Bill Text: MI HB5020 | 2017-2018 | 99th Legislature | Introduced


Bill Title: Trade; business practices; protection and disclosure of personal information by internet and online service providers; regulate. Creates new act.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced - Dead) 2017-09-28 - Bill Electronically Reproduced 09/27/2017 [HB5020 Detail]

HOUSE BILL No. 5020

September 27, 2017, Introduced by Rep. Lucido and referred to the Committee on Communications and Technology.

A bill to regulate the protection and disclosure of personal information by private entities; and to provide remedies.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

Sec. 1. This act shall be known and may be cited as the "right to know act".

Sec. 3. As used in this act:

(a) "Categories of personal information" includes, but is not limited to, each of the following:

(i) Identity information, including, but not limited to, real name, alias, nickname, and user name.

(ii) Address information, including, but not limited to, postal or electronic mail.

(iii) Telephone number.

(iv) Account name.

(v) Social Security number or other government-issued identification number, including, but not limited to, Social Security number, driver license number, identification card number, or passport number.

(vi) Birth date or age.

(vii) Physical characteristic information, including, but not limited to, height and weight.

(viii) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, or gender expression.

(ix) Race or ethnicity.

(x) Religious affiliation or activity.

(xi) Political affiliation or activity.

(xii) Professional or employment-related information.

(xiii) Educational information.

(xiv) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.

(xv) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.

(xvi) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.

(xvii) Location information.

(xviii) Internet or mobile activity information, including, but not limited to, internet protocol addresses or information concerning the access or use of any internet or mobile-based site or service.

(xix) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.

(xx) Any of the categories of information described in subparagraphs (i) to (xix) as they pertain to a child of a customer.

(b) "Customer" means an individual who resides in this state and who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest in real or personal property, or obtaining a product or service from the private entity, including responding to advertising or any other content.

(c) "Designated request address" means an electronic mail address or toll-free telephone number a customer may use to request or obtain the information described in section 5(a) to (c).

(d) "Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. The term does not include any of the following:

(i) Disclosure of personal information by a private entity to a third party under a written contract that authorizes the third party to utilize the personal information to perform services on behalf of the private entity, including, but not limited to, maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if both of the following are met:

(A) The contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any of the personal information to additional third parties.

(B) The private entity effectively enforces the prohibitions described in sub-subparagraph (A).

(ii) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

(iii) Disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

(e) "Operator" means any individual or entity that owns a website located on the internet or an online service that collects and maintains personal information from a customer who resides in this state and who uses or visits the website or online service if the website or online service is operated for commercial purposes. The term does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

(f) "Personal information" means any of the following:

(i) Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.

(ii) Data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or Social Security number.

(g) "Third party" means any of the following:

(i) A private entity that is a separate legal entity from the private entity that has disclosed personal information.

(ii) A private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information.

(iii) A private entity that does not share a brand name or common branding with the private entity that has disclosed personal information that would make the affiliate relationship clear to a customer.

Sec. 5. An operator of a commercial website or online service that collects personal information through the internet about individual customers who reside in this state and who use or visit its commercial website or online service shall do all of the following in its customer agreement or in an incorporated addendum:

(a) Identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service.

(b) Identify all categories of third party individuals or entities to which the operator may disclose that personal information.

(c) Provide a description of a customer's rights under section 9 accompanied by 1 or more designated request addresses.

Sec. 7. (1) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:

(a) All categories of personal information that were disclosed.

(b) The names of each third party that received the customer's personal information.

(2) This section applies only to personal information disclosed after the effective date of this act.

Sec. 9. (1) An operator that is subject to section 7 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum, and, on receipt of a request under this section, shall provide the customer with the information required under section 7 for all disclosures occurring in the preceding 12 months.

(2) An operator that receives a request from a customer under subsection (1) at a designated address shall provide a response to the customer within 30 days.

Sec. 11. An individual who is aggrieved by a violation of this act has a right of action against an offending party and shall recover all of the following in that action:

(a) Liquidated damages of $10.00, or actual damages, whichever is greater.

(b) Injunctive relief, if appropriate.

(c) Reasonable attorney fees, costs, and expenses.

Sec. 13. A waiver of any of the provisions of this act is void and unenforceable. An agreement that does not comply with the applicable provisions of this act is void and unenforceable.

Sec. 15. (1) This act shall not be construed to conflict with the health insurance portability and accountability act of 1996, Public Law 104-191, or the regulations promulgated under that act.

(2) This act shall not be considered to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to subtitle A of title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809, or the regulations promulgated under that act.

(3) This act shall not be considered to apply to the activities of an individual or entity to the extent that those activities are subject to 47 USC 222 or 47 USC 551.

(4) This act shall not be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

Enacting section 1. This act takes effect 90 days after the date it is enacted into law.
