September 27, 2017, Introduced by Rep. Lucido and referred to the Committee on Communications and Technology.
A bill to regulate the protection and disclosure of personal
information by private entities; and to provide remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the "right
to know act".
Sec. 3. As used in this act:
(a) "Categories of personal information" includes, but is not
limited to, each of the following:
(i) Identity information, including, but not limited to, real
name, alias, nickname, and user name.
(ii) Address information, including, but not limited to,
postal or electronic mail.
(iii) Telephone number.
(iv) Account name.
(v) Social Security number or other government-issued
identification number, including, but not limited to, Social
Security number, driver license number, identification card number,
or passport number.
(vi) Birth date or age.
(vii) Physical characteristic information, including, but not
limited to, height and weight.
(viii) Sexual information, including, but not limited to,
sexual orientation, sex, gender status, gender identity, or gender
expression.
(ix) Race or ethnicity.
(x) Religious affiliation or activity.
(xi) Political affiliation or activity.
(xii) Professional or employment-related information.
(xiii) Educational information.
(xiv) Medical information, including, but not limited to,
medical conditions or drugs, therapies, mental health, or medical
products or equipment used.
(xv) Financial information, including, but not limited to,
credit, debit, or account numbers, account balances, payment
history, or information related to assets, liabilities, or general
creditworthiness.
(xvi) Commercial information, including, but not limited to,
records of property, products or services provided, obtained, or
considered, or other purchasing or consumer histories or
tendencies.
(xvii) Location information.
(xviii) Internet or mobile activity information, including,
but not limited to, internet protocol addresses or information
concerning the access or use of any internet or mobile-based site
or service.
(xix) Content, including text, photographs, audio or video
recordings, or other material generated by or provided by the
customer.
(xx) Any of the categories of information described in
subparagraphs (i) to (xix) as they pertain to a child of a
customer.
(b) "Customer" means an individual who resides in this state
and who provides, either knowingly or unknowingly, personal
information to a private entity, with or without an exchange of
consideration, in the course of purchasing, viewing, accessing,
renting, leasing, or otherwise using real or personal property, or
any interest in real or personal property, or obtaining a product
or service from the private entity, including responding to
advertising or any other content.
(c) "Designated request address" means an electronic mail
address or toll-free telephone number a customer may use to request
or obtain the information described in section 5(a) to (c).
(d) "Disclose" means to disclose, release, transfer, share,
disseminate, make available, or otherwise communicate orally, in
writing, or by electronic or any other means to any third party.
The term does not include any of the following:
(i) Disclosure of personal information by a private entity to
a third party under a written contract that authorizes the third
party to utilize the personal information to perform services on
behalf of the private entity, including, but not limited to,
maintaining or servicing accounts, providing customer service,
processing or fulfilling orders and transactions, verifying
customer information, processing payments, providing financing, or
similar services, but only if both of the following are met:
(A) The contract prohibits the third party from using the
personal information for any reason other than performing the
specified service or services on behalf of the private entity and
from disclosing any of the personal information to additional third
parties.
(B) The private entity effectively enforces the prohibitions
described in sub-subparagraph (A).
(ii) Disclosure of personal information by a business to a
third party based on a good-faith belief that disclosure is
required to comply with applicable law, regulation, legal process,
or court order.
(iii) Disclosure of personal information by a private entity
to a third party that is reasonably necessary to address fraud,
security, or technical issues; to protect the disclosing private
entity's rights or property; or to protect customers or the public
from illegal activities as required or permitted by law.
(e) "Operator" means any individual or entity that owns a
website located on the internet or an online service that collects
and maintains personal information from a customer who resides in
this state and who uses or visits the website or online service if
the website or online service is operated for commercial purposes.
The term does not include any third party that operates, hosts, or
manages, but does not own, a website or online service on the
owner's behalf or by processing information on behalf of the owner.
(f) "Personal information" means any of the following:
(i) Information that identifies, relates to, describes, or is
capable of being associated with, a particular individual,
including, but not limited to, his or her name, signature, physical
characteristics or description, address, telephone number, passport
number, driver license or state identification card number,
insurance policy number, education, employment, employment history,
bank account number, credit card number, debit card number, or any
other financial information.
(ii) Data or information pertaining to an individual's income,
assets, liabilities, purchases, leases, or rentals of goods,
services, or real property, if that information is disclosed, or is
intended to be disclosed, with any identifying information, such as
the individual's name, address, telephone number, or Social
Security number.
(g) "Third party" means any of the following:
(i) A private entity that is a separate legal entity from the
private entity that has disclosed personal information.
(ii) A private entity that does not share common ownership or
common corporate control with the private entity that has disclosed
personal information.
(iii) A private entity that does not share a brand name or
common branding with the private entity that has disclosed personal
information that would make the affiliate relationship clear to a
customer.
Sec. 5. An operator of a commercial website or online service
that collects personal information through the internet about
individual customers who reside in this state and who use or visit
its commercial website or online service shall do all of the
following in its customer agreement or in an incorporated addendum:
(a) Identify all categories of personal information that the
operator collects through the website or online service about
individual customers who use or visit its commercial website or
online service.
(b) Identify all categories of third party individuals or
entities to which the operator may disclose that personal
information.
(c) Provide a description of a customer's rights under section
9 accompanied by 1 or more designated request addresses.
Sec. 7. (1) An operator that discloses a customer's personal
information to a third party shall make the following information
available to the customer free of charge:
(a) All categories of personal information that were
disclosed.
(b) The names of each third party that received the customer's
personal information.
(2) This section applies only to personal information
disclosed after the effective date of this act.
Sec. 9. (1) An operator that is subject to section 7 shall
make the required information available by providing a designated
request address in its customer agreement or incorporated addendum,
and, on receipt of a request under this section, shall provide the
customer with the information required under section 7 for all
disclosures occurring in the preceding 12 months.
(2) An operator that receives a request from a customer under
subsection (1) at a designated address shall provide a response to
the customer within 30 days.
Sec. 11. An individual who is aggrieved by a violation of this
act has a right of action against an offending party and shall
recover all of the following in that action:
(a) Liquidated damages of $10.00, or actual damages, whichever
is greater.
(b) Injunctive relief, if appropriate.
(c) Reasonable attorney fees, costs, and expenses.
Sec. 13. A waiver of any of the provisions of this act is void
and unenforceable. An agreement that does not comply with the
applicable provisions of this act is void and unenforceable.
Sec. 15. (1) This act shall not be construed to conflict with
the health insurance portability and accountability act of 1996,
Public Law 104-191, or the regulations promulgated under that act.
(2) This act shall not be considered to apply in any manner to
a financial institution or an affiliate of a financial institution
that is subject to subtitle A of title V of the Gramm-Leach-Bliley
act, 15 USC 6801 to 6809, or the regulations promulgated under that
act.
(3) This act shall not be considered to apply to the
activities of an individual or entity to the extent that those
activities are subject to 47 USC 222 or 47 USC 551.
(4) This act shall not be construed to apply to a contractor,
subcontractor, or agent of a state agency or local unit of
government when working for that state agency or local unit of
government.
Enacting section 1. This act takes effect 90 days after the
date it is enacted into law.