2nd Engrossment - 83rd Legislature (2003 - 2004) Posted on 12/15/2009 12:00am
Engrossments | ||
---|---|---|
Introduction | Posted on 02/24/2003 | |
1st Engrossment | Posted on 04/14/2003 | |
2nd Engrossment | Posted on 05/08/2003 |
1.1 A bill for an act 1.2 relating to data practices; classifying and regulating 1.3 the access to, use, release, and sharing of certain 1.4 government, financial, and consumer data, personal 1.5 information, social security numbers, and other data; 1.6 providing for award of attorney fees and other 1.7 remedies under certain conditions; amending Minnesota 1.8 Statutes 2002, sections 13.08, subdivision 4; 13.32, 1.9 subdivision 8, by adding a subdivision; 13.37, 1.10 subdivision 3; 13.43, by adding a subdivision; 13.46, 1.11 subdivision 7; 13.643, by adding a subdivision; 1.12 13.746, subdivision 3; 16C.06, by adding a 1.13 subdivision; 16C.10, subdivision 7; 144.335, by adding 1.14 a subdivision; 268.19, by adding a subdivision; 1.15 307.08, by adding a subdivision; 325M.01, subdivision 1.16 5; 325M.03; 325M.09; 349A.08, subdivision 9; 626.556, 1.17 by adding a subdivision; 626.557, subdivision 9a; 1.18 proposing coding for new law in Minnesota Statutes, 1.19 chapters 13; 325E; proposing coding for new law as 1.20 Minnesota Statutes, chapter 13E; repealing Minnesota 1.21 Statutes 2002, section 13.6401, subdivision 4; Laws 1.22 2001, First Special Session chapter 10, article 2, 1.23 section 40. 1.24 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 1.25 ARTICLE 1 1.26 GOVERNMENT DATA 1.27 Section 1. Minnesota Statutes 2002, section 13.08, 1.28 subdivision 4, is amended to read: 1.29 Subd. 4. [ACTION TO COMPEL COMPLIANCE.] (a) In addition to 1.30 the remedies provided in subdivisions 1 to 3 or any other law, 1.31 any aggrieved person seeking to enforce the person's rights 1.32 under this chapter or obtain access to data may bring an action 1.33 in district court to compel compliance with this chapter and may 1.34 recover costs and disbursements, including reasonable attorney's 2.1 fees, as determined by the court. If the court determines that 2.2 an action brought under this subdivision is frivolous and 2.3 without merit and a basis in fact, it may award reasonable costs 2.4 and attorney fees to the responsible authority. If the court 2.5 issues an order to compel compliance under this subdivision, the 2.6 court may impose a civil penalty of up to $300 against the 2.7 government entity. This penalty is payable to the state general 2.8 fund and is in addition to damages under subdivision 1. The 2.9 matter shall be heard as soon as possible. In an action 2.10 involving a request for government data under section 13.03 or 2.11 13.04, the court may inspect in camera the government data in 2.12 dispute, but shall conduct its hearing in public and in a manner 2.13 that protects the security of data classified as not public. If 2.14 the court issues an order to compel compliance under this 2.15 subdivision, the court shall forward a copy of the order to the 2.16 commissioner of administration. 2.17 (b) In determining whether to assess a civil penalty under 2.18 this subdivision, the court shall consider whether the 2.19 government entity has substantially complied with general data 2.20 practices under this chapter, including but not limited to, 2.21 whether the government entity has: 2.22 (1) designated a responsible authority under section 13.02, 2.23 subdivision 16; 2.24 (2) designated a data practices compliance official under 2.25 section 13.05, subdivision 13; 2.26 (3) prepared the public document that names the responsible 2.27 authority and describes the records and data on individuals that 2.28 are maintained by the government entity under section 13.05, 2.29 subdivision 1; 2.30 (4) developed public access procedures under section 13.03, 2.31 subdivision 2; procedures to guarantee the rights of data 2.32 subjects under section 13.05, subdivision 8; and procedures to 2.33 ensure that data on individuals are accurate and complete and to 2.34 safeguard the data's security under section 13.05, subdivision 2.35 5; 2.36 (5) sought an oral, written, or electronic opinion from the 3.1 commissioner of administration related to the matter at issue 3.2 and acted in conformity with that opinion or acted in conformity 3.3 with an opinion issued under section 13.072 that was sought by 3.4 another person; or 3.5 (6) provided ongoing training to government entity 3.6 personnel who respond to requests under this chapter. 