Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

SF 568

2nd Engrossment - 83rd Legislature (2003 - 2004) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.

Bill Text Versions

Engrossments
Introduction Posted on 02/24/2003
1st Engrossment Posted on 04/14/2003
2nd Engrossment Posted on 05/08/2003

Current Version - 2nd Engrossment

  1.1                          A bill for an act 
  1.2             relating to data practices; classifying and regulating 
  1.3             the access to, use, release, and sharing of certain 
  1.4             government, financial, and consumer data, personal 
  1.5             information, social security numbers, and other data; 
  1.6             providing for award of attorney fees and other 
  1.7             remedies under certain conditions; amending Minnesota 
  1.8             Statutes 2002, sections 13.08, subdivision 4; 13.32, 
  1.9             subdivision 8, by adding a subdivision; 13.37, 
  1.10            subdivision 3; 13.43, by adding a subdivision; 13.46, 
  1.11            subdivision 7; 13.643, by adding a subdivision; 
  1.12            13.746, subdivision 3; 16C.06, by adding a 
  1.13            subdivision; 16C.10, subdivision 7; 144.335, by adding 
  1.14            a subdivision; 268.19, by adding a subdivision; 
  1.15            307.08, by adding a subdivision; 325M.01, subdivision 
  1.16            5; 325M.03; 325M.09; 349A.08, subdivision 9; 626.556, 
  1.17            by adding a subdivision; 626.557, subdivision 9a; 
  1.18            proposing coding for new law in Minnesota Statutes, 
  1.19            chapters 13; 325E; proposing coding for new law as 
  1.20            Minnesota Statutes, chapter 13E; repealing Minnesota 
  1.21            Statutes 2002, section 13.6401, subdivision 4; Laws 
  1.22            2001, First Special Session chapter 10, article 2, 
  1.23            section 40. 
  1.24  BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 
  1.25                             ARTICLE 1
  1.26                          GOVERNMENT DATA
  1.27     Section 1.  Minnesota Statutes 2002, section 13.08, 
  1.28  subdivision 4, is amended to read: 
  1.29     Subd. 4.  [ACTION TO COMPEL COMPLIANCE.] (a) In addition to 
  1.30  the remedies provided in subdivisions 1 to 3 or any other law, 
  1.31  any aggrieved person seeking to enforce the person's rights 
  1.32  under this chapter or obtain access to data may bring an action 
  1.33  in district court to compel compliance with this chapter and may 
  1.34  recover costs and disbursements, including reasonable attorney's 
  2.1   fees, as determined by the court.  If the court determines that 
  2.2   an action brought under this subdivision is frivolous and 
  2.3   without merit and a basis in fact, it may award reasonable costs 
  2.4   and attorney fees to the responsible authority.  If the court 
  2.5   issues an order to compel compliance under this subdivision, the 
  2.6   court may impose a civil penalty of up to $300 against the 
  2.7   government entity.  This penalty is payable to the state general 
  2.8   fund and is in addition to damages under subdivision 1.  The 
  2.9   matter shall be heard as soon as possible.  In an action 
  2.10  involving a request for government data under section 13.03 or 
  2.11  13.04, the court may inspect in camera the government data in 
  2.12  dispute, but shall conduct its hearing in public and in a manner 
  2.13  that protects the security of data classified as not public.  If 
  2.14  the court issues an order to compel compliance under this 
  2.15  subdivision, the court shall forward a copy of the order to the 
  2.16  commissioner of administration. 
  2.17     (b) In determining whether to assess a civil penalty under 
  2.18  this subdivision, the court shall consider whether the 
  2.19  government entity has substantially complied with general data 
  2.20  practices under this chapter, including but not limited to, 
  2.21  whether the government entity has:  
  2.22     (1) designated a responsible authority under section 13.02, 
  2.23  subdivision 16; 
  2.24     (2) designated a data practices compliance official under 
  2.25  section 13.05, subdivision 13; 
  2.26     (3) prepared the public document that names the responsible 
  2.27  authority and describes the records and data on individuals that 
  2.28  are maintained by the government entity under section 13.05, 
  2.29  subdivision 1; 
  2.30     (4) developed public access procedures under section 13.03, 
  2.31  subdivision 2; procedures to guarantee the rights of data 
  2.32  subjects under section 13.05, subdivision 8; and procedures to 
  2.33  ensure that data on individuals are accurate and complete and to 
  2.34  safeguard the data's security under section 13.05, subdivision 
  2.35  5; 
  2.36     (5) sought an oral, written, or electronic opinion from the 
  3.1   commissioner of administration related to the matter at issue 
  3.2   and acted in conformity with that opinion or acted in conformity 
  3.3   with an opinion issued under section 13.072 that was sought by 
  3.4   another person; or 
  3.5      (6) provided ongoing training to government entity 
  3.6   personnel who respond to requests under this chapter. 
