Get to Know the Wisconsin Data Privacy Act (WDPA)
Privacy protection and data security laws are becoming increasingly vital. Serving a key part in this pursuit for privacy is the Wisconsin Data Privacy Act (WDPA). This Act is a comprehensive law dealing with issues around data privacy and cyber security within the state. It outlines provisions for the collection, storage, use, and disclosure of personal information, and provides businesses and consumers with a legal framework for data security and privacy protection.
We’ll explore this proposed law in further detail, including its implications for businesses and residents alike, the risks of non-compliance, and implementation strategies, all below.
WDPA Origin
Wisconsin recognized the pressing need to enact data privacy legislation in light of increasing cybercrime incidents and privacy breaches affecting its citizens. Technology and the rise of data-driven businesses were seen as contributing factors, sparking concerns over the handling and misuse of personal data. It was in this context that the Wisconsin Data Privacy Act (WDPA) was proposed.
The Wisconsin State Assembly passed Assembly Bill 466 on November 14, 2023 and, pending passage by the senate and signed by the governor, the WDPA will become effective on January 1, 2025. Not surprisingly, the WDPA closely mirrors other comprehensive state consumer privacy laws including Virginia, Colorado, and Connecticut, and many others.
The Structure of the WDPA
The WDPA is structured in such a way that it protects consumers’ data and ensures businesses use this data responsibly. Its key elements include requiring businesses to inform consumers if their data is being collected and the purpose of collection. The Act also stipulates that businesses must secure the personally identifiable and protected health information (PII/PHI) they collect against unlawful access, destruction, or alteration.
Another significant feature of the WDPA is the right to access and control over personal information. The Act provides a mechanism for consumers to access their personal data collected by businesses, request corrections, or even deletion of the data. These elements are essential in ensuring the WDPA achieves its mission of providing robust data privacyand protection in Wisconsin.
Fundamentals of the WDPA
The WDPA contains vital regulations that businesses must follow to ensure the privacy and protection of individual’s data.
A fundamental component of the WDPA is that it requires businesses to implement reasonable security procedures and practices to protect personal data. The legislation recognizes that different businesses will have different capabilities and resources. Therefore, the scale and complexity of the security procedures businesses are expected to implement are dependent on the size of the business, the amount of data they process, and the nature of their operations.
Another important aspect of the WDPA is the requirement for businesses to notify individuals if their personal data has been breached. This notification must be issued without unreasonable delay and in no case later than 45 days after the business becomes aware of the breach. This is designed to give individuals ample opportunity to take necessary actions to protect themselves from potential harm.
The WDPA also stipulates that businesses must provide consumers with a simple, straightforward method to opt-out of having their personal data sold to third parties. This regulation is intended to give individuals more control over their personal data and helps to prevent misuse of data.
Another critical element of the WDPA is the right of individuals to access their personal data. Upon a verifiable consumer request, businesses are required to disclose the categories of personal information they have collected, the source of the information, the purpose of collection, and the categories of third parties with whom the data has been shared. This ensures transparency and empowers consumers to make informed decisions about their personal data.
In total, the WDPA is a comprehensive piece of legislation designed to safeguard the personal data of Wisconsin residents. It imposes strict responsibilities on businesses to protect personal data, notify individuals of any breaches, provide mechanisms to opt-out of data sales, and ensure transparency in their data collection practices. It is essential for businesses operating in Wisconsin to understand and comply with these regulations to protect not only their customers but also the reputation and credibility of their business.
Impact of the WDPA on Consumers
On the consumer side, the WDPA provides several benefits. It gives individuals control over their personal information, enhancing their privacy and security. Consumers can also access, correct, or delete their data, thereby ensuring their information is accurate and used for intended purposes only.
Moreover, the Act requires businesses to inform consumers about data breaches, allowing them to take timely protective measures. By ensuring businesses adhere to high standards of data security and privacy, the WDPA contributes to a safer digital environment for consumers in Wisconsin.
Compliance Obligations for Businesses
Any organization that collects, uses, stores, or disposes of personal information about Wisconsin residents is obligated to protect these data. This responsibility ensures that organizations do not misuse or allow unauthorized access to the information they handle.
To comply with the WDPA, organizations must implement and maintain reasonable security procedures and practices. These security measures should be scalable, reflecting the nature of the personal information held and the nature of the business.
Organizations must also develop a written comprehensive Information Security Program (ISP) that details the manner of protecting personal information. The ISP must include administrative, technical, and physical safeguards.
In the event of a data breach, the WDPA requires organizations to notify affected Wisconsin residents promptly. If more than 1,000 residents are affected, the organization must also notify all consumer reporting agencies. These notification requirements mandate that organizations have monitoring systems in place to detect data breaches in a timely manner.
