In a surprise move, the Minnesota Senate on Wednesday voted to bar internet service providers from selling their users’ personal data without express written consent.
Here is the proposed legislation…
“Sec. 17. [237.417] PERSONAL INFORMATION; PROHIBITION.
No telecommunications or internet service provider that has entered into a franchise agreement, right-of-way agreement, or other contract with the state of Minnesota or a political subdivision, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, may collect personal information from a customer resulting from the customer’s use of the telecommunications or internet service provider without express written approval from the customer. No such telecommunication or internet service provider shall refuse to provide its services to a customer on the grounds that the customer has not approved collection of the customer’s personal information.
EFFECTIVE DATE. This section is effective the day following final enactment.”
Renumber the sections in sequence and correct the internal references
Amend the title accordingly
The motion prevailed. #did not prevail. So the amendment was #not adopted.
But what about existing Minnesota Internet privacy statutes? It turns out that legislation already exists and may already meet the needs – although there is one important change required.
Here’s the crux of that law…
325M.02 WHEN DISCLOSURE OF PERSONAL INFORMATION PROHIBITED.
And the definition of personally identifiable information…
Subd. 5. Personally identifiable information.
“Personally identifiable information” means information that identifies:
(1) a consumer by physical or electronic address or telephone number;
(2) a consumer as having requested or obtained specific materials or services from an Internet service provider;
(3) Internet or online sites visited by a consumer; or
(4) any of the contents of a consumer’s data-storage devices.
325M.04 WHEN DISCLOSURE OF PERSONAL INFORMATION PERMITTED; AUTHORIZATION.
Subdivision 1. Conditions of disclosure.
An Internet service provider may disclose personally identifiable information concerning a consumer to:
(1) any person if the disclosure is incident to the ordinary course of business of the Internet service provider;
(2) another Internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the Internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;
(3) any person with the authorization of the consumer; or
(4) as provided by section 626A.27.
The proposed and existing legislation are not exactly the same – but similar enough that the authors and committees may consider going back to the original and modifying if necessary. I’m not a lawyer, so the details often get by me. But I do know online marketing. The proposed legislation feels like an opt-out policy – similar to getting an email that says “reply if you don’t want to get more emails from us”. The existing legislation feels like opt-in – similar to getting an email that says “reply if you want to get more emails from us”. My impression probably speaks more to the need for the policy than actual legislation but I do know that the existing legislation has a lot of details that may prove useful to deploying the spirit of the proposed legislation. It seems like a mashup may be beneficial.
Here’s the important change: the existing law seems to defer to federal legislation. Clearly if the goal is to maintain privacy they will want to change that…
NOTE: Chapter 325M, as added by Laws 2002, chapter 395, article 1, section 9, is effective March 1, 2003, and expires on the effective date of federal legislation that preempts state regulation of the release of personally identifiable information by Internet service providers. Laws 2002, chapter 395, article 1, section 11.