  3.7      (c) The court shall award reasonable attorney fees to a 
  3.8   prevailing plaintiff who has brought an action under this 
  3.9   subdivision if the government entity that is the defendant in 
  3.10  the action was the subject of a written opinion issued under 
  3.11  section 13.072 and did not act in conformity with the opinion. 
  3.12     Sec. 2.  [13.15] [COMPUTER DATA.] 
  3.13     Subdivision 1.  [DEFINITIONS.] As used in this section, the 
  3.14  following terms have the meanings given. 
  3.15     (a)  [ELECTRONIC ACCESS DATA.] "Electronic access data" 
  3.16  means data created, collected, or maintained about a person's 
  3.17  access to a government entity's computer for the purpose of:  
  3.18     (1) gaining access to data or information; 
  3.19     (2) transferring data or information; or 
  3.20     (3) using government services. 
  3.21     (b)  [COOKIE.] "Cookie" means any data that a 
  3.22  government-operated computer electronically places on the 
  3.23  computer of a person who has gained access to a government 
  3.24  computer.  
  3.25     Subd. 2.  [CLASSIFICATION OF DATA.] Electronic access data 
  3.26  are private data on individuals or nonpublic data. 
  3.27     Subd. 3.  [NOTICE.] A government entity that creates, 
  3.28  collects, or maintains electronic access data or uses its 
  3.29  computer to install a cookie on a person's computer must inform 
  3.30  persons gaining access to the entity's computer of the creation, 
  3.31  collection, or maintenance of electronic access data or the 
  3.32  entity's use of cookies before requiring the person to provide 
  3.33  any data about the person to the government entity.  As part of 
  3.34  that notice, the government entity must inform the person how 
  3.35  the data will be used and disseminated, including the uses and 
  3.36  disseminations in subdivision 4. 
  4.1      Subd. 4.  [USE OF ELECTRONIC ACCESS DATA.] Electronic 
  4.2   access data may be disseminated: 
  4.3      (1) to the commissioner for the purpose of evaluating 
  4.4   electronic government services; 
  4.5      (2) to another government entity to prevent unlawful 
  4.6   intrusions into government electronic systems; or 
  4.7      (3) as otherwise provided by law. 
  4.8      Sec. 3.  Minnesota Statutes 2002, section 13.32, is amended 
  4.9   by adding a subdivision to read: 
  4.10     Subd. 4a.  [NONPUBLIC SCHOOL STUDENTS.] Data collected by a 
  4.11  public school on a child, or parents of a child, whose identity 
  4.12  must be reported pursuant to section 120A.24 is private data 
  4.13  which: 
  4.14     (1) shall not be designated directory information pursuant 
  4.15  to subdivision 5 unless prior written consent is given by the 
  4.16  child's parent or guardian; and 
  4.17     (2) may be disclosed only pursuant to subdivision 3, clause 
  4.18  (a), (b), (c), or (f).  This provision does not apply to 
  4.19  students who receive shared-time educational services from a 
  4.20  public agency or institution. 
  4.21     Sec. 4.  Minnesota Statutes 2002, section 13.32, 
  4.22  subdivision 8, is amended to read: 
  4.23     Subd. 8.  [ACCESS BY JUVENILE JUSTICE SYSTEM.] (a) Upon 
  4.24  request, the following education data shall be disclosed under 
  4.25  subdivision 3, clause (i), to the juvenile justice system:  a 
  4.26  student's full name, home address, telephone number, date of 
  4.27  birth; a student's school schedule, attendance record, and 
  4.28  photographs, if any; and parents' names, home addresses, and 
  4.29  telephone numbers.  Notwithstanding paragraphs (b) and (c), data 
  4.30  relating to the student's alleged involvement in an offense on 
  4.31  school property that would make the student subject to chapter 
  4.32  260B must also be disclosed upon request.  For purposes of this 
  4.33  subdivision, "school property" has the meaning given in section 
  4.34  609.66, subdivision 1d, paragraph (c), clause (4).  
  4.35     (b) In addition, the existence of the following data about 
  4.36  a student may be disclosed under subdivision 3, clause (i): 
  5.1      (1) use of a controlled substance, alcohol, or tobacco; 
  5.2      (2) assaultive or threatening conduct that could result in 
  5.3   dismissal from school under section 121A.45, subdivision 2, 
  5.4   clause (b) or (c); 
  5.5      (3) possession or use of weapons or look-alike weapons; 
  5.6      (4) theft; or 
  5.7      (5) vandalism or other damage to property. 
  5.8      Any request for access to data under this paragraph must 
  5.9   contain an explanation of why access to the data is necessary to 
  5.10  serve the student. 
