NOTE: Chapter 325M, as added by Laws 2002, chapter 395, article 1, section 9, is effective March 1, 2003, and expires on the effective date of federal legislation that preempts state regulation of the release of personally identifiable information by Internet service providers. Laws 2002, chapter 395, article 1, section 11.
Section | Headnote |
---|---|
325M.01 | DEFINITIONS. |
325M.02 | WHEN DISCLOSURE OF PERSONAL INFORMATION PROHIBITED. |
325M.03 | WHEN DISCLOSURE OF PERSONAL INFORMATION REQUIRED. |
325M.04 | WHEN DISCLOSURE OF PERSONAL INFORMATION PERMITTED; AUTHORIZATION. |
325M.05 | SECURITY OF INFORMATION. |
325M.06 | EXCLUSION FROM EVIDENCE. |
325M.07 | ENFORCEMENT; CIVIL LIABILITY; DEFENSE. |
325M.08 | OTHER LAW. |
325M.09 | APPLICATION. |
NOTE: Chapter 325M, as added by Laws 2002, chapter 395, article 1, section 9, is effective March 1, 2003, and expires on the effective date of federal legislation that preempts state regulation of the release of personally identifiable information by Internet service providers. Laws 2002, chapter 395, article 1, section 11.
"Consumer" means a person who agrees to pay a fee to an Internet service provider for access to the Internet for personal, family, or household purposes, and who does not resell access.
"Internet service provider" means a business or person who provides consumers authenticated access to, or presence on, the Internet by means of a switched or dedicated telecommunications channel upon which the provider provides transit routing of Internet Protocol (IP) packets for and on behalf of the consumer. Internet service provider does not include the offering, on a common carrier basis, of telecommunications facilities or of telecommunications by means of these facilities.
"Ordinary course of business" means debt-collection activities, order fulfillment, request processing, or the transfer of ownership.
"Personally identifiable information" means information that identifies:
(1) a consumer by physical or electronic address or telephone number;
(2) a consumer as having requested or obtained specific materials or services from an Internet service provider;
(3) Internet or online sites visited by a consumer; or
(4) any of the contents of a consumer's data-storage devices.
Except as provided in sections 325M.03 and 325M.04, an Internet service provider may not knowingly disclose personally identifiable information concerning a consumer of the Internet service provider.
An Internet service provider shall disclose personally identifiable information concerning a consumer:
(1) pursuant to a grand jury subpoena;
(2) to an investigative or law enforcement officer as defined in section 626A.01, subdivision 7, while acting as authorized by law;
(3) pursuant to a court order in a civil proceeding upon a showing of compelling need for the information that cannot be accommodated by other means;
(4) to a court in a civil action for conversion commenced by the Internet service provider or in a civil action to enforce collection of unpaid subscription fees or purchase amounts, and then only to the extent necessary to establish the fact of the subscription delinquency or purchase agreement, and with appropriate safeguards against unauthorized disclosure;
(5) to the consumer who is the subject of the information, upon written or electronic request and upon payment of a fee not to exceed the actual cost of retrieving the information;
(6) pursuant to subpoena, including an administrative subpoena, issued under authority of a law of this state or another state or the United States; or
(7) pursuant to a warrant or court order.
An Internet service provider may disclose personally identifiable information concerning a consumer to:
(1) any person if the disclosure is incident to the ordinary course of business of the Internet service provider;
(2) another Internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the Internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;
(3) any person with the authorization of the consumer; or
(4) as provided by section 626A.27.
The Internet service provider may obtain the consumer's authorization of the disclosure of personally identifiable information in writing or by electronic means. The request for authorization must reasonably describe the types of persons to whom personally identifiable information may be disclosed and the anticipated uses of the information. In order for an authorization to be effective, a contract between an Internet service provider and the consumer must state either that the authorization will be obtained by an affirmative act of the consumer or that failure of the consumer to object after the request has been made constitutes authorization of disclosure. The provision in the contract must be conspicuous. Authorization may be obtained in a manner consistent with self-regulating guidelines issued by representatives of the Internet service provider or online industries, or in any other manner reasonably designed to comply with this subdivision.
The Internet service provider shall take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information. The Internet service provider is not liable for actions that would constitute a violation of section 609.88, 609.89, or 609.891, if the Internet service provider does not participate in, authorize, or approve the actions.
Except for purposes of establishing a violation of this chapter, personally identifiable information obtained in any manner other than as provided in this chapter may not be received in evidence in a civil action.
A consumer who prevails or substantially prevails in an action brought under this chapter is entitled to the greater of $500 or actual damages. Costs, disbursements, and reasonable attorney fees may be awarded to a party awarded damages for a violation of this section. No class action shall be brought under this chapter.
In an action under this chapter, it is a defense that the defendant has established and implemented reasonable practices and procedures to prevent violations of this chapter.
This chapter does not limit any greater protection of the privacy of information under other law, except that:
(1) nothing in this chapter limits the authority under other state or federal law of law enforcement or prosecuting authorities to obtain information; and
(2) if federal law is enacted that regulates the release of personally identifiable information by Internet service providers but does not preempt state law on the subject, the federal law supersedes any conflicting provisions of this chapter.
This chapter applies to Internet service providers in the provision of services to consumers in this state.
Official Publication of the State of Minnesota
Revisor of Statutes