Ventura Signs Online Privacy, Spam Bill
The law requires that ISPs disclose data-collection practices, and lays down guidelines on unsolicited commercial e-mail.
The law requires that ISPs disclose data-collection practices, and lays down guidelines on unsolicited commercial e-mail.
The state of Minnesota now has the nation’s first online privacy bill, following Gov. Jesse Ventura’s signing of S.F. No. 2908, which also enacts several anti-spam protections.
The act, which will go into effect next March, requires Internet Service Providers — even those based in other states — to alert their Minnesota-based subscribers before disclosing to marketers information such as users’ email addresses, home addresses, telephone numbers, and which sites their users visit. ISPs also must tell why they are disclosing the information.
Additionally, ISPs must also specify in their signup contracts whether their users would have to opt-out of information sharing, or whether subscribers would have to opt-in to information sharing.
The law grants Minnesota citizens rights to sue ISPs that release information without their knowledge or break their opt-in agreement, unless the information is released to law enforcement authorities. Consumers are entitled to $500 or actual damages, whichever is greater. ISPs are not liable under the law for use of information that it did not authorize or participate in, such as theft by a hacker.
Citizens also have the right to write to request to see the information collected about them.
The act requires that unsolicited commercial email include “ADV” in the subject and “ADV-ADULT” for material of a sexual nature. Additionally, H.F. No. 3625 also prohibits the sending of email with deceptive or misleading origins or subject lines (both common tactics for spammers).
The rules do not apply to messages sent to an Internet user with whom the marketer had a prior or current business relationship — suggesting that controversial practices such as “email append” could be protected under the law.
E-mail marketers also must include a valid toll-free number or email address through which recipients can opt-out.
The act also protects ISPs that block email that it “reasonably believes” is in violation of the law. No ISP or online service can be held liable for blocking efforts made in good faith, the law states.
Recipients of email that is sent in violation of the law are entitled to damages. For email with deceptive origins or subject lines, they can receive $25 for each violating email, or $35,000 per day, whichever is less. For email lacking the appropriate “ADV” label, consumers can sue for $10 per email, or $25,000 per day, whichever is less.
ISPs also have the right to sue for actual damages, or for the same damages to which consumers are entitled.
ISP advocates had fought unsuccessfully against the law’s privacy regulations, claiming they put undue liabilities on Internet services firms and could hurt efforts to fight online crime.
While the law is the first to spell out the rules of sharing online privacy information, several other states have enacted anti-spam bills of their own. California and Colorado, for instance, each require that emailers include “ADV” in their subject lines.
Meanwhile, the U.S. Congress is also considering privacy protection and anti-spam legislation, which would supersede states’ laws.