open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/wisconsin.md

@@ -0,0 +1,156 @@
+---
+jurisdiction: "Wisconsin"
+slug: wisconsin
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/wisconsin
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/wisconsin · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Wisconsin Consumer Privacy Law[^about]
+
+Wisconsin has no comprehensive consumer-privacy statute — the 2025–26 Wisconsin Data Privacy Act bills failed in March 2026. The operative state law is the breach-notification statute, Wis. Stat. § 134.98 (a 45-day notice clock with no penalty provision), plus sectoral rules, the codified § 995.50 right of privacy, and the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA).
+
+
+## At a glance
+
+| Question | Wisconsin |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Wisconsin has no comprehensive consumer-privacy law — the 2025–26 Wisconsin Data Privacy Act bills (AB 172/SB 166) failed on March 23, 2026 — so there are no general data-rights, consent, or processor-contract duties under state law. The operative state statute is the breach-notification law, Wis. Stat. § 134.98, which sets a 45-day notice clock but prescribes no penalty, names no enforcer, and creates no private right of action; its practical teeth are evidentiary use in negligence suits plus possible federal FTC Act exposure for unfair or deceptive conduct. The rest of a Wisconsin program rides sectoral statutes — record disposal, patient health records, insurance data security — and the federal overlay, with the codified § 995.50 right of privacy supplying Wisconsin's only general privacy private action. |
+| **Main law** | No comprehensive consumer-privacy law — Wis. Stat. § 134.98 (breach notification) is the operative general statute, alongside sectoral rules (§§ 134.97, 146.84, ch. 601 subch. IX), the § 995.50 right of privacy, and the federal overlay |
+| **Privacy policy required?** | No Wisconsin statute mandates a consumer privacy policy or fixes its contents; the operative rules are FTC Act § 5 (unfair or deceptive conduct can create federal exposure), § 100.18 (untrue, deceptive or misleading public representations), and the GLBA, HIPAA, and COPPA notice rules where the business is in scope |
+| **Who does it cover?** | § 134.98 covers any entity — expressly including state and local government — that conducts business in Wisconsin and maintains personal information, licenses personal information in the state, maintains depository accounts for residents, or lends money to residents; no size or revenue threshold |
+| **Can consumers sue?** | Yes |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under § 134.98 — noncompliance is only potential evidence of negligence; § 100.18(11)(b)2. requires pecuniary loss; the codified right of privacy, § 995.50, is Wisconsin's only general privacy private action, and § 146.84 adds a strong one for patient health-care records |
+| **Who enforces it?** | No designated privacy regulator — § 134.98 names no enforcement agency; DATCP enforces § 100.18, and the Commissioner of Insurance enforces insurance data security |
+
+## Which privacy laws apply to your business in Wisconsin? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Wisconsin consumer-privacy law. The operative general statute is the breach-notification law, Wis. Stat. § 134.98, which applies to any *entity* — a person, other than an individual, that conducts business in Wisconsin and maintains personal information in the ordinary course of business, licenses personal information in the state, maintains a depository account for a resident, or lends money to a resident — and the definition expressly sweeps in state government and every city, village, town, and county [^breach-entity]. It carries no size or revenue threshold, and it governs breach response rather than day-to-day data handling.
+
+Wisconsin came close to changing this. The 2025–26 legislature considered companion bills — 2025 Assembly Bill 172 and Senate Bill 166 — that would have created a controller-and-processor consumer-data-protection framework at Wis. Stat. § 100.80, in the same family as the comprehensive acts other states have adopted. AB 172 won a unanimous 10–0 committee recommendation, but neither bill ever received a floor vote: on March 23, 2026, each was recorded on its official bill history as *Failed to pass pursuant to Senate Joint Resolution 1* — the mechanism by which Wisconsin bills die when the session's last general-business floorperiod closes. A 2027-28 successor is plausible because WDPA-style bills have now appeared in consecutive bienniums, but it would need to be introduced and passed as new legislation. Until one passes, Wisconsin residents have no general state-law rights to access, delete, correct, or opt out of the sale of their personal data, and businesses face no state notice-at-collection, consent, or data-protection-assessment duties.
+
+What governs today is a patchwork. Beyond § 134.98, record-disposal and patient-health-record rules impose concrete state obligations, and insurance licensees also have a separate data-security subchapter enforced by the Commissioner of Insurance. A financial institution, medical business, or tax preparation business may not dispose of a record containing personal information without shredding it, erasing it, or otherwise rendering it unreadable or inaccessible [^disposal-rule], on pain of a forfeiture of up to $1,000 per incident [^disposal-forfeiture]. Insurance licensees sit under their own data-security subchapter (2021 Wis. Act 73, ch. 601 subch. IX), built around an *information security program* — the administrative, technical, and physical safeguards a licensee uses to handle nonpublic information [^ins-program] — with the Commissioner of Insurance empowered to examine, investigate, and enforce [^ins-enforcement]. Health-care providers answer to the patient health-care-records statutes, whose damages remedy is covered in the consumer-lawsuit prong below. Two cross-cutting state laws round out the picture: § 100.18, the fraudulent-representations statute, polices untrue, deceptive, or misleading statements to the public, and § 995.50 codifies a general right of privacy. Everything else comes from the federal overlay — FTC Act § 5 for deceptive or unfair data practices, GLBA for financial institutions, HIPAA for covered health entities, and COPPA for child-directed services. This note is written to stay durable: a program built to the breach statute and the federal overlay upgrades rather than restarts if Wisconsin later enacts an omnibus law.
+
+## What must your Wisconsin privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Wisconsin statute requires a general consumer privacy policy or fixes what it must say. The operative rule is that whatever you publish has to be true. Under Section 5 of the FTC Act, a policy that misstates how you collect, use, share, retain, or secure data can create FTC Act exposure if the mismatch is unfair or deceptive [^q2-ftc5], and Wisconsin's own fraudulent-representations statute, § 100.18, prohibits placing before the public a statement or representation containing any assertion of fact that is untrue, deceptive, or misleading [^q2-fraud-rep]. Where a sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q2-hipaa-notice].
+
+In practice the drafting question in Wisconsin is less what must be included and more does the policy match actual practice. Build the policy from the federal and sectoral overlay. A financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the consumer a GLBA-compliant privacy notice [^q2-glba-notice]. An operator of a website or online service directed to children must post notice of what information it collects from children, how it uses it, and its disclosure practices, and must obtain verifiable parental consent [^q2-coppa-notice]. A HIPAA covered entity uses the Notice of Privacy Practices framework. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct.
+
+The § 100.18 angle deserves one scoping note. A published privacy policy that misstates data practices fits the statute's language — it is a statement to the public, and most commercial policies are published with intent to sell a product or service — but the statute's private remedy is narrower than its prohibition, reaching only a plaintiff who suffered pecuniary loss because of the representation. That limit, and who can actually sue, is developed in the consumer-lawsuit prong below. There is no Wisconsin-mandated contents checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Wisconsin has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Vendor data terms are instead driven by the sectoral regimes that apply to your business: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^q3-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information changes hands [^q3-hipaa-baa].