  5.11     (c) A principal or chief administrative officer of a school 
  5.12  who receives a request to disclose information about a student 
  5.13  to the juvenile justice system under paragraph (b) shall, to the 
  5.14  extent permitted by federal law, notify the student's parent or 
  5.15  guardian by certified mail of the request to disclose 
  5.16  information before disclosing the information.  If the student's 
  5.17  parent or guardian notifies the principal or chief 
  5.18  administrative officer within ten days of receiving the 
  5.19  certified notice that the parent or guardian objects to the 
  5.20  disclosure, the principal or chief administrative officer must 
  5.21  not disclose the information.  The principal or chief 
  5.22  administrative officer must inform the requesting member of the 
  5.23  juvenile justice system of the objection. 
  5.24     (d) A principal or chief administrative officer is not 
  5.25  required to create data under this subdivision.  Information 
  5.26  provided in response to a data request under paragraph (b) shall 
  5.27  indicate only whether the data described in paragraph (b) 
  5.28  exist.  The principal or chief administrative officer is not 
  5.29  authorized under paragraph (b) to disclose the actual data or 
  5.30  other information contained in the student's education record.  
  5.31  A principal or chief administrative officer is not required to 
  5.32  provide data that are protected by court order.  A principal or 
  5.33  chief administrative officer must respond to a data request 
  5.34  within 14 days if no objection is received from the parent or 
  5.35  guardian. 
  5.36     (e) Nothing in this subdivision shall limit the disclosure 
  6.1   of educational data pursuant to court order. 
  6.2      (f) A school district, its agents, and employees who 
  6.3   provide data in good faith under this subdivision are not liable 
  6.4   for compensatory or exemplary damages or an award of attorney 
  6.5   fees in an action under section 13.08, or other law, or for a 
  6.6   penalty under section 13.09. 
  6.7      (g) Section 13.03, subdivision 4, applies to data that are 
  6.8   shared under this subdivision with a government entity.  If data 
  6.9   are shared with a member of the juvenile justice system who is 
  6.10  not a government entity, the person receiving the shared data 
  6.11  must treat the data consistent with the requirements of this 
  6.12  chapter applicable to a government entity.  
  6.13     (h) A member of the juvenile justice system who falsely 
  6.14  certifies a request for data under this section is subject to 
  6.15  the penalties under section 13.09. 
  6.16     Sec. 5.  [13.3215] [UNIVERSITY OF MINNESOTA DATA.] 
  6.17     Claims experience and all related information received from 
  6.18  carriers and claims administrators participating in a University 
  6.19  of Minnesota group health, dental, life, or disability insurance 
  6.20  plan or the University of Minnesota workers' compensation 
  6.21  program, and survey information collected from employees or 
  6.22  students participating in these plans and programs, are 
  6.23  nonpublic data.  The University of Minnesota may release the 
  6.24  data described in this section if it determines that the release 
  6.25  will not be detrimental to the plan or program. 
  6.26     Sec. 6.  Minnesota Statutes 2002, section 13.37, 
  6.27  subdivision 3, is amended to read: 
  6.28     Subd. 3.  [DATA DISSEMINATION.] Crime prevention block maps 
  6.29  and names, home addresses, and telephone numbers of volunteers 
  6.30  who participate in community crime prevention programs may be 
  6.31  disseminated to volunteers participating in crime prevention 
  6.32  programs.  The location of a National Night Out event is public 
  6.33  data. 
  6.34     Sec. 7.  Minnesota Statutes 2002, section 13.43, is amended 
  6.35  by adding a subdivision to read: 
  6.36     Subd. 17.  [EVALUATION DATA.] (a) Data submitted by an 
  7.1   employee to a government entity as part of an organized 
  7.2   self-evaluation effort by the government entity to obtain 
  7.3   suggestions from employees on ways to decrease costs, make 
  7.4   government more efficient, or improve the operation of 
  7.5   government are private data on individuals. 
  7.6      (b) Notwithstanding paragraph (a), an employee who is 
  7.7   identified in a suggestion has access to all data in the 
  7.8   suggestion except for data that identify the employee making the 
  7.9   suggestion. 
  7.10     Sec. 8.  Minnesota Statutes 2002, section 13.46, 
  7.11  subdivision 7, is amended to read: 
  7.12     Subd. 7.  [MENTAL HEALTH CENTER DATA.] (a) Mental health 
  7.13  data are private data on individuals and shall not be disclosed, 
  7.14  except:  
  7.15     (1) pursuant to section 13.05, as determined by the 
  7.16  responsible authority for the community mental health center, 
  7.17  mental health division, or provider; 
  7.18     (2) pursuant to court order; 
  7.19     (3) pursuant to a paragraph (c) or another statute 
  7.20  specifically authorizing access to or disclosure of mental 
  7.21  health data; or 
  7.22     (4) with the consent of the client or patient.  
