SF 3588

  1.1                          A bill for an act 
  1.2             relating to data practices; requiring the development 
  1.3             of a model online privacy notice; providing an 
  1.4             Internet privacy policy for state and local 
  1.5             governments; restricting the release of personal 
  1.6             information; proposing coding for new law in Minnesota 
  1.7             Statutes, chapter 325E; proposing coding for new law 
  1.8             as Minnesota Statutes, chapter 13D. 
  1.9   BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 
  1.10     Section 1.  [13D.01] [SAMPLE ONLINE PRIVACY NOTICE.] 
  1.11     The commissioner of administration must develop a model 
  1.12  online sample privacy notice to be made available to any public 
  1.13  or private entity.  The model online privacy notice must 
  1.14  include, but not be limited to, the following Internet privacy 
  1.15  practices relating to data collection and the disclosure of 
  1.16  personal information: 
  1.17     (1) the nature of personal data collected or to be 
  1.18  collected with respect to the subscriber and the way the data 
  1.19  will be used; 
  1.20     (2) the nature, frequency, and purpose of any disclosure 
  1.21  which may be made of the data, including identifying the types 
  1.22  of persons to whom disclosure may be made; 
  1.23     (3) the period of time data will be maintained; 
  1.24     (4) a description of the procedures by which the subscriber 
  1.25  may gain access to personal data of the subscriber; 
  1.26     (5) a description of how data on the subscriber is 
  1.27  collected if not obvious, such as passive collection that 
  2.1   enables electronic monitoring; 
  2.2      (6) notice indicating if providing the requested data is 
  2.3   voluntary or required, and the consequences of a refusal to 
  2.4   provide the requested data; and 
  2.5      (7) the nature of the steps being taken by the entity to 
  2.6   ensure the confidentiality, integrity, and quality of the data. 
  2.7      Sec. 2.  [13D.02] [STATE AND LOCAL GOVERNMENT INTERNET 
  2.8   PRIVACY POLICY; DEFINITIONS.] 
  2.9      Subdivision 1.  [SCOPE.] The terms used in this chapter 
  2.10  have the meanings given in this section. 
  2.11     Subd. 2.  [INTERACTIVE COMPUTER SERVICE.] "Interactive 
  2.12  computer service" means the offering of a capability for 
  2.13  web-browsing, generating, acquiring, storing, transforming, 
  2.14  processing, retrieving, utilizing, transferring, or making 
  2.15  available information using computer-based telecommunications or 
  2.16  via modem to the Internet. 
  2.17     Subd. 3.  [INTERNET.] "Internet" means the international 
  2.18  computer network of interoperable packet switched data networks. 
  2.19     Subd. 4.  [PERSONAL DATA.] "Personal data" means: 
  2.20     (1) information which identifies a specific subscriber, 
  2.21  file, or service utilized or from an interactive computer 
  2.22  service and the subscriber or the interactive computer address 
  2.23  of the subscriber who obtained the file or service.  Personal 
  2.24  information does not include a record of aggregate data that 
  2.25  does not identify a file or service utilized by an identifiable 
  2.26  subscriber or the interactive computer address of the 
  2.27  subscriber; or 
  2.28     (2) information collected or submitted via the Internet or 
  2.29  Web site that identifies a subscriber's home or work address, 
  2.30  e-mail address, phone number, credit or debit card information, 
  2.31  social security number, birth date, gender, marital status, or 
  2.32  other personal identifier. 
  2.33     Subd. 5.  [DISCLOSE OR DISCLOSURE.] "Disclose" or 
  2.34  "disclosure" means the sale or rental of personal information. 
  2.35     Subd. 6.  [FILE.] "File" means a collection of related 
  2.36  records treated as a unit. 
  3.1      Subd. 7.  [RECORD.] "Record" means a group of distinct data 
  3.2   items in a computer system manipulated as a unit. 
  3.3      Subd. 8.  [SUBSCRIBER.] "Subscriber"  means anyone who uses 
  3.4   a computer capable of interacting with the Internet. 
  3.5      Sec. 3.  [13D.03] [DISCLOSURE LIMITS.] 
  3.6      A state agency, statewide system, or political subdivision 
  3.7   that provides an interactive computer service may not disclose 
  3.8   personal data concerning a subscriber to internal staff or to 
  3.9   any other state agency, statewide system, political subdivision, 
  3.10  or person unless the subscriber has received the notice provided 
  3.11  for in section 4 and has expressly consented to the disclosure. 