+
+One Wisconsin-specific wrinkle makes the vendor contract worth drafting carefully. The breach statute gives data-holding vendors only a default duty: a person that stores personal information pertaining to Wisconsin residents but does not own or license it — and *has not entered into a contract* with the owner — must notify the owner of an unauthorized acquisition as soon as practicable [^q3-storage-notice]. Once vendor and owner sign a contract, that statutory default falls away and the contract governs. So the practical move is to write the breach-reporting duty into the agreement expressly — notice to your business within a fixed number of days of discovery, cooperation with your own 45-day consumer-notice clock, and indemnity for vendor-caused incidents — rather than assume the statute fills the gap. Outside the regulated verticals, carrying the familiar protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — costs little and future-proofs the contract against a later Wisconsin omnibus law.
+
+## When must you notify people of a data breach in Wisconsin? {#breach-notification}
+
+**Short answer.** For an entity with its principal place of business in Wisconsin, or an entity that maintains or licenses personal information in Wisconsin, the statute provides that "the entity shall make reasonable efforts to notify each subject of the personal information."[^q4-breach-trigger] Out-of-state entities have a parallel duty to notify each affected Wisconsin resident when they know Wisconsin residents' personal information was acquired by an unauthorized person [^q4-breach-trigger]. The clock is explicit: "an entity shall provide the notice required under sub. (2) within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information."[^q4-breach-timing] [^q4-breach-timing] When a single incident requires notice to 1,000 or more individuals, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay [^q4-breach-cra].
+
+*Personal information* is defined as the individual's last name plus first name or initial, combined with an unencrypted, unredacted data element — Social Security number, driver's license or state ID number, financial-account number or an access code that would permit access to the account, DNA profile, or unique biometric data [^q4-personal-info]. Encryption and redaction are built into the definition, so a breach of properly encrypted data generally triggers nothing unless the protective element was compromised too. Two exceptions excuse notice entirely: where the acquisition does not create a material risk of identity theft or fraud to the data subject, and where an employee or agent acquired the information in good faith for a lawful purpose of the entity [^q4-breach-exception]. The materiality screen does real work in practice — it is the statutory basis for not notifying after low-risk incidents — but it puts the burden of that judgment on the business. The statute also stands down for the major federally regulated sectors: it does not apply to an entity subject to and in compliance with the GLBA privacy and security requirements (with a breach policy in effect), or to a HIPAA-regulated entity complying with the federal privacy and security rules [^q4-breach-exempt].
+
+Operationally, notice may be sent by mail or by a method the entity previously used to communicate with the subject, with a reasonably calculated actual-notice method if neither a mailing address nor a prior communication channel is available [^q4-breach-method]. A recipient who makes a written request can require the notifying entity to identify the personal information that was acquired [^q4-breach-identify]. Law enforcement can delay notice to protect an investigation or homeland security, and during that delay the entity may not provide notice or publicize the unauthorized acquisition except as the requesting agency authorizes [^q4-breach-law-enforcement].
+
+> [!NOTE]
+> **Practice note.**
+>
+> Statutory gap — § 134.98 has no enforcement provision. The section prescribes no penalty, names no enforcement agency, and creates no private right of action, and chapter 100's penalty section does not pick it up: § 100.26 imposes penalties only for violations of provisions of chapter 100, and nowhere references § 134.98, which sits in chapter 134 [^q4-penalties-gap]. The only consequence the statute itself states is evidentiary: "Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty."[^q4-breach-evidence] [^q4-breach-evidence] Two readings of the practical exposure follow. On one reading, a missed 45-day deadline carries no direct state-law sanction — no forfeiture, no agency action, no statutory damages. On the other, the exposure is real but indirect: noncompliance is admissible evidence in the negligence and contract suits that routinely follow a breach, and breach-response conduct by a business outside the GLBA and HIPAA carve-outs can create federal exposure if it is unfair or deceptive under FTC Act § 5 [^q4-ftc5]. Both readings measure conduct against the same yardstick, so treat the 45-day clock as the standard a court or regulator would apply even though no Wisconsin official is designated to start that clock against you.
+
+## Can a consumer sue your business in Wisconsin over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach statute — § 134.98 creates no private right of action, and its own text limits the consequence of noncompliance to potential evidence in a suit brought on some other legal theory [^q5-breach-no-pra]. Wisconsin's only general privacy private action is the codified right of privacy: "The right of privacy is recognized in this state."[^q5-privacy-right] A person whose privacy is unreasonably invaded is entitled to equitable relief, compensatory damages based either on the plaintiff's loss or the defendant's unjust enrichment, and a reasonable amount for attorney fees [^q5-privacy-right]. Alongside it, § 100.18 prohibits public commercial representations containing an assertion of fact that is untrue, deceptive, or misleading [^q5-fraud-violation]; any person suffering pecuniary loss because of such a violation may sue and recover that loss plus costs and reasonable attorney fees [^q5-fraud-pra].
+
+Section 995.50 defines *invasion of privacy* in four branches: intrusion upon another's privacy, of a kind highly offensive to a reasonable person, in a place a reasonable person would consider private or in a manner actionable as trespass; the use of a living person's name, portrait, or picture for advertising or trade purposes without prior written consent — the statutory misappropriation branch, and the one most naturally suited to commercial exploitation of identity; publicity given to private life, of a kind highly offensive to a reasonable person, subject to a public-record safe harbor; and conduct prohibited by the nonconsensual-depiction crimes, regardless of any criminal proceeding [^q5-privacy-branches]. The statute is to be interpreted in accordance with the developing common law of privacy, and — unlike the fraudulent-representations action — its compensatory damages are not limited to pecuniary loss, though they may not be presumed without proof [^q5-privacy-construction]. Those branches are tort-shaped: the intrusion branch is tied to a place, and the publicity branch requires publicity. How far they reach into ordinary commercial data collection, sale, or breach fact patterns is an open question the statutory text does not answer, so treat § 995.50 as a genuine but untested exposure for data practices, with the misappropriation branch the most plausible vehicle.
+
+The § 100.18 action is the workhorse for false statements about data practices, but it is tightly scoped. The Department of Agriculture, Trade and Consumer Protection enforces the section publicly [^q5-fraud-enforcer], while the private action belongs only to a plaintiff who can show pecuniary loss caused by a public commercial representation that violates the section — a hurdle that screens out most pure privacy-injury theories, where the harm is exposure rather than money out of pocket [^q5-fraud-violation] [^q5-fraud-pra]. Suits also face a hard three-year limit running from the unlawful act [^q5-fraud-limit].