  7.23     (b) An agency of the welfare system may not require an 
  7.24  individual to consent to the release of mental health data as a 
  7.25  condition for receiving services or for reimbursing a community 
  7.26  mental health center, mental health division of a county, or 
  7.27  provider under contract to deliver mental health services. 
  7.28     (c) County mental health services may share mental health 
  7.29  data with a police department crisis intervention team to 
  7.30  determine whether an individual that has been apprehended is a 
  7.31  client of the county and if so, the individual's physician, 
  7.32  therapist, or case manager. 
  7.33     Sec. 9.  [13.468] [DATA SHARING WITHIN COUNTIES.] 
  7.34     County welfare, human services, corrections, public health, 
  7.35  and veterans service units of a county may inform each other as 
  7.36  to whether an individual or family currently is being served by 
  8.1   the county unit, without the consent of the subject of the 
  8.2   data.  Data that may be shared are limited to the following:  
  8.3   the name, telephone number, and last known address of the data 
  8.4   subject; and the identification and contact information 
  8.5   regarding personnel of the county unit responsible for working 
  8.6   with the individual or family.  If further information is 
  8.7   necessary for the county unit to carry out its duties, each 
  8.8   county unit may share additional data if the unit is authorized 
  8.9   by state statute or federal law to do so or the individual gives 
  8.10  written, informed consent. 
  8.11     Sec. 10.  Minnesota Statutes 2002, section 13.643, is 
  8.12  amended by adding a subdivision to read: 
  8.13     Subd. 5.  [DATA RECEIVED FROM FEDERAL GOVERNMENT.] All data 
  8.14  received by the department of agriculture from the United States 
  8.15  Department of Health and Human Services, the Food and Drug 
  8.16  Administration, and the Agriculture, Food Safety, and Inspection 
  8.17  Service for the purpose of carrying out the department of 
  8.18  agriculture's statutory food safety regulatory and enforcement 
  8.19  duties are classified as nonpublic data under section 13.02, 
  8.20  subdivision 9, and private data on individuals under section 
  8.21  13.02, subdivision 12. 
  8.22     Sec. 11.  Minnesota Statutes 2002, section 13.746, 
  8.23  subdivision 3, is amended to read: 
  8.24     Subd. 3.  [STATE LOTTERY.] (a)  [ACCESS TO CRIMINAL DATA.] 
  8.25  The state lottery director's access to criminal history data on 
  8.26  certain persons is governed by sections 349A.06, subdivision 4, 
  8.27  and 349A.07, subdivision 2. 
  8.28     (b)  [LOTTERY PRIZE WINNERS.] Certain data on lottery prize 
  8.29  winners are classified under section 349A.08, subdivision 9.  
  8.30     (c)  [DIRECT MARKETING.] Data on individuals given to the 
  8.31  lottery for direct marketing purposes are classified in section 
  8.32  349A.08, subdivision 9.  
  8.33     Sec. 12.  Minnesota Statutes 2002, section 16C.06, is 
  8.34  amended by adding a subdivision to read: 
  8.35     Subd. 3a.  [INFORMATION IN BIDS AND PROPOSALS.] Data 
  8.36  relating to bids and proposals are governed by section 13.591. 
  9.1      Sec. 13.  Minnesota Statutes 2002, section 16C.10, 
  9.2   subdivision 7, is amended to read: 
  9.3      Subd. 7.  [REVERSE AUCTION.] (a) For the purpose of this 
  9.4   subdivision, "reverse auction" means a purchasing process in 
  9.5   which vendors compete to provide goods at the lowest selling 
  9.6   price in an open and interactive environment. 
  9.7      (b) The provisions of section sections 13.591, subdivision 
  9.8   3, and 16C.06, subdivisions subdivision 2 and 3, do not apply 
  9.9   when the commissioner determines that a reverse auction is the 
  9.10  appropriate purchasing process. 
  9.11     Sec. 14.  Minnesota Statutes 2002, section 144.335, is 
  9.12  amended by adding a subdivision to read: 
  9.13     Subd. 3d.  [RELEASE OF RECORDS TO COUNTY LOCAL WELFARE 
  9.14  AGENCY.] If a provider has been notified by a county local 
  9.15  welfare agency under section 626.556, subdivision 3d, the 
  9.16  provider must report to the agency the birth of a child to that 
  9.17  individual within 24 hours of the birth. 
