Wisconsin Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Wisconsin currently lacks a comprehensive consumer data privacy law like those enacted in California, Colorado, or Iowa. Instead, the state protects personal data through several targeted statutes that address specific privacy concerns. The most significant is the data breach notification law under Wis. Stat. 134.98, which has been in effect since 2006.
This guide covers every major Wisconsin data privacy statute, the pending comprehensive privacy legislation, federal protections that apply to Wisconsin residents, and practical steps you can take to protect your personal information.
Wisconsin Data Breach Notification Law (Wis. Stat. 134.98)
The cornerstone of Wisconsin's data privacy framework is the Notice of Unauthorized Acquisition of Personal Information statute. Enacted in 2006, this law requires businesses and organizations to notify individuals when their personal information has been compromised.

Who Must Comply
The law applies to any "entity," defined as a person other than an individual that meets any of these criteria:
- Conducts business in Wisconsin and maintains personal information in the ordinary course of business
- Licenses personal information in Wisconsin
- Maintains a depository account for a Wisconsin resident
- Lends money to a Wisconsin resident
This broad definition covers corporations, LLCs, partnerships, nonprofits, government agencies, and any other organization that handles personal data of Wisconsin residents.
What Qualifies as Personal Information
Under Wis. Stat. 134.98(1)(b), "personal information" means an individual's last name combined with their first name or first initial, linked to any of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, including credit or debit card numbers
- Any security code, access code, or password that would permit access to a financial account
- DNA profile, as defined in Wis. Stat. 939.74(2d)(a)
- Unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation
The definition does not include information that is publicly available from federal, state, or local government records.
Notification Timeline and Requirements
When an entity discovers that personal information has been acquired by an unauthorized person, it must provide notice within a reasonable time, not to exceed 45 days after learning of the breach. This places Wisconsin among the states with the strictest notification deadlines.
What counts as "reasonable" depends on:
- The number of notices the entity must send
- The methods of communication available to the entity
- Whether a law enforcement investigation requires a delay
Methods of Notification
Entities may provide notice through:
- Mail sent to the last known address of the affected individual
- A method previously used to communicate with the individual (such as email)
- Substitute notice if the entity cannot determine a mailing address and has not previously communicated with the individual, using a method reasonably calculated to provide actual notice
Consumer Reporting Agency Notification
If a single breach affects 1,000 or more individuals, the entity must also notify all nationwide consumer reporting agencies without unreasonable delay. This allows the credit bureaus to monitor for identity theft activity linked to the breach.
Law Enforcement Exception
A law enforcement agency may request that an entity delay notification if doing so is necessary to protect an investigation or homeland security. The entity must comply with such a request and provide notification after the law enforcement agency determines that the delay is no longer necessary.
Exemptions from the Law
Two significant categories of entities are exempt from Wis. Stat. 134.98:
- Financial institutions subject to and compliant with federal disclosure laws for nonpublic personal information (such as the Gramm-Leach-Bliley Act), and persons with contractual obligations to such institutions that maintain breach policies
- HIPAA-covered entities, including health plans, healthcare clearinghouses, and healthcare providers that comply with federal health information security and privacy laws
These entities follow their respective federal notification frameworks instead.
Penalties and Enforcement
Wisconsin's breach notification law takes a notable approach to enforcement. Under Wis. Stat. 134.98(3), failure to comply is not automatically considered negligence or a breach of any duty. However, a violation may be used as evidence of negligence or a breach of a legal duty in civil litigation.
The Wisconsin Attorney General has enforcement authority and can pursue civil penalties against entities that fail to provide proper notification.
Wisconsin Record Disposal Law (Wis. Stat. 134.97)
Wisconsin's record disposal statute complements the breach notification law by regulating how businesses destroy records containing personal information.
Who Must Comply
The disposal requirements apply specifically to:
- Financial institutions
- Medical businesses
- Tax preparation businesses
These entities may not dispose of records containing personal information unless they take appropriate destruction measures.
Required Disposal Methods
Before disposing of records containing personal information, covered businesses must:
- Shred the physical record
- Erase personal information from the record
- Modify the record to make personal information unreadable
- Take other actions the record holder reasonably believes will prevent unauthorized access to the personal information
Penalties
A business that improperly disposes of records containing personal information faces:
- A forfeiture of up to $1,000 per violation
- Civil liability for actual damages to individuals whose personal information was improperly disposed of
Wisconsin Right to Privacy (Wis. Stat. 995.50)
Wisconsin recognizes a statutory right to privacy under Wis. Stat. 995.50. While not specifically a data privacy law, this statute provides a legal framework for privacy claims that can intersect with data protection issues.
Types of Privacy Violations
The statute recognizes four categories of invasion of privacy:
- Intrusion upon seclusion into private affairs that would be highly offensive to a reasonable person
- Public disclosure of private facts that would be highly offensive to a reasonable person
- Publicity that places a person in a false light before the public
- Appropriation of a person's name or likeness for commercial advantage
Limitations
Several important limitations apply to privacy claims under this statute:
- The matter must involve intentional disclosure by the defendant
- A defendant is not liable for information stolen by a third party
- There is a public interest exception: when legitimate public interest is involved, no cause of action for invasion of privacy exists
- The intrusion or disclosure must be highly offensive to a reasonable person of ordinary sensibilities
Identity Theft Protection (Wis. Stat. 100.54 and 100.545)
Wisconsin provides residents with tools to combat identity theft through its security freeze statutes.
