Sec. 27.
(1) Except as provided in subsection (3), a certified service provider shall not retain or disclose the personally identifiable information of consumers. A certified service provider’s system shall be designed and tested to assure the privacy of consumers by protecting their anonymity.
(2) A certified service provider shall provide clear and conspicuous notice of its information practices to consumers, including, but not limited to, what information it collects, how it collects the information, how it uses the information, how long it retains the information, and whether it discloses the information to member states.
(3) A certified service provider’s retention or disclosure to member states of personally identifiable information is limited to that required to ensure the validity of exemptions claimed because of a consumer’s status or intended use of the goods or services purchased.
(4) A certified service provider shall provide the necessary technical, physical, and administrative safeguards to protect personally identifiable information from unauthorized access and disclosure.
(5) This privacy policy is subject to enforcement by the attorney general.
(6) If personally identifiable information is retained by this state for the purpose of subsection (3), in the absence of exigent circumstances, a person shall be afforded reasonable access to their own data, with a right to correct inaccurately recorded data.
(7) The agreement does not enlarge or limit this state’s authority to do any of the following:
(a) Conduct audits or other reviews as provided under the agreement or this state’s law.
(b) Provide records pursuant to this state’s freedom of information act, disclosure laws with governmental agencies, or other regulations.
(c) Prevent, consistent with this state’s law, disclosures of confidential taxpayer information.
(d) Prevent, consistent with federal law, disclosures or misuse of federal return information obtained under a disclosure agreement with the internal revenue service.
(e) Collect, disclose, disseminate, or otherwise use anonymous data for governmental purposes.
(8) The department shall publish on the department’s website this state’s policy relating to the collection, use, and retention of personally identifiable information obtained from a certified service provider under subsection (3).
(9) The department shall destroy personally identifiable information obtained from a certified service provider when the information is no longer required for purposes under subsection (3).
(10) If a person other than a member state or person authorized by a member state’s law or the agreement seeks to discover personally identifiable information about an individual from this state, the department shall make a reasonable and timely effort to notify that individual of the request.
(11) As used in this section, “personally identifiable information” means information that identifies a specific person.
History: 2004, Act 174, Eff. July 1, 2004