+
+Two sectoral private actions are stronger than anything general-purpose in Wisconsin. The patient health-care-records statute makes a person who knowingly and willfully violates the records-confidentiality rules liable for actual damages plus exemplary damages of up to $25,000 and attorney fees, with a negligence tier capped at $1,000 in exemplary damages [^q5-health-pra]. And a financial institution, medical business, or tax preparation business that disposes of records in violation of the disposal statute is liable to the affected person for resulting damages [^q5-disposal-liability]. The net effect for most businesses: Wisconsin consumer-privacy litigation arrives through the privacy tort, the pecuniary-loss UDAP action, or post-breach negligence claims that use § 134.98 noncompliance as evidence — not through a statutory privacy class action of the kind comprehensive-law states authorize.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Wisconsin. This article synthesizes Wisconsin primary law and is not legal advice from a Wisconsin-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^breach-entity]: **Wis. Stat. § 134.98(1)(a)** — "‘Entity’ means a person, other than an individual, that does any of the following: a. Conducts business in this state and maintains personal information in the ordinary course of business. b. Licenses personal information in this state. c. Maintains for a resident of this state a depository account as defined in s. 815.18 (2) (e) . d. Lends money to a resident of this state. 2. ‘Entity’ includes all of the following: a. The state and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts. b. A city, village, town, or county." *Wis. Stat. § 134.98(1)(a).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^disposal-rule]: **Wis. Stat. § 134.97(2)** — "A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following: (a) Shreds the record before the disposal of the record. (b) Erases the personal information contained in the record before the disposal of the record. (c) Modifies the record to make the personal information unreadable before the disposal of the record. (d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record’s disposal and the record’s destruction." *Wis. Stat. § 134.97(2).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/97>
+
+[^disposal-forfeiture]: **Wis. Stat. § 134.97(4)(a)** — "A financial institution, medical business or tax preparation business that violates sub. (2) may be required to forfeit not more than $1,000. Acts arising out of the same incident or occurrence shall be a single violation." *Wis. Stat. § 134.97(4)(a).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/97>
+
+[^ins-program]: **Wis. Stat. § 601.95(5)** — "‘Information security program’ means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information." *Wis. Stat. § 601.95(5).* <https://docs.legis.wisconsin.gov/statutes/statutes/601/ix/95>
+
+[^ins-enforcement]: **Wis. Stat. § 601.956** — "The commissioner shall have the power to examine and investigate the affairs of any licensee to determine whether the licensee has engaged in conduct in violation of this subchapter and to take action that is necessary or appropriate to enforce the provisions of this subchapter." *Wis. Stat. § 601.956.* <https://docs.legis.wisconsin.gov/statutes/statutes/601/ix/956>
+
+[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q2-fraud-rep]: **Wis. Stat. § 100.18(1)** — "No person, firm, corporation or association, or agent or employee thereof, with intent to sell, distribute, increase the consumption of or in any wise dispose of any real estate, merchandise, securities, employment, service, or anything offered by such person, firm, corporation or association, or agent or employee thereof, directly or indirectly, to the public for sale, hire, use or other distribution, or with intent to induce the public in any manner to enter into any contract or obligation relating to the purchase, sale, hire, use or lease of any real estate, merchandise, securities, employment or service, shall make, publish, disseminate, circulate, or place before the public, or cause, directly or indirectly, to be made, published, disseminated, circulated, or placed before the public, in this state, in a newspaper, magazine or other publication, or in the form of a book, notice, handbill, poster, bill, circular, pamphlet, letter, sign, placard, card, label, or over any radio or television station, or in any other way similar or dissimilar to the foregoing, an advertisement, announcement, statement or representation of any kind to the public relating to such purchase, sale, hire, use or lease of such real estate, merchandise, securities, service or employment or to the terms or conditions thereof, which advertisement, announcement, statement or representation contains any assertion, representation or statement of fact which is untrue, deceptive or misleading." *Wis. Stat. § 100.18(1).* <https://docs.legis.wisconsin.gov/statutes/statutes/100/18>
+
+[^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^q2-glba-notice]: **GLBA privacy notice, 15 U.S.C. § 6802** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+
+[^q2-coppa-notice]: **COPPA, 15 U.S.C. § 6502** — "require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children" *15 U.S.C. § 6502(b)(1)(A).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=require%20the%20operator%20of%20any,of%20personal%20information%20from%20children>
+
+[^q3-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
+
+[^q3-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; (E) Make available protected health information in accordance with § 164.524; (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526; (G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528; (H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. (I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and (J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible." *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,destruction%20of%20the%20information%20infeasible.>
+
+[^q3-storage-notice]: **Wis. Stat. § 134.98(2)(bm)** — "If a person, other than an individual, that stores personal information pertaining to a resident of this state, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorized to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information, the person storing the personal information shall notify the person that owns or licenses the personal information of the acquisition as soon as practicable." *Wis. Stat. § 134.98(2)(bm).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-trigger]: **Wis. Stat. § 134.98(2)(a)–(b)** — "If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information. (b) If an entity whose principal place of business is not located in this state knows that personal information pertaining to a resident of this state has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each resident of this state who is the subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the resident of this state who is the subject of the personal information." *Wis. Stat. § 134.98(2)(a)–(b).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-timing]: **Wis. Stat. § 134.98(3)(a)** — "Subject to sub. (5) , an entity shall provide the notice required under sub. (2) within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness under this paragraph shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity." *Wis. Stat. § 134.98(3)(a).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-cra]: **Wis. Stat. § 134.98(2)(br)** — "If, as the result of a single incident, an entity is required under par. (a) or (b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC 1681a (p), of the timing, distribution, and content of the notices sent to the individuals." *Wis. Stat. § 134.98(2)(br).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-personal-info]: **Wis. Stat. § 134.98(1)(b)** — "‘Personal information’ means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable: 1. The individual’s social security number. 2. The individual’s driver’s license number or state identification number. 3. The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account. 4. The individual’s deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a) . 5. The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation." *Wis. Stat. § 134.98(1)(b).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-exception]: **Wis. Stat. § 134.98(2)(cm)** — "Notwithstanding pars. (a) , (b) , (bm) , and (br) , an entity is not required to provide notice of the acquisition of personal information if any of the following applies: 1. The acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information. 2. The personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity." *Wis. Stat. § 134.98(2)(cm).