H.B. 105
INTERNET PRIVACY AND SECURITY AMENDMENTS
2003 GENERAL SESSION
STATE OF UTAH
Sponsor: Wayne A. Harper
This act modifies Commerce and Trade Provisions to enact the Internet Privacy Act and modifies the Information Technology Act to enact the Governmental Internet Information Privacy Act.
This act affects sections of Utah Code Annotated 1953 as follows:
ENACTS:
13-37-101, Utah Code Annotated 1953
13-37-102, Utah Code Annotated 1953
13-37-103, Utah Code Annotated 1953
13-37-201, Utah Code Annotated 1953
13-37-202, Utah Code Annotated 1953
13-37-203, Utah Code Annotated 1953
13-37-301, Utah Code Annotated 1953
13-37-302, Utah Code Annotated 1953
13-37-401, Utah Code Annotated 1953
13-37-402, Utah Code Annotated 1953
63D-1-401, Utah Code Annotated 1953
63D-1-402, Utah Code Annotated 1953
63D-1-403, Utah Code Annotated 1953
Be it enacted by the Legislature of the state of Utah:
Section 1. Section 13-37-101 is enacted to read:
CHAPTER 37. INTERNET PRIVACY ACT
Part 1. General Provisions
13-37-101. Title.
This chapter is known as the "Internet Privacy Act."
Section 2. Section 13-37-102 is enacted to read:
13-37-102. Definitions.
As used in this chapter:
(1) (a) Except as provided in Subsection (1)(b), "consumer" means a person who:
(i) is a resident of the state;
(ii) enters into a contract with an Internet service provider for access to the Internet for personal, family, or household purposes; and
(iii) receives the access described in Subsection (1)(a)(ii).
(b) "Consumer" does not include a person that resells the access described in Subsection (1)(a)(ii).
(2) (a) Except as provided in Subsection (2)(b), "Internet service provider" means a person who:
(i) provides a consumer:
(A) authenticated access to the Internet; or
(B) authenticated presence on the Internet; and
(ii) provides the access or presence described in Subsection (2)(a)(i) by providing transit routing of Internet protocol packets for and on behalf of the consumer.
(b) "Internet service provider" does not include a person that offers on a common carrier basis:
(i) access to telecommunications facilities; or
(ii) telecommunication services by means of telecommunications facilities.
(3) "Ordinary course of business" means activities related to an Internet service provider:
(a) collecting debts owed to the Internet service provider;
(b) processing a request for materials or services to be provided by the Internet service provider; or
(c) transferring ownership.
(4) "Personally identifiable information" means information that identifies:
(a) a consumer by:
(i) name;
(ii) account number;
(iii) physical address;
(iv) electronic address;
(v) telephone number; or
(vi) Social Security number;
(b) a consumer as having requested or obtained specific materials or services from an Internet service provider;
(c) an Internet site visited by a consumer; or
(d) any of the contents of a consumer's data-storage device.
Section 3. Section 13-37-103 is enacted to read:
13-37-103. Other law.
(1) Except as provided in Subsection (2), this chapter does not limit any greater protection of the privacy of personally identifiable information under other law.
(2) This chapter may not be interpreted as limiting the authority under other state or federal law under which a peace officer or prosecuting authority may obtain information.
Section 4. Section 13-37-201 is enacted to read:
Part 2. Disclosure of Personally Identifiable Information
13-37-201. Disclosure of personally identifiable information.
Except as provided in Section 13-37-202 or 13-37-203, an Internet service provider may not knowingly disclose to any person the personally identifiable information concerning a consumer of the Internet service provider.
Section 5. Section 13-37-202 is enacted to read:
13-37-202. When disclosure of personally identifiable information is required.
