By Tom Still

MADISON, Wis. – State Rep. Shannon Zimmerman, the Republican Assembly member and software entrepreneur from western Wisconsin, tells a story that helps to explain why he’s interested in passing a state data privacy bill in this legislative session.

Zimmerman’s family owns a dog with the annoying habit of chewing up shoes, furniture and anything else within unwatched reach. After the dog recently tore into parts of the household, Zimmerman suggested to his wife it might be time to buy a dog crate for those unattended moments.

Her Facebook app was open at the time. The next thing to show up on Facebook was an advertisement for dog crates.

Coincidence? Perhaps, but it’s not the first time someone has reported ads showing up on devices only minutes after a product was mentioned.

The ever-evolving nature of the digital age has raised awareness of data privacy among consumers, industry leaders and policymakers, with the latter group engaged in debates that include legislatures in most states as well as the halls of Congress. It is not a black-and-white issue, however, which may help to explain why there is little action in the United States compared to other countries.

Congress edged closer to federal regulations on data privacy in late 2022, but movement stalled over provisions that would have pre-empted existing California law. The Golden State is one of five U.S. states to adopt a data privacy law so far, along with Utah, Colorado, Connecticut and Virginia.

The California law is generally viewed as the strictest of the bunch. It rests on principles of accountability, control and transparency, and is based on the European Union’s General Data Protection Regulation, or GDPR.  However, some critics say it is intrusive in its own ways.

Why is data privacy important? In addition to the ability of some modern devices to “listen in” and offer opportunities to buy a dog crate for Fido, people surrender lots of personal data and many worry about it. People routinely buy things online or sign up for services – telecom, medical, banking and social media, for example – or leave a trail of “cookie” crumbs simply by searching the internet.

The question is what happens when the information is collected for other uses, especially if it’s sold to others who may use it for legitimate market purposes … or for shady marketing, online or telephone scams or identity theft.

Zimmerman, who built and sold one software company and is helping to lead another, is far from a tech Luddite. He has served on some key Assembly committees, such as Information and Technology. He’s also aware of problems that stem from misuse of consumer data.

Zimmerman took part in a Wisconsin Technology Council panel discussion that included Epic Systems director Ladd Wiley (Epic does not sell data) and entrepreneur Nick Myers of Red Fox AI, a conversational artificial intelligence platform with applications in health care and beyond. There was no disagreement about the need for better data privacy regulation, although there was some talk about how best to accomplish it.

The state-by-state approach is viewed by some experts as dangerous for many businesses, especially small businesses, that don’t have the time or money to navigate competing laws across state lines. Going back several decades, a driver of digital commerce was that it was relatively untethered by regulations. That lack of regulation spawned creativity and innovation. Few people want that spirit of entrepreneurism to fade.

Then again, many people don’t want to wait for Congress to move beyond investigations and partisan “gotchas” to act on core issues. That is why lawmakers such as Zimmerman want to move on state legislation.

A bill he authored (AB-957) made it through the Assembly last session but must be reintroduced this year. It more resembles the Virginia law than the California regulations. Here is a link to the previous bill’s history:

The bill provided consumers with rights about their data and imposed obligations on businesses. It gave the Wisconsin Attorney General exclusive authority to enforce the act (meaning, no private rights of action) so long as the attorney general gave a 30-day written “notice to cure.”

Data privacy legislation is coming, one way or the other. The trick is finding a path that works for consumers without hurting businesses.

Still is president of the Wisconsin Technology Council. He can be reached at