The following law(s) specifically govern personal data / information:
Wisconsin does not currently have a law, like California's, that specifically governs personal data.
The Wisconsin Constitution recognizes an individual's right to privacy as: '[t]he right of people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated; and no warrant shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.'
The Wisconsin Supreme Court has recognised a limited right of privacy under common law, including the tort of misappropriation of one's name and likeness, but not all privacy rights have been recognised under common law. See Hirsch v. S.C. Johnson & Son, Inc., 90 Wis.2d 379 (1979).
The invasion of privacy tort has been codified in § 995.50 of the Wisconsin Statutes & Annotations, with specific provisions that regulate telephone records, disposal of records containing personal information, and the unauthorized acquisition of personal information.
The Wisconsin statute specifically states that '[t]he right of privacy recognised in this section shall be interpreted in accordance with the developing common law of privacy, including defences of absolute and qualified privilege, with due regard for maintaining freedom of communication, privately and through the public media' (Wis. Stat. § 995.50(3)).
According to Wis. Stat. 943, the following activities are considered crimes:
- unauthorized use of an individual's personal identifying information or documents (Wis. Stat. § 943.201);
- unauthorized use or possession of a credit card scanner (Wis. Stat. § 943.202);
- unauthorized use of an entity's identifying information or documents (Wis. Stat. § 943.203);
- theft of mail (Wis. Stat. § 943.204);
- theft of trade secrets (Wis. Stat. § 943.205);
- recording performance without consent (Wis. Stat. § 943.208); and
- threats to communicate derogatory or humiliating information (Wis. Stat. § 943.31).
The key data protection principles in this jurisdiction are:
No general principles.
The supervisory authority / regulator in charge of data protection is:
No central data privacy authority or regulator.
Is there a requirement to register with a supervisory authority / regulator?
No registration required.
Is there a requirement to notify the supervisory authority / regulator?
No notification required.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
No key rights except for notice in event of data breach.
Is there a requirement to appoint a data protection officer (or equivalent)?
No statutory requirement for a data protection officer.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
Wis. Stat. § 134.98, Wisconsin's data breach notification law, provides as follows:
An 'entity' is defined as a person, other than an individual, that:
- conducts business in Wisconsin and maintains personal information in the ordinary course of business;
- licenses personal information in Wisconsin;
- maintains a state depository account for a resident of Wisconsin; or
- lends money to a resident of Wisconsin.
'Personal information' means an individual's first name or first initial, in combination with and linked to any of the following:
- the individual's social security number;
- the individual's driver's license number or state identification number;
- the number of the individual's financial account, including a credit or debit account number, or any security code, access code or password that would permit access to the person's financial account;
- the individual's DNA profile; or
- the individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
'Personal information' does not include data elements that are publicly available. Information is not deemed 'personal information' if it is encrypted, redacted or altered in a manner that renders the element unreadable.
Notification of a data security incident is required:
- If an entity whose principal place of business is located in Wisconsin or an entity that maintains or licenses personal information in Wisconsin knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorized to acquire the personal information.
- If an entity whose principal place of business is not located in Wisconsin knows that personal information pertaining to a resident of Wisconsin has been acquired by a person whom the entity has not authorized to acquire the personal information.
- If a person, other than an individual, that stores personal information pertaining to a resident of Wisconsin, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorized to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information.
If, as the result of a single incident, an entity is required to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity must without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices sent to the individuals.
An entity is not required to provide notice of the acquisition of personal information if any of the following applies:
- the acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information; or
- the personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
Timing & manner of notice
Notice must be provided to individuals within a reasonable time, not exceeding 45 days after the entity learns of the unauthorized acquisition of personal information.
Notice must be provided by mail or any method the entity has previously used to communicate with the subject of the personal information. If, after conducting reasonable due diligence, the entity cannot determine the mailing address of the subject and if the entity had not previously communicated with the subject, the entity must provide notice by a method reasonably calculated to provide actual notice to the subject.
The statute does not include specific requirements for the content of the notices.
