3rd Engrossment - 82nd Legislature (2001 - 2002) Posted on 12/15/2009 12:00am
1.1 A bill for an act 1.2 relating to data privacy; regulating electronic mail 1.3 solicitations; protecting privacy of Internet 1.4 consumers; regulating use of data about Internet 1.5 users; providing penalties; amending Minnesota 1.6 Statutes 2000, section 626A.28, subdivision 3; 1.7 proposing coding for new law in Minnesota Statutes, 1.8 chapter 325F; proposing coding for new law as 1.9 Minnesota Statutes, chapter 325M. 1.10 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 1.11 ARTICLE 1 1.12 INTERNET PRIVACY 1.13 Section 1. [325M.01] [DEFINITIONS.] 1.14 Subdivision 1. [SCOPE.] The terms used in this chapter 1.15 have the meanings given them in this section. 1.16 Subd. 2. [CONSUMER.] "Consumer" means a person who agrees 1.17 to pay a fee to an Internet service provider for access to the 1.18 Internet for personal, family, or household purposes, and who 1.19 does not resell access. 1.20 Subd. 3. [INTERNET SERVICE PROVIDER.] "Internet service 1.21 provider" means a business or person who provides consumers 1.22 authenticated access to, or presence on, the Internet by means 1.23 of a switched or dedicated telecommunications channel upon which 1.24 the provider provides transit routing of Internet Protocol (IP) 1.25 packets for and on behalf of the consumer. Internet service 1.26 provider does not include the offering, on a common carrier 1.27 basis, of telecommunications facilities or of telecommunications 2.1 by means of these facilities. 2.2 Subd. 4. [ORDINARY COURSE OF BUSINESS.] "Ordinary course 2.3 of business" means debt-collection activities, order 2.4 fulfillment, request processing, or the transfer of ownership. 2.5 Subd. 5. [PERSONALLY IDENTIFIABLE 2.6 INFORMATION.] "Personally identifiable information" means 2.7 information that identifies: 2.8 (1) a consumer by physical or electronic address or 2.9 telephone number; 2.10 (2) a consumer as having requested or obtained specific 2.11 materials or services from an Internet service provider; 2.12 (3) Internet or online sites visited by a consumer; or 2.13 (4) any of the contents of a consumer's data-storage 2.14 devices. 2.15 Sec. 2. [325M.02] [WHEN DISCLOSURE OF PERSONAL INFORMATION 2.16 PROHIBITED.] 2.17 Except as provided in sections 325M.03 and 325M.04, an 2.18 Internet service provider may not knowingly disclose personally 2.19 identifiable information concerning a consumer of the Internet 2.20 service provider. 2.21 Sec. 3. [325M.03] [WHEN DISCLOSURE OF PERSONAL INFORMATION 2.22 REQUIRED.] 2.23 An Internet service provider shall disclose personally 2.24 identifiable information concerning a consumer: 2.25 (1) pursuant to a grand jury subpoena; 2.26 (2) to an investigative or law enforcement officer as 2.27 defined in section 626A.01, subdivision 7, while acting as 2.28 authorized by law; 2.29 (3) pursuant to a court order in a civil proceeding upon a 2.30 showing of compelling need for the information that cannot be 2.31 accommodated by other means; 2.32 (4) to a court in a civil action for conversion commenced 2.33 by the Internet service provider or in a civil action to enforce 2.34 collection of unpaid subscription fees or purchase amounts, and 2.35 then only to the extent necessary to establish the fact of the 2.36 subscription delinquency or purchase agreement, and with 3.1 appropriate safeguards against unauthorized disclosure; 3.2 (5) to the consumer who is the subject of the information, 3.3 upon written or electronic request and upon payment of a fee not 3.4 to exceed the actual cost of retrieving the information; 3.5 (6) pursuant to subpoena, including an administrative 3.6 subpoena, issued under authority of a law of this state or 3.7 another state or the United States; or 3.8 (7) pursuant to a warrant or court order. 3.9 Sec. 4. [325M.04] [WHEN DISCLOSURE OF PERSONAL INFORMATION 3.10 PERMITTED; AUTHORIZATION.] 3.11 Subdivision 1. [CONDITIONS OF DISCLOSURE.] An Internet 3.12 service provider may disclose personally identifiable 3.13 information concerning a consumer to: 3.14 (1) any person if the disclosure is incident to the 3.15 ordinary course of business of the Internet service provider; 3.16 (2) another Internet service provider for purposes of 3.17 reporting or preventing violations of the published acceptable 3.18 use policy or customer service agreement of the Internet service 3.19 provider; except that the recipient may further disclose the 3.20 personally identifiable information only as provided by this 3.21 chapter; 3.22 (3) any person with the authorization of the consumer; or 3.23 (4) as provided by section 626A.27. 