2022 Regular Session
To: Banking and Financial Services
By: Representatives Turner, Arnold
AN ACT TO CREATE THE MISSISSIPPI CONSUMER PRIVACY ACT; TO PROVIDE THAT ANY RECORDS THAT INCLUDE THE ADDRESS, DATE OF BIRTH OR SOCIAL SECURITY NUMBER OF ANY LICENSEE AND ARE HELD BY A STATE AGENCY THAT LICENSES PROFESSIONS OR OCCUPATIONS SHALL NOT BE DEEMED PUBLIC RECORDS, UNLESS THAT LICENSEE HAS CONSENTED TO THE RELEASE OF SUCH INFORMATION; TO PROVIDE LIMITED SITUATIONS WHEN PERSONAL INFORMATION OBTAINED BY THE DEPARTMENT OF REVENUE IN CONNECTION WITH A MOTOR VEHICLE RECORD MAY BE DISCLOSED TO ANY REQUESTOR BY THE DEPARTMENT; TO PROVIDE PENALTIES FOR THE IMPROPER USE OF PERSONAL INFORMATION; TO PROVIDE THAT WHENEVER THE DEPARTMENT OF REVENUE PROVIDES A REQUESTOR ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION IN BULK UNDER A CONTRACT, THE CONTRACT SHALL REQUIRE CERTAIN INFORMATION; TO PROVIDE THAT ANY RECORDS HELD BY THE DEPARTMENT OF WILDLIFE, FISHERIES AND PARKS THAT INCLUDE THE ADDRESSES, DATES OF BIRTH OR SOCIAL SECURITY NUMBERS OF ANY PERSON WHO HAS DONE BUSINESS WITH THE DEPARTMENT SHALL NOT BE PUBLIC RECORDS; TO BRING FORWARD SECTION 49-7-4, MISSISSIPPI CODE OF 1972, FOR THE PURPOSE OF POSSIBLE AMENDMENT; AND FOR RELATED PURPOSES.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:
SECTION 1. The provisions of this act shall be known and may be cited as the "Mississippi Consumer Privacy Act".
SECTION 2. The following shall be codified as Section 25-61-11.3, Mississippi Code of 1972:
25-61-11.3. (1) Any records that include the address, date of birth or social security number of any licensee and are held by a state agency that licenses professions or occupations shall not be deemed public records as provided in Section 25-61-3, unless that licensee has consented to the release of such information.
(2) The provisions of this section shall not prohibit the agency from posting information on an internet site that the agency deems necessary to inform consumers of disciplinary proceedings filed against the licensee.
SECTION 3. The following shall be codified as Section 25-61-11.4, Mississippi Code of 1972:
25-61-11.4. (1) Except as otherwise provided in this section, the Department of Revenue ("department") shall not disclose to any person, firm, corporation, association or other enterprise any personally identifiable information obtained in connection with a motor vehicle. The department may adopt any rules and regulations as necessary to effectuate the purposes of this section.
(2) Personal information obtained by the department in connection with a motor vehicle record may be disclosed to any requestor by the department if the requestor:
(a) Provides the requestor's name and address and any proof of that information required by the agency; and
(b) Represents that the use of the personal information will be strictly limited to use:
(i) By a government agency, including any court or law enforcement agency, in carrying out its functions; or
(ii) By a private person or entity acting on behalf of a government agency in carrying out the functions of the agency; or
(iii) In connection with:
1. Motor vehicle or motor vehicle operator safety;
2. Motor vehicle theft;
3. Motor vehicle product alterations, recalls or advisories;
4. Performance monitoring of motor vehicles, motor vehicle parts or motor vehicle dealers;
5. Motor vehicle market research activities, including survey research; or
6. Removal of nonowner records from the original owner records of motor vehicle manufacturers;
(iv) In the normal course of business by a legitimate business or an authorized agent of the business, but only to verify the accuracy of personal information submitted by the individual to the business or the agent of the business, and if the information is not correct, to obtain the correct information, for the sole purpose of preventing fraud by, pursuing a legal remedy against, or recovering on a debt or security interest against the individual;
(v) In conjunction with a civil, criminal, administrative or arbitral proceeding in any court or government agency or before any self-regulatory body, including service of process, investigation in anticipation of litigation, execution or enforcement of a judgment or order, or under an order of any court;
(vi) In research or in producing statistical reports, but only if the personal information is not published, disclosed to another person or entity or used to contact any individual;
(vii) By an insurer, or insurance support organization, or by a self-insured entity, or an authorized agent of an insurer, insurance support organization, or self-insured entity, in connection with claims processing or investigation activities, anti-fraud activities, rating or underwriting;
(viii) In providing notice to an owner of a vehicle that was towed or impounded and is in the possession of a vehicle storage facility;
(ix) By an employer or an agent or insurer of the employer to obtain or verify information relating to a holder of a commercial driver's license that is required under 49 USC Chapter 313;
(x) By a consumer reporting agency, as defined by the Fair Credit Reporting Act (15 USC Section 1681 et seq.), for a purpose permitted under that act;
(xi) By a motor vehicle manufacturer, dealership, or distributor, or an agent of or provider of services to a motor vehicle manufacturer, dealership, or distributor, for motor vehicle market research activities, including survey research;
(xii) In the ordinary course of business by a person or authorized agent of a person who holds a license from the Mississippi Motor Vehicle Commission, or is licensed by the Department of Consumer Finance, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, or the National Credit Union Administration.
