Wisconsin Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Wisconsin occupies a middle ground in the national biometric privacy landscape. The state does not have a standalone biometric privacy law like Illinois or Texas, but its breach notification statute provides more protection than many states by explicitly covering biometric data and DNA profiles.
What makes Wisconsin noteworthy is the breadth of its breach notification definitions. While states like West Virginia exclude biometric data entirely from breach notification, Wisconsin casts a wider net that includes fingerprints, voiceprints, retina images, and even DNA profiles as separate protected categories.
For a broader overview of privacy protections in the state, see the parent guide to Wisconsin Data Privacy Laws.
How Wisconsin Law Defines Biometric Data

Wisconsin's breach notification statute, Wis. Stat. 134.98, defines personal information to include an individual's unique biometric data. Under Wis. Stat. 134.98(1)(b)4., the covered biometric data types include:
- Fingerprints
- Voiceprints
- Retina or iris images
- Any other unique physical representation
This definition is broad enough to cover emerging biometric technologies such as facial geometry scans, hand geometry measurements, and vein pattern recognition, so long as they qualify as a "unique physical representation."
DNA Profile: A Separate Category
Wisconsin stands out by separately listing an individual's DNA profile as a protected data element under Wis. Stat. 134.98. The DNA profile definition references Wis. Stat. 939.74(2d)(a), which defines it in the context of criminal proceedings.
By covering DNA profiles as their own category alongside biometric data, Wisconsin provides one of the more comprehensive breach notification definitions for biological identifiers in the country.
Breach Notification Requirements
When a breach exposes biometric data or DNA profiles, Wisconsin's notification requirements apply.
Who Must Comply
Any entity whose principal place of business is in Wisconsin, or any entity that maintains or licenses personal information in Wisconsin, must comply with the notification requirements under Wis. Stat. 134.98(2).
What Triggers Notification
A notification obligation arises when an entity knows that personal information in its possession has been acquired by a person whom the entity has not authorized to acquire the information. This applies when the unauthorized acquisition involves biometric data, DNA profiles, or other covered personal information that has not been encrypted, redacted, or otherwise rendered unreadable.
45-Day Notification Timeline
Under Wis. Stat. 134.98(3m), an entity must provide notice within a reasonable time, not to exceed 45 days after the entity learns of the unauthorized acquisition. The determination of what is reasonable considers the number of notices the entity must send and the communication methods available.
This 45-day maximum is stricter than states that use a vague "without unreasonable delay" standard but more lenient than states like Colorado (30 days).
Notification Methods
The entity must provide notice by mail or by a method the entity has previously employed to communicate with the affected individual. If the entity has an email address but has not previously communicated with the individual by email, mail is the default method.
Substitute Notice
If the cost of providing individual notice would exceed $100,000, the number of affected individuals exceeds 175,000, or the entity does not have sufficient contact information, the entity may provide substitute notice through all of the following:
- Email notice, if the entity has email addresses
- Conspicuous posting on the entity's website
- Notification to statewide media
Federal Preemption
Entities that comply with federal breach notification requirements under regulations such as HIPAA or GLBA are deemed to be in compliance with Wisconsin's notification law, provided the entity notifies affected individuals as required by the applicable federal law.
Consumer Reporting Agency Notification
Under Wis. Stat. 134.98(4), if a breach requires notification of more than 1,000 individuals, the entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. This is an additional requirement that applies on top of individual notification.
Enforcement and Penalties