3.7 (c) The court shall award reasonable attorney fees to a 3.8 prevailing plaintiff who has brought an action under this 3.9 subdivision if the government entity that is the defendant in 3.10 the action was the subject of a written opinion issued under 3.11 section 13.072 and did not act in conformity with the opinion. 3.12 Sec. 2. [13.15] [COMPUTER DATA.] 3.13 Subdivision 1. [DEFINITIONS.] As used in this section, the 3.14 following terms have the meanings given. 3.15 (a) [ELECTRONIC ACCESS DATA.] "Electronic access data" 3.16 means data created, collected, or maintained about a person's 3.17 access to a government entity's computer for the purpose of: 3.18 (1) gaining access to data or information; 3.19 (2) transferring data or information; or 3.20 (3) using government services. 3.21 (b) [COOKIE.] "Cookie" means any data that a 3.22 government-operated computer electronically places on the 3.23 computer of a person who has gained access to a government 3.24 computer. 3.25 Subd. 2. [CLASSIFICATION OF DATA.] Electronic access data 3.26 are private data on individuals or nonpublic data. 3.27 Subd. 3. [NOTICE.] A government entity that creates, 3.28 collects, or maintains electronic access data or uses its 3.29 computer to install a cookie on a person's computer must inform 3.30 persons gaining access to the entity's computer of the creation, 3.31 collection, or maintenance of electronic access data or the 3.32 entity's use of cookies before requiring the person to provide 3.33 any data about the person to the government entity. As part of 3.34 that notice, the government entity must inform the person how 3.35 the data will be used and disseminated, including the uses and 3.36 disseminations in subdivision 4. 4.1 Subd. 4. [USE OF ELECTRONIC ACCESS DATA.] Electronic 4.2 access data may be disseminated: 4.3 (1) to the commissioner for the purpose of evaluating 4.4 electronic government services; 4.5 (2) to another government entity to prevent unlawful 4.6 intrusions into government electronic systems; or 4.7 (3) as otherwise provided by law. 4.8 Sec. 3. Minnesota Statutes 2002, section 13.32, is amended 4.9 by adding a subdivision to read: 4.10 Subd. 4a. [NONPUBLIC SCHOOL STUDENTS.] Data collected by a 4.11 public school on a child, or parents of a child, whose identity 4.12 must be reported pursuant to section 120A.24 is private data 4.13 which: 4.14 (1) shall not be designated directory information pursuant 4.15 to subdivision 5 unless prior written consent is given by the 4.16 child's parent or guardian; and 4.17 (2) may be disclosed only pursuant to subdivision 3, clause 4.18 (a), (b), (c), or (f). This provision does not apply to 4.19 students who receive shared-time educational services from a 4.20 public agency or institution. 4.21 Sec. 4. Minnesota Statutes 2002, section 13.32, 4.22 subdivision 8, is amended to read: 4.23 Subd. 8. [ACCESS BY JUVENILE JUSTICE SYSTEM.] (a) Upon 4.24 request, the following education data shall be disclosed under 4.25 subdivision 3, clause (i), to the juvenile justice system: a 4.26 student's full name, home address, telephone number, date of 4.27 birth; a student's school schedule, attendance record,and4.28 photographs, if any; and parents' names, home addresses, and 4.29 telephone numbers. Notwithstanding paragraphs (b) and (c), data 4.30 relating to the student's alleged involvement in an offense on 4.31 school property that would make the student subject to chapter 4.32 260B must also be disclosed upon request. For purposes of this 4.33 subdivision, "school property" has the meaning given in section 4.34 609.66, subdivision 1d, paragraph (c), clause (4). 4.35 (b) In addition, the existence of the following data about 4.36 a student may be disclosed under subdivision 3, clause (i): 5.1 (1) use of a controlled substance, alcohol, or tobacco; 5.2 (2) assaultive or threatening conduct that could result in 5.3 dismissal from school under section 121A.45, subdivision 2, 5.4 clause (b) or (c); 5.5 (3) possession or use of weapons or look-alike weapons; 5.6 (4) theft; or 5.7 (5) vandalism or other damage to property. 5.8 Any request for access to data under this paragraph must 5.9 contain an explanation of why access to the data is necessary to 5.10 serve the student. 