The state of Minnesota now has the nation’s first online privacy bill, following Gov. Jesse Ventura’s signing of S.F. No. 2908, which also enacts several anti-spam protections.
The act, which will go into effect next March, requires Internet Service Providers — even those based in other states — to alert their Minnesota-based subscribers before disclosing to marketers information such as users’ e-mail addresses, home addresses, telephone numbers, and which sites their users visit. ISPs also must tell why they are disclosing the information.
Additionally, ISPs must also specify in their signup contracts whether their users would have to opt-out of information sharing, or whether subscribers would have to opt-in to information sharing.
The law grants Minnesota citizens rights to sue ISPs that release information without their knowledge or break their opt-in agreement, unless the information is released to law enforcement authorities. Consumers are entitled to $500 or actual damages, whichever is greater. ISPs are not liable under the law for use of information that it did not authorize or participate in, such as theft by a hacker.
Citizens also have the right to write to request to see the information collected about them.
The act requires that unsolicited commercial e-mail include “ADV” in the subject and “ADV-ADULT” for material of a sexual nature. Additionally, H.F. No. 3625 also prohibits the sending of e-mail with deceptive or misleading origins or subject lines (both common tactics for spammers).
The rules do not apply to messages sent to an Internet user with whom the marketer had a prior or current business relationship — suggesting that controversial practices such as “e-mail append” could be protected under the law.
E-mail marketers also must include a valid toll-free number or e-mail address through which recipients can opt-out.
The act also protects ISPs that block e-mail that it “reasonably believes” is in violation of the law. No ISP or online service can be held liable for blocking efforts made in good faith, the law states.
Recipients of e-mail that is sent in violation of the law are entitled to damages. For e-mail with deceptive origins or subject lines, they can receive $25 for each violating e-mail, or $35,000 per day, whichever is less. For e-mail lacking the appropriate “ADV” label, consumers can sue for $10 per e-mail, or $25,000 per day, whichever is less.
ISPs also have the right to sue for actual damages, or for the same damages to which consumers are entitled.
ISP advocates had fought unsuccessfully against the law’s privacy regulations, claiming they put undue liabilities on Internet services firms and could hurt efforts to fight online crime.
While the law is the first to spell out the rules of sharing online privacy information, several other states have enacted anti-spam bills of their own. California and Colorado, for instance, each require that e-mailers include “ADV” in their subject lines.
Meanwhile, the U.S. Congress is also considering privacy protection and anti-spam legislation, which would supersede states’ laws.