190 likes | 370 Vues
Minnesota Passes the Nation’s First Internet Privacy Law. Jody Blanke, Professor Computer Information Systems and Law Mercer University, Atlanta. Minnesota’s Internet Privacy Act. Enacted on May 22, 2002 To be effective on March 1, 2003 Applies (only) to Internet service providers [ISPs]
E N D
Minnesota Passes the Nation’s First Internet Privacy Law Jody Blanke, Professor Computer Information Systems and Law Mercer University, Atlanta ALSB - July 30, 2002
Minnesota’s Internet Privacy Act • Enacted on May 22, 2002 • To be effective on March 1, 2003 • Applies (only) to Internet service providers [ISPs] • ISPs may not disclose personally identifiable information [PII] except as provided in this act ALSB - July 30, 2002
"Personally identifiable information“ defined as • Information that identifies: • a consumer by physical or electronic address or telephone number; • a consumer as having requested or obtained specific materials or services from an Internet service provider; • Internet or online sites visited by a consumer; or • any of the contents of a consumer's data-storage devices. ALSB - July 30, 2002
Required Disclosures of PII • Pursuant to subpoena • Pursuant to warrant or court order • For certain law enforcement purposes • In a civil action for conversion • To the consumer, upon request ALSB - July 30, 2002
Permitted Disclosures of PII • In the “ordinary course of business” • “debt-collections activities, order fulfillment, request processing, or the transfer of ownership” • As provided by wiretap law • To other ISPs for purposes of enforcing acceptable use policies • To any person with the consumer’s authorization ALSB - July 30, 2002
Authorization • May be written or electronic • Must describe persons to whom PII will be disclosed and anticipated uses • Must state conspicuously whether authorization will be obtained on an opt-in or opt-out basis ALSB - July 30, 2002
Civil Action • May claim actual damages or $500, plus costs and attorney fees • No class actions permitted • It is a defense that the defendant has established and implemented reasonable practices and procedures to prevent violations of this chapter ALSB - July 30, 2002
Preemption • Expires on the effective date of federal legislation that preempts state regulation of the release of PII by ISPs • If federal legislation were enacted that did not preempt state law, any such federal law would supercede conflicting provisions of the Minnesota law ALSB - July 30, 2002
Online Personal Privacy Act • Senate bill co-sponsored by Senator Hollings and ten other Senators • Would preempt Minnesota law • Applies to [ISPs], online service providers [OSPs], and operators of commercial websites [OCWs] • Restricts collection, use and disclosure of PII ALSB - July 30, 2002
“Collect” broadly defined as • The gathering of PII by any means, direct or indirect, active or passive, including • an online request for PII • PII gathered in chat room or from message board • “tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies or other tracking technology” ALSB - July 30, 2002
“Fair information practices” • Consistent with the “five core principles of privacy protection” • Notice/awareness • Choice/consent • Access/participation • Integrity/security • Enforcement/redress ALSB - July 30, 2002
Notice • Must be “clear and conspicuous” • Must disclose • the types of information collected • the methods of collecting and using the information • all the disclosure practices, including whether it will be disclosed to third parties ALSB - July 30, 2002
Opt-in Consent • Required for sensitive PII • Sensitive PII includes • individually identifiable health information • race or ethnicity • political party affiliation • religious beliefs • sexual orientation • social Security number • sensitive financial information ALSB - July 30, 2002
Opt-out Consent • Requires “clear and conspicuous notice” and “robust notice” for PII • PII includes • first and last name, home or other physical address, e-mail address, telephone number, birth certificate number • any other identifier that would permit the physical or online contacting of a specific individual • information that is collected and combined with an identifier described above ALSB - July 30, 2002
Exceptions • Does not apply to the collection, disclosure or use of information that is necessary • to protect security and integrity of the service or website, or the safety of people or property • to conduct a transaction for the user • Good faith disclosures may be made under the Children’s Online Privacy Protection Act • Disclosures may be made pursuant to a warrant or court order ALSB - July 30, 2002
Changes in Privacy Policy • Whenever an ISP, OSP or OCW makes a material change in its policy for the collection, use or disclosure of sensitive or nonsensitive PII, it must notify all users of that service or website of the change, and may not act in accordance with the changed policy until the user is afforded an opportunity to consent or withhold consent to the new policy ALSB - July 30, 2002
Access • Must provide access to PII collected from the user online, provide an opportunity for the user to suggest a correction or deletion of any such information, and make the correction or deletion • May decline to make the correction or deletion if it reasonably believes that it is inaccurate or inappropriate, and it so notifies the user, and provides an opportunity for the user to refute the reasons given for declining to make the suggested correction or deletion • May charge an access fee of no more than $3 ALSB - July 30, 2002
Security • Must establish and maintain reasonable procedures necessary to protect the security, confidentiality and integrity of the PII it maintains ALSB - July 30, 2002
Enforcement • By FTC • as unfair or deceptive acts or practices • By individuals • for violations regarding sensitive PII • By state attorneys general • on behalf of state residents ALSB - July 30, 2002