Wisconsin's breach notification statute takes an unusual approach to enforcement. Under Wis. Stat. 134.98(4), the statute explicitly states that failure to comply is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
This means:
- There are no specific civil penalties in the statute for failing to provide breach notification
- Non-compliance cannot by itself support a negligence claim
- However, non-compliance can be used as evidence in a civil lawsuit to support a claim that the entity was negligent or breached a duty
The Wisconsin Department of Agriculture, Trade and Consumer Protection (DATCP) provides guidance on the breach notification law and can receive consumer complaints. The Wisconsin Attorney General may also pursue enforcement actions related to unfair or deceptive business practices.
What Wisconsin Law Does Not Cover
Despite including biometric data in breach notification, Wisconsin's protections have significant gaps.
No Collection Consent Requirements
Wisconsin law does not require businesses or employers to obtain consent before collecting biometric data. A company can implement fingerprint scanners, facial recognition cameras, or voice authentication systems without providing notice or obtaining any form of permission.
No Retention or Destruction Rules
There are no requirements to set retention schedules for biometric data, publish data retention policies, or destroy biometric data after a set period or when the purpose for collection ends.
No Purpose Limitation
Businesses that collect biometric data in Wisconsin face no restrictions on how they use, share, or sell that data.
No Private Right of Action for Biometric Violations
While non-compliance with the breach notification law can serve as evidence in a negligence claim, there is no standalone private right of action for biometric data collection or misuse.
Proposed Wisconsin Data Privacy Act

Wisconsin legislators have introduced comprehensive privacy legislation that would strengthen biometric data protections.
Assembly Bill 172 / Senate Bill 166 (2025)
In 2025, Wisconsin introduced AB 172 in the Assembly and its companion SB 166 in the Senate. The proposed Wisconsin Data Privacy Act would:
- Define biometric data as data generated by automatic measurements of biological characteristics, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used to identify a specific individual
- Classify biometric data as sensitive data requiring opt-in consent before processing
- Grant consumers rights to access, delete, and port their personal data
- Require data controllers to recognize opt-out preference signals
- Mandate data protection assessments for processing activities involving sensitive data
- Establish Attorney General enforcement authority
SB 166 was referred to the Senate Committee on Licensing, Regulatory Reform, State and Federal Affairs in March 2025. A previous version of the bill passed the Assembly in 2023 but failed to advance in the Senate.
If enacted, the Wisconsin Data Privacy Act would significantly expand biometric data protections beyond the current breach notification framework.
How Wisconsin Compares to Neighboring States
Wisconsin's approach to biometric privacy is stronger than some neighbors but weaker than others.
Illinois has the strongest protections in the region with its Biometric Information Privacy Act (BIPA), which includes a private right of action and has generated thousands of lawsuits. Minnesota enacted comprehensive consumer data privacy legislation with biometric data provisions.
Iowa passed its Consumer Data Protection Act, which classifies biometric data as sensitive. Michigan has considered biometric privacy legislation but has not yet enacted comprehensive protections.
Wisconsin's inclusion of biometric data and DNA profiles in breach notification puts it ahead of states that lack even that level of coverage.
Practical Guidance for Wisconsin Residents
Wisconsin residents should be aware that while their biometric data is protected in the event of a breach, there are no restrictions on its collection or use before a breach occurs.
If you believe your biometric data was compromised in a breach and you did not receive notification within 45 days, contact the Wisconsin DATCP to file a complaint. You may also contact the Wisconsin Attorney General for consumer protection concerns.
Review privacy policies before providing biometric data to businesses or apps. While Wisconsin does not require consent, understanding how your data will be used can help you make informed decisions.
Sources and References
This article references Wisconsin statutes available through the Wisconsin Legislature website. For consumer guidance on data breaches, visit the Wisconsin DATCP. For proposed legislation, see AB 172. For consumer complaints, contact the Wisconsin Attorney General.
This article provides general legal information about Wisconsin biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Wisconsin government sources.
- Wis. Stat. 134.98 - Breach Notification Law (docs.legis.wisconsin.gov)
- Wis. Stat. 134.98(1)(b)4. - Biometric Data Definition (docs.legis.wisconsin.gov)
- Wis. Stat. 134.98(3m) - 45-Day Notification Timeline (docs.legis.wisconsin.gov)
- Wis. Stat. 134.98(2) - Notification Requirements (docs.legis.wisconsin.gov)
- Wis. Stat. 134.98(4) - Enforcement Provisions (docs.legis.wisconsin.gov)
- Wisconsin DATCP - Data Breach Notification Guidance (datcp.wi.gov)
- AB 172 - Wisconsin Data Privacy Act (2025) (docs.legis.wisconsin.gov)
- Wisconsin DATCP - Privacy Laws Overview (datcp.wi.gov)