire, use or other distribution, or with intent to induce the public in any manner to enter into any contract or obligation relating to the purchase, sale, hire, use or lease of any real estate, merchandise, securities, employment or service, shall make, publish, disseminate, circulate, or place before the public, or cause, directly or indirectly, to be made, published, disseminated, circulated, or placed before the public, in this state, in a newspaper, magazine or other publication, or in the form of a book, notice, handbill, poster, bill, circular, pamphlet, letter, sign, placard, card, label, or over any radio or television station, or in any other way similar or dissimilar to the foregoing, an advertisement, announcement, statement or representation of any kind to the public relating to such purchase, sale, hire, use or lease of such real estate, merchandise, securities, service or employment or to the terms or conditions thereof, which advertisement, announcement, statement or representation contains any assertion, representation or statement of fact which is untrue, deceptive or misleading.
See Wis. Stat. § 100.18(1).
Primary law
E.4 Wis. Stat. § 100.18(11)(b)2.
The fraudulent-representations statute gives a private damages action only to a person suffering pecuniary loss because of a violation, with recovery of that loss plus costs and reasonable attorney fees.
Any person suffering pecuniary loss because of a violation of this section by any other person may sue in any court of competent jurisdiction and shall recover such pecuniary loss, together with costs, including reasonable attorney fees, except that no attorney fees may be recovered from a person licensed under ch. 452 while that person is engaged in real estate practice, as defined in s. 452.01 (6).
See Wis. Stat. § 100.18(11)(b)2.
Primary law
E.7 Wis. Stat. § 100.18(11)(a)
The Department of Agriculture, Trade and Consumer Protection is charged with public enforcement of the fraudulent-representations statute.
The department of agriculture, trade and consumer protection shall enforce this section.
See Wis. Stat. § 100.18(11)(a).
Primary law
E.8 Wis. Stat. § 100.18(11)(b)3.
A fraudulent-representations action must be commenced within three years of the unlawful act or practice.
No action may be commenced under this section more than 3 years after the occurrence of the unlawful act or practice which is the subject of the action.
See Wis. Stat. § 100.18(11)(b)3.
Primary law
E.9 Wis. Stat. § 146.84(1)(b)–(bm)
Knowing and willful violations of the patient health-care-records statutes carry liability for actual damages plus exemplary damages up to $25,000 and attorney fees; negligent violations carry exemplary damages up to $1,000 plus fees.
Any person, including the state or any political subdivision of the state, who violates s. 146.82 or 146.83 in a manner that is knowing and willful shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees. (bm) Any person, including the state or any political subdivision of the state, who negligently violates s. 146.82 or 146.83 shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $1,000 and costs and reasonable actual attorney fees.
See Wis. Stat. § 146.84(1)(b)–(bm).
Primary law
E.10 Wis. Stat. § 134.97(3)(a)
A financial institution, medical business, or tax preparation business that disposes of records containing personal information in violation of the disposal rule is liable to the affected person for the resulting damages.
A financial institution, medical business or tax preparation business is liable to a person whose personal information is disposed of in violation of sub. (2) for the amount of damages resulting from the violation.
See Wis. Stat. § 134.97(3)(a).