On May 22, 2002, Minnesota Governor Jesse Ventura signed into law a new Internet consumer privacy act (“the Act”). The Act regulates the collection, maintenance, use and disclosure of “personally identifiable information” by an Internet Service Provider (“ISP”) and regulates “commercial electronic mail messages.” See Minnesota Laws 2002, Chapter 395.
This new Minnesota privacy law is the first law enacted by a state that regulates disclosure by ISPs of personally identifiable information. Those regulated by the Act are concerned with the possible proliferation of different and potentially conflicting laws in other states. At some point, Congress may pass new federal laws that would preempt this and similar state laws, but no such federal laws exist now.
Disclosure of Personally Identifiable Information
Effective March 1, 2003, an ISP providing Internet services to consumers in Minnesota may not knowingly disclose “personally identifiable information” about its customers or users, except as set out in the Act.
Key definitions. An ISP is defined as a business or person who “provides consumers authenticated access to, or presence on, the Internet by means of a switched or dedicated telecommunications channel upon which the provider provides transit routing of Internet Protocol (IP) packets for and on behalf of the consumer.” Common carrier telecommunication services are not ISPs under the Act. The “consumer” protected by the Act is any person who pays a fee to an ISP for access to the Internet for personal, family or household purposes and who does not resell access. The Act defines “personally identifiable information” as information that identifies: (1) a consumer by physical or electronic address or telephone number; (2) a consumer as having requested or obtained specific materials or services from an ISP; (3) Internet or online sites visited by a consumer; or (4) any of the contents of a consumer's data-storage devices.
Permissible and mandatory disclosure. An ISP may disclose personally identifiable information to other ISPs if necessary in connection with enforcing applicable terms of use of the ISP or pursuant to an informed authorization by the consumer. An ISP must disclose information concerning a consumer: (a) to a grand jury; (b) to an investigative or law enforcement officer acting pursuant to the wiretap law; (c) pursuant to a court order upon a showing of compelling need; (d) to a court in a civil action brought by the ISP for conversion or to enforce collection of fees; or (e) to the consumer.
Authorized disclosure. Data containing personally identifiable information can be disclosed with written or electronic authorization from the subject of such data. The ISP’s request for authorization must reasonably describe the types of persons to whom personally identifiable information may be disclosed and the anticipated uses of the information. The authorization can be obtained either by an opt-out or an opt-in procedure, but to be valid, a contract must exist between the ISP and the subject of the data that conspicuously sets out whether an opt-in or an opt-out consent will be used. Authorization, alternatively, may be obtained in a manner consistent with self-regulating guidelines issued by representatives of ISPs or online industries, if those guidelines are reasonably designed to comply with the requirements of the Act.
Enforcement and preemption. Any consumer who successfully brings a claim for improper disclosure of personally identifiable information is entitled to the greater of $500 or actual damages as well as attorneys’ fees. Class actions, however, are prohibited. Moreover, it is a defense to a claim of unlawful disclosure that the defendant established and implemented reasonable practices and procedures to prevent violations of the Act. If a federal law were to be enacted that regulated the release of personally identifiable information by ISPs, the federal law would supercede any conflicting provisions of the Act, even if the federal law did not explicitly preempt state law regarding the release of personally identifiable information.
Commercial Electronic Mail Solicitation
Effective March 1, 2003, the Act regulates the dissemination of commercial electronic mail messages by: (1) prohibiting false or misleading messages; (2) requiring subject line disclosure; (3) requiring an opt-out option; (4) allowing blocking of commercial electronic mail with impunity; and (5) imposing civil liability for violation of the Act. A “commercial electronic mail message” is defined as an electronic mail message which promotes the sale or lease of real property, goods or services sent through an ISP facility located in Minnesota to a Minnesota resident.
False or misleading messages. False and misleading commercial electronic mail messages prohibited by the Act include messages that:
- use a third party's Internet domain name without permission or otherwise misrepresent any information in identifying the point of origin or the transmission path of a message; or
- contain false or misleading information in the subject line.
