Internet Privacy: what’s in Minnesota’s current internet privacy law?

On March 31, I posted about Minnesota Legislature’s reaction to US Congress’ decision to overturn privacy protections…

In a surprise move, the Minnesota Senate on Wednesday voted to bar internet service providers from selling their users’ personal data without express written consent.

Here is the proposed legislation

1.3    “Sec. 17. [237.417] PERSONAL INFORMATION; PROHIBITION.
1.4No telecommunications or internet service provider that has entered into a franchise
1.5agreement, right-of-way agreement, or other contract with the state of Minnesota or a
1.6political subdivision, or that uses facilities that are subject to such agreements, even if it is
1.7not a party to the agreement, may collect personal information from a customer resulting
1.8from the customer’s use of the telecommunications or internet service provider without
1.9express written approval from the customer. No such telecommunication or internet service
1.10provider shall refuse to provide its services to a customer on the grounds that the customer
1.11has not approved collection of the customer’s personal information.
1.12EFFECTIVE DATE.This section is effective the day following final enactment.”
1.13Renumber the sections in sequence and correct the internal references
1.14Amend the title accordingly
1.15The motion prevailed. #did not prevail. So the amendment was #not adopted.

But what about existing Minnesota Internet Privacy Statutes? Turns out existing legislation already exists and may already meet the needs – although there is one important change required.

Here’s the crux of that law…

325M.02 WHEN DISCLOSURE OF PERSONAL INFORMATION PROHIBITED.

Except as provided in sections 325M.03 and 325M.04, an Internet service provider may not knowingly disclose personally identifiable information concerning a consumer of the Internet service provider.

And definition of Personally identifiable information…

Subd. 5.Personally identifiable information.

“Personally identifiable information” means information that identifies:

(1) a consumer by physical or electronic address or telephone number;

(2) a consumer as having requested or obtained specific materials or services from an Internet service provider;

(3) Internet or online sites visited by a consumer; or

(4) any of the contents of a consumer’s data-storage devices.

Provider can share info when required by law (325M.03) and in a few other circumstances (325M.04)…

325M.04 WHEN DISCLOSURE OF PERSONAL INFORMATION PERMITTED; AUTHORIZATION.

Subdivision 1.Conditions of disclosure.

An Internet service provider may disclose personally identifiable information concerning a consumer to:

(1) any person if the disclosure is incident to the ordinary course of business of the Internet service provider;

(2) another Internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the Internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;

(3) any person with the authorization of the consumer; or

(4) as provided by section 626A.27.

The proposed and existing legislation are not exactly the same – but similar enough that the authors and committees may consider going back to the original and modifying if necessary. I’m not a lawyer, so the details often get by me. But I do know online marketing. The proposed legislation feels like an opt-out policy – similar to getting an email that says “reply if you don’t want to get more emails from us”. The existing legislation feels like opt-in – similar to getting an email that says “reply if you want to get more emails from us”. My impression probably speaks more to the need for the policy than actual legislation but I do know that the existing legislation has a lot of details that may prove useful to deploying the spirit of the proposed legislation. It’s seems like a mashup may be beneficial.

Here’s the important change, the existing law seems to defer to federal legislation. Clearly if the goal is to maintain privacy they will want to change that…

NOTE: Chapter 325M, as added by Laws 2002, chapter 395, article 1, section 9, is effective March 1, 2003, and expires on the effective date of federal legislation that preempts state regulation of the release of personally identifiable information by Internet service providers. Laws 2002, chapter 395, article 1, section 11.

This entry was posted in MN, Policy by Ann Treacy. Bookmark the permalink.

About Ann Treacy

I have a Master’s Degree in Library and Information Science. I have been interested or involved in providing access to information through the Internet since 1994, when I worked for Minnesota’s first Internet service provider. I am pleased to be a part of the Blandin on Broadband Team. I also work with MN Coalition on Government Information, Minnesota Rural Partners, and the American Society for Information Science and Technology.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s