  9.18     Sec. 15.  Minnesota Statutes 2002, section 268.19, is 
  9.19  amended by adding a subdivision to read: 
  9.20     Subd. 1a.  [WAGE DETAIL DATA.] (a) Wage and employment data 
  9.21  gathered pursuant to section 268.044 may be disseminated to and 
  9.22  used, without the consent of the subject of the data, by an 
  9.23  agency of another state that is designated as the performance 
  9.24  accountability and consumer information agency for that state 
  9.25  pursuant to Code of Federal Regulations, volume 20, part 
  9.26  663.510(c), in order to carry out the requirements of the 
  9.27  Workforce Investment Act of 1998, United States Code, title 29, 
  9.28  sections 2842 and 2871. 
  9.29     (b) The commissioner may enter into a data exchange 
  9.30  agreement with an employment and training service provider under 
  9.31  section 116L.17, or the Workforce Investment Act of 1998, United 
  9.32  States Code, title 29, section 2864, under which the 
  9.33  commissioner, with the consent of the subject of the data, may 
  9.34  furnish data on the quarterly wages paid and number of hours 
  9.35  worked on those individuals who have received employment and 
  9.36  training services from the provider.  With the initial consent 
 10.1   of the subject of the data, this data may be shared for up to 
 10.2   three years after termination of the employment and training 
 10.3   services provided to the individual without execution of an 
 10.4   additional consent.  This data shall be furnished solely for the 
 10.5   purpose of evaluating the employment and training services 
 10.6   provided. 
 10.7      Sec. 16.  Minnesota Statutes 2002, section 307.08, is 
 10.8   amended by adding a subdivision to read: 
 10.9      Subd. 11.  [BURIAL SITES DATA.] Burial sites locational and 
 10.10  related data maintained by the office of the state archaeologist 
 10.11  and accessible through the office's "Unplatted Burial Sites and 
 10.12  Earthworks in Minnesota" Web site are security information for 
 10.13  purposes of section 13.37.  Persons who gain access to the data 
 10.14  maintained on the site are subject to liability under section 
 10.15  13.08 and the penalty established by section 13.09 if they 
 10.16  improperly use or further disseminate the data. 
 10.17     Sec. 17.  Minnesota Statutes 2002, section 349A.08, 
 10.18  subdivision 9, is amended to read: 
 10.19     Subd. 9.  [PRIVACY.] (a) The phone number and street 
 10.20  address of a winner of a lottery prize is private data on 
 10.21  individuals under chapter 13. 
 10.22     (b) Data on an individual, including name, physical and 
 10.23  electronic address, and telephone number, that are given to the 
 10.24  lottery for direct marketing purposes are private data on 
 10.25  individuals as defined in section 13.02.  
 10.26     Sec. 18.  Minnesota Statutes 2002, section 626.556, is 
 10.27  amended by adding a subdivision to read: 
 10.28     Subd. 3d.  [REPORT TO PROTECT SAFETY OF AT-RISK 
 10.29  NEWBORNS.] If a county local welfare agency determines that a 
 10.30  child born to an individual would be subjected to a threatened 
 10.31  injury while in the care of that individual, the agency may 
 10.32  disclose private data on the individual to providers for the 
 10.33  purpose of requesting notification of the birth of a child to 
 10.34  the individual.  For purposes of this subdivision, "provider" 
 10.35  has the meaning given in section 144.335, subdivision 1. 
 10.36     Sec. 19.  Minnesota Statutes 2002, section 626.557, 
 11.1   subdivision 9a, is amended to read: 
 11.2      Subd. 9a.  [EVALUATION AND REFERRAL OF REPORTS MADE TO A 
 11.3   COMMON ENTRY POINT UNIT.] The common entry point must screen the 
 11.4   reports of alleged or suspected maltreatment for immediate risk 
 11.5   and make all necessary referrals as follows: 
 11.6      (1) if the common entry point determines that there is an 
 11.7   immediate need for adult protective services, the common entry 
 11.8   point agency shall immediately notify the appropriate county 
 11.9   agency; 
 11.10     (2) if the report contains suspected criminal activity 
 11.11  against a vulnerable adult, the common entry point shall 
 11.12  immediately notify the appropriate law enforcement agency; 
 11.13     (3) if the report references alleged or suspected 
 11.14  maltreatment and there is no immediate need for adult protective 
 11.15  services, the common entry point shall notify the appropriate 
 11.16  lead agency as soon as possible, but in any event no longer than 
 11.17  two working days; 
 11.18     (4) if the report does not reference alleged or suspected 
 11.19  maltreatment, the common entry point may determine whether the 
 11.20  information will be referred; and 
 11.21     (5) if the report contains information about a suspicious 
 11.22  death, the common entry point shall immediately notify the 
 11.23  appropriate law enforcement agencies, the local medical 
 11.24  examiner, and the ombudsman established under section 245.92.  
 11.25  Law enforcement agencies shall coordinate with the local medical 
 11.26  examiner and the ombudsman as provided by law. 