Subject line disclosure. Under the Act, the subject line disclosure of a commercial electronic mail message must include the legend “ADV” as its first characters. In addition, if a commercial electronic mail message contains material of a sexual nature that may be viewed only by an individual 18 years of age and older, the subject line of the message must include the legend “ADV-ADULT” as its first characters. For purposes of subject line disclosure only, the Act excludes messages from the definition of “commercial electronic mail messages:” (a) when the recipient has consented to receive or has solicited the message; (b) which are from an organization using electronic mail to communicate exclusively with its members; (c) which are from an entity that uses electronic mail to communicate exclusively with its employees or contractors; or (d) if there is a prior business or personal relationship between the initiator and the recipient. A “business relationship” is defined as “a prior or existing relationship formed between the initiator and the recipient [of the electronic communication], … on the basis of an inquiry, application, purchase, or use by the recipient of or regarding products, information, or services offered by the initiator or an affiliate or agent of the initiator.” An “affiliate” is a person that directly or indirectly controls, is controlled by, or is under common control with an initiator.
Opt-out option. To allow recipients to opt out of receiving unsolicited commercial electronic mail messages, the Act requires initiators of commercial electronic mail messages to establish a toll-free telephone number, a valid sender-operated return electronic mail address, or another easy-to-use electronic method that the recipient may call or access to opt out of receiving further messages. All commercial electronic mail messages must include a notice to the recipient setting out how to opt out of receiving any further messages to the electronic mail address or addresses specified by the recipient.
Blocking. To protect the ultimate recipient and encourage compliance, the Act allows an electronic mail service provider to block the receipt or transmission of any commercial electronic mail message that it reasonably believes is or will be sent in violation of the Act and immunizes the provider from suit by the intended recipient of such commercial electronic mail message. An “electronic mail service provider” is defined as a “business, nonprofit organization, educational institution, library, or government entity that provides a set of users the ability to send or receive electronic mail messages via the Internet.”
Enforcement and preemption. An electronic mail service provider may recover either actual damages or the lesser of $10 to $25 (depending on the type of violation) for each commercial electronic mail message received in violation of the Act or $25,000 to $35,000 (depending on the type of violation) for each day the violation continues. Attorneys’ fees may be awarded to a party awarded damages under the Act,(insert comma) but class actions are prohibited. Legal proceedings must be conducted in a manner that protects the privacy and security of the computer systems involved in violations of the Act. A defendant is not liable under the Act, however, if it can show by a preponderance of the evidence that it did not initiate the commercial electronic mail message or that it was initiated in a manner and form not subject to the defendant’s control. Any federal law enacted that regulates false, misleading or unsolicited commercial electronic mail messages supersedes conflicting provisions of the Act, even if the federal law does not explicitly preempt state law. On the effective date of any federal legislation that does preempt state regulation of false, misleading or unsolicited commercial electronic mail messages, this portion of the Act expires.
Conclusion
Unless superseded by federal law, after March 1, 2003, any ISP offering services to consumers in Minnesota will have to:
- request authorization from the consumer to disclose personally identifiable information, describing in the request to whom the ISP will or may disclose the information; and
- update its user or service contract to conspicuously set out how the ISP will obtain authorization for any disclosures of personally identifiable information.
In addition, unless preempted by federal law, all persons or entities sending “commercial electronic mail messages” to recipients in Minnesota will have to:
- properly mark commercial electronic mail messages with “ADV” or “ADV-ADULT”;
- ensure that the subject line description properly reflects the content of the message; and
- implement procedures to allow the recipient to opt out of receiving further commercial electronic mail messages.
The new Minnesota privacy law may be more nuisance for ISPs than protector of consumer privacy with respect to the disclosure of personally identifiable information. Individual consumers are unlikely to pursue a damage award of $500 in the event of an improper disclosure of personally identifiable information. Without a meaningful enforcement mechanism, ISPs may be unwilling to implement its requirements when Minnesota consumers are a small part of the market.
In contrast, the potential penalties for violation of the restrictions on commercial electronic mail solicitation may present a real deterrent to commercial solicitation by electronic mail. However, an electronic mail service provider is more likely to use electronic mail blocking than litigation to protect its customers, making compliance with the commercial electronic mail solicitation provisions of the new privacy law less likely. Ultimately, Minnesota’s new privacy law may simply point out the need for federal regulation in the area of Internet privacy.