Security Freeze Rights
Any Wisconsin resident can place a security freeze on their credit report, which prevents consumer reporting agencies from releasing the report to potential creditors without the resident's consent. Key provisions include:
- Identity theft victims with a police report can place a freeze at no cost
- Other consumers may be charged up to $10 to place a security freeze
- Consumer reporting agencies may charge up to $10 to temporarily lift ("thaw") a freeze
- Agencies must place a freeze within 30 days of receiving a valid request
Security Freeze for Minors
Under Wis. Stat. 100.545, parents and guardians can also place security freezes on credit reports for protected consumers, including minors, to prevent identity thieves from opening accounts in a child's name.
The Wisconsin Department of Agriculture, Trade and Consumer Protection (DATCP) provides resources and assistance to identity theft victims, helping them restore their identity and credit standing.
Student Data Privacy in Wisconsin
Student data in Wisconsin receives protection under both federal and state law. Wisconsin schools must comply with whichever statute provides the most restrictive protection in any given situation.
Federal Protection: FERPA
The Family Educational Rights and Privacy Act (FERPA) is the foundational federal law protecting student education records. It applies to all schools receiving funds from the U.S. Department of Education and grants parents the right to:
- Inspect and review their child's education records
- Request corrections to records they believe are inaccurate
- Consent before the school discloses personally identifiable information from education records (with certain exceptions)
When students turn 18 or enter postsecondary education, these rights transfer to the student.
Wisconsin Pupil Records Law (Wis. Stat. 118.125)
The Wisconsin Pupil Records Law applies specifically to public K-12 schools and provides protections that in some cases go beyond FERPA.
Categories of Student Records
Wisconsin law divides pupil records into three categories, each with different access rules:
Progress Records include:
- Grades and course history
- Attendance records
- Immunization and lead screening records
- Extracurricular activity records
Behavioral Records include:
- Psychological tests and personality evaluations
- Records of conversations about specific student behavior
- Achievement and ability tests
- Any pupil records not classified as progress records
Directory Data includes:
- Name, address, and telephone number
- Date and place of birth
- Participation in officially recognized activities and sports
- Dates of attendance and awards received
Key Protections
Under Wis. Stat. 118.125(2), all pupil records maintained by a public school are confidential. School boards must adopt policies to maintain confidentiality. Specific protections include:
- Parents have the right to review and receive copies of their child's records
- Behavioral records are subject to stricter access controls than progress records
- Schools must comply with the most restrictive applicable statute when state and federal laws differ
- Records are protected regardless of format, whether written, printed, spoken, visual, or electromagnetic
Wisconsin Student Data Privacy Resources
The Wisconsin Department of Public Instruction provides training, resources, and guidance to schools on student data privacy compliance. DPI maintains a student data privacy program that helps districts understand both federal and state requirements.
Wisconsin also participates in a longitudinal data system authorized by state law, allowing DPI, the University of Wisconsin System, the Technical College System, and the Wisconsin Association of Independent Colleges and Universities to study education programs. Written agreements governing data use and privacy must be in place before any data sharing occurs.
Health Data Privacy Protections
Wisconsin residents' health information receives protection through both federal and state law.
Federal HIPAA Protections
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting health information. The Wisconsin Department of Health Services oversees state compliance and provides guidance on health data privacy.
Under HIPAA, health information cannot be used or shared without written permission unless the law specifically allows it. Wisconsin residents have the right to:
- Access their health information
- Correct or amend inaccurate health information
- File complaints about privacy violations
Wisconsin Medical Records Statutes
Wisconsin provides additional health privacy protections through several state statutes:
- Wis. Stat. 146.82 governs confidentiality of patient health care records
- Wis. Stat. 146.83 establishes patient access rights to their own medical records
- Wis. Stat. 51.30 provides heightened protections for mental health, developmental disabilities, and substance abuse treatment records
When state and federal health privacy laws conflict, the rule providing the most protection to the patient applies.
Pending Comprehensive Privacy Legislation (AB 172 / SB 166)
Wisconsin has been working toward a comprehensive consumer data privacy law. The most recent effort is Assembly Bill 172 and its companion Senate Bill 166, introduced during the 2025-2026 legislative session.
Background
This is not Wisconsin's first attempt at comprehensive data privacy legislation. A previous bill, Assembly Bill 466, passed the Assembly on November 14, 2023, but failed to advance in the Senate. The current bills represent a renewed push based partly on recommendations from the DATCP Data Privacy and Security Advisory Committee.