5.11 (c) A principal or chief administrative officer of a school 5.12 who receives a request to disclose information about a student 5.13 to the juvenile justice system under paragraph (b) shall, to the 5.14 extent permitted by federal law, notify the student's parent or 5.15 guardian by certified mail of the request to disclose 5.16 information before disclosing the information. If the student's 5.17 parent or guardian notifies the principal or chief 5.18 administrative officer within ten days of receiving the 5.19 certified notice that the parent or guardian objects to the 5.20 disclosure, the principal or chief administrative officer must 5.21 not disclose the information. The principal or chief 5.22 administrative officer must inform the requesting member of the 5.23 juvenile justice system of the objection. 5.24 (d) A principal or chief administrative officer is not 5.25 required to create data under this subdivision. Information 5.26 provided in response to a data request under paragraph (b) shall 5.27 indicate only whether the data described in paragraph (b) 5.28 exist. The principal or chief administrative officer is not 5.29 authorized under paragraph (b) to disclose the actual data or 5.30 other information contained in the student's education record. 5.31 A principal or chief administrative officer is not required to 5.32 provide data that are protected by court order. A principal or 5.33 chief administrative officer must respond to a data request 5.34 within 14 days if no objection is received from the parent or 5.35 guardian. 5.36 (e) Nothing in this subdivision shall limit the disclosure 6.1 of educational data pursuant to court order. 6.2 (f) A school district, its agents, and employees who 6.3 provide data in good faith under this subdivision are not liable 6.4 for compensatory or exemplary damages or an award of attorney 6.5 fees in an action under section 13.08, or other law, or for a 6.6 penalty under section 13.09. 6.7 (g) Section 13.03, subdivision 4, applies to data that are 6.8 shared under this subdivision with a government entity. If data 6.9 are shared with a member of the juvenile justice system who is 6.10 not a government entity, the person receiving the shared data 6.11 must treat the data consistent with the requirements of this 6.12 chapter applicable to a government entity. 6.13 (h) A member of the juvenile justice system who falsely 6.14 certifies a request for data under this section is subject to 6.15 the penalties under section 13.09. 6.16 Sec. 5. [13.3215] [UNIVERSITY OF MINNESOTA DATA.] 6.17 Claims experience and all related information received from 6.18 carriers and claims administrators participating in a University 6.19 of Minnesota group health, dental, life, or disability insurance 6.20 plan or the University of Minnesota workers' compensation 6.21 program, and survey information collected from employees or 6.22 students participating in these plans and programs, are 6.23 nonpublic data. The University of Minnesota may release the 6.24 data described in this section if it determines that the release 6.25 will not be detrimental to the plan or program. 6.26 Sec. 6. Minnesota Statutes 2002, section 13.37, 6.27 subdivision 3, is amended to read: 6.28 Subd. 3. [DATA DISSEMINATION.] Crime prevention block maps 6.29 and names, home addresses, and telephone numbers of volunteers 6.30 who participate in community crime prevention programs may be 6.31 disseminated to volunteers participating in crime prevention 6.32 programs. The location of a National Night Out event is public 6.33 data. 6.34 Sec. 7. Minnesota Statutes 2002, section 13.43, is amended 6.35 by adding a subdivision to read: 6.36 Subd. 17. [EVALUATION DATA.] (a) Data submitted by an 7.1 employee to a government entity as part of an organized 7.2 self-evaluation effort by the government entity to obtain 7.3 suggestions from employees on ways to decrease costs, make 7.4 government more efficient, or improve the operation of 7.5 government are private data on individuals. 7.6 (b) Notwithstanding paragraph (a), an employee who is 7.7 identified in a suggestion has access to all data in the 7.8 suggestion except for data that identify the employee making the 7.9 suggestion. 7.10 Sec. 8. Minnesota Statutes 2002, section 13.46, 7.11 subdivision 7, is amended to read: 7.12 Subd. 7. [MENTAL HEALTH CENTER DATA.] (a) Mental health 7.13 data are private data on individuals and shall not be disclosed, 7.14 except: 7.15 (1) pursuant to section 13.05, as determined by the 7.16 responsible authority for the community mental health center, 7.17 mental health division, or provider; 7.18 (2) pursuant to court order; 7.19 (3) pursuant toaparagraph (c) or another statute 7.20 specifically authorizing access to or disclosure of mental 7.21 health data; or 7.22 (4) with the consent of the client or patient. 