Notwithstanding Section 13-37-201, an Internet service provider shall disclose personally identifiable information concerning a consumer:
(1) to the extent not otherwise prohibited by law, pursuant to:
(a) a subpoena;
(b) a warrant; or
(c) subject to the requirements of Subsections (2) and (3), a court order;
(2) pursuant to a court order in a civil proceeding if the person seeking the personally identifiable information shows:
(a) a compelling need for the information; and
(b) that the compelling need described in Subsection (2)(a) cannot be accommodated by other means;
(3) only to the extent necessary to establish a fact described in Subsection (3)(b), to a court in a civil action if:
(a) the civil action is:
(i) commenced by the Internet service provider; and
(ii) brought:
(A) for conversion; or
(B) to enforce collection of the following that are unpaid:
(I) subscription fees; or
(II) purchase amounts;
(b) disclosure of the personally identifiable information is necessary to establish the fact of:
(i) conversion; or
(ii) the failure to pay an amount described in Subsection (3)(a)(ii)(B); and
(c) if the court finds that there is appropriate safeguards against unauthorized disclosure of the personally identifiable information; or
(4) to the consumer who is the subject of the personally identifiable information upon:
(a) written or electronic request by the consumer; and
(b) payment of a fee:
(i) if the Internet service provider charges a fee; and
(ii) only to the extent that the fee does not exceed the actual costs of retrieving the personally identifiable information.
Section 6. Section 13-37-203 is enacted to read:
13-37-203. When disclosure of personally identifiable information is permitted -- Authorization -- Contract requirements.
(1) Notwithstanding Section 13-37-201, an Internet service provider may disclose personally identifiable information concerning a consumer to:
(a) any person if the disclosure is incident to the ordinary course of business of the Internet service provider;
(b) another Internet service provider if:
(i) the Internet service provider that discloses the information has reason to believe that a person is violating any of the following of the Internet service provider that discloses the personally identifiable information:
(A) a published acceptable use policy; or
(B) customer service agreement;
(ii) the Internet service provider that discloses the personally identifiable information discloses only the personally identifiable information necessary to report a violation of a policy or agreement described in Subsection (1)(b)(i); and
(iii) the Internet service provider that receives the personally identifiable information discloses the personally identifiable information only as provided by this chapter;
(c) any person, if the Internet service provider obtains the authorization of the consumer in accordance with Subsection (2); or
(d) any person to the extent authorized under Title 77, Chapter 23a, Interception of Communications.
(2) (a) In accordance with this Subsection (2), an Internet service provider may obtain a consumer's authorization of the disclosure of personally identifiable information related to the consumer:
(i) only if the contract between the Internet service provider and the consumer complies with Subsection (3); and
(ii) the authorization is obtained in accordance with the contract described in Subsection (2)(a)(i).
(b) An Internet service provider's requests from a customer for authorization to disclose personally identifiable information related to the consumer shall reasonably describe:
(i) the types of persons to whom personally identifiable information may be disclosed; and
(ii) the anticipated uses of the personally identifiable information that is disclosed.
(c) Subject to the requirements of this section, authorization may be obtained:
(i) in a manner consistent with self-regulating guidelines generally followed by the industry of Internet service providers; or
(ii) in any other manner reasonably designed to comply with this section.
(3) (a) A contract between an Internet service provider and a consumer shall notify the consumer as to whether the contract requires that for an authorization described in Subsection (2) to be effective the customer must:
(i) affirmatively respond to a request by the Internet service provider for authorization:
(A) in writing; or
(B) by electronic means; or
(ii) fail to respond to a request by the Internet service provider for authorization in the time period specified in the request for authorization.
(b) The notice required by this Subsection (3) shall be:
(i) conspicuous; and
(ii) written such that a consumer without technical knowledge of the Internet can understand the notice.
Section 7. Section 13-37-301 is enacted to read:
Part 3. Security and Privacy Measures
13-37-301. Security of information.
An Internet service provider that provides access to consumers shall take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.
Section 8. Section 13-37-302 is enacted to read:
13-37-302. Privacy notices.
(1) An Internet service provider that provides access to the Internet to a consumer shall provide the consumer notice of:
(a) the privacy policy of the Internet service provider;
(b) subject to Section 13-37-203, the procedure followed by the Internet service provider to obtain authorization from the consumer for disclosure of personally identifiable information; and
(c) the services provided by the Internet service provider to a consumer that a consumer can use to increase the privacy of the consumer's personally identifiable information that is available through the Internet service provider.
(2) The notice required by Subsection (1) shall be:
(a) conspicuous; and
(b) written such that a consumer without technical knowledge of the Internet can understand the notice.
Section 9. Section 13-37-401 is enacted to read:
Part 4. Remedies
13-37-401. Civil liability -- Prohibit class action.
(1) A consumer may bring a civil action in a court of competent jurisdiction against an Internet service provider for a violation of this chapter.
(2) (a) If an Internet service provider is found to have violated this chapter in a civil action brought under Subsection (1), the Internet service provider is liable to the consumer for the greater of:
(i) $500; or
(ii) actual damages.
