Bill Text: MS HB880 | 2023 | Regular Session | Engrossed


Bill Title: Mississippi Consumer Privacy Act for State Agencies; create.

Spectrum: Bipartisan Bill

Status: (Failed) 2023-02-28 - Died In Committee

MISSISSIPPI LEGISLATURE

2023 Regular Session

To: Banking and Financial Services

By: Representatives Turner, Hulum, Stamps

House Bill 880

(As Passed the House)

AN ACT TO CREATE NEW SECTION 25-61-11.1, MISSISSIPPI CODE OF 1972, TO ESTABLISH THE "MISSISSIPPI CONSUMER PRIVACY ACT FOR STATE AGENCIES"; TO CREATE NEW SECTION 25-61-11.3, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT CERTAIN RECORDS OF ANY PROFESSIONAL OR OCCUPATIONAL LICENSEE THAT ARE HELD BY A STATE AGENCY THAT LICENSES PROFESSIONS OR OCCUPATIONS SHALL NOT BE DEEMED PUBLIC RECORDS, UNLESS THE LICENSEE HAS CONSENTED TO THE RELEASE OF SUCH RECORDS; TO CREATE NEW SECTION 25-61-11.4, MISSISSIPPI CODE OF 1972, TO DEFINE CERTAIN TERMS; TO CREATE NEW SECTION 25-61-11.5, MISSISSIPPI CODE OF 1972, TO PROHIBIT AN AGENCY FROM DISCLOSING A PERSON'S PERSONAL INFORMATION OBTAINED BY THE AGENCY IN CONNECTION WITH A MOTOR VEHICLE RECORD, EXCEPT AS PROVIDED IN THIS ACT; TO CREATE NEW SECTION 25-61-11.6, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT PERSONAL INFORMATION OBTAINED BY AN AGENCY IN CONNECTION WITH A MOTOR VEHICLE RECORD SHALL BE DISCLOSED FOR USE IN CONNECTION WITH CERTAIN MATTERS; TO CREATE NEW SECTION 25-61-11.7, MISSISSIPPI CODE OF 1972, TO PROVIDE PENALTIES FOR ANY REQUESTOR WHO MISREPRESENTS HIS OR HER PURPOSE FOR SEEKING MOTOR VEHICLE INFORMATION, OR WHO VIOLATES ANY PROVISION OF THIS ACT OR ANY RULES OF AN AGENCY PROMULGATED TO CARRY OUT THE PROVISIONS OF THIS ACT, OR ANY CORPORATION, ASSOCIATION, FIRM OR OTHER ENTITY WHO VIOLATES ANY PROVISION OF THIS ACT; TO CREATE NEW SECTION 25-61-11.8, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT A PERSON WHO SELLS TO A PERSON WHO IS NOT AN AUTHORIZED RECIPIENT OF PERSONAL INFORMATION OBTAINED BY AN AGENCY IN CONNECTION WITH A MOTOR VEHICLE RECORD IS LIABLE TO THE PERSON WHO IS THE SUBJECT OF THE INFORMATION FOR DAMAGES, COURT COSTS, FEES, OR ANY OTHER EQUITABLE REMEDY DETERMINED TO BE APPROPRIATE BY THE COURT; TO CREATE NEW SECTION 25-61-11.9, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT AN AUTHORIZED RECIPIENT OF PERSONAL INFORMATION MAY REDISCLOSE THE INFORMATION, INCLUDING REDISCLOSURE FOR COMPENSATION, ONLY FOR A CERTAIN PERMITTED USE, AND TO PROVIDE CERTAIN REQUIREMENTS FOR SUCH REDISCLOSURE; TO CREATE NEW SECTION 25-61-11.10, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT CERTAIN RECORDS HELD BY THE MISSISSIPPI DEPARTMENT OF WILDLIFE, FISHERIES AND PARKS OF ANY PERSON WHO HAS DONE BUSINESS WITH THE DEPARTMENT SHALL NOT BE PUBLIC RECORD; TO CREATE NEW SECTION 25-61-11.11, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT, IN ADDITION TO ANY PENALTIES PROVIDED FOR UNDER THIS ACT, PERSONS WHO VIOLATE THE PROVISIONS OF THIS ACT BY USING INFORMATION THAT WAS UNLAWFULLY OBTAINED TO CONTACT INDIVIDUALS BY TELEPHONE, MAY ALSO BE INVESTIGATED AND SANCTIONED UNDER THE PROVISIONS OF THE MISSISSIPPI TELEPHONE SOLICITATION ACT; TO BRING FORWARD SECTION 49-7-4, MISSISSIPPI CODE OF 1972, WHICH RELATES TO RECORDS OF THE DEPARTMENT OF WILDLIFE, FISHERIES AND PARKS FOR APPLICATIONS FOR AND SALES OF ANY RESIDENT OR NONRESIDENT LICENSES, FOR PURPOSES OF POSSIBLE AMENDMENT; TO BRING FORWARD SECTION 77-3-725, MISSISSIPPI CODE OF 1972, WHICH RELATES TO VIOLATIONS OF THE MISSISSIPPI TELEPHONE SOLICITATION ACT, FOR PURPOSES OF POSSIBLE AMENDMENT; AND FOR RELATED PURPOSES.

     BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

     SECTION 1.  The following shall be codified as Section 25-61-11.1, Mississippi Code of 1972:

     25-61-11.1.  The provisions of this act shall be known and may be cited as the "Mississippi Consumer Privacy Act for State Agencies".

     SECTION 2.  The following shall be codified as Section 25-61-11.3, Mississippi Code of 1972:

     25-61-11.3.  (1)  Any records that include the address, telephone number, electronic mail address, date of birth, or social security number of any professional or occupational licensee, and are held by a state agency that licenses professions or occupations, shall not be deemed public records as provided in Section 25-61-3, unless the licensee has consented to the release of such records.

     (2)  The provisions of this section shall not prohibit the agency from posting information on an internet site that the agency deems necessary to inform consumers of disciplinary proceedings filed against the licensee.

     SECTION 3.  The following shall be codified as Section 25-61-11.4, Mississippi Code of 1972:

     25-61-11.4.  For purposes of Sections 4 through 8 of this act, the following terms have the meanings as defined in this section, unless the context clearly indicates otherwise:

          (a)  "Agency" includes any agency or political subdivision of this state, or an authorized agent or contractor of an agency or political subdivision of this state, that compiles or maintains motor vehicle records.

          (b)  "Authorized recipient" means a person who is permitted to receive and use personal information from an agency in a manner authorized by this chapter.

          (c)  "Disclose" means to make available or make known personal information contained in a motor vehicle record about a person to another person, by any means of communication.

          (d)  "Individual record" means a motor vehicle record obtained by an agency containing personal information about an individual who is the subject of the record as identified in a request.

          (e)  "Motor vehicle record" means a record that pertains to a motor vehicle operator's or driver's license or permit, motor vehicle traffic citations, motor vehicle registration, motor vehicle title, or identification document issued by an agency of this state or a local agency authorized to issue an identification document. The term "motor vehicle record" does not include:

               (i)  A record that pertains to a motor carrier; or

               (ii)  An accident report prepared in accordance with law.

          (f)  "Person" means an individual, organization, or entity, but does not include this state or an agency of this state.

          (g)  "Personal information" means information that identifies a person, including a person's photograph or computerized image, social security number, date of birth, driver identification number, name, address, email address, telephone number, or medical or disability information.  The term "personal information" does not include information on vehicle accidents, driving or equipment-related violations, or driver's license or registration status, or information contained in an accident report prepared under law.

          (h)  "Record" means any book, paper, photograph, photostat, card, film, tape, recording, electronic data, printout, or other documentary material regardless of physical form or characteristics.

     SECTION 4.  The following shall be codified as Section 25-61-11.5, Mississippi Code of 1972:

     25-61-11.5.  An agency shall not knowingly disclose personal information about any person obtained by the agency in connection with a motor vehicle record, except as provided by Sections 4 through 8 of this act.  An agency that maintains motor vehicle records that contain personal information is authorized to adopt rules and regulations necessary to carry out the purposes of this act.

