As of today, nearly every state has an Internet privacy law in effect. Minnesota and Nevada led the way with their prototype Privacy Acts which are heavily based on the various federal Internet privacy acts that already existed, such as the Electronic Communications Privacy Act, the Consumer Internet Privacy Protection Act, and Children’s Online Privacy Protection Act.

What Is the Primary Purpose of these Privacy Acts?

State internet privacy acts generally are interested in maintaining the confidentiality of Internet service provider subscriber information. These acts apply to physical hosts of a site, but also apply to companies providing third party services to web users.

How Do these Privacy Acts Work?

Internet privacy legislation provides that unless a subscriber gives permission in writing or by electronic mail, all information concerning the subscriber, other than the subscriber’s e-mail address, must be kept confidential by the Internet Service Provider (ISP). With certain exceptions, the statute prohibits ISP’s from disclosing personally identifiable subscriber information. These statutes typically provide that any ISP that violates the statute will be guilty of a misdemeanor and punished by a fine of not less than $50 or more than $500 for each violation.

How Is a Service Provider Defined under these Acts?

For purposes of the statute, an Internet service provider (ISP) includes a provider of Internet service who charges a subscriber for access to the Internet or the e-mail address of the subscriber. The definitions of an ISP under these statutes also includes businesses or persons who provide consumers authenticated access to, or presence on, the Internet through means of a switch or dedicated telecommunications channel, but does not include offering telecommunications or telecommunications facilities on a common carrier basis.

What Makes a Piece of Information “Personally Identifiable” to a Particular Person?

Personally identifiable information includes information that:

  • Identifies a consumer by physical address, electronic address, or telephone number
  • Identifies a consumer as requesting or obtaining specific materials or services from the provider
  • Identifies the Internet or online sites visited by a consumer
  • Identifies any contents of a consumer’s data storage devices

When May an ISP Be Forced to Divulge Private Information?

State Internet privacy statutes generally permit disclosure of personally identifiable information in the following situations:

  • In response to a grand jury subpoena
  • In order to assist an investigative or law enforcement agency, pursuant to court order in certain civil proceedings
  • To the consumer upon written or electronic request and upon payment of a fee, or pursuant to a subpoena, warrant, or court order
  • To any person if the disclosure is incident to the ordinary course of business of the provider
  • To other Internet service providers to report or prevent violations of the published acceptable use policy or the customer agreement of the provider
  • To any person with the consumer’s authorization

Do ISPs Have to Make any Efforts to Protect My Information?

Many statutes require ISPs to take reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information. All statutes permit an ISP to obtain customer consent to release private information by employing either an opt-out or an opt-in procedure to determine the users attitude towards disclosure or information.

Should I Contact a Lawyer?

If a company has disclosed valuable private information and you have suffered damages as a result the ISP may be liable to you for breach of contract and reasonably related damages, as well as civil penalties from the state where the ISP does business. Contacting a consumer protection lawyer will enable you to determine where, when, and for how much you may wish to sue the wrongdoer for.