A bill for an act relating to data privacy; regulating electronic mail
solicitations; protecting privacy of Internet consumers; regulating use of
data about Internet users; providing penalties; amending Minnesota
Statutes 2000, section 626A.28, subdivision 3; proposing coding for new
law in Minnesota Statutes, chapter 325F; proposing coding for new law as
Minnesota Statutes, chapter 325M.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
ARTICLE 1
INTERNET PRIVACY
Section 1. [325M.01] [DEFINITIONS.]
Subdivision 1. [SCOPE.] The terms used in this chapter have
the meanings given them in this section.
Subd. 2. [CONSUMER.] "Consumer" means a person who agrees to
pay a fee to an Internet service provider for access to the Internet for
personal, family, or household purposes, and who does not resell access.
Subd. 3. [INTERNET SERVICE PROVIDER.] "Internet service
provider" means a business or person who provides consumers authenticated
access to, or presence on, the Internet by means of a switched or dedicated
telecommunications channel upon which the provider provides transit routing of
Internet Protocol (IP) packets for and on behalf of the consumer. Internet
service provider does not include the offering, on a common carrier basis, of
telecommunications facilities or of telecommunications by means of these
facilities.
Subd. 4. [ORDINARY COURSE OF BUSINESS.] "Ordinary course of
business" means debt-collection activities, order fulfillment, request
processing, or the transfer of ownership.
Subd. 5. [PERSONALLY IDENTIFIABLE INFORMATION.] "Personally
identifiable information" means information that identifies:
(1) a consumer by physical or electronic address or telephone
number;
(2) a consumer as having requested or obtained
specific materials or services from an Internet service provider;
(3) Internet or online sites visited by a consumer; or
(4) any of the contents of a consumer's data-storage devices.
Sec. 2. [325M.02] [WHEN DISCLOSURE OF PERSONAL INFORMATION PROHIBITED.]
Except as provided in sections 325M.03 and 325M.04, an
Internet service provider may not knowingly disclose personally identifiable
information concerning a consumer of the Internet service provider.
Sec. 3. [325M.03] [WHEN DISCLOSURE OF PERSONAL INFORMATION REQUIRED.]
An Internet service provider shall disclose personally
identifiable information concerning a consumer:
(1) pursuant to a grand jury subpoena;
(2) to an investigative or law enforcement officer as defined in section
626A.01, subdivision 7, while acting as authorized by law;
(3) pursuant to a court order in a civil proceeding upon a showing of
compelling need for the information that cannot be accommodated by other
means;
(4) to a court in a civil action for conversion commenced by the Internet
service provider or in a civil action to enforce collection of unpaid
subscription fees or purchase amounts, and then only to the extent necessary
to establish the fact of the subscription delinquency or purchase agreement,
and with appropriate safeguards against unauthorized disclosure;
(5) to the consumer who is the subject of the information, upon written or
electronic request and upon payment of a fee not to exceed the actual cost of
retrieving the information;
(6) pursuant to subpoena, including an administrative subpoena, issued under
authority of a law of this state or another state or the United States; or
(7) pursuant to a warrant or court order.
Sec. 4. [325M.04] [WHEN DISCLOSURE OF PERSONAL INFORMATION PERMITTED;
AUTHORIZATION.]
Subdivision 1. [CONDITIONS OF DISCLOSURE.] An Internet
service provider may disclose personally identifiable information concerning a
consumer to:
(1) any person if the disclosure is incident to
the ordinary course of business of the Internet service provider;
(2) another Internet service provider for purposes of reporting or
preventing violations of the published acceptable use policy or customer
service agreement of the Internet service provider; except that the recipient
may further disclose the personally identifiable information only as provided
by this chapter;
(3) any person with the authorization of the
consumer; or
(4) as provided by section 626A.27.
Subd. 2. [AUTHORIZATION.] The Internet service provider may
obtain the consumer's authorization of the disclosure of personally
identifiable information in writing or by electronic means. The request for
authorization must reasonably describe the types of persons to whom personally
identifiable information may be disclosed and the anticipated uses of the
information. In order for an authorization to be effective, a contract between
an Internet service provider and the consumer must state either that the
authorization will be obtained by an affirmative act of the consumer or that
failure of the consumer to object after the request has been made constitutes
authorization of disclosure. The provision in the contract must be
conspicuous. Authorization may be obtained in a manner consistent with
self-regulating guidelines issued by representatives of the Internet service
provider or online industries, or in any other manner reasonably designed to
comply with this subdivision.
Sec. 5. [325M.05] [SECURITY OF INFORMATION.]
