HUDSON, Wis. — Companies could pay a high penalty for disobeying orders to halt the collection and distribution of personal data under a package of bills being proposed by a Wisconsin lawmaker.
State Rep. Shannon Zimmerman said he’ll begin circulating the proposed Wisconsin Data Privacy Act, which could fine companies up to $20 million — or assess a portion of their annual revenue — if they don’t abide by rules established in three bills. The River Falls Republican unveiled the package Wednesday, Jan. 29.
Zimmerman said the legislation represents the first of its kind in the United States to hold companies accountable for sharing personal data without users’ consent. He said the practice of collecting private user information and then distributing it has become prolific.
“However bad you think it is, it’s worse,” Zimmerman said. “It’s unnerving, it’s a violation of privacy.”
The first bill would allow Wisconsin residents to learn what data businesses have collected. He said those companies could range from tech giants such as Google or Facebook to any entity that collects user data. With some limitations, businesses would be required to release a record of what they’ve collected and what they intend to do with it, according to the legislation.
Zimmerman said such data could include names, identification numbers, geographic movements collected through smartphone location data or information including the user’s genetic, physical, physiological, mental or social identifier.
“There’s so many nefarious ways that information’s being used,” he said.
The bill also calls on third parties that have received users’ data to disclose what personal data they received.
The second bill would give Wisconsinites the right to demand a company stop collecting the data and to delete it, while the third bill outlines strict rules companies must follow for collecting personal data and how consent would be applied.
The third bill prohibits — with some exceptions — companies from collecting or selling personal data. That data includes biometric, health and genetic data that could be gathered by genealogy firms. Information made available from federal, state or local government records would not be subject to regulations under the bill.
The proposal would require entities to post an unambiguous consent waiver for users. Those users could later withdraw that consent.
Theoretically, a company could deny use of products or services depending on a user’s refusal to consent, Zimmerman said. But he pointed to Europe’s General Data Protection Regulation, from which he modeled portions of the legislation.
Zimmerman said refusals of service stemming from consent forms haven’t become an issue there, where the GDPR was enacted in 2018.
“I have yet to hear about that in Europe, which leads me to believe it's not going to be as big a deal as you think,” he said.
One element of the legislation allows for entities to reject a user’s data-deletion request if processing that personal information is necessary for “exercising the right of free expression and information.” Asked if companies could leverage the First Amendment to skirt such requests, Zimmerman said he would research that issue.
‘Standard for the nation’?
Depending on the severity of the offense, the Wisconsin attorney general could bring legal action, according to the proposal. The penalties call for entities to be fined up to $10 million or 2% of annual revenue — whichever is greater — for recordkeeping violations. Those penalties could be doubled for personal data violations.
No other state has enacted a similar law, Zimmerman said.
“It could serve as the standard for the nation,” he said. “This package of bills is a real front runner.”
Zimmerman said he began formulating a data privacy act after becoming disturbed by data collection practices and having witnessed data abuses in the tech sector, where he’s worked for about 25 years.
“I have seen firsthand how content is used,” he said, calling unregulated data collection practices “the wild, wild west.”
Zimmerman said he’s not going to wait on federal legislation to establish data privacy laws, but would yield if it appeared Congress was poised to take action.
“I’d rather be prepared and proactive and get something done just in case the feds don’t get anything done,” he said.
Zimmerman said there’s little hope the private sector will effectively regulate itself on data collection.
“They won’t,” he said, “because there’s too much in it for them.”
He said that while some pro-business groups may cry foul over the bills, there is little evidence from Europe’s GDPR to suggest it is harmful to commerce.
“They’re still operating, they’re still conducting business,” he said.
Zimmerman said he expects strong support in the Legislature for the proposal and that Speaker Robin Vos considers the bills “a thoughtful starting point.” Still, Zimmerman said he expects the legislation to undergo “some level of evolution” as it makes its way through the committee process.
While he expects the legislation to take at least a year to reach the governor’s desk, Zimmerman said he has asked Committee on Science and Technology Chairman Romaine Quinn, R-Cameron, to call a public hearing on the bills.
“Nothing flushes out interested parties like a public hearing,” Zimmerman said.