Download Zipped Enrolled WP 9 HB0105.ZIP
[Introduced][Status][Bill Documents][Fiscal Note] [Bills Directory]

H.B. 105 Enrolled

                 

INTERNET PRIVACY AND SECURITY

                 
AMENDMENTS

                 
2003 GENERAL SESSION

                 
STATE OF UTAH

                 
Sponsor: Wayne A. Harper

                  This act modifies the Information Technology Act to enact the Governmental Internet
                  Information Privacy Act. The act mandates that the Legislative Management Committee
                  direct the Utah Information Technology Commission to study and make
                  recommendations to the Legislature related to Internet privacy and security. The act
                  takes effect July 1, 2003. This act provides a coordination clause.
                  This act affects sections of Utah Code Annotated 1953 as follows:
                  ENACTS:
                      63D-1-401, Utah Code Annotated 1953
                      63D-1-402, Utah Code Annotated 1953
                      63D-1-403, Utah Code Annotated 1953
                  This act enacts uncodified material.
                  Be it enacted by the Legislature of the state of Utah:
                      Section 1. Section 63D-1-401 is enacted to read:
                 
Part 4. Governmental Internet Information Privacy Act

                      63D-1-401. Title.
                      This part is known as the "Governmental Internet Information Privacy Act."
                      Section 2. Section 63D-1-402 is enacted to read:
                      63D-1-402. Definitions.
                      As used in this part:
                      (1) (a) "Collect" means the gathering of personally identifiable information:
                      (i) from a user of a governmental website; or
                      (ii) about a user of the governmental website.
                      (b) "Collect" includes use of any identifying code linked to a user of a governmental
                  website.


                      (2) "Governmental entity" means a state agency.
                      (3) "Governmental website" means a website that is operated by or on behalf of a
                  governmental entity.
                      (4) "Governmental website operator" means a governmental entity or person acting on
                  behalf of the governmental entity that:
                      (a) operates a governmental website located on the Internet; and
                      (b) collects or maintains personally identifiable information from or about a user of that
                  website.
                      (5) "Personally identifiable information" means information that identifies:
                      (a) a user by:
                      (i) name;
                      (ii) account number;
                      (iii) physical address;
                      (iv) electronic address;
                      (v) telephone number; or
                      (vi) Social Security number;
                      (b) a user as having requested or obtained specific materials or services from a
                  governmental website;
                      (c) Internet sites visited by a user; or
                      (d) any of the contents of a user's data-storage device.
                      (6) "User" means a person who accesses a governmental website.
                      Section 3. Section 63D-1-403 is enacted to read:
                      63D-1-403. Collection of personally identifiable information -- Privacy policy
                  statements.
                      (1) A government entity may not collect personally identifiable information related to a
                  user of the governmental entity's governmental website unless the governmental entity has taken
                  reasonable steps to ensure that on the day on which the personally identifiable information is
                  collected the governmental entity's governmental website complies with Subsection (2).

- 2 -


                      (2) A government website shall contain a privacy policy statement that discloses:
                      (a) (i) the identity of the governmental website operator; and
                      (ii) how the governmental website operator may be contacted:
                      (A) by telephone; or
                      (B) electronically;
                      (b) (i) the personally identifiable information collected by the governmental entity;
                      (ii) the means by which personally identifiable information is collected;
                      (iii) whether the personally identifiable information collected by the governmental entity
                  is retained by the governmental entity; and
                      (iv) if personally identifiable information collected by the governmental entity is
                  retained, the time period for which the personally identifiable information is retained;
                      (c) a summary of how the personally identifiable information is used by:
                      (i) the governmental entity; or
                      (ii) the governmental website operator;
                      (d) the practices of the following related to disclosure of personally identifiable
                  information collected:
                      (i) the governmental entity; or
                      (ii) the governmental website operator;
                      (e) the options, if any, available to a person who wants to obtain services from the
                  governmental entity but chooses not to provide personally identifiable information through a
                  governmental website;
                      (f) the procedures, if any, by which a user of a governmental entity may request:
                      (i) access to the user's personally identifiable information; and
                      (ii) to correct the user's personally identifiable information; and
                      (g) without compromising the integrity of the security measures, a general description of
                  the security measures in place to protect a user's personally identifiable information from
                  unintended disclosure.
                      Section 4. Internet privacy and security study.