3.24 Subd. 2. [AUTHORIZATION.] The Internet service provider 3.25 may obtain the consumer's authorization of the disclosure of 3.26 personally identifiable information in writing or by electronic 3.27 means. The request for authorization must reasonably describe 3.28 the types of persons to whom personally identifiable information 3.29 may be disclosed and the anticipated uses of the information. 3.30 In order for an authorization to be effective, a contract 3.31 between an Internet service provider and the consumer must state 3.32 either that the authorization will be obtained by an affirmative 3.33 act of the consumer or that failure of the consumer to object 3.34 after the request has been made constitutes authorization of 3.35 disclosure. The provision in the contract must be conspicuous. 3.36 Authorization may be obtained in a manner consistent with 4.1 self-regulating guidelines issued by representatives of the 4.2 Internet service provider or online industries, or in any other 4.3 manner reasonably designed to comply with this subdivision. 4.4 Sec. 5. [325M.05] [SECURITY OF INFORMATION.] 4.5 The Internet service provider shall take reasonable steps 4.6 to maintain the security and privacy of a consumer's personally 4.7 identifiable information. The Internet service provider is not 4.8 liable for actions that would constitute a violation of section 4.9 609.88, 609.89, or 609.891, if the Internet service provider 4.10 does not participate in, authorize, or approve the actions. 4.11 Sec. 6. [325M.06] [EXCLUSION FROM EVIDENCE.] 4.12 Except for purposes of establishing a violation of this 4.13 chapter, personally identifiable information obtained in any 4.14 manner other than as provided in this chapter may not be 4.15 received in evidence in a civil action. 4.16 Sec. 7. [325M.07] [ENFORCEMENT; CIVIL LIABILITY; DEFENSE.] 4.17 A consumer who prevails or substantially prevails in an 4.18 action brought under this chapter is entitled to the greater of 4.19 $500 or actual damages. Costs, disbursements, and reasonable 4.20 attorney fees may be awarded to a party awarded damages for a 4.21 violation of this section. No class action shall be brought 4.22 under this chapter. 4.23 In an action under this chapter, it is a defense that the 4.24 defendant has established and implemented reasonable practices 4.25 and procedures to prevent violations of this chapter. 4.26 Sec. 8. [325M.08] [OTHER LAW.] 4.27 This chapter does not limit any greater protection of the 4.28 privacy of information under other law, except that: 4.29 (1) nothing in this chapter limits the authority under 4.30 other state or federal law of law enforcement or prosecuting 4.31 authorities to obtain information; and 4.32 (2) if federal law is enacted that regulates the release of 4.33 personally identifiable information by Internet service 4.34 providers but does not preempt state law on the subject, the 4.35 federal law supersedes any conflicting provisions of this 4.36 chapter. 5.1 Sec. 9. [325M.09] [APPLICATION.] 5.2 This chapter applies to Internet service providers in the 5.3 provision of services to consumers in this state. 5.4 Sec. 10. Minnesota Statutes 2000, section 626A.28, 5.5 subdivision 3, is amended to read: 5.6 Subd. 3. [RECORDS CONCERNING ELECTRONIC COMMUNICATION 5.7 SERVICE OR REMOTE COMPUTING SERVICE.] (a)(1) Except as provided 5.8 in clause (2) or chapter 325M, a provider of electronic 5.9 communication service or remote computing service may disclose a 5.10 record or other information pertaining to a subscriber to or 5.11 customer of the service, not including the contents of 5.12 communications covered by subdivision 1 or 2, to any person 5.13 other than a governmental entity. 5.14 (2) A provider of electronic communication service or 5.15 remote computing service may disclose a record or other 5.16 information pertaining to a subscriber to or customer of the 5.17 service, not including the contents of communications covered by 5.18 subdivision 1 or 2, to a governmental entity only when the 5.19 governmental entity: 5.20 (i) uses an administrative subpoena authorized by statute, 5.21 or a grand jury subpoena; 5.22 (ii) obtains a warrant; 5.23 (iii) obtains a court order for such disclosure under 5.24 subdivision 4; or 5.25 (iv) has the consent of the subscriber or customer to the 5.26 disclosure. 5.27 (b) A governmental entity receiving records or information 5.28 under this subdivision is not required to provide notice to a 5.29 subscriber or customer. 