SF 3483

  1.1                          A bill for an act 
  1.2             relating to consumer privacy; enacting the Consumer 
  1.3             Privacy Protection Act; regulating the use of credit 
  1.4             cards as identification; requiring consent for the 
  1.5             release of personal information on consumers to third 
  1.6             parties; providing for notices regarding information 
  1.7             practices; requiring practices to prevent unauthorized 
  1.8             disclosure of information; prohibiting businesses from 
  1.9             requiring unnecessary information; prohibiting 
  1.10            requests for information under false pretenses; 
  1.11            regulating the release of personally identifiable 
  1.12            information on consumers by interactive services 
  1.13            providers; amending Minnesota Statutes 1998, section 
  1.14            325F.981, subdivision 1; proposing coding for new law 
  1.15            as Minnesota Statutes, chapters 325L; and 325M; 
  1.16            repealing Minnesota Statutes 1998, section 325F.981, 
  1.17            subdivision 2. 
  1.18  BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 
  1.19                             ARTICLE 1
  1.20                    CONSUMER PRIVACY PROTECTION
  1.21     Section 1.  Minnesota Statutes 1998, section 325F.981, 
  1.22  subdivision 1, is amended to read: 
  1.23     Subdivision 1.  [PROVISION OF CREDIT CARD NUMBER.] A person 
  1.24  shall not require as a condition of acceptance of a check, or as 
  1.25  a means of identification, that the person presenting the 
  1.26  check display a credit card or provide a credit card account 
  1.27  number.  If a person presenting a check voluntarily displays a 
  1.28  credit card as a means of identification, the only information 
  1.29  concerning the credit card that may be recorded, physically or 
  1.30  electronically, is the type and issuer of the credit card and 
  1.31  the expiration date.  The credit card account number must not be 
  2.1   recorded.  This subdivision does not require acceptance of a 
  2.2   check without more than one form of identification, other than a 
  2.3   credit card. 
  2.4      Sec. 2.  [325L.01] [CITATION.] 
  2.5      This chapter may be cited as the Consumer Privacy 
  2.6   Protection Act.  
  2.7      Sec. 3.  [325L.02] [DEFINITIONS.] 
  2.8      Subdivision 1.  [GENERAL] The definitions in this section 
  2.9   apply to this chapter.  
  2.10     Subd. 2.  [BUSINESS.] "Business" means a person engaged in 
  2.11  a trade or commercial activity or the provision of goods or 
  2.12  services to the general public.  Business does not include a 
  2.13  government entity subject to chapter 13.  
  2.14     Subd. 3.  [CONSUMER.] "Consumer" means an individual who 
  2.15  requests or receives goods or services from a business.  
  2.16     Subd. 4.  [PERSONAL INFORMATION.] "Personal information" 
  2.17  means information that identifies a consumer or from which the 
  2.18  consumer may reasonably be identified, if the information is 
  2.19  provided to the business by the consumer or otherwise results 
  2.20  from the transaction between the business and the consumer.  
  2.21     Sec. 4.  [325L.03] [CONSENT TO RELEASE OF PERSONAL 
  2.22  INFORMATION.] 
  2.23     (a) A business may not release personal information on a 
  2.24  consumer with whom it does business to another person unless:  
  2.25     (1) the consumer has given express written consent to the 
  2.26  business permitting release of the information; or 
  2.27     (2) the release of the information is necessary for a 
  2.28  legitimate business purpose directly related to the transaction 
  2.29  with the consumer.  
  2.30     (b) This section does not prohibit the release of 
  2.31  information required by law or pursuant to a warrant or court 
  2.32  order. 
  2.33     Sec. 5.  [325L.04] [NOTICE REGARDING INFORMATION 
  2.34  PRACTICES.] 
  2.35     A business shall conspicuously disclose to a consumer at 
  2.36  the time of establishing a business relationship and not less 
  3.1   than annually after that while the relationship continues:  
  3.2      (1) the types of personal information collected and 
  3.3   maintained by the business about the consumer; and 
  3.4      (2) the practices and policies of the business with respect 
  3.5   to disclosing personal information or making unrelated uses of 
  3.6   the information and the categories of persons to whom the 
  3.7   information may be disclosed. 
