House File 649 - Introduced

HOUSE FILE
BY HEATON, KAUFMANN, LUKAN, DE BOEF, SCHULTE, STRUYK, SANDS, SODERBERG, L. MILLER, and UPMEYER

Passed House, Date
Passed Senate, Date
Vote: Ayes Nays
Vote: Ayes Nays
Approved

A BILL FOR

An Act prohibiting the disclosure of specified consumer information by internet service providers and providing a penalty.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 2554YH 83
rn/nh/14

Section 1. NEW SECTION. 715D.1 DEFINITIONS.

As used in this chapter, unless the context otherwise requires:

1. "Consumer" means a resident of this state who agrees to pay a fee to an internet service provider for access to the internet for personal, family, or household purposes, and who does not resell that access.

2. "Internet" means the same as defined in section 4.1.

3. "Internet service provider" means a person or entity who provides consumers authenticated access to, or presence on, the internet by means of a switched or dedicated telecommunications channel upon which the provider furnishes transit routing of internet protocol packets for and on behalf of the consumer. "Internet service provider" does not include a person or entity who offers, on a common carrier basis, telecommunications facilities or telecommunications by means of those facilities.

4. "Ordinary course of business" means debt-collection activities, order fulfillment, request processing, or a transfer of ownership.

5. "Personally identifiable information" means any of the following information with respect to a consumer:
a. A home or other physical address including street name.
b. An electronic mail address.
c. A telephone number.
d. Requests for specific materials or services from an internet service provider, and the obtaining of such materials or services.
e. Internet or online sites visited by a consumer.
f. Any of the contents of a consumer's data-storage device.

Sec. 2. NEW SECTION. 715D.2 DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION -- PROHIBITION.

1. Except as provided in subsection 2, an internet service provider shall not knowingly disclose a consumer's personally identifiable information.

2. An internet service provider may disclose personally identifiable information concerning a consumer under any of the following circumstances:
a. Disclosure is incident to the ordinary course of business of the internet service provider.
b. Disclosure is made to another internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the internet service provider. An internet service provider receiving disclosure pursuant to this paragraph may further disclose the personally identifiable information only as provided by this chapter.
c. The consumer has authorized the disclosure pursuant to subsection 3.

3. An internet service provider may obtain a consumer's authorization of the disclosure of personally identifiable information in writing or by electronic means. The request for authorization must reasonably describe the persons to whom personally identifiable information may be disclosed and the anticipated uses of the information. In order for an authorization to be effective, the contract between an internet service provider and a consumer must state either that the authorization will be obtained by an affirmative act of the consumer, or that failure of the consumer to object after a request for authorization has been made by the internet service provider constitutes authorization of disclosure. The provision in the contract shall be conspicuously placed.
Authorization may alternatively be obtained in a manner consistent with self-regulating guidelines issued by representatives of the internet service provider or internet industries.

Sec. 3. NEW SECTION. 715D.3 EXCEPTIONS.

The prohibition against disclosure pursuant to section 715D.2 shall not apply to the following:

1. Disclosure pursuant to a court order, warrant, or subpoena.

2. In the course of a civil or criminal investigation conducted by a law enforcement officer while acting as authorized by law.

3. Pursuant to a civil action for conversion commenced by an internet service provider or a civil action to enforce collection of unpaid subscription fees or purchase amounts. Disclosure pursuant to this subsection shall be limited to the extent necessary to establish the fact of the subscription delinquency or purchase agreement, with appropriate safeguards against unauthorized disclosure.

4. To a consumer who is the subject of the personally identifiable information, upon written or electronic request and upon payment of a fee not to exceed the actual cost of retrieving the information.

Sec. 4. NEW SECTION. 715D.4 SECURITY OF INFORMATION -- EXCLUSION FROM EVIDENCE.

1. An internet service provider shall take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.

2. Except for purposes of establishing a violation of this chapter, personally identifiable information obtained in any manner other than as provided pursuant to this chapter may not be received in evidence in a civil action.

Sec. 5. NEW SECTION. 715D.5 ENFORCEMENT.

A violation of this chapter is a violation of section 714.16, subsection 2, paragraph "a".
All powers conferred upon the attorney general to accomplish the objectives and carry out the duties prescribed in section 714.16 are also conferred upon the attorney general to enforce this chapter including but not limited to the power to issue subpoenas, adopt rules, and seek injunctive relief and a monetary award for civil penalties, attorney fees, and costs. Additionally, the attorney general may seek and recover the greater of five hundred dollars or actual damages for each consumer injured by a violation of this chapter.

EXPLANATION

This bill prohibits disclosure of personally identifying consumer information by internet service providers, as these terms are defined in the bill.

The bill provides that it is unlawful for an internet service provider to knowingly disclose a consumer's personally identifiable information, unless the disclosure is incident to the ordinary course of business of the internet service provider, or made to another internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the internet service provider, or the consumer has authorized the disclosure. The bill specifies a procedure whereby a consumer's authorization of the disclosure of personally identifiable information can be obtained by an internet service provider either in writing or by electronic means.
The bill specifies exceptions to the prohibition against disclosure, if disclosure is made pursuant to a court order, warrant, or subpoena; in the course of a civil or criminal investigation; pursuant to a civil action for conversion commenced by an internet service provider or a civil action to enforce collection of unpaid subscription fees or purchase amounts; or to a consumer who is the subject of the personally identifiable information upon the consumer's request.

The bill requires an internet service provider to take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information, and provides that except for purposes of establishing a violation of the bill's provisions, personally identifiable information obtained in an unauthorized manner may not be received in evidence in a civil action.

The bill provides that a violation of the bill's provisions constitutes a consumer fraud under Code section 714.16, subsection 2, paragraph "a", punishable by a civil penalty of up to $40,000 per violation and $5,000 per day for a violation of an injunction. Additionally, the attorney general may seek and recover the greater of $500 or actual damages for each consumer injured by a violation of this Code chapter.

LSB 2554YH 83
rn/nh/14