  3.12     Sec. 4.  [13D.04] [NOTICE REQUIRED.] 
  3.13     When a state agency, statewide system, or political 
  3.14  subdivision is first contacted by a subscriber to provide any 
  3.15  online interactive service, including browsing a site, an 
  3.16  interactive computer service must provide notice in the form of 
  3.17  a separate statement to the subscriber clearly and conspicuously 
  3.18  disclosing the following: 
  3.19     (1) the nature of personal data collected or to be 
  3.20  collected with respect to the subscriber and how the data will 
  3.21  be used; 
  3.22     (2) the nature, frequency, and purpose of any disclosure 
  3.23  that may be made of the data, including an identification of the 
  3.24  types of persons to whom the disclosure may be made; 
  3.25     (3) the period of time the data will be maintained; 
  3.26     (4) a description of the procedures by which the subscriber 
  3.27  may gain access to the data; 
  3.28     (5) a description of how data on the subscriber is 
  3.29  collected if not obvious, such as passive collection that 
  3.30  enables electronic monitoring; 
  3.31     (6) a notice indicating if providing the requested data is 
  3.32  voluntary or required, and the consequences of a refusal to 
  3.33  provide the requested data; 
  3.34     (7) the nature of the steps being taken by the state 
  3.35  agency, statewide system, or political subdivision to ensure the 
  3.36  confidentiality, integrity, and quality of the data. 
  4.1      Sec. 5.  [13D.05] [SUBSCRIBER ACCESS.] 
  4.2      Upon request a subscriber must be provided access to all 
  4.3   personal data on the subscriber that is collected and maintained 
  4.4   by a state agency, statewide system, or political subdivision 
  4.5   via an interactive computer service.  The data must be made 
  4.6   available at reasonable times and at a convenient location to 
  4.7   the subscriber.  Computer-based telecommunications may be the 
  4.8   means by which the data is provided to the subscriber.  The 
  4.9   subscriber must be provided reasonable opportunity by the 
  4.10  interactive computer service to correct errors in personal data 
  4.11  and the interactive computer service must promptly correct the 
  4.12  data.  If the interactive computer service is unable to resolve 
  4.13  any remaining differences, a subscriber must also be provided 
  4.14  with the opportunity to file a statement of explanation 
  4.15  concerning the nature of any dispute. 
  4.16     Sec. 6.  [13D.06] [PERMITTED DISCLOSURE WITHOUT CONSENT.] 
  4.17     Notwithstanding section 3, a state agency may disclose 
  4.18  personal information without the subscriber's consent if the 
  4.19  disclosure is: 
  4.20     (1) in the ordinary course of business; 
  4.21     (2) pursuant to a court order or statute; 
  4.22     (3) for the purpose of validating the identity of the 
  4.23  subscriber; or 
  4.24     (4) if the information or data is used solely for 
  4.25  statistical purposes in aggregate form. 
  4.26     Sec. 7.  [325E.59] [DEFINITIONS.] 
  4.27     Subdivision 1.  [ONLINE COMPUTER SERVICE.] "Online computer 
  4.28  service" means the offering of a capability for generating, 
  4.29  acquiring, storing, transforming, processing, retrieving, 
  4.30  utilizing, or making available information using computer-based 
  4.31  telecommunications.  Online computer service also includes a 
  4.32  service that permits a subscriber to retrieve stored information 
  4.33  from or file information for storage in information storage 
  4.34  facilities, electronic publishing, or an electronic messaging 
  4.35  service. 
  4.36     Subd. 2.  [PERSONAL INFORMATION.] "Personal information" 
  5.1   means information which identifies either a specific file or 
  5.2   service utilized or from an online computer service and the 
  5.3   subscriber or the subscriber's online computer address who 
  5.4   obtained the file or service.  Personal information does not 
  5.5   include any record of aggregate data which does not identify a 
  5.6   file or service utilized and a subscriber or the subscriber's 
  5.7   online computer address. 
  5.8      Subd. 3.  [DISCLOSE OR DISCLOSURE.] "Disclose" or 
  5.9   "disclosure" means the sale, rental, or other dissemination of 
  5.10  personal information. 
  5.11     Subd. 4.  [FILE.] "File" means a collection of related 
  5.12  records treated as a unit. 