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-exempt]: **Wis. Stat. § 134.98(3m)** — "This section does not apply to any of the following: (a) An entity that is subject to, and in compliance with, the privacy and security requirements of 15 USC 6801 to 6827 , or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security. (b) An entity that is described in 45 CFR 164.104 (a) , if the entity complies with the requirements of 45 CFR part 164 ." *Wis. Stat. § 134.98(3m).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-method]: **Wis. Stat. § 134.98(3)(b)** — "An entity shall provide the notice required under sub. (2) by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information." *Wis. Stat. § 134.98(3)(b).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-identify]: **Wis. Stat. § 134.98(3)(c)** — "Upon written request by a person who has received a notice under sub. (2) (a) or (b) , the entity that provided the notice shall identify the personal information that was acquired." *Wis. Stat. § 134.98(3)(c).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-breach-law-enforcement]: **Wis. Stat. § 134.98(5)** — "A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a notice that is otherwise required under sub. (2) for any period of time and the notification process required under sub. (2) shall begin at the end of that time period. Notwithstanding subs. (2) and (3) , if an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request." *Wis. Stat. § 134.98(5).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-penalties-gap]: **Wis. Stat. § 100.26(1)** — "Any person who violates any provision of this chapter, except s. 100.18 , 100.20 , 100.206 or 100.51 , for which no specific penalty is prescribed shall be fined not to exceed $200, or imprisoned in the county jail not more than 6 months or both." *Wis. Stat. § 100.26(1).* <https://docs.legis.wisconsin.gov/statutes/statutes/100/26>
+
+[^q4-breach-evidence]: **Wis. Stat. § 134.98(4)** — "Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty." *Wis. Stat. § 134.98(4).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q4-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q5-breach-no-pra]: **Wis. Stat. § 134.98(4)** — "Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty." *Wis. Stat. § 134.98(4).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/98>
+
+[^q5-privacy-right]: **Wis. Stat. § 995.50(1)** — "The right of privacy is recognized in this state. One whose privacy is unreasonably invaded is entitled to the following relief: (a) Equitable relief to prevent and restrain such invasion, excluding prior restraint against constitutionally protected communication privately and through the public media; (b) Compensatory damages based either on plaintiff’s loss or defendant’s unjust enrichment; and (c) A reasonable amount for attorney fees." *Wis. Stat. § 995.50(1).* <https://docs.legis.wisconsin.gov/statutes/statutes/995/50>
+
+[^q5-fraud-violation]: **Wis. Stat. § 100.18(1)** — "No person, firm, corporation or association, or agent or employee thereof, with intent to sell, distribute, increase the consumption of or in any wise dispose of any real estate, merchandise, securities, employment, service, or anything offered by such person, firm, corporation or association, or agent or employee thereof, directly or indirectly, to the public for sale, hire, use or other distribution, or with intent to induce the public in any manner to enter into any contract or obligation relating to the purchase, sale, hire, use or lease of any real estate, merchandise, securities, employment or service, shall make, publish, disseminate, circulate, or place before the public, or cause, directly or indirectly, to be made, published, disseminated, circulated, or placed before the public, in this state, in a newspaper, magazine or other publication, or in the form of a book, notice, handbill, poster, bill, circular, pamphlet, letter, sign, placard, card, label, or over any radio or television station, or in any other way similar or dissimilar to the foregoing, an advertisement, announcement, statement or representation of any kind to the public relating to such purchase, sale, hire, use or lease of such real estate, merchandise, securities, service or employment or to the terms or conditions thereof, which advertisement, announcement, statement or representation contains any assertion, representation or statement of fact which is untrue, deceptive or misleading." *Wis. Stat. § 100.18(1).* <https://docs.legis.wisconsin.gov/statutes/statutes/100/18>
+
+[^q5-fraud-pra]: **Wis. Stat. § 100.18(11)(b)2.** — "Any person suffering pecuniary loss because of a violation of this section by any other person may sue in any court of competent jurisdiction and shall recover such pecuniary loss, together with costs, including reasonable attorney fees, except that no attorney fees may be recovered from a person licensed under ch. 452 while that person is engaged in real estate practice, as defined in s. 452.01 (6) ." *Wis. Stat. § 100.18(11)(b)2.* <https://docs.legis.wisconsin.gov/statutes/statutes/100/18>
+
+[^q5-privacy-branches]: **Wis. Stat. § 995.50(2)(am)** — "In this section, ‘invasion of privacy’ means any of the following: 1. Intrusion upon the privacy of another of a nature highly offensive to a reasonable person, except as provided under par. (bm) , in a place that a reasonable person would consider private, or in a manner that is actionable for trespass. 2. The use, for advertising purposes or for purposes of trade, of the name, portrait or picture of any living person, without having first obtained the written consent of the person or, if the person is a minor, of his or her parent or guardian. 3. Publicity given to a matter concerning the private life of another, of a kind highly offensive to a reasonable person, if the defendant has acted either unreasonably or recklessly as to whether there was a legitimate public interest in the matter involved, or with actual knowledge that none existed. It is not an invasion of privacy to communicate any information available to the public as a matter of public record. 4. Conduct that is prohibited under s. 942.09 or 942.095 , regardless of whether there has been a criminal action related to the conduct, and regardless of the outcome of the criminal action, if there has been a criminal action related to the conduct." *Wis. Stat. § 995.50(2)(am).* <https://docs.legis.wisconsin.gov/statutes/statutes/995/50>
+
+[^q5-privacy-construction]: **Wis. Stat. § 995.50(3)–(4)** — "The right of privacy recognized in this section shall be interpreted in accordance with the developing common law of privacy, including defenses of absolute and qualified privilege, with due regard for maintaining freedom of communication, privately and through the public media. (4) Compensatory damages are not limited to damages for pecuniary loss, but shall not be presumed in the absence of proof." *Wis. Stat. § 995.50(3)–(4).* <https://docs.legis.wisconsin.gov/statutes/statutes/995/50>
+
+[^q5-fraud-enforcer]: **Wis. Stat. § 100.18(11)(a)** — "The department of agriculture, trade and consumer protection shall enforce this section." *Wis. Stat. § 100.18(11)(a).* <https://docs.legis.wisconsin.gov/statutes/statutes/100/18>
+
+[^q5-fraud-limit]: **Wis. Stat. § 100.18(11)(b)3.** — "No action may be commenced under this section more than 3 years after the occurrence of the unlawful act or practice which is the subject of the action." *Wis. Stat. § 100.18(11)(b)3.* <https://docs.legis.wisconsin.gov/statutes/statutes/100/18>
+
+[^q5-health-pra]: **Wis. Stat. § 146.84(1)(b)–(bm)** — "Any person, including the state or any political subdivision of the state, who violates s. 146.82 or 146.83 in a manner that is knowing and willful shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees. (bm) Any person, including the state or any political subdivision of the state, who negligently violates s. 146.82 or 146.83 shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $1,000 and costs and reasonable actual attorney fees." *Wis. Stat. § 146.84(1)(b)–(bm).* <https://docs.legis.wisconsin.gov/statutes/statutes/146/84>
+
+[^q5-disposal-liability]: **Wis. Stat. § 134.97(3)(a)** — "A financial institution, medical business or tax preparation business is liable to a person whose personal information is disposed of in violation of sub. (2) for the amount of damages resulting from the violation." *Wis. Stat. § 134.97(3)(a).* <https://docs.legis.wisconsin.gov/statutes/statutes/134/97>

package/skills/legal-explainers/data-privacy-law-explainer/content/wyoming.md

@@ -0,0 +1,185 @@
+---
+jurisdiction: "Wyoming"
+slug: wyoming
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-12"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/wyoming
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/wyoming · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Wyoming Consumer Privacy Law[^about]
+
+Wyoming has no comprehensive consumer-privacy statute. The operative state laws are the data-breach statute (Wyo. Stat. §§ 40-12-501 et seq.), the Wyoming Consumer Protection Act, and a genetic-data privacy chapter, plus the federal overlay.