Key Provisions of AB 172 / SB 166
If enacted, the proposed Wisconsin Data Privacy Act would:
Apply to businesses that:
- Control or process the personal data of at least 100,000 Wisconsin consumers, OR
- Control or process data of at least 25,000 consumers and derive revenue from selling personal data
Grant consumers the right to:
- Know what personally identifiable information a business holds about them
- Learn how widely their data has been shared or sold
- Opt out of the sale of their personal data
- Opt out of targeted advertising based on their data
- Request deletion of their personal data
Require businesses to:
- Recognize opt-out preference signals (such as Global Privacy Control)
- Conduct regular data protection assessments for high-risk processing activities
- Implement safeguards for sensitive data, including data from children
- Establish contracts with data processors that include specific privacy requirements
Enforcement and Penalties
The proposed legislation would give enforcement authority to both DATCP and the Wisconsin Department of Justice:
- Violations would carry penalties of up to $10,000 per violation
- Agencies could recover reasonable investigation and litigation expenses
- A 30-day cure period would apply through July 1, 2031, requiring regulators to provide written notice before bringing enforcement actions
- There would be no private right of action, meaning only state agencies can enforce the law
Preemption
The bills would prohibit cities, villages, towns, and counties from enacting or enforcing local ordinances that regulate the collection, processing, or sale of personal data.
Current Status
AB 172 was referred to the Assembly Committee on Rules in January 2026, and SB 166 was referred to the Senate Committee on Licensing, Regulatory Reform, State and Federal Affairs. As of March 2026, neither bill has been enacted into law.
Federal Privacy Framework Applicable in Wisconsin
Because Wisconsin lacks comprehensive state privacy legislation, several federal laws provide important baseline protections for Wisconsin residents.
Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Wisconsin financial institutions that comply with GLBA are exempt from the state breach notification law.
Fair Credit Reporting Act (FCRA)
Regulates how consumer reporting agencies collect, access, use, and distribute credit information. Wisconsin's security freeze statutes under Wis. Stat. 100.54 and 100.545 complement FCRA protections.
Children's Online Privacy Protection Act (COPPA)
Protects the online privacy of children under 13 by requiring parental consent before collecting personal information from children. This applies to websites and online services directed at children or that knowingly collect data from children.
Health Insurance Portability and Accountability Act (HIPAA)
As discussed above, HIPAA protects health information nationally. HIPAA-compliant entities in Wisconsin are exempt from the state's data breach notification requirements.
Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student education records at institutions receiving federal funding. Wisconsin's Pupil Records Law builds on FERPA with additional state-level protections.
How to Protect Your Data Privacy in Wisconsin
Given Wisconsin's patchwork privacy framework, residents should take proactive steps to protect their personal information.
If You Receive a Breach Notification
- Read the notification carefully to understand what data was compromised
- Place a security freeze on your credit reports through all three major bureaus
- Monitor financial statements and credit reports for suspicious activity
- File a complaint with DATCP if you believe a business failed to provide proper notification
- Consider filing an identity theft report with local law enforcement if sensitive data was compromised
Everyday Privacy Steps
- Review privacy policies before sharing personal information with businesses
- Use strong, unique passwords and enable two-factor authentication
- Regularly check your credit reports through AnnualCreditReport.com
- Limit the personal information you share on social media
- Opt out of data broker listings when possible
This article provides general legal information about Wisconsin data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Wisconsin for advice about your specific situation.
Sources and References
- Wis. Stat. 134.98: Notice of Unauthorized Acquisition of Personal Information (docs.legis.wisconsin.gov)
- Wis. Stat. 134.98(3m): 45-Day Notification Timeline (docs.legis.wisconsin.gov)
- Wis. Stat. 134.98(4): Consumer Reporting Agency Notification (1,000+ Records) (docs.legis.wisconsin.gov)
- Wis. Stat. 134.97: Disposal of Records Containing Personal Information (docs.legis.wisconsin.gov)
- Wis. Stat. 995.50: Right of Privacy (docs.legis.wisconsin.gov)
- Wis. Stat. 100.545: Security Freeze for Protected Consumers (docs.legis.wisconsin.gov)
- Wis. Stat. 118.125: Pupil Records (Student Data Privacy) (docs.legis.wisconsin.gov)
- Wisconsin DPI: FERPA Guidance (dpi.wi.gov)
- Wisconsin DPI: Student Data Privacy Overview (dpi.wi.gov)
- Wisconsin DHS: HIPAA Overview (dhs.wisconsin.gov)
- Wisconsin DHS: Health IT Privacy and Security (dhs.wisconsin.gov)
- DATCP: Identity Theft and Privacy Protection (datcp.wi.gov)
- DATCP: Wisconsin Privacy Laws (General Privacy) (datcp.wi.gov)
- Wisconsin Assembly Bill 172 (2025-2026): Consumer Data Protection (docs.legis.wisconsin.gov)
- Wisconsin Senate Bill 166 (2025-2026): Consumer Data Protection (docs.legis.wisconsin.gov)
- Wisconsin Legislative Council: Privacy Briefing Book Chapter (docs.legis.wisconsin.gov)
- DATCP: Data Privacy and Security Advisory Committee Findings (datcp.wi.gov)
- Wisconsin Legislative Council: Records Containing Personal Information Issue Brief (docs.legis.wisconsin.gov)
- Wisconsin Legislative Council: Confidentiality of Student Records Issue Brief (2025) (docs.legis.wisconsin.gov)