The Internet service provider shall take reasonable steps to
maintain the security and privacy of a consumer's personally identifiable
information. The Internet service provider is not liable for actions that
would constitute a violation of section 609.88, 609.89, or 609.891, if the
Internet service provider does not participate in, authorize, or approve the
actions.
Sec. 6. [325M.06] [EXCLUSION FROM EVIDENCE.]
Except for purposes of establishing a violation of this
chapter, personally identifiable information obtained in any manner other than
as provided in this chapter may not be received in evidence in a civil
action.
Sec. 7. [325M.07] [ENFORCEMENT; CIVIL LIABILITY; DEFENSE.]
A consumer who prevails or substantially prevails in an
action brought under this chapter is entitled to the greater of $500 or actual
damages. Costs, disbursements, and reasonable attorney fees may be awarded to
a party awarded damages for a violation of this section. No class action shall
be brought under this chapter.
In an action under this chapter, it is a defense that the defendant has
established and implemented reasonable practices and procedures to prevent
violations of this chapter.
Sec. 8. [325M.08] [OTHER LAW.]
This chapter does not limit any greater protection of the
privacy of information under other law, except that:
(1) nothing in this chapter limits the authority under other state or federal
law of law enforcement or prosecuting authorities to obtain information; and
(2) if federal law is enacted that regulates the release of personally
identifiable information by Internet service providers but does not preempt
state law on the subject, the federal law supersedes any conflicting
provisions of this chapter.
Sec. 9. [325M.09] [APPLICATION.]
This chapter applies to Internet service providers in the
provision of services to consumers in this state.
Sec. 10. Minnesota Statutes 2000,
section 626A.28, subdivision 3, is amended to read:
Subd. 3. [RECORDS CONCERNING ELECTRONIC COMMUNICATION
SERVICE OR REMOTE COMPUTING SERVICE.] (a)(1) Except as provided in clause
(2) or chapter 325M, a provider of electronic communication service or
remote computing service may disclose a record or other information
pertaining to a subscriber to or customer of the service, not including the
contents of communications covered by subdivision 1 or 2, to any person
other than a governmental entity.
(2) A provider of electronic communication service or remote computing
service may disclose a record or other information pertaining to a subscriber
to or customer of the service, not including the contents of communications
covered by subdivision 1 or 2, to a governmental entity only when the
governmental entity:
(i) uses an administrative subpoena authorized by statute, or a grand jury
subpoena;
(ii) obtains a warrant;
(iii) obtains a court order for such disclosure under subdivision 4; or
(iv) has the consent of the subscriber or customer to the disclosure.
(b) A governmental entity receiving records or information
under this subdivision is not required to provide notice to a subscriber or
customer.
Sec. 11. [EFFECTIVE DATE; EXPIRATION.]
Article 1 is effective March 1, 2003.
Article 1 expires on the effective date of federal legislation that preempts
state regulation of the release of personally identifiable information by
Internet service providers.
ARTICLE 2
COMMERCIAL ELECTRONIC MAIL SOLICITATION
Section 1. [325F.694] [FALSE OR MISLEADING COMMERCIAL ELECTRONIC MAIL
MESSAGES.]
Subdivision 1. [DEFINITIONS.] (a) The terms used in this
section have the meanings given them in this subdivision.
(b) "Commercial electronic mail message" means an electronic mail message sent
through an Internet service provider's facilities located in this state to a
resident of this state for promoting real property, goods, or services for
sale or lease.
(c) "Electronic mail address" means a destination, commonly expressed as a
string of characters, to which electronic mail may be sent or delivered.
(d) "Electronic mail service provider" means a business, nonprofit
organization, educational institution, library, or government entity that
provides a set of users the ability to send or receive electronic mail
messages via the Internet.
(e) "Initiate the transmission" refers to the action by the original sender of
an electronic mail message, not to the action by an intervening Internet
service provider or electronic mail service provider that may handle or
retransmit the message.
(f) "Internet service provider" means a business or person who provides users
authenticated access to, or presence on, the Internet by means of a switched
or dedicated telecommunications channel upon which the provider provides
transit routing of Internet Protocol (IP) packets for and on behalf of the
user.
(g) "Internet domain name" refers to a globally unique, hierarchical reference
to an Internet host or service, assigned through centralized Internet naming
authorities, comprising a series of character strings separated by periods,
with the rightmost string specifying the top of the hierarchy.
Subd. 2. [FALSE OR MISLEADING MESSAGES PROHIBITED.] No person
may initiate the transmission of a commercial electronic mail message
that:
(1) uses a third party's Internet domain name without
permission of the third party, or otherwise misrepresents any information in
identifying the point of origin or the transmission path of a commercial
electronic mail message; or
(2) contains false or misleading
information in the subject line.