+
+
+## At a glance
+
+| Question | Wyoming |
+| --- | --- |
+| **Law coverage** | Specific data types only |
+| **Summary** | Wyoming has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state laws are the data-breach notification statute (Wyo. Stat. §§ 40-12-501 et seq.), the Wyoming Consumer Protection Act, and a genetic-data privacy chapter that imposes consent, notice, and deletion duties on direct-to-consumer genetic testing companies and carries a private right of action. Everything else in a Wyoming-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA. |
+| **Main law** | Wyo. Stat. §§ 40-12-501 et seq. (breach of the security of the data system), the Wyoming Consumer Protection Act, §§ 40-12-101 et seq., and the genetic data privacy chapter, §§ 35-32-101 et seq. — Wyoming has no comprehensive consumer-privacy law |
+| **Privacy policy required?** | No general Wyoming statute mandates a consumer privacy policy or fixes its contents; direct-to-consumer genetic testing companies must post a high-level privacy-policy overview and a prominent privacy notice, and FTC Act § 5, GLBA, HIPAA, and COPPA drive contents for everyone else |
+| **Who does it cover?** | Any individual or commercial entity that conducts business in Wyoming and owns or licenses computerized personal identifying information about Wyoming residents — no revenue or consumer-volume threshold; the genetic-data chapter reaches direct-to-consumer genetic testing companies |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | Policy required only for specific data |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the breach statute, which the Attorney General enforces; the Wyoming Consumer Protection Act lets a consumer sue over an uncured deceptive trade practice (§ 40-12-108), and the genetic-data chapter gives individuals a civil action after a 60-day cure window (§ 35-32-104) |
+| **Who enforces it?** | Wyoming Attorney General (the enforcing authority under the Wyoming Consumer Protection Act) |
+
+## Which privacy laws apply to your business in Wyoming? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Wyoming consumer-privacy law. Three sectoral state statutes do the work instead: the data-breach statute, which defines a reportable breach as unauthorized acquisition of computerized data that materially compromises personal identifying information and causes or is reasonably believed to cause loss or injury to a Wyoming resident [^breach-def]; the Wyoming Consumer Protection Act, the state's general deceptive-trade-practices law [^wcpa-unlawful-practices]; and a genetic-data privacy chapter that bars obtaining, testing, retaining, or disclosing genetic data without informed consent [^q1-genetic-informed-consent].
+
+Wyoming residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties of general application. The state framework is narrower and issue-specific. The breach statute, Wyo. Stat. §§ 40-12-501 through 40-12-511, governs incident response and credit-report security freezes. The Wyoming Consumer Protection Act, §§ 40-12-101 through 40-12-114, supplies the enforcement spine: a business that misrepresents its data practices in connection with a consumer transaction risks a deceptive-trade-practice claim under § 40-12-105 [^wcpa-unlawful-practices]. The genetic-data chapter, §§ 35-32-101 et seq., is Wyoming's one modern consent-based privacy statute, aimed at direct-to-consumer genetic testing companies [^q1-genetic-informed-consent].
+
+One niche provision is worth knowing: a website operator that publishes arrest photographs and charges for their removal must take down the photograph and associated personal information free of charge within thirty days of a qualifying written request [^mugshot-removal], and a violation is itself an unlawful practice under the Consumer Protection Act.
+
+The rest of a Wyoming privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide [^q1-fed-ftc5]; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. Wyoming has also legislated on *government* data practices — including a 2026 act directed at state-agency handling of resident data — but that legislation regulates public bodies, not private businesses, and does not create consumer-privacy duties for the private sector. A program built to the breach statute, the Consumer Protection Act, the genetic-data chapter, and the federal overlay would upgrade rather than restart if Wyoming later adopted an omnibus privacy statute.
+
+## What must your Wyoming privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Wyoming statute requires a general consumer privacy policy or fixes what it must say. The one state-law exception is sectoral: a direct-to-consumer genetic testing company must make available both a high-level privacy-policy overview and a prominent, publicly available privacy notice covering its data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices [^genetic-privacy-notice]. For everyone else, the governing rule is that whatever you publish has to be true — under Section 5 of the FTC Act, and under the Wyoming Consumer Protection Act by the same logic, a policy that misstates how you collect, use, share, or secure data is a deceptive practice [^q2-fed-ftc5].
+
+In practice the drafting question in Wyoming is less what must be included and more whether the policy matches actual practice. Where a sectoral regime applies, that regime supplies the contents: the GLBA privacy-notice rules if you are a financial institution, a COPPA notice if your service is directed to children under 13, and for HIPAA covered entities a notice of privacy practices describing the uses and disclosures of protected health information and the individual's rights [^q2-fed-hipaa-notice]. Outside those verticals, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct.
+
+For genetic testing companies the Wyoming notice duty is real and specific. The statute splits the disclosure into two layers — an essential-information overview plus a fuller privacy notice — so a single dense legal document likely does not satisfy the text on its own [^genetic-privacy-notice]. Build the overview as a short, plain-English summary and keep the complete notice one click away.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Wyoming has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The breach statute does impose one vendor-facing duty: a person that maintains computerized personal identifying information on behalf of another business must disclose any breach of the security of the system to that business as soon as practicable, and the two may agree by contract which of them gives the required consumer notice [^breach-data-maintainer].
+
+That allocation rule is the reason Wyoming vendor contracts should always name a notification owner: if no agreement is reached, the statute defaults the consumer-notice duty to whichever party has the direct business relationship with the Wyoming resident. The genetic-data chapter takes a similar contract-anchored approach — a third-party provider whose services are limited to storage, retrieval, handling, or transmission of genetic data under a contract or other obligation falls within a statutory exception to the informed-consent requirement, which makes the written service contract the thing that defines the vendor's permitted role [^genetic-service-provider].
+
+Where a federal regime is in scope, it supplies the rest of the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers and to bind them by contract to implement and maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a written business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information changes hands [^fed-hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Wyoming statute compels them.
+
+## What rights do Wyoming consumers have over their personal data? {#consumer-rights}
+
+**Short answer.** None of general application — Wyoming law gives consumers no across-the-board rights to access, delete, correct, or port personal data, no right to opt out of its sale or of targeted advertising, and no recognition of universal opt-out signals such as Global Privacy Control. The exceptions are domain-specific. For genetic data, an individual or an authorized representative may inspect, correct, and obtain the individual's genetic data [^genetic-inspect-correct], and a direct-to-consumer genetic testing company must provide a process to access genetic data, delete the account and genetic data, and obtain destruction of the biological sample [^genetic-deletion-process]. For credit data, a consumer may place a security freeze that blocks a consumer reporting agency from releasing the credit report for new-credit purposes without prior authorization [^security-freeze].
+
+The genetic-data deletion right has teeth beyond the account-deletion process: any person conducting genetic testing must destroy an individual's genetic data on request, unless the data was obtained under one of the chapter's no-consent exceptions or retention is necessary for a purpose disclosed in the informed consent [^genetic-destroy-request]. A company that wants to keep genetic data after a deletion request therefore needs to point to a disclosed retention purpose in the consent documents themselves — an after-the-fact business justification does not fit the statutory text.
