Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • 45-day deadline for notifications
  • Report to consumer reporting agencies (within 45 days) with specific information
  • Data owners are responsible for breach reporting and notifications
  • Attorney general can take action for noncompliance AND for failing to take precautions against a breach
  • Laws also cover data protection and data disposal
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply 

Who Me?


Wisconsin breach and notification laws may apply to an entity:

  • Whose business is located in WI
  • That maintains or licenses PII in WI
  • Whose business is not in Wisconsin, but that knows that PII pertaining to a WI resident has been acquired by an unauthorized person
  • That stores PII pertaining to a WI resident, but does not own or license it

There are exemptions.

What is PII?


PII relevant to a breach in Wisconsin includes a person's name plus one or more of the following:

  • Social Security Number
  • Driver license or WI identification number
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account
  • Deoxyribonucleic acid profile
  • Unique biometric data



A few applicable laws include, but are not limited to:

Chapter 134 Miscellaneous Trade Regulations

  • 134.98 Notice of unauthorized acquisition of personal information
  • 134.99 Parties to a violation


Wisconsin has laws related to the protection and disposal of personal information.  A few of these laws include:

  • Chapter 134 Miscellaneous Trade Regulations / 134.74 Nondisclosure of information on receipts; and 134.97 Disposal of records containing personal information.
  • Chapter 995 – Miscellaneous Statutes / 995.55 Internet privacy protection



Whoever is concerned in the commission of a violation for which a forfeiture is imposed is a principal and may be charged with and convicted of the violation although he or she did not directly commit it and although the person who directly committed it has not been convicted of the violation.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • Whether it was acquired by an unauthorized person;
  • Whether there is a material risk of fraud.


The notification may be delayed if law enforcement advises the entity that it will interfere with an investigation or homeland security. Otherwise, the notification must be made within a reasonable time, and within 45 days of the date the entity learns of the unauthorized acquisition.


Requires detailed information and potential provision of services

If notification is required to more than 1000 individuals, it must also be reported, without unreasonable delay, but within 45 days, to the consumer reporting agencies.

The notification may be sent by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, the entity must provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.
