MINNESOTA LAWS 2002, CH. 395
SENATE FILE NO. 2908 (2002)
Introduced February 11, 2002
Approved by Governor May 20, 2002
A bill for an act relating to data privacy; regulating
electronic mail solicitations; protecting privacy of Internet
consumers; regulating use of data about Internet users; providing
penalties; amending Minnesota Statutes 2000, section 626A.28,
subdivision 3; proposing coding for new law in Minnesota Statutes,
chapter 325F; proposing coding for new law as Minnesota Statutes,
chapter 325M.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
ARTICLE 1
INTERNET PRIVACY
Section 1. [325M.01]
[DEFINITIONS.]
Subdivision 1. [SCOPE.] The terms used in this
chapter have the meanings given them in this section.
Subd. 2. [CONSUMER.] "Consumer" means
a person who agrees to pay a fee to an Internet service provider for
access to the Internet for personal, family, or household purposes,
and who does not resell access.
Subd. 3. [INTERNET SERVICE PROVIDER.]
"Internet service provider" means a business or person who
provides consumers authenticated access to, or presence on, the
Internet by means of a switched or dedicated telecommunications
channel upon which the provider provides transit routing of Internet
Protocol (IP) packets for and on behalf of the consumer. Internet
service provider does not include the offering, on a common carrier
basis, of telecommunications facilities or of telecommunications by
means of these facilities.
Subd. 4. [ORDINARY COURSE OF BUSINESS.]
"Ordinary course of business" means debt-collection
activities, order fulfillment, request processing, or the transfer of
ownership.
Subd. 5. [PERSONALLY IDENTIFIABLE INFORMATION.]
"Personally identifiable information" means information that
identifies:
(1) a consumer by physical or electronic address or
telephone number;
(2) a consumer as having requested or obtained
specific materials or services from an Internet service provider;
(3) Internet or online sites visited by a consumer;
or
(4) any of the contents of a consumer's
data-storage devices.
Sec. 2. [325M.02]
[WHEN DISCLOSURE OF PERSONAL INFORMATION PROHIBITED.]
Except as provided in sections 325M.03 and
325M.04, an Internet service provider may not knowingly disclose
personally identifiable information concerning a consumer of the
Internet service provider.
Sec. 3. [325M.03]
[WHEN DISCLOSURE OF PERSONAL INFORMATION REQUIRED.]
An Internet service provider shall disclose
personally identifiable information concerning a consumer:
(1) pursuant to a grand jury subpoena;
(2) to an investigative or law enforcement officer
as defined in section 626A.01, subdivision 7, while acting as
authorized by law;
(3) pursuant to a court order in a civil proceeding
upon a showing of compelling need for the information that cannot be
accommodated by other means;
(4) to a court in a civil action for conversion
commenced by the Internet service provider or in a civil action to
enforce collection of unpaid subscription fees or purchase amounts,
and then only to the extent necessary to establish the fact of the
subscription delinquency or purchase agreement, and with appropriate
safeguards against unauthorized disclosure;
(5) to the consumer who is the subject of the
information, upon written or electronic request and upon payment of a
fee not to exceed the actual cost of retrieving the information;
(6) pursuant to subpoena, including an
administrative subpoena, issued under authority of a law of this state
or another state or the United States; or
(7) pursuant to a warrant or court order.
Sec. 4. [325M.04]
[WHEN DISCLOSURE OF PERSONAL INFORMATION PERMITTED; AUTHORIZATION.]
Subdivision 1. [CONDITIONS OF DISCLOSURE.] An
Internet service provider may disclose personally identifiable
information concerning a consumer to:
(1) any person if the disclosure is incident to the
ordinary course of business of the Internet service provider;
(2) another Internet service provider for purposes
of reporting or preventing violations of the published acceptable use
policy or customer service agreement of the Internet service provider;
except that the recipient may further disclose the personally
identifiable information only as provided by this chapter;
(3) any person with the authorization of the
consumer; or
(4) as provided by section 626A.27.
Subd. 2. [AUTHORIZATION.] The Internet service
provider may obtain the consumer's authorization of the disclosure of
personally identifiable information in writing or by electronic means.
The request for authorization must reasonably describe the types of
persons to whom personally identifiable information may be disclosed
and the anticipated uses of the information. In order for an
authorization to be effective, a contract between an Internet service
provider and the consumer must state either that the authorization
will be obtained by an affirmative act of the consumer or that failure
of the consumer to object after the request has been made constitutes
authorization of disclosure. The provision in the contract must be
conspicuous. Authorization may be obtained in a manner consistent with
self-regulating guidelines issued by representatives of the Internet
service provider or online industries, or in any other manner
reasonably designed to comply with this subdivision.
Sec. 5. [325M.05]
[SECURITY OF INFORMATION.]