7.23 (b) An agency of the welfare system may not require an 7.24 individual to consent to the release of mental health data as a 7.25 condition for receiving services or for reimbursing a community 7.26 mental health center, mental health division of a county, or 7.27 provider under contract to deliver mental health services. 7.28 (c) County mental health services may share mental health 7.29 data with a police department crisis intervention team to 7.30 determine whether an individual that has been apprehended is a 7.31 client of the county and if so, the individual's physician, 7.32 therapist, or case manager. 7.33 Sec. 9. [13.468] [DATA SHARING WITHIN COUNTIES.] 7.34 County welfare, human services, corrections, public health, 7.35 and veterans service units of a county may inform each other as 7.36 to whether an individual or family currently is being served by 8.1 the county unit, without the consent of the subject of the 8.2 data. Data that may be shared are limited to the following: 8.3 the name, telephone number, and last known address of the data 8.4 subject; and the identification and contact information 8.5 regarding personnel of the county unit responsible for working 8.6 with the individual or family. If further information is 8.7 necessary for the county unit to carry out its duties, each 8.8 county unit may share additional data if the unit is authorized 8.9 by state statute or federal law to do so or the individual gives 8.10 written, informed consent. 8.11 Sec. 10. Minnesota Statutes 2002, section 13.643, is 8.12 amended by adding a subdivision to read: 8.13 Subd. 5. [DATA RECEIVED FROM FEDERAL GOVERNMENT.] All data 8.14 received by the department of agriculture from the United States 8.15 Department of Health and Human Services, the Food and Drug 8.16 Administration, and the Agriculture, Food Safety, and Inspection 8.17 Service for the purpose of carrying out the department of 8.18 agriculture's statutory food safety regulatory and enforcement 8.19 duties are classified as nonpublic data under section 13.02, 8.20 subdivision 9, and private data on individuals under section 8.21 13.02, subdivision 12. 8.22 Sec. 11. Minnesota Statutes 2002, section 13.746, 8.23 subdivision 3, is amended to read: 8.24 Subd. 3. [STATE LOTTERY.] (a) [ACCESS TO CRIMINAL DATA.] 8.25 The state lottery director's access to criminal history data on 8.26 certain persons is governed by sections 349A.06, subdivision 4, 8.27 and 349A.07, subdivision 2. 8.28 (b) [LOTTERY PRIZE WINNERS.] Certain data on lottery prize 8.29 winners are classified under section 349A.08, subdivision 9. 8.30 (c) [DIRECT MARKETING.] Data on individuals given to the 8.31 lottery for direct marketing purposes are classified in section 8.32 349A.08, subdivision 9. 8.33 Sec. 12. Minnesota Statutes 2002, section 16C.06, is 8.34 amended by adding a subdivision to read: 8.35 Subd. 3a. [INFORMATION IN BIDS AND PROPOSALS.] Data 8.36 relating to bids and proposals are governed by section 13.591. 9.1 Sec. 13. Minnesota Statutes 2002, section 16C.10, 9.2 subdivision 7, is amended to read: 9.3 Subd. 7. [REVERSE AUCTION.] (a) For the purpose of this 9.4 subdivision, "reverse auction" means a purchasing process in 9.5 which vendors compete to provide goods at the lowest selling 9.6 price in an open and interactive environment. 9.7 (b) The provisions ofsectionsections 13.591, subdivision 9.8 3, and 16C.06,subdivisionssubdivision 2and 3, do not apply 9.9 when the commissioner determines that a reverse auction is the 9.10 appropriate purchasing process. 9.11 Sec. 14. Minnesota Statutes 2002, section 144.335, is 9.12 amended by adding a subdivision to read: 9.13 Subd. 3d. [RELEASE OF RECORDS TO COUNTY LOCAL WELFARE 9.14 AGENCY.] If a provider has been notified by a county local 9.15 welfare agency under section 626.556, subdivision 3d, the 9.16 provider must report to the agency the birth of a child to that 9.17 individual within 24 hours of the birth. 9.18 Sec. 15. Minnesota Statutes 2002, section 268.19, is 9.19 amended by adding a subdivision to read: 9.20 Subd. 1a. [WAGE DETAIL DATA.] (a) Wage and employment data 9.21 gathered pursuant to section 268.044 may be disseminated to and 9.22 used, without the consent of the subject of the data, by an 9.23 agency of another state that is designated as the performance 9.24 accountability and consumer information agency for that state 9.25 pursuant to Code of Federal Regulations, volume 20, part 9.26 663.510(c), in order to carry out the requirements of the 9.27 Workforce Investment Act of 1998, United States Code, title 29, 9.28 sections 2842 and 2871. 