  3.8      Sec. 6.  [325L.05] [SECURITY OF INFORMATION.] 
  3.9      A business shall establish standards to ensure the security 
  3.10  and confidentiality of personal information about consumers, and 
  3.11  to protect against unauthorized access to or use of information 
  3.12  that could result in substantial harm or inconvenience to a 
  3.13  consumer. 
  3.14     Sec. 7.  [325L.06] [REQUEST FOR INFORMATION AS A CONDITION 
  3.15  OF DOING BUSINESS.] 
  3.16     (a) A business must not require a consumer to provide 
  3.17  information as a condition of doing business with the consumer, 
  3.18  or as a condition of providing a level of service or price, if 
  3.19  the information is not reasonably necessary for the provision of 
  3.20  the goods or services to the consumer by the business.  
  3.21     (b) This section applies to the collection of information 
  3.22  in any manner, including oral, written, or electronic means, and 
  3.23  includes the use of membership cards or other devices that 
  3.24  monitor the purchase or use of goods or services by a consumer. 
  3.25     (c) This section does not prohibit a requirement that a 
  3.26  consumer provide identification as a condition of acceptance of 
  3.27  a check or the extension of credit to the consumer.  
  3.28     (d) This section does not prohibit the collection of 
  3.29  information with the express written consent of the consumer, 
  3.30  provided the consumer is given a conspicuous notice that 
  3.31  complies with section 325L.04.  
  3.32     Sec. 8.  [325L.07] [OBTAINING INFORMATION UNDER FALSE 
  3.33  PRETENSES.] 
  3.34     Subdivision 1.  [REQUESTING INFORMATION FROM 
  3.35  INDIVIDUALS.] A person must not request or require an individual 
  3.36  to provide information about the individual under false or 
  4.1   misleading pretenses regarding the legal or other necessity for 
  4.2   providing the information.  
  4.3      Subd. 2.  [REQUESTING INFORMATION FROM THIRD PARTIES.] (a) 
  4.4   A person must not request or obtain information about an 
  4.5   individual from a third party, without the consent of the 
  4.6   individual, by making a false or misleading representation 
  4.7   regarding the person's identity or authority for obtaining the 
  4.8   information. 
  4.9      (b) For purposes of this subdivision, "false or misleading 
  4.10  representation" includes a representation regarding the 
  4.11  requester's identity or the communication of information about 
  4.12  the individual such as date of birth, address, zip code, family 
  4.13  name, all or part of a social security number, password, 
  4.14  personal identification number, or other information if it 
  4.15  reasonably appears the information is being requested as a 
  4.16  security measure or for purposes of confirming identity.  
  4.17     (c) This subdivision applies to oral, written, or 
  4.18  electronic forms of communication.  
  4.19     Sec. 9.  [325L.08] [BIOMETRIC DATABASES; LIMITATIONS ON 
  4.20  CREATION AND USE.] 
  4.21     (a) A person must not create a database that includes 
  4.22  biometric identification data to be used primarily for 
  4.23  commercial identification purposes without express legal 
  4.24  authorization for collecting, maintaining, and sharing the data. 
  4.25     (b) This section does not apply to:  
  4.26     (1) biometric databases maintained by the criminal justice 
  4.27  system or for law enforcement purposes; or 
  4.28     (2) biometric databases that are used solely for security 
  4.29  or identification purposes of the person who controls the 
  4.30  database. 
  4.31     Sec. 10.  [325L.09] [REMEDIES AND ENFORCEMENT.] 
  4.32     The public and private remedies and enforcement provisions 
  4.33  of section 8.31 apply to this chapter. 