The Internet service provider shall take
reasonable steps to maintain the security and privacy of a consumer's
personally identifiable information. The Internet service provider is
not liable for actions that would constitute a violation of section
609.88, 609.89, or 609.891, if the Internet service provider does not
participate in, authorize, or approve the actions.
Sec. 6. [325M.06]
[EXCLUSION FROM EVIDENCE.]
Except for purposes of establishing a violation
of this chapter, personally identifiable information obtained in any
manner other than as provided in this chapter may not be received in
evidence in a civil action.
Sec. 7. [325M.07]
[ENFORCEMENT; CIVIL LIABILITY; DEFENSE.]
A consumer who prevails or substantially
prevails in an action brought under this chapter is entitled to the
greater of $500 or actual damages. Costs, disbursements, and
reasonable attorney fees may be awarded to a party awarded damages for
a violation of this section. No class action shall be brought under
this chapter.
In an action under this chapter, it is a defense
that the defendant has established and implemented reasonable
practices and procedures to prevent violations of this chapter.
Sec. 8. [325M.08]
[OTHER LAW.]
This chapter does not limit any greater
protection of the privacy of information under other law, except that:
(1) nothing in this chapter limits the authority
under other state or federal law of law enforcement or prosecuting
authorities to obtain information; and
(2) if federal law is enacted that regulates the
release of personally identifiable information by Internet service
providers but does not preempt state law on the subject, the federal
law supersedes any conflicting provisions of this chapter.
Sec. 9. [325M.09]
[APPLICATION.]
This chapter applies to Internet service
providers in the provision of services to consumers in this state.
Sec. 10. Minnesota Statutes
2000, section 626A.28, subdivision 3, is amended to read:
Subd. 3. [RECORDS CONCERNING ELECTRONIC
COMMUNICATION SERVICE OR REMOTE COMPUTING SERVICE.] (a)(1) Except as
provided in clause (2) or chapter 325M, a provider of electronic
communication service or remote computing service may disclose a
record or other information pertaining to a subscriber to or
customer of the service, not including the contents of
communications covered by subdivision 1 or 2, to any person other
than a governmental entity.
(2) A provider of electronic communication
service or remote computing service may disclose a record or other
information pertaining to a subscriber to or customer of the
service, not including the contents of communications covered by
subdivision 1 or 2, to a governmental entity only when the
governmental entity:
(i) uses an administrative subpoena authorized by
statute, or a grand jury subpoena;
(ii) obtains a warrant;
(iii) obtains a court order for such disclosure
under subdivision 4; or
(iv) has the consent of the subscriber or
customer to the disclosure.
(b) A governmental entity receiving records or
information under this subdivision is not required to provide notice
to a subscriber or customer.
Sec. 11. [EFFECTIVE DATE; EXPIRATION.]
Article 1 is effective March 1, 2003.
Article 1 expires on the effective date of federal
legislation that preempts state regulation of the release of
personally identifiable information by Internet service providers.
ARTICLE 2
COMMERCIAL ELECTRONIC MAIL SOLICITATION
Section 1. [325F.694]
[FALSE OR MISLEADING COMMERCIAL ELECTRONIC MAIL MESSAGES.]
Subdivision 1. [DEFINITIONS.] (a) The terms used
in this section have the meanings given them in this subdivision.
(b) "Commercial electronic mail message"
means an electronic mail message sent through an Internet service
provider's facilities located in this state to a resident of this
state for promoting real property, goods, or services for sale or
lease.
(c) "Electronic mail address" means a
destination, commonly expressed as a string of characters, to which
electronic mail may be sent or delivered.
(d) "Electronic mail service provider"
means a business, nonprofit organization, educational institution,
library, or government entity that provides a set of users the ability
to send or receive electronic mail messages via the Internet.
(e) "Initiate the transmission" refers to
the action by the original sender of an electronic mail message, not
to the action by an intervening Internet service provider or
electronic mail service provider that may handle or retransmit the
message.
(f) "Internet service provider" means a
business or person who provides users authenticated access to, or
presence on, the Internet by means of a switched or dedicated
telecommunications channel upon which the provider provides transit
routing of Internet Protocol (IP) packets for and on behalf of the
user.
(g) "Internet domain name" refers to a
globally unique, hierarchical reference to an Internet host or
service, assigned through centralized Internet naming authorities,
comprising a series of character strings separated by periods, with
the rightmost string specifying the top of the hierarchy.
Subd. 2. [FALSE OR MISLEADING MESSAGES
PROHIBITED.] No person may initiate the transmission of a commercial
electronic mail message that:
(1) uses a third party's Internet domain name
without permission of the third party, or otherwise misrepresents any
information in identifying the point of origin or the transmission
path of a commercial electronic mail message; or
(2) contains false or misleading information in the
subject line.
