Wisconsin Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Wisconsin does not have a comprehensive consumer data privacy law as of May 2026. The state protects personal data through targeted statutes: the data breach notification law (Wis. Stat. 134.98), the record disposal law (Wis. Stat. 134.97), the wiretap and recording consent statute (Wis. Stat. 968.31), and computer crimes law (Wis. Stat. 943.70). Federal law -- HIPAA, GLBA, FCRA, COPPA, FTC Act Section 5, and the TAKE IT DOWN Act -- fills important gaps.

Wisconsin currently lacks a comprehensive consumer data privacy law like those in California, Colorado, or Iowa. The state protects personal data through several targeted statutes addressing specific privacy concerns. The cornerstone is the data breach notification law under Wis. Stat. 134.98, in effect since 2006.

This guide covers every major Wisconsin data privacy statute, the wiretap and computer crimes laws, the pending comprehensive legislation, federal protections that apply to Wisconsin residents, and practical steps you can take to protect your personal information.

Wisconsin Data Breach Notification Law (Wis. Stat. 134.98)

The Notice of Unauthorized Acquisition of Personal Information statute has been the cornerstone of Wisconsin's data privacy framework since 2006. It requires businesses and organizations to notify individuals when their personal information has been compromised.

Who Must Comply

The law applies to any "entity," defined as a person other than an individual that meets any of these criteria:

• Conducts business in Wisconsin and maintains personal information in the ordinary course of business
• Licenses personal information in Wisconsin
• Maintains a depository account for a Wisconsin resident
• Lends money to a Wisconsin resident

This broad definition covers corporations, LLCs, partnerships, nonprofits, government agencies, and any other organization that handles personal data of Wisconsin residents.

What Qualifies as Personal Information

Under Wis. Stat. 134.98(1)(b), "personal information" means an individual's last name combined with their first name or first initial, linked to any of the following data elements:

• Social Security number
• Driver's license number or state identification card number
• Financial account number, including credit or debit card numbers
• Any security code, access code, or password that would permit access to a financial account
• DNA profile, as defined in Wis. Stat. 939.74(2d)(a)
• Unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation

The definition does not include information that is publicly available from federal, state, or local government records.

Notification Timeline and Requirements

When an entity discovers that personal information has been acquired by an unauthorized person, it must provide notice within a reasonable time, not to exceed 45 days after learning of the breach. This places Wisconsin among the states with the strictest notification deadlines.

What counts as "reasonable" depends on:

• The number of notices the entity must send
• The methods of communication available to the entity
• Whether a law enforcement investigation requires a delay

Methods of Notification

Entities may provide notice through:

• Mail sent to the last known address of the affected individual
• A method previously used to communicate with the individual (such as email)
• Substitute notice if the entity cannot determine a mailing address and has not previously communicated with the individual, using a method reasonably calculated to provide actual notice

Consumer Reporting Agency Notification

If a single breach affects 1,000 or more individuals, the entity must also notify all nationwide consumer reporting agencies without unreasonable delay. This allows the credit bureaus to monitor for identity theft activity linked to the breach.

Law Enforcement Exception

A law enforcement agency may request that an entity delay notification if doing so is necessary to protect an investigation or homeland security. The entity must comply and provide notification after the law enforcement agency determines the delay is no longer necessary.

Exemptions from the Law

Two significant categories of entities are exempt from Wis. Stat. 134.98:

• Financial institutions subject to and compliant with federal disclosure laws for nonpublic personal information (such as the Gramm-Leach-Bliley Act), and persons with contractual obligations to such institutions that maintain breach policies
• HIPAA-covered entities, including health plans, healthcare clearinghouses, and healthcare providers that comply with federal health information security and privacy laws

These entities follow their respective federal notification frameworks instead.

Penalties and Enforcement

Under Wis. Stat. 134.98(3), failure to comply is not automatically considered negligence or a breach of any duty. However, a violation may be used as evidence of negligence or a breach of a legal duty in civil litigation.