9.29 (b) The commissioner may enter into a data exchange 9.30 agreement with an employment and training service provider under 9.31 section 116L.17, or the Workforce Investment Act of 1998, United 9.32 States Code, title 29, section 2864, under which the 9.33 commissioner, with the consent of the subject of the data, may 9.34 furnish data on the quarterly wages paid and number of hours 9.35 worked on those individuals who have received employment and 9.36 training services from the provider. With the initial consent 10.1 of the subject of the data, this data may be shared for up to 10.2 three years after termination of the employment and training 10.3 services provided to the individual without execution of an 10.4 additional consent. This data shall be furnished solely for the 10.5 purpose of evaluating the employment and training services 10.6 provided. 10.7 Sec. 16. Minnesota Statutes 2002, section 307.08, is 10.8 amended by adding a subdivision to read: 10.9 Subd. 11. [BURIAL SITES DATA.] Burial sites locational and 10.10 related data maintained by the office of the state archaeologist 10.11 and accessible through the office's "Unplatted Burial Sites and 10.12 Earthworks in Minnesota" Web site are security information for 10.13 purposes of section 13.37. Persons who gain access to the data 10.14 maintained on the site are subject to liability under section 10.15 13.08 and the penalty established by section 13.09 if they 10.16 improperly use or further disseminate the data. 10.17 Sec. 17. Minnesota Statutes 2002, section 349A.08, 10.18 subdivision 9, is amended to read: 10.19 Subd. 9. [PRIVACY.] (a) The phone number and street 10.20 address of a winner of a lottery prize is private data on 10.21 individuals under chapter 13. 10.22 (b) Data on an individual, including name, physical and 10.23 electronic address, and telephone number, that are given to the 10.24 lottery for direct marketing purposes are private data on 10.25 individuals as defined in section 13.02. 10.26 Sec. 18. Minnesota Statutes 2002, section 626.556, is 10.27 amended by adding a subdivision to read: 10.28 Subd. 3d. [REPORT TO PROTECT SAFETY OF AT-RISK 10.29 NEWBORNS.] If a county local welfare agency determines that a 10.30 child born to an individual would be subjected to a threatened 10.31 injury while in the care of that individual, the agency may 10.32 disclose private data on the individual to providers for the 10.33 purpose of requesting notification of the birth of a child to 10.34 the individual. For purposes of this subdivision, "provider" 10.35 has the meaning given in section 144.335, subdivision 1. 10.36 Sec. 19. Minnesota Statutes 2002, section 626.557, 11.1 subdivision 9a, is amended to read: 11.2 Subd. 9a. [EVALUATION AND REFERRAL OF REPORTS MADE TO A 11.3 COMMON ENTRY POINT UNIT.] The common entry point must screen the 11.4 reports of alleged or suspected maltreatment for immediate risk 11.5 and make all necessary referrals as follows: 11.6 (1) if the common entry point determines that there is an 11.7 immediate need for adult protective services, the common entry 11.8 point agency shall immediately notify the appropriate county 11.9 agency; 11.10 (2) if the report contains suspected criminal activity 11.11 against a vulnerable adult, the common entry point shall 11.12 immediately notify the appropriate law enforcement agency; 11.13 (3) if the report references alleged or suspected 11.14 maltreatment and there is no immediate need for adult protective 11.15 services, the common entry point shall notify the appropriate 11.16 lead agency as soon as possible, but in any event no longer than 11.17 two working days; 11.18 (4) if the report does not reference alleged or suspected 11.19 maltreatment, the common entry point may determine whether the 11.20 information will be referred; and 11.21 (5) if the report contains information about a suspicious 11.22 death, the common entry point shall immediately notify the 11.23 appropriate law enforcement agencies, the local medical 11.24 examiner, and the ombudsman established under section 245.92. 11.25 Law enforcement agencies shall coordinate with the local medical 11.26 examiner and the ombudsman as provided by law. 11.27 Sec. 20. [REPEALER.] 11.28 Minnesota Statutes 2002, section 13.6401, subdivision 4; 11.29 Laws 2001, First Special Session chapter 10, article 2, section 11.30 40, are repealed. 