PROTECT PRIVACY INFO FROM DISCLOSURE BY ISP'S

House Bill 5774

Sponsor: Rep. Ken Bradstreet

Committee: Energy and Technology

Complete to 3-21-02

A SUMMARY OF HOUSE BILL 5774 AS INTRODUCED 3-6-02

House Bill 5774 would create the "Internet Privacy Protection Act" to prohibit an Internet service provider (ISP) from disclosing a subscriber's "personally identifying information" without obtaining the subscriber's affirmative consent. An ISP who intended to cause the subscriber physical or financial harm by violating the prohibition would be guilty of a felony punishable by up to two years in prison and a $5,000 fine. Other violations would be misdemeanors punishable by imprisonment up to 90 days and a fine of $100. Whether or not intent to harm was established, an injured subscriber could file a civil action to recover damages against a ISP who violated the prohibition. A more detailed summary of the proposed act's prohibition on disclosing personally identifying information without affirmative consent is provided below.

An ISP that provided direct Internet access services to state residents could not disclose any personally identifying information about a subscriber in the state to an affiliate or third party for marketing or other purposes without the knowledge and affirmative consent of the subscriber. A subscriber's affirmative consent would have to be in writing and would have to be obtained by the ISP on a form separate and distinct from the ISP's generally applicable service agreement or contract. A subscriber could provide such consent by electronic mail or other electronic means. The consent would have to identify each affiliate and third party to whom the ISP would disclose the subscriber's personally identifying information as well as each affiliate and third party who would have access to the information. An ISP would have to obtain a separate affirmative consent from a subscriber, and confirm its receipt of the consent, prior to each disclosure of the subscriber's personally identifying information to an affiliate or third party. An ISP could not disclose personally identifying information about a subscriber to an affiliate or third party who was not named on the consent.

The bill would define an ISP as a business or organization qualified to do business in Michigan that provided direct Internet access services, including dial-up modem connections via telephone, ISDN, DSL, or coaxial cable, or any other means of providing direct TCP/IP services that included access to both a domain name server and an electronic mail server. "Personally identifying information" would include a subscriber's electronic mail address, Social Security number, date of birth, income, occupation, credit card or debit card information, current and prior addresses, telephone number, and mother's maiden name. It would also include any

 

 


information gathered by means of a subscriber's Internet usage, IP connection history, preferences, equipment, software, or user profile. The term would not include aggregated data that could not be used to identify a subscriber or information disclosed by the ISP to an affiliate or to a third party in connection with the processing, billing, collection, or maintenance of a subscriber's account.

Analyst: J. Caver

_____________________________________________________________________________________________________________________

This analysis was prepared by nonpartisan House staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.