     SECTION 5.  The following shall be codified as Section 25-61-11.6, Mississippi Code of 1972:

     25-61-11.6.  (1)  Personal information obtained by an agency in connection with a motor vehicle record shall be disclosed for use in connection with any matter of:

          (a)  Motor vehicle or motor vehicle operator safety;

          (b)  Motor vehicle theft;

          (c)  Motor vehicle product alterations, recalls, or advisories;

          (d)  Performance monitoring of motor vehicles or motor vehicle dealers by a motor vehicle manufacturer;

          (e)  Removal of nonowner records from the original owner records of a motor vehicle manufacturer to carry out the purposes of:

               (i)  The Automobile Information Disclosure Act, 15 U.S.C. Section 1231 et seq.;

               (ii)  49 U.S.C. Chapters 301, 305, 323, 325, 327, 329, and 331;

               (iii)  The Anti Car Theft Act of 1992, 18 U.S.C. Sections 553, 981, 982, 2119, 2312, 2313, and 2322, 19 U.S.C. Sections 1646b and 1646c, and 42 U.S.C. Section 3750a et seq., all as amended;

               (iv)  The Clean Air Act, 42 U.S.C. Section 7401 et seq., as amended; and

               (v)  Any other statute or regulation enacted or adopted under, or in relation to, a law included in this section.

          (f)  Child support enforcement activities as provided in Section 93-11-155;

          (g)  Voter registration matters, as provided in Section 23-15-169 et seq.; or

          (h)  Motor vehicle emissions information.

     (2)  Personal information obtained by an agency in connection with a motor vehicle record shall be disclosed to a requestor who:

          (a)  Is the subject of the information; or

          (b)  Demonstrates, in such form and manner as the agency requires, that the requestor has obtained the written consent of the person who is the subject of the information.

     (3)  Personal information obtained by an agency in connection with a motor vehicle record may be disclosed to any requestor by an agency if the requestor:

          (a)  Provides his or her name and address, and any proof of that information as required by the agency; and

          (b)  Represents that the use of the personal information will be strictly limited to use by:

               (i)  A government agency, including any court or law enforcement agency, in carrying out its functions;

               (ii)  A private person or entity acting on behalf of a government agency in carrying out the functions of the agency;

               (iii)  Use in connection with a matter of:

                    1.  Motor vehicle or motor vehicle operator safety;

                    2.  Motor vehicle theft;

                    3.  Motor vehicle product alterations, recalls, or advisories;

                    4.  Performance monitoring of motor vehicles, motor vehicle parts, or motor vehicle dealers; or

                    5.  Removal of nonowner records from the original owner records of motor vehicle manufacturers.

               (iv)  Use in the normal course of business by a legitimate business, or an authorized agent of the business, but only:

                    1.  To verify the accuracy of personal information submitted by the individual to the business or the agent of the business; and

                    2.  If the information is not correct, to obtain the correct information for the sole purpose of preventing fraud by pursuing a legal remedy against or recovering on a debt or security interest against the individual.

               (v)  Use in conjunction with a civil, criminal, administrative, or arbitral proceeding in any court or government agency or before any self-regulatory body, including service of process, investigation in anticipation of litigation, execution or enforcement of a judgment or order, or under an order of any court;

               (vi)  Use by a motor vehicle manufacturer, dealership, or distributor, or an agent of or provider of services to a motor vehicle manufacturer, dealership, or distributor, for motor vehicle market research activities, including survey research, but only if the personal information is not published, redisclosed, or used to contact any individual;

               (vii)  Use by an insurer, insurance support organization, or self-insured entity, or an authorized agent of an insurer, insurance support organization, or self-insured entity, in connection with claims processing or investigation activities, antifraud activities, rating, or underwriting;

               (viii)  Use in providing notice to an owner or lien holder of a vehicle that was towed or impounded, and is in the possession of a vehicle storage facility;

               (ix)  Use by an employer or an agent or insurer of the employer to obtain or verify information relating to a holder of a commercial driver's license that is required under 49 U.S.C. Chapter 313;

               (x)  Use by a consumer reporting agency, as defined by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.), for a purpose permitted under that act;

               (xi)  In the normal course of business by a person, or authorized agent of a person, who holds a license from the Mississippi Motor Vehicle Commission, or is regulated by the Department of Banking and Consumer Finance, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, or the National Credit Union Administration;

               (xii)  In connection with the operation of private toll transportation facilities.

