An Internet service provider may disclose personally identifiable information concerning a consumer to:
(1) any person if the disclosure is incident to the ordinary course of business of the Internet service provider;
(2) another Internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the Internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;
(3) any person with the authorization of the consumer; or
(4) as provided by section 626A.27.
The Internet service provider may obtain the consumer's authorization of the disclosure of personally identifiable information in writing or by electronic means. The request for authorization must reasonably describe the types of persons to whom personally identifiable information may be disclosed and the anticipated uses of the information. In order for an authorization to be effective, a contract between an Internet service provider and the consumer must state either that the authorization will be obtained by an affirmative act of the consumer or that failure of the consumer to object after the request has been made constitutes authorization of disclosure. The provision in the contract must be conspicuous. Authorization may be obtained in a manner consistent with self-regulating guidelines issued by representatives of the Internet service provider or online industries, or in any other manner reasonably designed to comply with this subdivision.