 11.27     Sec. 20.  [REPEALER.] 
 11.28     Minnesota Statutes 2002, section 13.6401, subdivision 4; 
 11.29  Laws 2001, First Special Session chapter 10, article 2, section 
 11.30  40, are repealed. 
 11.31     Sec. 21.  [EFFECTIVE DATE.] 
 11.32     Sections 11 and 17 are effective the day following final 
 11.33  enactment. 
 11.34                             ARTICLE 2
 11.35                         FINANCIAL PRIVACY
 11.36     Section 1.  [13E.01] [DEFINITIONS.] 
 12.1      For purposes of this chapter, the terms "consumer," 
 12.2   "financial institution," "nonaffiliated third party," "nonpublic 
 12.3   personal information," and "joint agreement" have the meanings 
 12.4   given in section 509 of the Gramm-Leach-Bliley Financial 
 12.5   Services Modernization Act, codified as United States Code, 
 12.6   title 15, section 6809, including any federal regulations 
 12.7   implementing that section. 
 12.8      Sec. 2.  [13E.02] [PRIVACY OF FINANCIAL DATA.] 
 12.9      Except as required by sections 13E.03 to 13E.05, which 
 12.10  afford greater protection to consumers, every financial 
 12.11  institution doing business in this state shall comply with 
 12.12  sections 502 and 503 of the Gramm-Leach-Bliley Financial 
 12.13  Services Modernization Act, codified as United States Code, 
 12.14  title 15, sections 6802 and 6803 respectively, including any 
 12.15  federal regulations issued under authority of section 504 of the 
 12.16  act, codified as United States Code, title 15, section 6804. 
 12.17     Sec. 3.  [13E.03] [DUTY OF CONFIDENTIALITY.] 
 12.18     A financial institution doing business in this state shall 
 12.19  not disclose nonpublic personal information about a consumer to 
 12.20  any nonaffiliated third party unless the disclosure is made in 
 12.21  accordance with any of the following: 
 12.22     (1) pursuant to affirmative consent granted by the consumer 
 12.23  in accordance with this chapter; 
 12.24     (2) pursuant to the exception in section 502(b)(2) of the 
 12.25  Gramm-Leach-Bliley Financial Services Modernization Act, 
 12.26  codified as United States Code, title 15, section 6802(b)(2), 
 12.27  including any federal regulations issued to implement that 
 12.28  section; or 
 12.29     (3) pursuant to an exception in section 502(e) of the 
 12.30  Gramm-Leach-Bliley Financial Services Modernization Act, 
 12.31  codified as United States Code, title 15, section 6802(e), 
 12.32  including any federal regulations issued to implement that 
 12.33  section. 
 12.34     Sec. 4.  [13E.04] [AFFIRMATIVE CONSENT.] 
 12.35     Subdivision 1.  [USE.] Affirmative consent must not be 
 12.36  required as a condition of doing business with any financial 
 13.1   institution.  Any affirmative consent obtained from a consumer 
 13.2   as a condition of doing business with a financial institution 
 13.3   shall not be effective for purposes of this chapter. 
 13.4      Subd. 2.  [FORM.] Affirmative consent as required by this 
 13.5   chapter must be in writing and signed by the consumer.  The 
 13.6   affirmative consent form signed by the consumer must be 
 13.7   contained on a separate page that also clearly and conspicuously 
 13.8   discloses the following: 
 13.9      (1) the time during which the consent will operate, which 
 13.10  must not be longer than five years; 
 13.11     (2) each category of nonpublic personal information to be 
 13.12  disclosed, including, but not limited to, the consumer's social 
 13.13  security number, account numbers, account balances, credit 
 13.14  limits, the amount or date of any transaction, the identity of 
 13.15  persons to whom the consumer's checks are made payable, and the 
 13.16  identity of merchants or other persons honoring the consumer's 
 13.17  credit cards; and 
 13.18     (3) the type of nonaffiliated third parties to whom 
 13.19  disclosure may be made. 
 13.20     Sec. 5.  [13E.05] [ACCESS TO AND CORRECTION OF NONPUBLIC 
 13.21  PERSONAL INFORMATION.] 
 13.22     Subdivision 1.  [ACCESS AND CORRECTION.] If a consumer 
 13.23  submits a written request to a financial institution for access 
 13.24  to nonpublic personal information held by the financial 
 13.25  institution about the consumer, within 30 business days from the 
 13.26  date the request is received, the financial institution shall: 
 13.27     (1) provide to the consumer in person, by regular mail, or 
 13.28  by electronic mail a copy of all such nonpublic personal 
 13.29  information, or a reasonably described portion of the 
 13.30  information, whichever the consumer requests; and 
 13.31     (2) provide to the consumer a summary of the procedures by 
 13.32  which the consumer may request correction, amendment, or 
 13.33  deletion of nonpublic personal information. 