- 3 -


                      (1) The Legislative Management Committee shall direct the Utah Information
                  Technology Commission created in Section 63D-1-202 to review:
                      (a) issues related to Internet privacy and security raised in:
                      (i) H.B. 105, 2003 Gen. Sess. (Utah 2003), including:
                      (A) disclosure of personally identifiable information by an Internet service provider;
                      (B) privacy notices and records maintained by an Internet service provider; and
                      (C) security and privacy measures by an Internet service provider; and
                      (ii) the following Minnesota Senate bills:
                      (A) S.F. No. 156, 83rd Leg. Sess. (Minn. 2003-2004); and
                      (B) S.F. No. 487, 83rd Leg. Sess. (Minn. 2003-2004);
                      (b) issues related to:
                      (i) Internet sites;
                      (ii) Internet servers; and
                      (iii) Internet "pop-up" banner advertisements;
                      (c) any other issues related to security of information in the electronic age;
                      (d) whether to apply Title 63D, Chapter 1, Part 4, Governmental Internet Information
                  Privacy Act, to political subdivisions and school districts; and
                      (e) the definitions contained in Subsection (3).
                      (2) After completing a comprehensive review of the issues described in Subsection (1),
                  the Utah Information Technology Commission shall recommend to the Legislature provisions
                  that may be enacted related to the issues described in Subsection (1).
                      (3) For purposes of the study described in Subsection (1):
                      (a) (i) Except as provided in Subsection (3)(a)(ii), "consumer" means a person who:
                      (A) is a resident of the state;
                      (B) enters into a contract with an Internet service provider for access to the Internet for
                  personal, family, or household purposes; and
                      (C) receives the access described in Subsection (3)(a)(i)(B).
                      (ii) "Consumer" does not include a person that resells the access described in Subsection

- 4 -


                  (3)(a)(i)(B).
                      (b) (i) Except as provided in Subsection (3)(b)(ii), "Internet service provider" means a
                  person who:
                      (A) provides a consumer:
                      (I) authenticated access to the Internet; or
                      (II) authenticated presence on the Internet; and
                      (B) provides the access or presence described in Subsection (3)(b)(i)(A) by providing
                  transit routing of Internet protocol packets for and on behalf of the consumer.
                      (ii) "Internet service provider" does not include a person that offers on a common carrier
                  basis:
                      (A) access to telecommunications facilities; or
                      (B) telecommunication services by means of telecommunications facilities.
                      (c) "Ordinary course of business" means activities related to an Internet service provider:
                      (i) collecting debts owed to the Internet service provider;
                      (ii) processing a request for materials or services to be provided by the Internet service
                  provider; or
                      (iii) transferring ownership.
                      (d) "Personally identifiable information" means information that identifies:
                      (i) a consumer by:
                      (A) name;
                      (B) account number;
                      (C) physical address;
                      (D) electronic address;
                      (E) telephone number; or
                      (F) Social Security number;
                      (ii) a consumer as having requested or obtained specific materials or services from an
                  Internet service provider;
                      (iii) an Internet site visited by a consumer; or

- 5 -


                      (iv) any of the contents of a consumer's data-storage device.
                      Section 5. Effective date.
                      This act takes effect on July 1, 2003.
                      Section 6. Coordination clause.
                      If this bill and S.B. 151, Amendments Related to Information Technology, both pass, it is
                  the intent of the Legislature that the Office of Legislative Research and General Counsel in
                  preparing the Utah Code database for publication:
                      (1) treat this coordination clause as superseding the coordination clause in S.B. 151 to
                  the extent that the coordination clause in S.B. 151 refers to this bill;
                      (2) delete the phrase "a state agency" in Subsection 63D-1-402(2) in this bill and replace
                  it with "an executive branch agency"; and
                      (3) renumber Title 63D, Chapter 1, Part 4, as enacted in this bill to Title 63D, Chapter
                  1a, Part 4.

- 6 -


[Bill Documents][Bills Directory]