Subd. 3. [SUBJECT DISCLOSURE.] The subject line of a
commercial electronic mail message must include "ADV" as the first characters.
If the message contains information that consists of material of a sexual
nature that may only be viewed by an individual 18 years of age and older, the
subject line of the message must include "ADV-ADULT" as the first characters.
For purposes of this subdivision, "commercial electronic mail message" does
not include a message:
(1) if the recipient has consented to receive or has solicited electronic mail
messages from the initiator;
(2) from an organization using electronic mail to communicate exclusively with
its members;
(3) from an entity which uses electronic mail to communicate exclusively with
its employees or contractors; or
(4) if there is a business or personal relationship between the initiator and
the recipient. For purposes of this subdivision, "business relationship" means
a prior or existing relationship formed between the initiator and the
recipient, with or without an exchange of consideration, on the basis of an
inquiry, application, purchase, or use by the recipient of or regarding
products, information, or services offered by the initiator or an affiliate or
agent of the initiator. For purposes of this paragraph, "affiliate" means a
person that directly or indirectly controls, is controlled by, or is under
common control with a specified person.
Subd. 4. [TOLL-FREE NUMBER.] (a) A sender initiating the
transmission of a commercial electronic mail message must establish a
toll-free telephone number, a valid sender-operated return electronic mail
address, or another easy-to-use electronic method that the recipient of the
commercial electronic mail message may call or access by electronic mail or
other electronic means to notify the sender not to transmit by electronic mail
any further unsolicited commercial electronic mail messages. The notification
process may include the ability for the commercial electronic mail messages
recipient to direct the initiator to transmit or not transmit particular
commercial electronic mail messages based upon products, services, divisions,
organizations, companies, or other selections of the recipient's choice.
(b) A commercial electronic mail message must include
a statement informing the recipient of a toll-free telephone number that the
recipient may call, or a valid return address to which the recipient may write
or access by electronic mail or another electronic method established by the
initiator, notifying the sender not to transmit to the recipient any further
unsolicited commercial electronic mail messages to the electronic mail
address, or addresses, specified by the recipient, and explaining the manner
in which the recipient may specify what commercial electronic mail messages
the recipient does and does not wish to receive.
Subd. 5. [BLOCKING RECEIPT OR TRANSMISSION.] No electronic
mail service provider may be held liable in an action by a recipient for any
act voluntarily taken in good faith to block the receipt or transmission
through its service of any commercial electronic mail message that the
electronic mail service provider reasonably believes is, or will be, sent in
violation of this section.
Subd. 6. [DEFENSES.] (a) A person is not liable for a
commercial electronic mail message sent in violation of this section if the
person can show by a preponderance of the evidence that the commercial
electronic mail message was not initiated by the person or was initiated in a
manner and form not subject to the control of the person.
(b) In an action under this section it is a defense that the
defendant has established and implemented reasonable practices and procedures
to prevent violations of this section.
Subd. 7. [DAMAGES.] (a) A person injured by a violation of
this section may recover damages caused by the violation as specified in this
subdivision.
(b) An injured person, other than an electronic mail service
provider, may recover:
(1) the lesser of $25 for each commercial electronic mail message received
that violates subdivision 2, or $35,000 per day; or
(2) the lesser of $10 for each commercial electronic mail message received
that violates subdivision 3, or $25,000 per day.
(c) An injured electronic mail service provider may recover
actual damages or elect, in lieu of actual damages, to recover:
(1) the lesser of $25 for each commercial electronic mail message received
that violates subdivision 2, or $35,000 per day; or
(2) the lesser of $10 for each commercial electronic mail message received
that violates subdivision 3, or $25,000 per day.
(d) At the request of any party to an action brought under
this section, the court may, at its discretion, conduct all legal proceedings
in such a way as to protect the secrecy and security of the computer, computer
network, computer data, computer program, and computer software involved in
order to prevent possible recurrence of the same or a similar act by another
person and to protect any trade secrets of any party.
(e) Costs, disbursements, and reasonable attorney fees may be
awarded to a party awarded damages for a violation of this section. No class
action shall be brought under this section.
(f) Except as otherwise provided in this subdivision, the
remedies in this subdivision are in addition to remedies available under
section 8.31, 325F.70, or other law.
Subd. 8. [RELATIONSHIP TO FEDERAL LAW.] If federal law is
enacted that regulates false, misleading, or unsolicited commercial electronic
mail messages but does not preempt state law on the subject, the federal law
supersedes any conflicting provisions of this section.
Sec. 2. [EFFECTIVE DATE; EXPIRATION.]
Article 2 is effective March 1, 2003.
Article 2 expires on the effective date of federal legislation that preempts
state regulation of false, misleading, or unsolicited commercial electronic
mail messages.