 13.34  If any nonpublic personal information is in coded or electronic 
 13.35  form, an accurate translation in hard copy must be provided. 
 13.36     Subd. 2.  [REASONABLE FEE.] A financial institution may 
 14.1   charge a reasonable fee to copy nonpublic personal information 
 14.2   provided under this section, provided the fee is clearly and 
 14.3   conspicuously disclosed to the consumer.  A financial 
 14.4   institution may not charge for inspection of nonpublic personal 
 14.5   information by the consumer. 
 14.6      Sec. 6.  [13E.06] [REMEDIES.] 
 14.7      The public and private remedies available under section 
 14.8   8.31 apply to this chapter. 
 14.9      Sec. 7.  [13E.07] [OTHER LAW.] 
 14.10     This chapter does not limit any rights or remedies 
 14.11  protecting the privacy of information that are available under 
 14.12  other law. 
 14.13     Sec. 8.  [EFFECTIVE DATE.] 
 14.14     This article is effective July 1, 2004. 
 14.15                             ARTICLE 3
 14.16                          INTERNET PRIVACY
 14.17     Section 1.  Minnesota Statutes 2002, section 325M.01, 
 14.18  subdivision 5, is amended to read: 
 14.19     Subd. 5.  [PERSONALLY IDENTIFIABLE INFORMATION.] (a) 
 14.20  "Personally identifiable information" means information that 
 14.21  identifies: 
 14.22     (1) a consumer by physical or electronic address or 
 14.23  telephone number; 
 14.24     (2) a consumer as having requested or obtained specific 
 14.25  materials or services from an Internet service provider; 
 14.26     (3) Internet or online sites visited by a consumer; or 
 14.27     (4) any of the contents of a consumer's data-storage 
 14.28  devices. 
 14.29     (b) Personally identifiable information does not include: 
 14.30     (1) information that is in aggregate or summary form from 
 14.31  which the identity of an individual consumer is not 
 14.32  ascertainable; or 
 14.33     (2) information from which all information identifying a 
 14.34  consumer has been removed and that cannot be combined with other 
 14.35  information to identify the consumer. 
 14.36     Sec. 2.  Minnesota Statutes 2002, section 325M.03, is 
 15.1   amended to read: 
 15.2      325M.03 [WHEN DISCLOSURE OF PERSONAL INFORMATION REQUIRED.] 
 15.3      (a) An Internet service provider shall disclose personally 
 15.4   identifiable information concerning a consumer: 
 15.5      (1) pursuant to a grand jury subpoena; 
 15.6      (2) to an investigative or law enforcement officer as 
 15.7   defined in section 626A.01, subdivision 7, while acting as 
 15.8   authorized by law; 
 15.9      (3) pursuant to a court order in a civil proceeding upon a 
 15.10  showing of compelling need for the information that cannot be 
 15.11  accommodated by other means; 
 15.12     (4) to a court in a civil action for conversion commenced 
 15.13  by the Internet service provider or in a civil action to enforce 
 15.14  collection of unpaid subscription fees or purchase amounts, and 
 15.15  then only to the extent necessary to establish the fact of the 
 15.16  subscription delinquency or purchase agreement, and with 
 15.17  appropriate safeguards against unauthorized disclosure; 
 15.18     (5) to the consumer who is the subject of the information, 
 15.19  upon written or electronic request, reasonable authentication of 
 15.20  the consumer's identity, and upon payment of a fee not to exceed 
 15.21  the actual cost of retrieving the information; 
 15.22     (6) pursuant to subpoena, including an administrative 
 15.23  subpoena, issued under authority of a law of this state or 
 15.24  another state or the United States; or 
 15.25     (7) pursuant to a warrant or court order; or 
 15.26     (8) as required by United States Code, title 42, section 
 15.27  13032. 
 15.28     (b) This section does not require an Internet service 
 15.29  provider to create or retrieve information in a format in which 
 15.30  it is not maintained by the Internet service provider at the 
 15.31  time of the request for disclosure.  This section does not 
 15.32  require an Internet service provider to establish or maintain a 
 15.33  system for retrieval of personally identifiable information that 
 15.34  is retained and temporarily stored, used only for system backup 
 15.35  or other technical purposes, and not disclosed to a third party. 
 15.36     Sec. 3.  Minnesota Statutes 2002, section 325M.09, is 
 16.1   amended to read: 
 16.2      325M.09 [APPLICATION.] 
 16.3      This chapter applies to Internet service providers in the 
 16.4   provision of services to consumers in this state.  This chapter 
 16.5   does not apply to activities of an Internet service provider 
 16.6   that are not related to the provision of Internet service 
 16.7   provider services and are regulated by other law in a manner 
 16.8   that is inconsistent with this chapter.  To the extent that a 
 16.9   service other than the provision of Internet services is subject 
 16.10  to other law that is inconsistent with this chapter, the other 
 16.11  law controls.  