+
+The security-freeze article is consumer-initiated and aimed at identity theft rather than commercial data practices: the consumer requests the freeze, the consumer reporting agency must place it within five business days, and lifts and removals run through an agency-established contact method. It is the closest thing Wyoming law offers to a consumer-controlled switch over data flows, but it applies only to credit reports, not to ordinary marketing or advertising data.
+
+Because there is no omnibus statute, a Wyoming-facing rights program is in practice built to other states' laws and to the sectoral overlay — businesses that honor access and deletion requests nationwide will already exceed what Wyoming law requires for non-genetic data.
+
+## Do you need consent to collect or share genetic data in Wyoming? {#genetic-data-consent}
+
+**Short answer.** Yes. No person conducting genetic testing may obtain, test, retain, or disclose an individual's genetic data without informed consent, subject to enumerated exceptions such as law enforcement, court orders, paternity determinations, newborn screening, and anonymous research [^q5-genetic-informed-consent]. Direct-to-consumer genetic testing companies face a layered express-consent regime on top of that baseline: initial express consent for the collection itself, plus separate express consent before transferring genetic data to anyone beyond vendors and service providers or using it beyond the primary purpose of the testing service [^genetic-express-consent].
+
+The statute adds two more separate-consent tiers: separate express consent to retain a biological sample after the initial testing service is complete [^genetic-sample-retention-consent], and separate express consent for marketing based on genetic data or based on the consumer having bought a genetic test [^genetic-marketing-consent]. Companies must also require valid legal process before disclosing genetic data to law enforcement or any other government agency without the consumer's express written consent, and must maintain a comprehensive security program that protects genetic data against unauthorized access, use, or disclosure [^genetic-legal-process-security].
+
+Two disclosure targets get an absolute written-consent rule: a direct-to-consumer genetic testing company may not disclose a consumer's genetic data to any entity offering health, life, or long-term-care insurance, or to the consumer's employer, without written consent [^genetic-insurer-employer]. And none of these company-facing duties can be contracted around — the chapter's provisions applicable to direct-to-consumer genetic testing companies cannot be waived [^genetic-no-waiver], so a terms-of-service clause purporting to do so is ineffective.
+
+The chapter has a boundary worth checking before building a compliance program around it: it does not apply to protected health information collected by a HIPAA covered entity or business associate [^genetic-hipaa-carveout]. A clinical laboratory operating inside the HIPAA framework is governed by HIPAA's privacy, security, and breach rules rather than this chapter, while a consumer ancestry-and-wellness testing company sits squarely inside the Wyoming statute.
+
+## When must you notify people of a data breach in Wyoming? {#breach-notification}
+
+**Short answer.** An individual or commercial entity that conducts business in Wyoming and owns or licenses computerized personal identifying information about Wyoming residents must, on becoming aware of a breach, conduct a good-faith, reasonable, and prompt investigation into the likelihood of misuse — and if misuse has occurred or is reasonably likely, give notice to affected residents as soon as possible, in the most expedient time possible and without unreasonable delay [^breach-notice-duty]. There is no fixed day-count deadline and no Attorney General or consumer-reporting-agency notification trigger in the statute; the clock is the reasonableness standard itself.
+
+The trigger turns on *personal identifying information*, defined as a first name or first initial and last name combined with one or more of the data elements specified in Wyoming's identity-theft statute, W.S. 6-3-901(b)(iii) through (xiv), when the data elements are not redacted [^breach-pii-definition]. Information lawfully available from government records or widely distributed media is excluded, and a good-faith acquisition by an employee or agent for business purposes is not a breach if the information is not further misused or disclosed.
+
+Wyoming prescribes the notice's required contents in some detail. The notice must be clear and conspicuous and include, at a minimum, a toll-free contact number that also lets the individual reach the major credit reporting agencies, the types of personal identifying information involved, a general description of the incident, the approximate date of the breach if determinable, a general description of the remedial actions taken, advice to remain vigilant by reviewing account statements and monitoring credit reports, and whether notice was delayed for law enforcement [^breach-notice-contents]. Notice may be written or by electronic mail, with substitute notice available only where the business shows that notice would cost more than ten thousand dollars for Wyoming-based businesses or two hundred fifty thousand dollars for others, that the affected class exceeds ten thousand or five hundred thousand people respectively, or that it lacks sufficient contact information [^breach-substitute-notice]. Notification may be delayed if a law enforcement agency determines in writing that it would seriously impede a criminal investigation [^breach-le-delay].
+
+Two deemed-compliance paths matter for regulated entities: a HIPAA covered entity or business associate that notifies affected Wyoming customers in compliance with the HIPAA breach rules is deemed compliant with the Wyoming statute [^breach-hipaa-harbor], and financial institutions following the federal interagency notice framework referenced in the statute get parallel treatment.
+
+## Can a consumer sue your business under Wyoming privacy law? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach statute — enforcement of the notification duty belongs to the Attorney General, who may bring an action in law or equity for compliance, damages, or both [^breach-ag-enforcement]. But two other Wyoming statutes do open the courthouse door. The Wyoming Consumer Protection Act lets a person sue for actual damages suffered from an *uncured* unlawful deceptive trade practice [^wcpa-private-remedy], and the genetic-data chapter gives an individual whose rights were violated a civil action for an injunction and damages after written notice and a sixty-day cure window [^genetic-private-action].
+
+The Consumer Protection Act route is notice-and-cure gated. A practice becomes *uncured* only after the consumer gives notice to the alleged violator and either no offer to cure is made within fifteen days or the practice is not cured within a reasonable time after the consumer accepts the offer [^wcpa-cure-definition] — and the statute imposes short windows, requiring written notice that states the nature of the practice and the actual damage suffered [^wcpa-cure-definition]. Class actions are available under § 40-12-108(b), with court-awarded attorney fees determined by the time the attorney reasonably expended rather than by the amount of the judgment [^wcpa-class-action].
+
+Public enforcement carries the heavier penalties. The Attorney General — the Act's *enforcing authority* — can sue to restrain unlawful practices by restraining order or injunction, with additional court orders available to compensate identifiable persons for actual damages or restore money or property [^wcpa-injunction], and can seek civil penalties of up to ten thousand dollars per willful violation [^wcpa-civil-penalty], rising to fifteen thousand dollars per violation plus mandatory restitution where the practice victimizes an older person or a person with disabilities [^wcpa-elder-penalty].