  5.13     Subd. 5.  [RECORDS.] "Records" means a group of distinct 
  5.14  data items in a computer system, manipulated as a unit. 
  5.15     Sec. 8.  [325E.60] [RESTRICTIONS ON RELEASE OF PERSONAL 
  5.16  INFORMATION.] 
  5.17     Subdivision 1.  [NOTICE AND CONSENT REQUIRED.] Any person, 
  5.18  firm, partnership, or corporation which provides an online 
  5.19  computer service may not disclose personal information 
  5.20  concerning a subscriber to any other person, firm, partnership, 
  5.21  or corporation unless the subscriber has received the notice 
  5.22  provided for in subdivision 2 and has consented to the 
  5.23  disclosure. 
  5.24     Subd. 2.  [NOTICE; CONTENTS.] At the time of entering into 
  5.25  an agreement to provide an online computer service to a 
  5.26  subscriber, and at the time when a service is obtained, each and 
  5.27  every online computer service shall provide notice in the form 
  5.28  of a separate statement to the subscriber that clearly and 
  5.29  conspicuously discloses the following to the subscriber: 
  5.30     (1) the nature of personal information collected or to be 
  5.31  collected with respect to the subscriber and the nature and use 
  5.32  of the information, if any; 
  5.33     (2) the nature, frequency, and purpose of any disclosure 
  5.34  which may be made of the information, including an 
  5.35  identification of the types of persons or person to whom the 
  5.36  disclosure may be made; 
  6.1      (3) the period of time the information will be maintained; 
  6.2   and 
  6.3      (4) a description of the procedures by which the subscriber 
  6.4   may gain access to the information. 
  6.5      The notices may be provided electronically by using 
  6.6   computer-based telecommunications. 
  6.7      Subd. 3.  [ACCESS TO DATA.] Upon request a subscriber shall 
  6.8   be provided access to all personal information regarding the 
  6.9   subscriber that is collected and maintained by an online 
  6.10  computer service.  The information must be made available at 
  6.11  reasonable times and at a convenient location to the subscriber. 
  6.12  Computer-based telecommunications may be the means by which the 
  6.13  information is provided to the subscriber.  The subscriber shall 
  6.14  be provided reasonable opportunity by the online computer 
  6.15  service to correct errors in personal information and the online 
  6.16  computer service shall promptly correct such information.  If 
  6.17  the online computer service is unable to resolve any remaining 
  6.18  differences, a subscriber shall also be provided with the 
  6.19  opportunity to file a statement of explanation concerning the 
  6.20  nature of any dispute. 
  6.21     Subd. 5.  [GOOD FAITH DEFENSE.] Notwithstanding subdivision 
  6.22  1, an online computer service may disclose personal information 
  6.23  if the disclosure is: 
  6.24     (1) necessary to render or conduct business or provide 
  6.25  service to the subscriber; 
  6.26     (2) made pursuant to a court order; 
  6.27     (3) for the purpose of extending credit to the subscriber 
  6.28  or for a check or credit card transaction when it is incidental 
  6.29  to the sale or other transfer of the accounts receivable of the 
  6.30  online computer service; and 
  6.31     (4) for the purpose of validating a check written by the 
  6.32  subscriber. 
  6.33     Subd. 6.  [REMEDIES.] No online computer service is 
  6.34  considered to have violated the provisions of this section, if 
  6.35  the online computer service shows by a preponderance of the 
  6.36  evidence that the violation was not intentional and that it 
  7.1   resulted from a bona fide error made notwithstanding the 
  7.2   maintenance of procedures reasonably adopted to avoid any such 
  7.3   error. 
  7.4      (a) Any subscriber who has been injured by reason of any 
  7.5   violation of this section may bring an action in the 
  7.6   subscriber's own name to enjoin the unlawful act or practice, an 
  7.7   action to recover actual damages or $100, whichever is greater, 
  7.8   or both actions.  The court may, in its discretion, increase the 
  7.9   award of damages to an amount not to exceed three times the 
  7.10  actual damages up to $1,000, if the court finds the defendant 
  7.11  willfully or knowingly violated this section.  The court may 
  7.12  award reasonable attorney fees to a prevailing plaintiff. 
  7.13     (b) The attorney general may bring an action to enforce 
  7.14  this section pursuant to section 8.31.