The Wisconsin Attorney General and DATCP share enforcement authority. In 2024, DATCP handled 11,374 written consumer complaints and returned over $23 million to Wisconsin consumers through mediations, enforcement actions, and settlements. DATCP received 618 identity theft complaints in 2024, with online account takeovers as the top issue. Consumers who believe a business failed to provide proper notification can file a complaint directly with DATCP.

Wisconsin Record Disposal Law (Wis. Stat. 134.97)

Wisconsin's record disposal statute complements the breach notification law by regulating how businesses destroy records containing personal information.

Who Must Comply

The disposal requirements apply specifically to:

• Financial institutions
• Medical businesses
• Tax preparation businesses

These entities may not dispose of records containing personal information unless they take appropriate destruction measures.

Required Disposal Methods

Before disposing of records containing personal information, covered businesses must:

• Shred the physical record
• Erase personal information from the record
• Modify the record to make personal information unreadable
• Take other actions the record holder reasonably believes will prevent unauthorized access to the personal information

Penalties

A business that improperly disposes of records containing personal information faces:

• A forfeiture of up to $1,000 per violation
• Civil liability for actual damages to individuals whose personal information was improperly disposed of

Wisconsin Wiretap and Computer Crimes Laws

Wisconsin has two statutes that directly regulate electronic surveillance and unauthorized data access. Both are relevant to any business or individual handling digital communications or computer systems in Wisconsin.

One-Party Consent Recording (Wis. Stat. 968.31)

Wisconsin is a one-party consent state under Wis. Stat. 968.31, the state's wiretap statute. Any person who is a party to a wire, electronic, or oral communication, or who has obtained prior consent from at least one party to the communication, may legally record and divulge the contents of that communication. The only exception: the recording cannot be for the purpose of committing a criminal or tortious act.

In practice, this means:

• A Wisconsin resident can record a phone call they are a participant in without informing the other party
• No verbal notice, beep tone, or written agreement is required
• The recorder must be an active participant in the conversation, not a third party secretly intercepting it

Criminal penalty: Intentionally intercepting or attempting to intercept wire, electronic, or oral communications without satisfying the one-party consent requirement is a Class H felony under Wisconsin law, carrying a maximum of 6 years in prison and a fine up to $10,000.

Civil remedies: Under Wis. Stat. 968.31(2m), any person whose communication is intercepted, disclosed, or used in violation of the wiretapping statutes may sue for actual damages (not less than $100 per day for each day of violation, or $1,000, whichever is higher), punitive damages for willful or egregious violations, and reasonable attorney fees and other litigation costs.

For a full discussion of Wisconsin's recording consent rules, see Wisconsin Recording Laws.

Computer Crimes (Wis. Stat. 943.70)

Wis. Stat. 943.70 is Wisconsin's computer crimes statute. It prohibits unauthorized access to computers and computer systems and covers a range of offenses that directly intersect with data privacy:

• Accessing computer systems or data without authorization
• Disclosing restricted access codes or other restricted access information to unauthorized persons
• Damaging, altering, or destroying computer data or programs
• Introducing a computer contaminant (malware or virus) into a computer system

Penalty structure:

Wis. Stat. 943.70 operates alongside the federal Computer Fraud and Abuse Act (18 U.S.C. 1030) for larger-scale unauthorized access cases involving interstate computer networks.

Wisconsin Right to Privacy (Wis. Stat. 995.50)

Wisconsin recognizes a statutory right to privacy under Wis. Stat. 995.50. While not specifically a data privacy law, this statute provides a legal framework for privacy claims that can intersect with data protection issues.