(3) Any requestor who misrepresents his or her purpose for seeking motor vehicle information, or who has violated any provision of this section, or any rules of the department promulgated to carry out the provisions of this section, shall be guilty of a felony and upon conviction, shall be sentenced to the custody of the Department of Corrections for not more than five (5) years. Any corporation, association, firm or other entity that has violated the provisions of this section shall be fined in an amount not to exceed One Hundred Thousand Dollars ($100,000.00) for each violation.
(4) Whenever the department provides a requestor access to personally identifiable information in bulk under a contract, the contract shall require:
(a) That the requestor post a performance bond in an amount of not more than One Million Dollars ($1,000,000.00);
(b) A prohibition on the sale or redistribution of the personal information for the purpose of marketing extended vehicle warranties by telephone;
(c) That the requestor provide proof of general liability and cyber-threat insurance coverage in an amount specified by the contracting agency that is at least Three Million Dollars ($3,000,000.00) and reasonably related to the risks associated with unauthorized access and use of the records;
(d) That if a requestor experiences a breach of system security that includes data obtained under authority of this section, the requestor shall notify the department of the breach not later than forty-eight (48) hours after the discovery of the breach;
(e) That the requestor include in each contract with a third party that receives the personal information from the requestor that the third party must comply with federal and state laws regarding the records;
(f) That the requestor and any third party receiving the personal information from the requestor protect the personal information with appropriate and accepted industry standard security measures for the type of information and the known risks from unauthorized access and use of the information; and
(g) That the requestor annually provides to the agency a report of all third parties to which the personal information was disclosed under this section and the purpose of the disclosure.
(5) The bond and insurance requirements of this section shall not apply to a government agency, including a court of law or law enforcement agency.
(6) An agency that discloses any motor vehicle records in bulk shall include in the records at least two (2) records that are created solely for the purpose of monitoring compliance with this chapter and detecting, by receipt of certain forms of communications or actions directed at the subjects of the created records, potential violations of this chapter or contract terms required by this section.
(7) An agency that discloses motor vehicle records shall designate an employee to be responsible for:
(a) Monitoring compliance with this chapter and contract terms required by this section;
(b) Referring potential violations of this chapter to law enforcement agencies; and
(c) Making recommendations to the administrative head of the agency or his or her designee on the eligibility of a person under this section to receive personal information.
(8) This section does not affect any rights or remedies available under a contract or any other law. If an agency determines that a person has violated the terms of a contract with the agency that authorized the disclosure of personal information in connection with a motor vehicle record, the agency may:
(a) Cease disclosing personal information to that person; and
(b) Allow the person to remedy the violation and continue receiving personal information.
(9) Nothing in this section shall be construed to prohibit the Department of Revenue from providing information to a private firm for the management and upkeep of a tax lien registry.
SECTION 4. The following shall be codified as Section 25-61-11.5, Mississippi Code of 1972:
25-61-11.5. In addition to the records of licensees exempted from the Public Records Act of 1983 by Section 49-7-4, any records held by the Department of Wildlife, Fisheries and Parks that include the addresses, dates of birth or social security numbers of any person who has done business with the department shall not be public records as defined by Section 25-61-3.
SECTION 5. Section 49-7-4, Mississippi Code of 1972, is brought forward as follows:
49-7-4. The records of the Department of Wildlife, Fisheries and Parks relating to applications for and sales of any resident or nonresident licenses issued under this chapter, and all records related to holders of such licenses, are exempt from the provisions of the Mississippi Public Records Act of 1983, in accordance with Section 25-61-11, and shall be released only upon order of a court having proper jurisdiction over a petition for release of the record or records. However, upon request, the records specified in this section shall be available to all law enforcement agencies.
SECTION 6. This act shall take effect and be in force from and after July 1, 2022.