  4.34     Sec. 11.  [REPEALER.] 
  4.35     Minnesota Statutes 1998, section 325F.981, subdivision 2, 
  4.36  is repealed. 
  5.1                              ARTICLE 2
  5.2                    INTERACTIVE SERVICES PROVIDERS
  5.3      Section 1.  [325M.01] [DEFINITIONS.] 
  5.4      Subdivision 1.  [SCOPE.] The definitions in this section 
  5.5   apply to this chapter. 
  5.6      Subd. 2.  [CONSUMER.] "Consumer" means a person who agrees 
  5.7   to pay a fee for access to an interactive services provider for 
  5.8   personal, family, or household purposes. 
  5.9      Subd. 3.  [INTERACTIVE SERVICES PROVIDER.] "Interactive 
  5.10  services provider" means a person in the primary business of 
  5.11  offering access to online or Internet information directly to or 
  5.12  for a consumer via telecommunications.  Interactive services 
  5.13  provider includes electronic publishing but does not include: 
  5.14     (1) a service that is provided to business, professional, 
  5.15  or commercial users; or 
  5.16     (2) a governmental entity. 
  5.17     Subd. 4.  [PERSONALLY IDENTIFIABLE INFORMATION.] 
  5.18  "Personally identifiable information" means information that 
  5.19  identifies: 
  5.20     (1) a person by physical or electronic address or telephone 
  5.21  number; 
  5.22     (2) a person as having requested or obtained specific 
  5.23  materials or services from an interactive services provider; 
  5.24     (3) Internet or online sites visited by a person; or 
  5.25     (4) any of the contents of a person's data storage devices. 
  5.26     Subd. 5.  [TELECOMMUNICATIONS SERVICE.] "Telecommunications 
  5.27  service" means the offering, on a common carrier basis, of 
  5.28  telecommunications facilities or of telecommunications by means 
  5.29  of these facilities.  It does not include an interactive 
  5.30  services provider. 
  5.31     Sec. 2.  [325M.02] [DISCLOSURE OF CONSUMER'S PERSONALLY 
  5.32  IDENTIFIABLE INFORMATION.] 
  5.33     Subdivision 1.  [DISCLOSURE PROHIBITED.] Except as provided 
  5.34  in subdivision 2, an interactive services provider must not 
  5.35  knowingly disclose personally identifiable information 
  5.36  concerning a consumer of the interactive services provider. 
  6.1      Subd. 2.  [DISCLOSURE PERMITTED; CONSENT.] (a) An 
  6.2   interactive services provider may disclose personally 
  6.3   identifiable information concerning a consumer: 
  6.4      (1) to the consumer; 
  6.5      (2) as specifically required by law; or 
  6.6      (3) to any person with the informed consent of the consumer.
  6.7      (b) The interactive services provider may obtain the 
  6.8   consumer's informed consent to the disclosure of personally 
  6.9   identifiable information in writing or by electronic means.  The 
  6.10  request for consent must reasonably describe the types of 
  6.11  persons to whom personally identifiable information may be 
  6.12  disclosed and anticipated uses of the information.  
  6.13     Subd. 4.  [SECURED ACCOUNT.] The interactive services 
  6.14  provider shall provide the consumer with a secured, verifiable 
  6.15  account.  The interactive services provider shall maintain the 
  6.16  security and privacy of a consumer's personally identifiable 
  6.17  information concerning this account. 
  6.18     Sec. 3.  [325M.03] [REMEDIES AND ENFORCEMENT.] 
  6.19     The public and private remedies and enforcement provisions 
  6.20  of section 8.31 apply to this chapter. 
  6.21     Sec. 4.  [325M.04] [OTHER LAW.] 
  6.22     This chapter does not limit any greater protection of the 
  6.23  privacy of information under other law. 
  6.24     Sec. 5.  [325M.05] [APPLICATION.] 
  6.25     This chapter applies to interactive services providers in 
  6.26  the provision of services to consumers in this state.