11.31 Sec. 21. [EFFECTIVE DATE.] 11.32 Sections 11 and 17 are effective the day following final 11.33 enactment. 11.34 ARTICLE 2 11.35 FINANCIAL PRIVACY 11.36 Section 1. [13E.01] [DEFINITIONS.] 12.1 For purposes of this chapter, the terms "consumer," 12.2 "financial institution," "nonaffiliated third party," "nonpublic 12.3 personal information," and "joint agreement" have the meanings 12.4 given in section 509 of the Gramm-Leach-Bliley Financial 12.5 Services Modernization Act, codified as United States Code, 12.6 title 15, section 6809, including any federal regulations 12.7 implementing that section. 12.8 Sec. 2. [13E.02] [PRIVACY OF FINANCIAL DATA.] 12.9 Except as required by sections 13E.03 to 13E.05, which 12.10 afford greater protection to consumers, every financial 12.11 institution doing business in this state shall comply with 12.12 sections 502 and 503 of the Gramm-Leach-Bliley Financial 12.13 Services Modernization Act, codified as United States Code, 12.14 title 15, sections 6802 and 6803 respectively, including any 12.15 federal regulations issued under authority of section 504 of the 12.16 act, codified as United States Code, title 15, section 6804. 12.17 Sec. 3. [13E.03] [DUTY OF CONFIDENTIALITY.] 12.18 A financial institution doing business in this state shall 12.19 not disclose nonpublic personal information about a consumer to 12.20 any nonaffiliated third party unless the disclosure is made in 12.21 accordance with any of the following: 12.22 (1) pursuant to affirmative consent granted by the consumer 12.23 in accordance with this chapter; 12.24 (2) pursuant to the exception in section 502(b)(2) of the 12.25 Gramm-Leach-Bliley Financial Services Modernization Act, 12.26 codified as United States Code, title 15, section 6802(b)(2), 12.27 including any federal regulations issued to implement that 12.28 section; or 12.29 (3) pursuant to an exception in section 502(e) of the 12.30 Gramm-Leach-Bliley Financial Services Modernization Act, 12.31 codified as United States Code, title 15, section 6802(e), 12.32 including any federal regulations issued to implement that 12.33 section. 12.34 Sec. 4. [13E.04] [AFFIRMATIVE CONSENT.] 12.35 Subdivision 1. [USE.] Affirmative consent must not be 12.36 required as a condition of doing business with any financial 13.1 institution. Any affirmative consent obtained from a consumer 13.2 as a condition of doing business with a financial institution 13.3 shall not be effective for purposes of this chapter. 13.4 Subd. 2. [FORM.] Affirmative consent as required by this 13.5 chapter must be in writing and signed by the consumer. The 13.6 affirmative consent form signed by the consumer must be 13.7 contained on a separate page that also clearly and conspicuously 13.8 discloses the following: 13.9 (1) the time during which the consent will operate, which 13.10 must not be longer than five years; 13.11 (2) each category of nonpublic personal information to be 13.12 disclosed, including, but not limited to, the consumer's social 13.13 security number, account numbers, account balances, credit 13.14 limits, the amount or date of any transaction, the identity of 13.15 persons to whom the consumer's checks are made payable, and the 13.16 identity of merchants or other persons honoring the consumer's 13.17 credit cards; and 13.18 (3) the type of nonaffiliated third parties to whom 13.19 disclosure may be made. 13.20 Sec. 5. [13E.05] [ACCESS TO AND CORRECTION OF NONPUBLIC 13.21 PERSONAL INFORMATION.] 13.22 Subdivision 1. [ACCESS AND CORRECTION.] If a consumer 13.23 submits a written request to a financial institution for access 13.24 to nonpublic personal information held by the financial 13.25 institution about the consumer, within 30 business days from the 13.26 date the request is received, the financial institution shall: 13.27 (1) provide to the consumer in person, by regular mail, or 13.28 by electronic mail a copy of all such nonpublic personal 13.29 information, or a reasonably described portion of the 13.30 information, whichever the consumer requests; and 13.31 (2) provide to the consumer a summary of the procedures by 13.32 which the consumer may request correction, amendment, or 13.33 deletion of nonpublic personal information. 13.34 If any nonpublic personal information is in coded or electronic 13.35 form, an accurate translation in hard copy must be provided. 13.36 Subd. 2. [REASONABLE FEE.] A financial institution may 14.1 charge a reasonable fee to copy nonpublic personal information 14.2 provided under this section, provided the fee is clearly and 14.3 conspicuously disclosed to the consumer. A financial 14.4 institution may not charge for inspection of nonpublic personal 14.5 information by the consumer. 