(b) In addition to amounts described in Subsection (2)(a), the court may award a customer:
(i) reasonable attorney fees; and
(ii) court costs.
(3) A person may not bring a class action under this chapter.
Section 10. Section 13-37-402 is enacted to read:
13-37-402. Defenses.
In an action under this chapter, it is a defense that the Internet service provider has established and implemented reasonable practices and procedures to prevent a violation of this chapter.
Section 11. Section 63D-1-401 is enacted to read:
Part 4. Governmental Internet Information Privacy Act
63D-1-401. Title.
This part is known as the "Governmental Internet Information Privacy Act."
Section 12. Section 63D-1-402 is enacted to read:
63D-1-402. Definitions.
As used in this part:
(1) (a) "Collect" means the gathering of personally identifiable information:
(i) from a user of a governmental website; or
(ii) about a user of the governmental website.
(b) "Collect" includes use of any identifying code linked to a user of a governmental website.
(2) Subject to Subsection (6), "governmental entity" means:
(a) a state agency; or
(b) a political subdivision of the state:
(i) as defined in Section 17B-2-101; and
(ii) including a school district.
(3) "Governmental website" means a website that is operated by or on behalf of a governmental entity.
(4) "Governmental website operator" means a governmental entity or person acting on behalf of the governmental entity that:
(a) operates a governmental website located on the Internet; and
(b) collects or maintains personally identifiable information from or about a user of that website.
(5) "Personally identifiable information" means information that identifies:
(a) a user by:
(i) name;
(ii) account number;
(iii) physical address;
(iv) electronic address;
(v) telephone number; or
(vi) Social Security number;
(b) a user as having requested or obtained specific materials or services from a governmental website;
(c) Internet sites visited by a user; or
(d) any of the contents of a user's data-storage device.
(6) Notwithstanding Section 63D-1-104, "state agency" includes:
(a) the legislative branch;
(b) the judicial branch;
(c) the State Board of Education;
(d) the Board of Regents; and
(e) institutions of higher education.
(7) "User" means a person who accesses a governmental website.
Section 13. Section 63D-1-403 is enacted to read:
63D-1-403. Collection of personally identifiable information.
(1) A government entity may not collect personally identifiable information related to a user of the governmental entity's governmental website unless the governmental entity has taken reasonable steps to ensure that on the day on which the personally identifiable information is collected the governmental entity's governmental website complies with Subsection (2).
(2) A government website shall contain a privacy policy statement that discloses:
(a) (i) the identity of the governmental website operator; and
(ii) how the governmental website operator may be contacted:
(A) by telephone; or
(B) electronically;
(b) (i) the personally identifiable information collected by the governmental entity;
(ii) the means by which personally identifiable information is collected;
(iii) whether the personally identifiable information collected by the governmental entity is retained by the governmental entity; and
(iv) if personally identifiable information collected by the governmental entity is retained, the time period for which the personally identifiable information is retained;
(c) a summary of how the personally identifiable information is used by:
(i) the governmental entity; or
(ii) the governmental website operator;
(d) the practices of the following related to disclosure of personally identifiable information collected:
(i) the governmental entity; or
(ii) the governmental website operator;
(e) the options, if any, available to a person who wants to obtain services from the governmental entity but chooses not to provide personally identifiable information through a governmental website;
(f) the procedures, if any, by which a user of a governmental entity may request:
(i) access to the user's personally identifiable information; and
(ii) to correct the user's personally identifiable information; and
(g) without compromising the integrity of the security measures, a general description of the security measures in place to protect a user's personally identifiable information from unintended disclosure.
Legislative Review Note
as of 1-24-03 12:10 PM
This bill regulates Internet service providers who provide Internet access to consumers in the
state. Case law surrounding state regulation of Internet activities is evolving. State regulation
of Internet activities has been challenged as violating constitutional principles such as the
Commerce Clause of the Constitution of the United States. At least one court has indicated that
in considering state laws that directly regulate Internet activities, the need for national
uniformity might limit a state's ability to regulate those activities. If the regulation of Internet
activities is incidental to the regulation of other activities and no distinction is made between in
state and out of state providers, some courts have upheld the constitutionality of the regulation.
It would be for a court to decide whether the bill is unconstitutional as the bill does not impose
a greater burden on out of state Internet service providers than is imposed on in state Internet
service providers and regulates only service that is to residents of the state.