     (4)  Subsection (3)(b)(iv) of this section does not authorize the disclosure of personal information to a person who is not a business licensed by, registered with, or subject to regulatory oversight by a government agency.

     (5)  The only personal information an agency may release under subsection (3) of this section is the person's name, address, date of birth, email address, telephone number, medical or disability information and driver's license number.

     SECTION 6.  The following shall be codified as Section 25-61-11.7, Mississippi Code of 1972:

     25-61-11.7.  (1)  Any requestor who misrepresents his or her purpose for seeking motor vehicle information, or who has violated any provision of this act, or any rules of an agency promulgated to carry out the provisions of this act, shall be guilty of a felony, and upon conviction, shall be sentenced to the custody of the Mississippi Department of Corrections for not more than five (5) years.  Any corporation, association, firm or other entity that has violated the provisions of this act shall be fined in an amount not to exceed One Hundred Thousand Dollars ($100,000.00) for each violation.

     (2)  Whenever the agency provides a requestor access to personal information in bulk as provided under Section 5 of this act, the agency shall enter into a contract with the requestor which shall require:

          (a)  That the requestor post a performance bond in an amount of not more than One Million Dollars ($1,000,000.00);

          (b)  A prohibition on the sale or redistribution of the personal information for the purpose of marketing extended vehicle warranties by telephone;

          (c)  That the requestor provide proof of general liability and cyber-threat insurance coverage in an amount specified by the contracting agency, that is at least Three Million Dollars ($3,000,000.00), and reasonably related to the risks associated with unauthorized access and use of the records;

          (d)  That if a requestor experiences a breach of system security that includes data obtained under authority of this section, the requestor shall notify the agency of the breach not later than forty-eight (48) hours after the discovery of the breach;

          (e)  That the requestor include in each contract with a third party that receives the personal information from the requestor, that the third party must comply with federal and state laws regarding the records;

          (f)  That the requestor, and any third party receiving the personal information from the requestor, protect the personal information with appropriate and accepted industry standard security measures for the type of information and the known risks from unauthorized access and use of the information; and

          (g)  That the requestor annually provides to the agency a report of all third parties to which the personal information was disclosed under this act and the purpose of the disclosure.

     Nothing in this subsection (5) shall bar an agency from adopting a rule that prohibits the bulk transfer of data.

     (6)  The bond and insurance requirements of this act shall not apply to a government agency, including a court of law or law enforcement agency.

     (7)  An agency that discloses any motor vehicle records in bulk shall include in the records at least two (2) records that are created solely for the purpose of monitoring compliance with this act and detecting by receipt of certain forms of communications or actions directed at the subjects of the created records, potential violations of this act or contract terms required by this act.

     (8)  An agency that discloses motor vehicle records shall designate an employee to be responsible for:

          (a)  Monitoring compliance with this act and contract terms required by this act;

          (b)  Referring potential violations of this act to law enforcement agencies; and

          (c)  Making recommendations to the administrative head of the agency or his or her designee on the eligibility of a person under this act to receive personal information.

     (9)  This act does not affect any rights or remedies available under a contract or any other law.  If an agency determines that a person has violated the terms of a contract with the agency that authorized the disclosure of personal information in connection with a motor vehicle record, the agency may:

          (a)  Cease disclosing personal information to that person; and

          (b)  Allow the person to remedy the violation and continue receiving personal information.

     (10)  Nothing in this act shall be construed to prohibit the Mississippi Department of Revenue from providing information to a private firm for the management and upkeep of a tax lien registry.

     SECTION 7.  The following shall be codified as Section 25-61-11.8, Mississippi Code of 1972:

     25-61-11.8.  (1)  A person who sells to a person who is not an authorized recipient of personal information obtained by an agency in connection with a motor vehicle record is liable to the person who is the subject of the information for:

          (a)  Actual damages;

          (b)  If the actual damages to the person are less than Two Thousand Five Hundred Dollars ($2,500.00), an additional amount so that the total amount of damages equals Two Thousand Five Hundred Dollars ($2,500.00); and

          (c)  Court costs incurred by the person who is the subject of the information in bringing the action.