14.6 Sec. 6. [13E.06] [REMEDIES.] 14.7 The public and private remedies available under section 14.8 8.31 apply to this chapter. 14.9 Sec. 7. [13E.07] [OTHER LAW.] 14.10 This chapter does not limit any rights or remedies 14.11 protecting the privacy of information that are available under 14.12 other law. 14.13 Sec. 8. [EFFECTIVE DATE.] 14.14 This article is effective July 1, 2004. 14.15 ARTICLE 3 14.16 INTERNET PRIVACY 14.17 Section 1. Minnesota Statutes 2002, section 325M.01, 14.18 subdivision 5, is amended to read: 14.19 Subd. 5. [PERSONALLY IDENTIFIABLE INFORMATION.] (a) 14.20 "Personally identifiable information" means information that 14.21 identifies: 14.22 (1) a consumer by physical or electronic address or 14.23 telephone number; 14.24 (2) a consumer as having requested or obtained specific 14.25 materials or services from an Internet service provider; 14.26 (3) Internet or online sites visited by a consumer; or 14.27 (4) any of the contents of a consumer's data-storage 14.28 devices. 14.29 (b) Personally identifiable information does not include: 14.30 (1) information that is in aggregate or summary form from 14.31 which the identity of an individual consumer is not 14.32 ascertainable; or 14.33 (2) information from which all information identifying a 14.34 consumer has been removed and that cannot be combined with other 14.35 information to identify the consumer. 14.36 Sec. 2. Minnesota Statutes 2002, section 325M.03, is 15.1 amended to read: 15.2 325M.03 [WHEN DISCLOSURE OF PERSONAL INFORMATION REQUIRED.] 15.3 (a) An Internet service provider shall disclose personally 15.4 identifiable information concerning a consumer: 15.5 (1) pursuant to a grand jury subpoena; 15.6 (2) to an investigative or law enforcement officer as 15.7 defined in section 626A.01, subdivision 7, while acting as 15.8 authorized by law; 15.9 (3) pursuant to a court order in a civil proceeding upon a 15.10 showing of compelling need for the information that cannot be 15.11 accommodated by other means; 15.12 (4) to a court in a civil action for conversion commenced 15.13 by the Internet service provider or in a civil action to enforce 15.14 collection of unpaid subscription fees or purchase amounts, and 15.15 then only to the extent necessary to establish the fact of the 15.16 subscription delinquency or purchase agreement, and with 15.17 appropriate safeguards against unauthorized disclosure; 15.18 (5) to the consumer who is the subject of the information, 15.19 upon written or electronic request, reasonable authentication of 15.20 the consumer's identity, anduponpayment of a fee not to exceed 15.21 the actual cost of retrieving the information; 15.22 (6) pursuant to subpoena, including an administrative 15.23 subpoena, issued under authority of a law of this state or 15.24 another state or the United States;or15.25 (7) pursuant to a warrant or court order; or 15.26 (8) as required by United States Code, title 42, section 15.27 13032. 15.28 (b) This section does not require an Internet service 15.29 provider to create or retrieve information in a format in which 15.30 it is not maintained by the Internet service provider at the 15.31 time of the request for disclosure. This section does not 15.32 require an Internet service provider to establish or maintain a 15.33 system for retrieval of personally identifiable information that 15.34 is retained and temporarily stored, used only for system backup 15.35 or other technical purposes, and not disclosed to a third party. 15.36 Sec. 3. Minnesota Statutes 2002, section 325M.09, is 16.1 amended to read: 16.2 325M.09 [APPLICATION.] 16.3 This chapter applies to Internet service providers in the 16.4 provision of services to consumers in this state. This chapter 16.5 does not apply to activities of an Internet service provider 16.6 that are not related to the provision of Internet service 16.7 provider services and are regulated by other law in a manner 16.8 that is inconsistent with this chapter. To the extent that a 16.9 service other than the provision of Internet services is subject 16.10 to other law that is inconsistent with this chapter, the other 16.11 law controls. 16.12 Sec. 4. [EFFECTIVE DATE.] 16.13 Sections 1 to 3 are effective retroactive to March 1, 2003. 16.14 ARTICLE 4 16.15 SOCIAL SECURITY NUMBERS 16.16 Section 1. [325E.59] [USE OF SOCIAL SECURITY NUMBERS.] 