Wisconsin Consumer Data Protection Act


Wisconsin has proposed the Consumer Data Protection Act (WCDPA), joining its Midwestern neighbor, Michigan, in advancing comprehensive privacy legislation. The WCDPA largely adopts the standard framework seen across the US, focused on providing consumers with opt-out rights for data sale and targeted advertising. However, its specific applicability thresholds and enforcement mechanisms demand distinct attention from corporate compliance teams.

The WCDPA’s introduction underscores the national shift: operating in any state—even one not historically seen as a major tech hub—now means operating under a mandatory, comprehensive privacy law. The strategy for large corporations must be to deploy flexible, integrated data privacy software that can be rapidly configured to meet the WCDPA’s specific definitions and procedural timelines.

This bill is still in the works, and the Wisconsin privacy law is not yet in effect, but we are prepared to protect businesses and corporations as soon as it goes live. Get a free privacy audit from our team to understand what your risks are.

The WCDPA Framework: Coverage and Rights

The Wisconsin bill follows the standard “opt-out” model, granting consumers control over how their data is used for commercial monetization while placing clear duties on the businesses that act as Controllers.

Applicability and Scope

The WCDPA’s thresholds are comparable to those of many established state laws. The bill focuses on entities that conduct business in Wisconsin or target its residents, and it covers an entity that does either of the following:

  • Controls or processes the personal data of at least 100,000 Wisconsin consumers during a calendar year.

  • Controls or processes the personal data of at least 25,000 Wisconsin consumers and derives more than 50% of gross revenue from the sale of personal data.

These thresholds ensure coverage of major online retailers, data brokers, and technology platforms, while generally exempting small businesses whose data operations are minimal.

Consumer Rights and Data Processing Duties

Wisconsin consumers gain the full suite of modern privacy rights:

  • The Right to Know: Consumers can confirm whether a controller is processing their personal data and access that data.

  • Data Management Rights: Consumers have the right to correct inaccuracies, delete personal data, and obtain a portable copy of the data they provided.

  • Opt-Out Rights: Consumers can opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

  • Sensitive Data: Controllers must obtain the consumer’s affirmative consent before processing sensitive data. Sensitive data is broadly defined, including health status, racial/ethnic origin, religious beliefs, precise geolocation, and genetic/biometric data. 

Enforcement and Risk Mitigation

Like most other state privacy proposals, the WCDPA is designed for centralized, administrative enforcement, making the compliance relationship one between the business and the Wisconsin Attorney General (AG).

  • Enforcement Authority: Exclusive enforcement power resides with the AG.

  • No Private Right of Action (PRA): The WCDPA does not include a private right of action, protecting businesses from class-action lawsuits brought by individuals for privacy violations under the Act.

  • Penalties: The AG is authorized to seek civil penalties of up to $5,000 per violation.

  • Cure Period: The WCDPA includes a mandatory 30-day cure period, providing businesses with an opportunity to remedy an alleged violation before facing penalties. However, this cure period is often subject to sunset provisions or the AG’s discretion over time.

The Wisconsin Business Compliance Checklist

The WCDPA’s requirements solidify the need for automated solutions that handle the sheer volume and complexity of multi-state privacy demands.

  1. Standardize Sensitive Data Opt-In: Since the WCDPA requires affirmative consent for sensitive data, all businesses must adopt this as the default collection setting for all Wisconsin consumers. Privacy software must present a clear, non-deceptive mechanism for obtaining and logging this consent.

  2. Integrate Comprehensive Consumer Request (DSR) Handling: The 45-day response window for access, deletion, and correction requests is non-negotiable. Privacy software solutions must provide:

    • Verified Intake: Secure methods for consumers to submit requests.

    • Automated Fulfillment: Workflow automation to find and either delete, correct, or port the data across all interconnected systems.

    • Audit Logging: Detailed logs showing the request received date, verification method, steps taken, and completion date to demonstrate compliance to the AG.

  3. Conduct Mandatory Data Protection Assessments (DPAs): Controllers must complete DPAs for targeted advertising, data sales, and sensitive data processing. These assessments require a thorough internal review of data practices, which is best achieved using a governance platform that centralizes risk analysis and documentation.

  4. Adopt the GPC: Although the WCDPA may not initially mandate the Universal Opt-Out Signal/Global Privacy Control (GPC), the trend in all serious state bills (like Michigan’s) requires it. Preparing your web assets and advertising technology now to recognize and honor GPC signals for Wisconsin consumers will future-proof your compliance program.

Comparative Analysis: Wisconsin vs. Midwest and US Privacy Laws

| Feature | Wisconsin WCDPA (Proposed) | Michigan PDPA (Proposed) | California CPRA (Enacted) | Virginia VCDPA (Enacted) |
|---|---|---|---|---|
| Applicability Threshold (Consumer Count) | 100,000 or 25,000 + 50% Revenue from Sale | 100,000 or 25,000 + Any Revenue from Sale | 100,000 Consumers/HH | 100,000 Consumers |
| Sensitive Data Consent | Affirmative Opt-In Consent Required for Processing. | Affirmative Opt-In Consent Required for Processing. | Opt-Out/Limit Use right for consumer. | Opt-In Consent Required for Processing. |
| Revenue Threshold | 50% of Revenue from Sale (if processing 25k+ consumers). | Any Revenue from Sale (if processing 25k+ consumers). | $25 Million Gross Revenue. | None (Volume-only threshold). |
| Private Right of Action (PRA) | None (Exclusive AG Enforcement). | None. | Limited PRA for Data Breaches only. | None. |
| Enforcement Penalty Cap | Up to $5,000 per violation. | Up to $7,500 per violation. | Up to $7,500 per intentional violation. | Up to $7,500 per violation. |

The WCDPA provides a strong compliance baseline for the Midwest, particularly when paired with the stricter revenue-for-sale trigger in the Michigan bill. For multi-state operators, the overarching strategy must be to adopt the highest common denominator of compliance (the opt-in requirement for sensitive data and automated DSR fulfillment) to satisfy all three new regional bills effectively. Captain Compliance stands ready to be the company that guarantees its clients’ compliance and pays their fines if something goes wrong.