5.30 Sec. 11. [EFFECTIVE DATE; EXPIRATION.] 5.31 Article 1 is effective March 1, 2003. 5.32 Article 1 expires on the effective date of federal 5.33 legislation that preempts state regulation of the release of 5.34 personally identifiable information by Internet service 5.35 providers. 5.36 ARTICLE 2 6.1 COMMERCIAL ELECTRONIC MAIL SOLICITATION 6.2 Section 1. [325F.694] [FALSE OR MISLEADING COMMERCIAL 6.3 ELECTRONIC MAIL MESSAGES.] 6.4 Subdivision 1. [DEFINITIONS.] (a) The terms used in this 6.5 section have the meanings given them in this subdivision. 6.6 (b) "Commercial electronic mail message" means an 6.7 electronic mail message sent through an Internet service 6.8 provider's facilities located in this state to a resident of 6.9 this state for promoting real property, goods, or services for 6.10 sale or lease. 6.11 (c) "Electronic mail address" means a destination, commonly 6.12 expressed as a string of characters, to which electronic mail 6.13 may be sent or delivered. 6.14 (d) "Electronic mail service provider" means a business, 6.15 nonprofit organization, educational institution, library, or 6.16 government entity that provides a set of users the ability to 6.17 send or receive electronic mail messages via the Internet. 6.18 (e) "Initiate the transmission" refers to the action by the 6.19 original sender of an electronic mail message, not to the action 6.20 by an intervening Internet service provider or electronic mail 6.21 service provider that may handle or retransmit the message. 6.22 (f) "Internet service provider" means a business or person 6.23 who provides users authenticated access to, or presence on, the 6.24 Internet by means of a switched or dedicated telecommunications 6.25 channel upon which the provider provides transit routing of 6.26 Internet Protocol (IP) packets for and on behalf of the user. 6.27 (g) "Internet domain name" refers to a globally unique, 6.28 hierarchical reference to an Internet host or service, assigned 6.29 through centralized Internet naming authorities, comprising a 6.30 series of character strings separated by periods, with the 6.31 rightmost string specifying the top of the hierarchy. 6.32 Subd. 2. [FALSE OR MISLEADING MESSAGES PROHIBITED.] No 6.33 person may initiate the transmission of a commercial electronic 6.34 mail message that: 6.35 (1) uses a third party's Internet domain name without 6.36 permission of the third party, or otherwise misrepresents any 7.1 information in identifying the point of origin or the 7.2 transmission path of a commercial electronic mail message; or 7.3 (2) contains false or misleading information in the subject 7.4 line. 7.5 Subd. 3. [SUBJECT DISCLOSURE.] The subject line of a 7.6 commercial electronic mail message must include "ADV" as the 7.7 first characters. If the message contains information that 7.8 consists of material of a sexual nature that may only be viewed 7.9 by an individual 18 years of age and older, the subject line of 7.10 the message must include "ADV-ADULT" as the first characters. 7.11 For purposes of this subdivision, "commercial electronic 7.12 mail message" does not include a message: 7.13 (1) if the recipient has consented to receive or has 7.14 solicited electronic mail messages from the initiator; 7.15 (2) from an organization using electronic mail to 7.16 communicate exclusively with its members; 7.17 (3) from an entity which uses electronic mail to 7.18 communicate exclusively with its employees or contractors; or 7.19 (4) if there is a business or personal relationship between 7.20 the initiator and the recipient. 7.21 For purposes of this subdivision, "business relationship" 7.22 means a prior or existing relationship formed between the 7.23 initiator and the recipient, with or without an exchange of 7.24 consideration, on the basis of an inquiry, application, 7.25 purchase, or use by the recipient of or regarding products, 7.26 information, or services offered by the initiator or an 7.27 affiliate or agent of the initiator. For purposes of this 7.28 paragraph, "affiliate" means a person that directly or 7.29 indirectly controls, is controlled by, or is under common 7.30 control with a specified person. 