16.17 Subdivision 1. [GENERALLY.] (a) A person or entity, not 16.18 including a government entity, may not do any of the following: 16.19 (1) publicly post or publicly display in any manner an 16.20 individual's social security number. "Publicly post" or 16.21 "publicly display" means to intentionally communicate or 16.22 otherwise make available to the general public; 16.23 (2) print an individual's social security number on any 16.24 card required for the individual to access products or services 16.25 provided by the person or entity; 16.26 (3) require an individual to transmit the individual's 16.27 social security number over the Internet, unless the connection 16.28 is secure or the social security number is encrypted; 16.29 (4) require an individual to use the individual's social 16.30 security number to access an Internet Web site, unless a 16.31 password or unique personal identification number or other 16.32 authentication device is also required to access the Internet 16.33 Web site; or 16.34 (5) print a number that the person or entity knows to be an 16.35 individual's social security number on any materials that are 16.36 mailed to the individual, unless state or federal law requires 17.1 the social security number to be on the document to be mailed. 17.2 If, in connection with a transaction involving or otherwise 17.3 relating to an individual, a person or entity receives a number 17.4 from a third party, that person or entity is under no duty to 17.5 inquire or otherwise determine whether the number is or includes 17.6 that individual's social security number and may print that 17.7 number on materials mailed to the individual, unless the person 17.8 or entity receiving the number has actual knowledge that the 17.9 number is or includes the individual's social security number. 17.10 (b) Notwithstanding paragraph (a), social security numbers 17.11 may be included in applications and forms sent by mail, 17.12 including school transcripts; or documents sent as part of an 17.13 application or enrollment process; to establish, amend, or 17.14 terminate an account, contract, or policy; or to confirm the 17.15 accuracy of the social security number. Nothing in this 17.16 paragraph authorizes inclusion of a social security number on 17.17 the outside of a mailing. 17.18 (c) Except as provided in subdivision 2, this section 17.19 applies only to the use of social security numbers on or after 17.20 July 1, 2005. 17.21 Subd. 2. [CONTINUATION OF PRIOR USE.] (a) A person or 17.22 entity, not including a government entity, that has used, prior 17.23 to July 1, 2005, an individual's social security number in a 17.24 manner inconsistent with subdivision 1, may continue using that 17.25 individual's social security number in that manner on or after 17.26 July 1, 2005, if all of the conditions in this subdivision are 17.27 met. 17.28 (b) The use of the social security number must be 17.29 continuous. If the use is stopped for any reason, subdivision 1 17.30 applies. 17.31 (c) The individual must be provided an annual disclosure, 17.32 commencing in 2005, that informs the individual that the 17.33 individual has the right to stop the use of the individual's 17.34 social security number in a manner prohibited by subdivision 1. 17.35 (d) A written request by an individual to stop the use of 17.36 the individual's social security number in a manner prohibited 18.1 by subdivision 1 must be implemented within 30 days of receipt 18.2 of the request. A fee may not be charged for implementing the 18.3 request. 18.4 (e) A person or entity, not including a government entity, 18.5 must not deny services to an individual because the individual 18.6 makes a written request pursuant to this subdivision. 18.7 Subd. 3. [COORDINATION WITH OTHER LAW.] This section does 18.8 not prevent the collection, use, or release of a social security 18.9 number as required by state or federal law or the use of a 18.10 social security number for internal verification or 18.11 administrative purposes. 18.12 Subd. 4. [PUBLIC RECORDS.] This section does not apply to 18.13 documents that are recorded or required to be open to the public 18.14 under chapter 13 or other law. 18.15 Subd. 5. [DEFINITIONS.] For purposes of this section, 18.16 "government entity" has the meaning given in section 13.02, 18.17 subdivision 7a, but does not include the Minnesota state 18.18 colleges and universities or the University of Minnesota. 18.19 Sec. 2. [EFFECTIVE DATE.] 18.20 Section 1 is effective July 1, 2005.