Types of Privacy Violations

The statute recognizes four categories of invasion of privacy:

• Intrusion upon seclusion into private affairs that would be highly offensive to a reasonable person
• Public disclosure of private facts that would be highly offensive to a reasonable person
• Publicity that places a person in a false light before the public
• Appropriation of a person's name or likeness for commercial advantage

Limitations

Several important limitations apply to privacy claims under this statute:

• The matter must involve intentional disclosure by the defendant
• A defendant is not liable for information stolen by a third party
• There is a public interest exception: when legitimate public interest is involved, no cause of action for invasion of privacy exists
• The intrusion or disclosure must be highly offensive to a reasonable person of ordinary sensibilities

Identity Theft Protection (Wis. Stat. 100.54 and 100.545)

Wisconsin provides residents with tools to combat identity theft through its security freeze statutes.

Security Freeze Rights

Any Wisconsin resident can place a security freeze on their credit report, which prevents consumer reporting agencies from releasing the report to potential creditors without the resident's consent.

Wisconsin's own statute (Wis. Stat. 100.54) historically permitted CRAs to charge up to $10 to place, lift, or remove a security freeze. That fee provision is now largely superseded by federal law: under the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018, the three major nationwide consumer reporting agencies -- Equifax, Experian, and TransUnion -- must provide security freezes free of charge to all consumers, effective September 21, 2018. For identity theft victims who have a police report, security freezes have been free at all CRAs under Wisconsin law as well.

Additional protections under Wisconsin's framework:

• Agencies must place a freeze within 30 days of receiving a valid request under state law (federal law requires placement within one business day for online or phone requests)
• Temporary lifts ("thaws") for specified creditors or time periods remain available

Security Freeze for Minors

Under Wis. Stat. 100.545, parents and guardians can also place security freezes on credit reports for protected consumers, including minors, to prevent identity thieves from opening accounts in a child's name.

The Wisconsin Department of Agriculture, Trade and Consumer Protection (DATCP) provides resources and assistance to identity theft victims, helping them restore their identity and credit standing.

Student Data Privacy in Wisconsin

Student data in Wisconsin receives protection under both federal and state law. Wisconsin schools must comply with whichever statute provides the most restrictive protection in any given situation.

Federal Protection: FERPA

The Family Educational Rights and Privacy Act (FERPA) is the foundational federal law protecting student education records. It applies to all schools receiving funds from the U.S. Department of Education and grants parents the right to:

• Inspect and review their child's education records
• Request corrections to records they believe are inaccurate
• Consent before the school discloses personally identifiable information from education records (with certain exceptions)

When students turn 18 or enter postsecondary education, these rights transfer to the student.

Wisconsin Pupil Records Law (Wis. Stat. 118.125)

The Wisconsin Pupil Records Law applies specifically to public K-12 schools and provides protections that in some cases go beyond FERPA.

Categories of Student Records

Wisconsin law divides pupil records into three categories, each with different access rules:

Progress Records include:

• Grades and course history
• Attendance records
• Immunization and lead screening records
• Extracurricular activity records

Behavioral Records include:

• Psychological tests and personality evaluations
• Records of conversations about specific student behavior
• Achievement and ability tests
• Any pupil records not classified as progress records

Directory Data includes:

• Name, address, and telephone number
• Date and place of birth
• Participation in officially recognized activities and sports
• Dates of attendance and awards received

Key Protections

Under Wis. Stat. 118.125(2), all pupil records maintained by a public school are confidential. School boards must adopt policies to maintain confidentiality. Specific protections include:

• Parents have the right to review and receive copies of their child's records
• Behavioral records are subject to stricter access controls than progress records
• Schools must comply with the most restrictive applicable statute when state and federal laws differ
• Records are protected regardless of format, whether written, printed, spoken, visual, or electromagnetic

Wisconsin Student Data Privacy Resources

The Wisconsin Department of Public Instruction provides training, resources, and guidance to schools on student data privacy compliance. DPI maintains a student data privacy program that helps districts understand both federal and state requirements.

Health Data Privacy Protections

Wisconsin residents' health information receives protection through both federal and state law.

Federal HIPAA Protections

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting health information. The Wisconsin Department of Health Services oversees state compliance and provides guidance on health data privacy.