+
+The genetic-data chapter stacks three enforcement layers: a misdemeanor fine, the private civil action with its sixty-day cure period and fee-shifting for prevailing parties [^genetic-private-action], and an Attorney General action — in the name of the state or as parens patriae — carrying a civil penalty of two thousand five hundred dollars per violation plus actual consumer damages and fees [^genetic-ag-penalty]. For a direct-to-consumer genetic testing company, the practical exposure is therefore both regulatory and private, and the sixty-day cure window is the moment to fix a violation before litigation attaches.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Wyoming. This article synthesizes Wyoming primary law and is not legal advice from a Wyoming-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^breach-def]: **Wyo. Stat. § 40-12-501** — "‘Breach of the security of the data system’ means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state." *Wyo. Stat. § 40-12-501(a)(i).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^wcpa-unlawful-practices]: **Wyo. Stat. § 40-12-105** — "A person engages in a deceptive trade practice unlawful under this act when, in the course of his business and in connection with a consumer transaction, he knowingly:" *Wyo. Stat. § 40-12-105(a).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^q1-genetic-informed-consent]: **Wyo. Stat. § 35-32-102** — "Except as provided in subsection (b) of this section, no person conducting genetic testing shall do any of the following without the informed consent of the individual or the individual's authorized representative: (i) Obtain an individual's genetic data; (ii) Perform genetic testing on an individual; (iii) Retain an individual's genetic data; (iv) Disclose an individual's genetic data." *Wyo. Stat. § 35-32-102(a).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^mugshot-removal]: **Wyo. Stat. § 40-12-601** — "A person who operates a website that disseminates photographic records of arrested individuals made by law enforcement agencies as part of routinely documenting an arrest and who charges individuals to remove their photographs shall remove any photograph and related name and personal information from all websites owned or controlled by that person without charging a fee within thirty (30) days of the date of a request to remove the photograph and information if the request:" *Wyo. Stat. § 40-12-601(a).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^q1-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^genetic-privacy-notice]: **Wyo. Stat. § 35-32-102(c)(i)** — "To safeguard the privacy, confidentiality, security and integrity of a consumer's genetic data, a direct to consumer genetic testing company shall: (i) Provide clear and complete information regarding the company's policies and procedures for the collection, use or disclosure of genetic data by making available to a consumer: (A) A high-level privacy policy overview that includes essential information about the company's collection, use or disclosure of genetic data; and (B) A prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security and retention and deletion practices." *Wyo. Stat. § 35-32-102(c)(i).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^q2-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q2-fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^breach-data-maintainer]: **Wyo. Stat. § 40-12-502(g)** — "Any person who maintains computerized data that includes personal identifying information on behalf of another business entity shall disclose to the business entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. The person who maintains the data on behalf of another business entity and the business entity on whose behalf the data is maintained may agree which person or entity will provide any required notice as provided in subsection (a) of this section, provided only a single notice for each breach of the security of the system shall be required." *Wyo. Stat. § 40-12-502(g).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^genetic-service-provider]: **Wyo. Stat. § 35-32-102(b)(xi)** — "Services limited to storage, retrieval, handling or transmission of genetic data by a third party service provider pursuant to a contract or other obligation;" *Wyo. Stat. § 35-32-102(b)(xi).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>
+
+[^genetic-inspect-correct]: **Wyo. Stat. § 35-32-103(a)** — "An individual or the individual's authorized representative may inspect, correct and obtain genetic data about the individual." *Wyo. Stat. § 35-32-103(a).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-deletion-process]: **Wyo. Stat. § 35-32-102(c)(v)** — "Provide a process for a consumer to: (A) Access the consumer's genetic data; (B) Delete the consumer's account and genetic data; and (C) Request and obtain the destruction of the consumer's biological sample." *Wyo. Stat. § 35-32-102(c)(v).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^security-freeze]: **Wyo. Stat. § 40-12-503(b)** — "If a security freeze is in place, a consumer reporting agency may not release a consumer's credit report or information derived from the credit report to a third party that intends to use the information to determine a consumer's eligibility for credit or the opening of a new account without prior authorization from the consumer." *Wyo. Stat. § 40-12-503(b).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^genetic-destroy-request]: **Wyo. Stat. § 35-32-103(b)** — "A person conducting genetic testing shall destroy an individual's genetic data upon request by the individual or the individual's authorized representative unless: (i) The data was obtained pursuant to W.S. 35-32-102(b); or (ii) Retention of the data is necessary for a purpose disclosed to the individual or representative in the informed consent." *Wyo. Stat. § 35-32-103(b).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^q5-genetic-informed-consent]: **Wyo. Stat. § 35-32-102(a)** — "Except as provided in subsection (b) of this section, no person conducting genetic testing shall do any of the following without the informed consent of the individual or the individual's authorized representative: (i) Obtain an individual's genetic data; (ii) Perform genetic testing on an individual; (iii) Retain an individual's genetic data; (iv) Disclose an individual's genetic data." *Wyo. Stat. § 35-32-102(a).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-express-consent]: **Wyo. Stat. § 35-32-102(c)(ii)** — "Obtain a consumer's consent for the collection, use or disclosure of the consumer's genetic data including, at a minimum: (A) Initial express consent that describes the uses of the genetic data collected through the genetic testing product or service, and specifies who has access to test results and how the genetic data may be shared; (B) Separate express consent for transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses;" *Wyo. Stat. § 35-32-102(c)(ii).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-sample-retention-consent]: **Wyo. Stat. § 35-32-102(c)(ii)(C)** — "Separate express consent for the retention of any biological sample provided by the consumer following completion of the initial testing service requested by the consumer;" *Wyo. Stat. § 35-32-102(c)(ii)(C).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-marketing-consent]: **Wyo. Stat. § 35-32-102(c)(ii)(E)** — "Separate express consent for marketing to a consumer based on the consumer's genetic data, or for marketing by a third party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service." *Wyo. Stat. § 35-32-102(c)(ii)(E).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-legal-process-security]: **Wyo. Stat. § 35-32-102(c)(iii)-(iv)** — "Require valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent; (iv) Develop, implement and maintain a comprehensive security program that protects a consumer's genetic data against unauthorized access, use or disclosure" *Wyo. Stat. § 35-32-102(c)(iii)-(iv).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-insurer-employer]: **Wyo. Stat. § 35-32-102(d)** — "Notwithstanding any other provisions in this section, a direct to consumer genetic testing company shall not disclose a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance, or to any employer of the consumer without the consumer's written consent." *Wyo. Stat. § 35-32-102(d).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-no-waiver]: **Wyo. Stat. § 35-32-105(a)** — "The provisions of this chapter applicable to direct to consumer genetic testing companies shall not be waived." *Wyo. Stat. § 35-32-105(a).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^genetic-hipaa-carveout]: **Wyo. Stat. § 35-32-105(b)** — "This chapter shall not apply to protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services" *Wyo. Stat. § 35-32-105(b).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^breach-notice-duty]: **Wyo. Stat. § 40-12-502(a)** — "An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." *Wyo. Stat. § 40-12-502(a).