Bill > AB172

Introduced Session

This bill establishes requirements for controllers and processors of the personal data of consumers. The bill defines a XcontrollerY as a person that, alone or jointly with others, determines the purpose and means of processing personal data, and the bill applies to controllers that control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. Under the bill, Xpersonal dataY means any information that is linked or reasonably linkable to an individual except for publicly available information. The bill provides consumers with the following rights regarding their personal data: 1) to confirm whether a controller is processing the consumer[s personal data and to access the personal data; 2) to correct inaccuracies in the consumer[s personal data; 3) to require a controller to delete personal data provided by or about the consumer; 4) to obtain a copy of the personal data that the consumer previously provided to the controller; and 5) to opt out of the processing of the consumer[s personal data for targeted advertising; the sale of the consumer[s personal data; and certain forms of automated processing of the consumer[s personal data. These rights are subject to certain exceptions specified in the bill. Controllers may not discriminate against a consumer for exercising rights under the bill, including by charging different prices for goods or providing a different level of quality of goods or services. A controller must establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under the bill. Such means must include a clear and conspicuous link on the controller[s website to a webpage that enables a consumer or an agent of a consumer to opt out of the targeted advertising or sale of the consumer[s personal data and, on or after July 1, 2028, an opt-out preference signal sent, with a consumer[s intent, by a platform, technology, or mechanism to the controller indicating the consumer[s intent to opt out of any processing of the consumer[s personal data for the purpose of targeted advertising or sale of the consumer[s personal data. The bill requires controllers to respond to consumers[ requests to invoke rights under the bill without undue delay. If a controller declines to take action regarding a consumer[s request, the controller must inform the consumer of its justification without undue delay. The bill also requires that information provided in response to a consumer[s request be provided free of charge once annually per consumer. Controllers must also establish processes for consumers to appeal a refusal to take action on a consumer[s request. Within 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the Department of Agriculture, Trade and Consumer Protection to submit a complaint. Under the bill, a controller must provide consumers with a privacy notice that discloses the categories of personal data processed by the controller; the purpose of processing the personal data; the categories of third parties, if any, with whom the controller shares personal data; the categories of personal data that the controller shares with third parties; and information about how consumers may exercise their rights under the bill. Controllers may not collect or process personal data for purposes that are not relevant to or reasonably necessary for the purposes disclosed in the privacy notice. The bill[s requirements do not restrict a controller[s ability to collect, use, or retain data for conducting internal research, effectuating a product recall, identifying and repairing technical errors, or performing internal operations that are reasonably aligned with consumer expectations or reasonably anticipated on the basis of a consumer[s relationship with the controller. Persons that process personal data on behalf of a controller must adhere to a contract between the controller and the processor, and such contracts must satisfy certain requirements specified in the bill. The bill also requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill. DATCP may request that a controller disclose a data protection assessment that is relevant to an investigation being conducted by DATCP. DATCP and the Department of Justice have exclusive authority to enforce violations of the bill[s requirements. A controller or processor that violates the bill[s requirements is subject to a forfeiture of up to $10,000 per violation, and DATCP or DOJ may recover reasonable investigation and litigation expenses incurred. During the time between the bill[s effective date and July 1, 2031, before bringing an action to enforce the bill[s requirements, DATCP or DOJ must first provide a controller or processor with a written notice identifying the violations. If within 30 days of receiving the notice the controller or processor cures the violation and provides DATCP or DOJ with an express written statement that the violation is cured and that no such further violations will occur, then DATCP or DOJ may not bring an action against the controller or processor. The bill also prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data. For further information see the state fiscal estimate, which will be printed as an appendix to this bill.

AI Summary

Committee Categories

Scott Allen (R)*,  David Armstrong (R)*,  Elijah Behnke (R)*,  Barbara Dittrich (R)*,  Cindi Duchow (R)*,  Joy Goeben (R)*,  Nate Gustafson (R)*,  Dan Knodl (R)*,  Rob Kreibich (R)*,  Scott Krug (R)*,  Anthony Kurtz (R)*,  Dave Maxey (R)*,  Paul Melotik (R)*,  Clint Moses (R)*,  Dave Murphy (R)*,  Jeff Mursau (R)*,  Amanda Nedweski (R)*,  Jerry O'Connor (R)*,  William Penterman (R)*,  Jim Piwowarczyk (R)*,  Treig Pronschinske (R)*,  Pat Snyder (R)*,  Shae Sortwell (R)*,  David Steffen (R)*,  Paul Tittl (R)*,  Ron Tusler (R)*,  Robert Wittke (R)*,  Shannon Zimmerman (R)*,  Howard Marklein (R),  Steve Nass (R),  Romaine Quinn (R),  Kelda Roys (D), 

Referred to committee on Rules (on 01/30/2026)

Official Document