Another crucial obligation under the WDPA is the disposal of data. Organizations should not retain personal information indefinitely. They must dispose of records containing personal information by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable.
Lastly, organizations need to update their privacy policies, ensuring they are transparent about the types of personal information they collect, the purpose for the collection, and the rights of Wisconsin residents. The policy should also detail any third parties with whom the information may be shared.
In summary, the compliance obligations for the WDPA are comprehensive, requiring organizations to implement robust security procedures, maintain a written ISP, notify affected residents in the event of a data breach, responsibly dispose of data, and maintain transparent privacy policies. By complying with these obligations, organizations can protect the privacy of Wisconsin residents, adhere to the law, and build trust with their consumers.
Enforcing the WDPA
Enforcement of the WDPA is crucial to ensure that this law is upheld and adhered to. The Office of Privacy Protection (OPP) within the Wisconsin Department of Agriculture, Trade and Consumer Protection is the key entity responsible for enforcing the WDPA.
The OPP carries out its enforcement responsibilities by conducting routine investigations to ensure compliance. If a breach is detected, they may issue orders to cease the violation and initiate legal proceedings if necessary.
Non-compliance with the WDPA can result in serious repercussions. Companies failing to adhere to the guidelines can face heavy fines, with penalties determined based on the severity of the breach and the number of individuals affected. In addition to monetary penalties, non-compliant entities may also be subject to legal actions, such as injunctions or business prohibition orders.
While it is the responsibility of all entities that process personal data to comply with the WDPA, stringent enforcement is critical to ensuring the rights of individuals are protected and to maintain trust in data-driven services and technologies.
Challenges to the WDPA
The WDPA demands strict control and confidentiality of customer data, however, it’s implementation faces various challenges.
One significant challenge for businesses is the cost and time dedicated to ensuring compliance. Companies, for example, are compelled to invest in data protection systems to revise their databases, modify their procedures, and train their employees to ensure compliance with the WDPA. This is a significant burden, especially for small businesses and startups that may not have the necessary resources. These businesses argue that these requirements are too stringent and may hinder their growth and innovation.
Another challenge is the legal complexities surrounding the WDPA. Some critics argue that the language of the Act is complex to navigate, leading to potential misinterpretation and noncompliance. The lack of clarity on what exactly constitutes as private data can cause confusion and, in some cases, litigation.
Consumer rights advocates also pose a challenge to the WDPA. While they support the Act’s goal of protecting consumer privacy, they argue it falls short in providing consumers with the right to sue companies that violate their privacy. They believe the Act should place more power in the hands of consumers to control their data.
In all, while the WDPA has been designed to protect consumer data, it faces significant opposition from businesses and consumer rights advocates. Its successful implementation would need to balance these diverse interests. This is a delicate balance to strike, recognizing the necessity of data protection and privacy, yet acknowledging the constraints and challenges that businesses face.
Kiteworks Helps Organizations Comply with the WDPA
The Wisconsin Data Privacy Act (WDPA) serves as a crucial legal framework protecting consumers and businesses in Wisconsin against the threat of data breaches and ensuring the ethical use of data. Since its inception, the Act has shown adaptability and relevance, evolving with the changing technological landscape.
The benefits to businesses and consumers alike make it a significant piece of legislation. However, the WDPA also faces challenges, especially with the rapid advancement in technology and changing political influences. Moving forward, it is crucial for the WDPA to stay adaptable and resilient. In doing so, it can continue to contribute towards a safer and more secure digital environment for all.
The Kiteworks Private Content Network, a FIPS 140-2 Level validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP and managed file transfer, so organizations control, protect, and track every file as it enters and exits the organization.
Kiteworks allows organizations to control who can access sensitive information, with whom they can share it, and how third parties can interact with (and for how long) the sensitive content they receive. Together, these advanced DRM capabilities mitigate the risk of unauthorized access and data breaches.
These access controls, as well as Kiteworks’ enterprise-grade secure transmission encryption features also enable organizations to comply with strict data sovereigntyrequirements.
In addition, Kiteworks customers manage their own encryption keys. As a result, Kiteworks does not have access to any customer data, ensuring the privacy and security of the customer’s information. By contrast, other services such as Microsoft Office 365 that manage or co-manage a customer’s encryption keys, can (and will) surrender a customer’s data in response to government subpoenas and warrants. With Kiteworks, the customer has complete control over their data and encryption keys, ensuring a high level of privacy and security.
Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how. Finally demonstrate compliance with regulations and standards like GDPR, ANSSI, HIPAA, CMMC, Cyber Essentials Plus, IRAP, DPA, and many more.
To learn more about Kiteworks, schedule a custom demo today.