 16.12     Sec. 4.  [EFFECTIVE DATE.] 
 16.13     Sections 1 to 3 are effective retroactive to March 1, 2003. 
 16.14                             ARTICLE 4
 16.15                      SOCIAL SECURITY NUMBERS
 16.16     Section 1.  [325E.59] [USE OF SOCIAL SECURITY NUMBERS.] 
 16.17     Subdivision 1.  [GENERALLY.] (a) A person or entity, not 
 16.18  including a government entity, may not do any of the following: 
 16.19     (1) publicly post or publicly display in any manner an 
 16.20  individual's social security number.  "Publicly post" or 
 16.21  "publicly display" means to intentionally communicate or 
 16.22  otherwise make available to the general public; 
 16.23     (2) print an individual's social security number on any 
 16.24  card required for the individual to access products or services 
 16.25  provided by the person or entity; 
 16.26     (3) require an individual to transmit the individual's 
 16.27  social security number over the Internet, unless the connection 
 16.28  is secure or the social security number is encrypted; 
 16.29     (4) require an individual to use the individual's social 
 16.30  security number to access an Internet Web site, unless a 
 16.31  password or unique personal identification number or other 
 16.32  authentication device is also required to access the Internet 
 16.33  Web site; or 
 16.34     (5) print a number that the person or entity knows to be an 
 16.35  individual's social security number on any materials that are 
 16.36  mailed to the individual, unless state or federal law requires 
 17.1   the social security number to be on the document to be mailed.  
 17.2   If, in connection with a transaction involving or otherwise 
 17.3   relating to an individual, a person or entity receives a number 
 17.4   from a third party, that person or entity is under no duty to 
 17.5   inquire or otherwise determine whether the number is or includes 
 17.6   that individual's social security number and may print that 
 17.7   number on materials mailed to the individual, unless the person 
 17.8   or entity receiving the number has actual knowledge that the 
 17.9   number is or includes the individual's social security number. 
 17.10     (b) Notwithstanding paragraph (a), social security numbers 
 17.11  may be included in applications and forms sent by mail, 
 17.12  including school transcripts; or documents sent as part of an 
 17.13  application or enrollment process; to establish, amend, or 
 17.14  terminate an account, contract, or policy; or to confirm the 
 17.15  accuracy of the social security number.  Nothing in this 
 17.16  paragraph authorizes inclusion of a social security number on 
 17.17  the outside of a mailing. 
 17.18     (c) Except as provided in subdivision 2, this section 
 17.19  applies only to the use of social security numbers on or after 
 17.20  July 1, 2005. 
 17.21     Subd. 2.  [CONTINUATION OF PRIOR USE.] (a) A person or 
 17.22  entity, not including a government entity, that has used, prior 
 17.23  to July 1, 2005, an individual's social security number in a 
 17.24  manner inconsistent with subdivision 1, may continue using that 
 17.25  individual's social security number in that manner on or after 
 17.26  July 1, 2005, if all of the conditions in this subdivision are 
 17.27  met.  
 17.28     (b) The use of the social security number must be 
 17.29  continuous.  If the use is stopped for any reason, subdivision 1 
 17.30  applies. 
 17.31     (c) The individual must be provided an annual disclosure, 
 17.32  commencing in 2005, that informs the individual that the 
 17.33  individual has the right to stop the use of the individual's 
 17.34  social security number in a manner prohibited by subdivision 1. 
 17.35     (d) A written request by an individual to stop the use of 
 17.36  the individual's social security number in a manner prohibited 
 18.1   by subdivision 1 must be implemented within 30 days of receipt 
 18.2   of the request.  A fee may not be charged for implementing the 
 18.3   request. 
 18.4      (e) A person or entity, not including a government entity, 
 18.5   must not deny services to an individual because the individual 
 18.6   makes a written request pursuant to this subdivision. 
 18.7      Subd. 3.  [COORDINATION WITH OTHER LAW.] This section does 
 18.8   not prevent the collection, use, or release of a social security 
 18.9   number as required by state or federal law or the use of a 
 18.10  social security number for internal verification or 
 18.11  administrative purposes. 
 18.12     Subd. 4.  [PUBLIC RECORDS.] This section does not apply to 
 18.13  documents that are recorded or required to be open to the public 
 18.14  under chapter 13 or other law. 
 18.15     Subd. 5.  [DEFINITIONS.] For purposes of this section, 
 18.16  "government entity" has the meaning given in section 13.02, 
 18.17  subdivision 7a, but does not include the Minnesota state 
 18.18  colleges and universities or the University of Minnesota. 
 18.19     Sec. 2.  [EFFECTIVE DATE.] 
 18.20     Section 1 is effective July 1, 2005.