Under HIPAA, health information cannot be used or shared without written permission unless the law specifically allows it. Wisconsin residents have the right to:

• Access their health information
• Correct or amend inaccurate health information
• File complaints about privacy violations

Wisconsin Medical Records Statutes

Wisconsin provides additional health privacy protections through several state statutes:

• Wis. Stat. 146.82 governs confidentiality of patient health care records
• Wis. Stat. 146.83 establishes patient access rights to their own medical records
• Wis. Stat. 51.30 provides heightened protections for mental health, developmental disabilities, and substance abuse treatment records

When state and federal health privacy laws conflict, the rule providing the most protection to the patient applies.

Pending Comprehensive Privacy Legislation (AB 172 / SB 166)

Wisconsin has been working toward a comprehensive consumer data privacy law for several years. The most recent effort is Assembly Bill 172 and its companion Senate Bill 166, introduced during the 2025-2026 legislative session.

Background

This is not Wisconsin's first attempt at comprehensive data privacy legislation. A previous bill, Assembly Bill 466, passed the Assembly on November 14, 2023, but failed to advance in the Senate. The current bills represent a renewed push based partly on recommendations from the DATCP Data Privacy and Security Advisory Committee.

Key Provisions of AB 172 / SB 166

If enacted, the proposed Wisconsin Data Privacy Act would:

Apply to businesses that:

• Control or process the personal data of at least 100,000 Wisconsin consumers, OR
• Control or process data of at least 25,000 consumers and derive revenue from selling personal data

Grant consumers the right to:

• Know what personally identifiable information a business holds about them
• Learn how widely their data has been shared or sold
• Opt out of the sale of their personal data
• Opt out of targeted advertising based on their data
• Request deletion of their personal data

Require businesses to:

• Recognize opt-out preference signals (such as Global Privacy Control)
• Conduct regular data protection assessments for high-risk processing activities
• Implement safeguards for sensitive data, including data from children
• Establish contracts with data processors that include specific privacy requirements

Enforcement and Penalties

The proposed legislation would give enforcement authority to both DATCP and the Wisconsin Department of Justice:

• Violations would carry penalties of up to $10,000 per violation
• Agencies could recover reasonable investigation and litigation expenses
• A 30-day cure period would apply through July 1, 2031, requiring regulators to provide written notice before bringing enforcement actions
• There would be no private right of action, meaning only state agencies can enforce the law

Preemption

The bills would prohibit cities, villages, towns, and counties from enacting or enforcing local ordinances that regulate the collection, processing, or sale of personal data.

Current Status (May 2026)

AB 172 passed the Assembly State Affairs Committee by a unanimous 10-0 vote in late January 2026 and was referred to the Assembly Committee on Rules on January 30, 2026. SB 166 received a Senate Licensing Committee hearing in January 2026, but as of May 2026 no committee vote has been scheduled in the Senate. The 2025-2026 Wisconsin legislative session runs through June 2026. Neither bill has been enacted into law as of May 2026.

Federal Privacy Framework Applicable in Wisconsin

Because Wisconsin lacks comprehensive state privacy legislation, several federal laws provide important baseline protections for Wisconsin residents.

TAKE IT DOWN Act (Pub. L. 119-12)

The TAKE IT DOWN Act, signed into law on May 19, 2025, is the most significant federal privacy development since Wisconsin's last page review. The law:

• Criminalizes the publication of nonconsensual intimate visual depictions (NCII), including AI-generated deepfakes
• Requires covered platforms -- websites, online services, apps, and mobile applications that primarily host user-generated content -- to establish a notice-and-removal process
• Mandates removal of NCII within 48 hours of receiving a valid notice from the victim
• Gives the FTC enforcement authority over the platform takedown requirements

Compliance deadline: Platform takedown obligations took effect on May 19, 2026. FTC Chairman Andrew Ferguson sent letters to major online platforms in early 2026 highlighting their obligations under this law. Wisconsin residents who are victims of nonconsensual intimate imagery can submit a removal notice directly to covered platforms under this federal process.