     (2)  A person whose personal information has been disclosed for compensation to a person who is not an authorized recipient of such information may sue for:

               (i)  The damages, costs, and fees authorized under subsection (a) of this section;

               (ii)  Injunctive relief; and

               (iii)  Any other equitable remedy determined to be appropriate by the court.

     SECTION 8.  The following section shall be codified as Section 25-61-11.9, Mississippi Code of 1972:

     25-61-11.9.  (1)  An authorized recipient of personal information may redisclose the information, including redisclosure for compensation, only for a use permitted under Section 5 of this act.

     (2)  An authorized recipient who rediscloses personal information obtained from an agency shall be required by that agency to:

          (a)  Maintain for a period of not less than five (5) years, records as to any person or entity receiving that information and the permitted use for which it was obtained; and

          (b)  Provide copies of those records to the agency upon request.

     (3)  A person who receives personal information under subsection (2) of this section may not redisclose the personal information, including redisclosure for compensation, to a person who is not an authorized recipient of such information.

     (4)  An authorized recipient shall notify each person who receives such personal information that the person may not redisclose the personal information to a person who is not an authorized recipient of such information.

     (5)  A person commits an offense if he or she violates this section. The penalties established in Section 6, subsection (1) of this act shall apply to violations of this section.

     SECTION 9.  The following shall be codified as Section 25-61-11.10, Mississippi Code of 1972:

     25-61-11.10.  In addition to the records of licensees exempted from the Public Records Act of 1983, by Section 49-7-4, any records held by the Mississippi Department of Wildlife, Fisheries and Parks that include the addresses, telephone numbers, electronic mail addresses, dates of birth, or social security numbers of any person who has done business with the department shall not be public records as defined by Section 25-61-3.

     SECTION 10.  The following shall be codified as Section 25-61-11.11, Mississippi Code of 1972:

     25-61-11.11.  In addition to any penalties provided for under this act, persons who violate the provisions of this act by using information that was unlawfully obtained to contact individuals by telephone, may also be investigated and sanctioned under the provisions of the Mississippi Telephone Solicitation Act.

     SECTION 11.  Section 49-7-4, Mississippi Code of 1972, is brought forward as follows:

     49-7-4.  The records of the Department of Wildlife, Fisheries and Parks relating to applications for and sales of any resident or nonresident licenses issued under this chapter, and all records related to holders of such licenses, are exempt from the provisions of the Mississippi Public Records Act of 1983, in accordance with Section 25-61-11, and shall be released only upon order of a court having proper jurisdiction over a petition for release of the record or records.  However, upon request, the records specified in this section shall be available to all law enforcement agencies.

     SECTION 12.  Section 77-3-725, Mississippi Code of 1972, is brought forward as follows:

     77-3-725.  The commission may investigate alleged violations and initiate proceedings relative to a violation of this article or any rules and regulations promulgated pursuant to this article.  Such proceedings include, without limitation, proceedings to issue a cease and desist order, and to issue an order imposing a civil penalty not to exceed Ten Thousand Dollars ($10,000.00) for each violation.  The commission shall afford an opportunity for a fair hearing to the alleged violator(s) after giving written notice of the time and place for said hearing.  Failure to appear at any such hearing may result in the commission finding the alleged violator(s) liable by default.  Any telephone solicitor found to have violated this article, pursuant to a hearing or by default, may be subject to a civil penalty not to exceed Ten Thousand Dollars ($10,000.00) for each violation to be assessed and collected by the commission.  Each telephonic communication shall constitute a separate violation.

     All penalties collected by the commission shall be deposited in the special fund created under Section 77-3-721 for the administration of this article.

     The commission may issue subpoenas, require the production of relevant documents, administer oaths, conduct hearings, and do all things necessary in the course of investigating, determining and adjudicating an alleged violation.

     The remedies, duties, prohibitions and penalties set forth under this article shall not be exclusive and shall be in addition to all other causes of action, remedies and penalties provided by law, including, but not limited to, the penalties provided by Section 77-1-53.

     SECTION 13.  This act shall take effect and be in force from and after July 1, 2023.