The following restrictions apply to the international transfer of personal data / information:
No restrictions apply.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The following rules specifically deal with marketing:
Federal laws such as the CAN-SPAM Act establish requirements for commercial messages sent to recipients in the United States. The CAN-SPAM Act expressly pre-empts state laws or regulations that expressly regulate the use of electronic mail to send commercial messages, except to the extent that such laws or regulations prohibit false or deceptive actions.
Wisconsin prohibits sending unsolicited electronic mail solicitations to a person that contain obscene material or a depiction of sexually explicit conduct without including the words 'ADULT ADVERTISEMENT' in the subject line of the electronic mail (Wis. Stat. § 944.25).
Wisconsin also requires opt-outs for telephone marketing with a state-wide registry containing the telephone numbers of consumers in the state who do not wish to be contacted by telephone for marketing purposes. Wis. Stat. 100.52 prohibits telephone solicitors from calling persons whose telephone numbers are included in the Wisconsin No-Call list. Telemarketers are also prohibited from using electronically pre-recorded messages without consent.
Wis. Stat. 134.72 prohibits sending solicitations via facsimile without the consent of the person solicited unless:
- the document transmitted by facsimile machine does not exceed one page in length and is received by the person solicited after 9:00 pm and before 6:00 am;
- the person making the facsimile solicitation has had a previous business relationship with the person solicited; and
- the document transmitted contains the name of the person sending the document.
Facsimile transmissions for solicitation purposes are strictly prohibited, even if the above three elements are met, if a person has notified the facsimile solicitor in writing, by telephone or by facsimile transmission that the person does not want to receive facsimile solicitations. The prohibitions in Wis. Stat. § 134.72 apply to facsimile transmissions originating in Wisconsin, as well as transmissions originating outside of Wisconsin that are received by a person within the state of Wisconsin. A person who violates this law may be subject to $500 per violation.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
See above. Federal TCPA applies to text messages.
The following rules specifically deal with cookies:
There are no specific state laws dealing with cookies.
The consequences of non-compliance with data protection laws (including marketing laws) are:
No state regulator except for the Wisconsin Attorney General who may impose fines under the statutes discussed above.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Under Wisconsin law, '[a]ll patient health care records shall remain confidential. Patient health care records may be released only to the persons designated [by law] or to other persons with the informed consent of the patient or of a person authorised by the patient' (Wis. Stat. § 146.82(1)).
Wis. Stat. § 995.55 prohibits educational institutions, employers and landlords from requesting or requiring a student, employee or tenant to disclose access information for their personal Internet accounts. Wis. Stat. § 995.55 also prohibits educational institutions, employers and landlords from discriminating against or taking adverse actions against any student, employee, or tenant who refuses to disclose their personal Internet account information.
Wis. Stat. § 134.97 sets forth requirements for the disposal of certain records that contain personal information. Financial institutions, medical businesses and tax preparation businesses are prohibited from disposing of records containing personal information unless the entity (or those it contracts with) first shreds the record, erases the personal information contained in the record, modifies the record to make the personal information unreadable or takes actions it reasonably believes will ensure that no unauthorized person may access the personal information. 'Personal information' means:
- personally identifiable data about an individual's medical condition, if the data are not generally considered to be public knowledge;
- personally identifiable data that contain an individual's account or customer number, account balance, balance owing, credit balance or credit limit, if the data relate to an individual's account or transaction with a financial institution;
- personally identifiable data provided by an individual to a financial institution upon opening an account or applying for a loan or credit; or
- personally identifiable data about an individual's federal, state or local tax returns.
'Personally identifiable' means capable of being associated with a particular individual through one or more identifiers or other information or circumstances. A 'record' is any material on which written, drawn, printed, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
Failure to comply with the requirements of Wis. Stat. § 134.97 may result in both civil liability and criminal fines up to $1,000 and 90 days of imprisonment.
Multinational organisations should be aware of the following upcoming data protection developments:
Nothing unique or special about Wisconsin. However, there have been bills introduced that are similar to the California Consumer Privacy Act (CCPA) and proposed Washington state legislation.