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^breach-pii-definition]: **Wyo. Stat. § 40-12-501(a)(vii)** — "‘Personal identifying information’ means the first name or first initial and last name of a person in combination with one (1) or more of the data elements specified in W.S. 6-3-901(b)(iii) through (xiv), when the data elements are not redacted." *Wyo. Stat. § 40-12-501(a)(vii).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^breach-notice-contents]: **Wyo. Stat. § 40-12-502(e)** — "Notice required under subsection (a) of this section shall be clear and conspicuous and shall include, at a minimum: (i) A toll-free number: (A) That the individual may use to contact the person collecting the data, or his agent; and (B) From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies. (ii) The types of personal identifying information that were or are reasonably believed to have been the subject of the breach; (iii) A general description of the breach incident; (iv) The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided; (v) In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches; (vi) Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports; (vii) Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided." *Wyo. Stat. § 40-12-502(e).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^breach-substitute-notice]: **Wyo. Stat. § 40-12-502(d)(iii)** — "Substitute notice, if the person demonstrates: (A) That the cost of providing notice would exceed ten thousand dollars ($10,000.00) for Wyoming-based persons or businesses, and two hundred fifty thousand dollars ($250,000.00) for all other businesses operating but not based in Wyoming; (B) That the affected class of subject persons to be notified exceeds ten thousand (10,000) for Wyoming-based persons or businesses and five hundred thousand (500,000) for all other businesses operating but not based in Wyoming; or (C) The person does not have sufficient contact information." *Wyo. Stat. § 40-12-502(d)(iii).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^breach-le-delay]: **Wyo. Stat. § 40-12-502(b)** — "The notification required by this section may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation." *Wyo. Stat. § 40-12-502(b).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^breach-hipaa-harbor]: **Wyo. Stat. § 40-12-502(h)** — "A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act, and the regulations promulgated under that act, 45 C.F.R. Parts 160 and 164, is deemed to be in compliance with this section if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of the Health Insurance Portability and Accountability Act and 45 C.F.R. Parts 160 and 164." *Wyo. Stat. § 40-12-502(h).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^breach-ag-enforcement]: **Wyo. Stat. § 40-12-502(f)** — "The attorney general may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law." *Wyo. Stat. § 40-12-502(f).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^wcpa-private-remedy]: **Wyo. Stat. § 40-12-108(a)** — "A person relying upon an uncured unlawful deceptive trade practice may bring an action under this act for the damages he has actually suffered as a consumer as a result of such unlawful deceptive trade practice." *Wyo. Stat. § 40-12-108(a).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^genetic-private-action]: **Wyo. Stat. § 35-32-104(a)-(b)** — "Any person violating the provisions of this chapter is guilty of a misdemeanor punishable by a fine of not more than one thousand dollars ($1,000.00) for each violation. (b) An individual whose rights have been violated under the provisions of this chapter may bring a civil action to enjoin or restrain any violation of this chapter and may in the same action seek damages from the person violating this chapter. Prior to filing an action under this subsection the individual shall give notice in writing to the alleged violator stating fully the nature of the alleged violation. The alleged violator shall have not more than sixty (60) days from the date notice is provided to cure any violation. If, after sixty (60) days the violation has not been cured, the individual may bring a civil action. A prevailing party in an action brought under this subsection may recover all costs and expenses reasonably associated with the action, including but not limited to reasonable attorney fees." *Wyo. Stat. § 35-32-104(a)-(b).* <https://wyoleg.gov/statutes/compress/title35.pdf>
+
+[^wcpa-cure-definition]: **Wyo. Stat. § 40-12-102(a)(ix)** — "‘Uncured unlawful deceptive trade practice’ means an unlawful deceptive trade practice as defined in W.S. 40-12-105: (A) With respect to which a consumer who has been damaged by the unlawful deceptive trade practice has given notice to the alleged violator pursuant to W.S. 40-12-109; and (B) Either: (I) No offer to cure has been made to such consumer within fifteen (15) days after such notice; or (II) The unlawful deceptive trade practice has not been cured as to such consumer within a reasonable time after his acceptance of the offer to cure." *Wyo. Stat. § 40-12-102(a)(ix).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^wcpa-class-action]: **Wyo. Stat. § 40-12-108(b)** — "Any person who is entitled to bring an action under subsection (a) of this section on his own behalf against an alleged violator of this act for damages for an unlawful deceptive trade practice may bring a class action against such person on behalf of any class of persons of which he is a member and which has been damaged by such unlawful deceptive trade practice, subject to and pursuant to the Wyoming Rules of Civil Procedure governing class actions, except as herein expressly provided. If the court determines that actual damages have been suffered by reason of the unlawful deceptive trade practice, the court shall award reasonable attorney's fees to the plaintiffs in a class action under this subsection, provided that such fees shall be determined by the amount of time reasonably expended by the attorney for the plaintiffs and not by the amount of the judgment." *Wyo. Stat. § 40-12-108(b).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^wcpa-injunction]: **Wyo. Stat. § 40-12-106** — "Whenever the enforcing authority has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any practice which is unlawful under W.S. 40-12-104 or 40-12-105, and that proceedings would be in the public interest, he may bring an action in the name of this state against such person to restrain by temporary restraining order or preliminary or permanent injunction the use of such practice. The action may be brought in the district court of the county in which the person resides or has his principal place of business or in the district court of Laramie county, Wyoming. The district court may issue temporary restraining orders, including ex parte temporary restraining orders, or preliminary or permanent injunctions, in accordance with the principles of equity, to restrain and prevent violations of this act. The court may make such additional orders or judgments as are necessary to compensate identifiable persons for actual damages or restoration of money or property, real or personal, which may have been acquired by means or any act or practice restrained." *Wyo. Stat. § 40-12-106.* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^wcpa-civil-penalty]: **Wyo. Stat. § 40-12-113(c)** — "Except as provided in W.S. 40-12-111, any person or agent or employee of the person, who willfully uses, or has willfully used, a method or act, in violation of this act, is liable for a civil penalty of not more than ten thousand dollars ($10,000.00) for each violation. Willful violations occur when the person knew or should have known that the person's conduct was unfair or deceptive." *Wyo. Stat. § 40-12-113(c).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^wcpa-elder-penalty]: **Wyo. Stat. § 40-12-111(b)** — "Any person who willfully uses, or has willfully used, a method, act or practice in violation of this act which victimizes or attempts to victimize an older person or a person with disabilities, and commits such violation when the person knew or should have known that the conduct was unfair or deceptive, shall make restitution or reimbursement to the older person or person with disabilities including reasonable attorney fees and costs, and, in addition, is liable for a civil penalty of up to fifteen thousand dollars ($15,000.00) for each violation recoverable by the office of the attorney general." *Wyo. Stat. § 40-12-111(b).* <https://wyoleg.gov/statutes/compress/title40.pdf>
+
+[^genetic-ag-penalty]: **Wyo. Stat. § 35-32-104(c)** — "The attorney general may bring an action in the name of the state or as parens patriae on behalf of consumers to enforce this chapter. In any action brought by the attorney general to enforce this chapter, a person found to have violated this chapter shall be subject to a civil penalty of two thousand five hundred dollars ($2,500.00) for each violation, the recovery of actual damages incurred by consumers on whose behalf the action was brought and costs and reasonable attorneys' fees incurred by the office of the attorney general." *Wyo. Stat. § 35-32-104(c).* <https://wyoleg.gov/statutes/compress/title35.pdf>