7.31 Subd. 4. [TOLL-FREE NUMBER.] (a) A sender initiating the 7.32 transmission of a commercial electronic mail message must 7.33 establish a toll-free telephone number, a valid sender-operated 7.34 return electronic mail address, or another easy-to-use 7.35 electronic method that the recipient of the commercial 7.36 electronic mail message may call or access by electronic mail or 8.1 other electronic means to notify the sender not to transmit by 8.2 electronic mail any further unsolicited commercial electronic 8.3 mail messages. The notification process may include the ability 8.4 for the commercial electronic mail messages recipient to direct 8.5 the initiator to transmit or not transmit particular commercial 8.6 electronic mail messages based upon products, services, 8.7 divisions, organizations, companies, or other selections of the 8.8 recipient's choice. 8.9 (b) A commercial electronic mail message must include a 8.10 statement informing the recipient of a toll-free telephone 8.11 number that the recipient may call, or a valid return address to 8.12 which the recipient may write or access by electronic mail or 8.13 another electronic method established by the initiator, 8.14 notifying the sender not to transmit to the recipient any 8.15 further unsolicited commercial electronic mail messages to the 8.16 electronic mail address, or addresses, specified by the 8.17 recipient, and explaining the manner in which the recipient may 8.18 specify what commercial electronic mail messages the recipient 8.19 does and does not wish to receive. 8.20 Subd. 5. [BLOCKING RECEIPT OR TRANSMISSION.] No electronic 8.21 mail service provider may be held liable in an action by a 8.22 recipient for any act voluntarily taken in good faith to block 8.23 the receipt or transmission through its service of any 8.24 commercial electronic mail message that the electronic mail 8.25 service provider reasonably believes is, or will be, sent in 8.26 violation of this section. 8.27 Subd. 6. [DEFENSES.] (a) A person is not liable for a 8.28 commercial electronic mail message sent in violation of this 8.29 section if the person can show by a preponderance of the 8.30 evidence that the commercial electronic mail message was not 8.31 initiated by the person or was initiated in a manner and form 8.32 not subject to the control of the person. 8.33 (b) In an action under this section it is a defense that 8.34 the defendant has established and implemented reasonable 8.35 practices and procedures to prevent violations of this section. 8.36 Subd. 7. [DAMAGES.] (a) A person injured by a violation of 9.1 this section may recover damages caused by the violation as 9.2 specified in this subdivision. 9.3 (b) An injured person, other than an electronic mail 9.4 service provider, may recover: 9.5 (1) the lesser of $25 for each commercial electronic mail 9.6 message received that violates subdivision 2, or $35,000 per 9.7 day; or 9.8 (2) the lesser of $10 for each commercial electronic mail 9.9 message received that violates subdivision 3, or $25,000 per day. 9.10 (c) An injured electronic mail service provider may recover 9.11 actual damages or elect, in lieu of actual damages, to recover: 9.12 (1) the lesser of $25 for each commercial electronic mail 9.13 message received that violates subdivision 2, or $35,000 per 9.14 day; or 9.15 (2) the lesser of $10 for each commercial electronic mail 9.16 message received that violates subdivision 3, or $25,000 per day. 9.17 (d) At the request of any party to an action brought under 9.18 this section, the court may, at its discretion, conduct all 9.19 legal proceedings in such a way as to protect the secrecy and 9.20 security of the computer, computer network, computer data, 9.21 computer program, and computer software involved in order to 9.22 prevent possible recurrence of the same or a similar act by 9.23 another person and to protect any trade secrets of any party. 9.24 (e) Costs, disbursements, and reasonable attorney fees may 9.25 be awarded to a party awarded damages for a violation of this 9.26 section. No class action shall be brought under this section. 9.27 (f) Except as otherwise provided in this subdivision, the 9.28 remedies in this subdivision are in addition to remedies 9.29 available under section 8.31, 325F.70, or other law. 9.30 Subd. 8. [RELATIONSHIP TO FEDERAL LAW.] If federal law is 9.31 enacted that regulates false, misleading, or unsolicited 9.32 commercial electronic mail messages but does not preempt state 9.33 law on the subject, the federal law supersedes any conflicting 9.34 provisions of this section. 9.35 Sec. 2. [EFFECTIVE DATE; EXPIRATION.] 9.36 Article 2 is effective March 1, 2003. 10.1 Article 2 expires on the effective date of federal 10.2 legislation that preempts state regulation of false, misleading, 10.3 or unsolicited commercial electronic mail messages.