FTC Act Section 5

The FTC Act's prohibition on unfair or deceptive practices (15 U.S.C. 45) serves as a general consumer-protection backstop for data privacy. The FTC has used Section 5 to pursue companies that make false privacy promises in their policies, fail to implement reasonable data security, or engage in unauthorized data sharing. Because Wisconsin lacks a comprehensive state law, FTC Section 5 is particularly significant for Wisconsin residents seeking federal accountability for privacy violations.

Gramm-Leach-Bliley Act (GLBA)

Requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Wisconsin financial institutions that comply with GLBA are exempt from the state breach notification law.

Fair Credit Reporting Act (FCRA)

Regulates how consumer reporting agencies collect, access, use, and distribute credit information. Wisconsin's security freeze statutes under Wis. Stat. 100.54 and 100.545 complement FCRA protections. The 2018 FCRA amendment making security freezes free at major bureaus is the primary operative rule for most Wisconsin consumers.

Children's Online Privacy Protection Act (COPPA)

Protects the online privacy of children under 13 by requiring parental consent before collecting personal information from children. This applies to websites and online services directed at children or that knowingly collect data from children.

Health Insurance Portability and Accountability Act (HIPAA)

As discussed above, HIPAA protects health information nationally. HIPAA-compliant entities in Wisconsin are exempt from the state's data breach notification requirements.

Family Educational Rights and Privacy Act (FERPA)

Protects the privacy of student education records at institutions receiving federal funding. Wisconsin's Pupil Records Law builds on FERPA with additional state-level protections.

American Privacy Rights Act (APRA)

The American Privacy Rights Act, a proposed comprehensive federal privacy law, was introduced as a bipartisan bill in 2024 but expired without passage at the end of the 118th Congress in January 2025. It had not been reintroduced as of May 2026. Wisconsin residents therefore do not have federal comprehensive privacy rights under APRA.

How to Protect Your Data Privacy in Wisconsin

Given Wisconsin's patchwork privacy framework, residents should take proactive steps to protect their personal information.

If You Receive a Breach Notification

1. Read the notification carefully to understand what data was compromised
2. Place a security freeze on your credit reports through all three major bureaus (now free under federal law)
3. Monitor financial statements and credit reports for suspicious activity
4. File a complaint with DATCP if you believe a business failed to provide proper notification
5. Consider filing an identity theft report with local law enforcement if sensitive data was compromised

If You Are a Victim of Nonconsensual Intimate Images

Under the federal TAKE IT DOWN Act (now in effect):

1. Submit a removal notice directly to the platform hosting the image. Platforms must remove it within 48 hours.
2. If the platform does not comply, file a complaint with the FTC.
3. Wisconsin's general right-to-privacy statute (Wis. Stat. 995.50) may also support a civil claim in appropriate cases.

Everyday Privacy Steps

• Review privacy policies before sharing personal information with businesses
• Use strong, unique passwords and enable two-factor authentication
• Regularly check your credit reports through AnnualCreditReport.com
• Limit the personal information you share on social media
• Opt out of data broker listings when possible
• File consumer complaints with DATCP for privacy-related violations; the agency returned over $23 million to Wisconsin consumers in 2024

More Wisconsin Laws

• Wisconsin AI Meeting Recording Laws
• Wisconsin Alimony Laws
• Wisconsin At-Will Employment Laws
• Wisconsin Car Accident Laws
• Wisconsin Car Seat Laws
• Wisconsin Child Custody Laws
• Wisconsin Child Support Laws
• Wisconsin Common Law Marriage Laws
• Wisconsin Deepfake Laws
• Wisconsin Divorce Laws
• Wisconsin Dog Bite Laws
• Wisconsin Emancipation Laws
• Wisconsin Expungement Laws
• Wisconsin Hit and Run Laws
• Wisconsin Landlord-Tenant Laws
• Wisconsin Lemon Laws

This article provides general legal information about Wisconsin data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Wisconsin for advice about your specific situation.