Subd. 3. [SUBJECT DISCLOSURE.] The subject line
of a commercial electronic mail message must include "ADV"
as the first characters. If the message contains information that
consists of material of a sexual nature that may only be viewed by an
individual 18 years of age and older, the subject line of the message
must include "ADV-ADULT" as the first characters. For
purposes of this subdivision, "commercial electronic mail
message" does not include a message:
(1) if the recipient has consented to receive or
has solicited electronic mail messages from the initiator;
(2) from an organization using electronic mail to
communicate exclusively with its members;
(3) from an entity which uses electronic mail to
communicate exclusively with its employees or contractors; or
(4) if there is a business or personal relationship
between the initiator and the recipient. For purposes of this
subdivision, "business relationship" means a prior or
existing relationship formed between the initiator and the recipient,
with or without an exchange of consideration, on the basis of an
inquiry, application, purchase, or use by the recipient of or
regarding products, information, or services offered by the initiator
or an affiliate or agent of the initiator. For purposes of this
paragraph, "affiliate" means a person that directly or
indirectly controls, is controlled by, or is under common control with
a specified person.
Subd. 4. [TOLL-FREE NUMBER.] (a) A sender
initiating the transmission of a commercial electronic mail message
must establish a toll-free telephone number, a valid sender-operated
return electronic mail address, or another easy-to-use electronic
method that the recipient of the commercial electronic mail message
may call or access by electronic mail or other electronic means to
notify the sender not to transmit by electronic mail any further
unsolicited commercial electronic mail messages. The notification
process may include the ability for the commercial electronic mail
messages recipient to direct the initiator to transmit or not transmit
particular commercial electronic mail messages based upon products,
services, divisions, organizations, companies, or other selections of
the recipient's choice.
(b) A commercial electronic mail message must
include a statement informing the recipient of a toll-free telephone
number that the recipient may call, or a valid return address to which
the recipient may write or access by electronic mail or another
electronic method established by the initiator, notifying the sender
not to transmit to the recipient any further unsolicited commercial
electronic mail messages to the electronic mail address, or addresses,
specified by the recipient, and explaining the manner in which the
recipient may specify what commercial electronic mail messages the
recipient does and does not wish to receive.
Subd. 5. [BLOCKING RECEIPT OR TRANSMISSION.] No
electronic mail service provider may be held liable in an action by a
recipient for any act voluntarily taken in good faith to block the
receipt or transmission through its service of any commercial
electronic mail message that the electronic mail service provider
reasonably believes is, or will be, sent in violation of this section.
Subd. 6. [DEFENSES.] (a) A person is not liable
for a commercial electronic mail message sent in violation of this
section if the person can show by a preponderance of the evidence that
the commercial electronic mail message was not initiated by the person
or was initiated in a manner and form not subject to the control of
the person.
(b) In an action under this section it is a
defense that the defendant has established and implemented reasonable
practices and procedures to prevent violations of this section.
Subd. 7. [DAMAGES.] (a) A person injured by a
violation of this section may recover damages caused by the violation
as specified in this subdivision.
(b) An injured person, other than an electronic
mail service provider, may recover:
(1) the lesser of $25 for each commercial
electronic mail message received that violates subdivision 2, or
$35,000 per day; or
(2) the lesser of $10 for each commercial
electronic mail message received that violates subdivision 3, or
$25,000 per day.
(c) An injured electronic mail service provider
may recover actual damages or elect, in lieu of actual damages, to
recover:
(1) the lesser of $25 for each commercial
electronic mail message received that violates subdivision 2, or
$35,000 per day; or
(2) the lesser of $10 for each commercial
electronic mail message received that violates subdivision 3, or
$25,000 per day.
(d) At the request of any party to an action
brought under this section, the court may, at its discretion, conduct
all legal proceedings in such a way as to protect the secrecy and
security of the computer, computer network, computer data, computer
program, and computer software involved in order to prevent possible
recurrence of the same or a similar act by another person and to
protect any trade secrets of any party.
(e) Costs, disbursements, and reasonable
attorney fees may be awarded to a party awarded damages for a
violation of this section. No class action shall be brought under this
section.
(f) Except as otherwise provided in this
subdivision, the remedies in this subdivision are in addition to
remedies available under section 8.31, 325F.70, or other law.
Subd. 8. [RELATIONSHIP TO FEDERAL LAW.] If
federal law is enacted that regulates false, misleading, or
unsolicited commercial electronic mail messages but does not preempt
state law on the subject, the federal law supersedes any conflicting
provisions of this section.
Sec. 2. [EFFECTIVE DATE; EXPIRATION.]
Article 2 is effective March 1, 2003.
Article 2 expires on the effective date of federal
legislation that preempts state regulation of false, misleading, or
unsolicited commercial electronic mail messages.