423.56 Confidentiality and privacy protections under model 1.

1. As used in this section:

a. “Anonymous data” means information that does not identify a person.

b. “Confidential taxpayer information” means all information that is protected under this state’s laws, rules, and privileges.

c. “Personally identifiable information” means information that identifies a person.

2. With very limited exceptions, a certified service provider shall perform its tax calculation, remittance, and reporting functions without retaining the personally identifiable information of consumers.

3. A certified service provider may perform its services in this state only if the certified service provider certifies that:

a. Its system has been designed and tested to ensure that the fundamental precept of anonymity is respected.

b. Personally identifiable information is only used and retained to the extent necessary for the administration of model 1 sellers with respect to exempt purchasers.

c. It provides consumers clear and conspicuous notice of its information practices, including what information it collects, how it collects the information, how it uses the information, how long, if at all, it retains the information, and whether it discloses the information to member states. This notice shall be satisfied by a written privacy policy statement accessible by the public on the official internet site of the certified service provider.

d. Its collection, use, and retention of personally identifiable information is limited to that required by the member states to ensure the validity of exemptions from taxation that are claimed by reason of a consumer’s status or the intended use of the goods or services purchased.

e. It provides adequate technical, physical, and administrative safeguards so as to protect personally identifiable information from unauthorized access and disclosure.

4. The department shall provide public notification of its practices relating to the collection, use, and retention of personally identifiable information.

5. When any personally identifiable information that has been collected and retained by the department or certified service provider is no longer required for the purposes set forth in subsection 3, paragraph “d”, that information shall no longer be retained by the department or certified service provider.

6. When personally identifiable information regarding an individual is retained by or on behalf of this state, this state shall provide reasonable access by the individual to the individual’s own information in the state’s possession and a right to correct any inaccurately recorded information.

7. This privacy policy is subject to enforcement by the department and the attorney general.

8. This state’s laws and rules regarding the collection, use, and maintenance of confidential taxpayer information remain fully applicable and binding. Without limitation, the agreement does not enlarge or limit the state’s or department’s authority to:

a. Conduct audits or other review as provided under the agreement and state law.

b. Provide records pursuant to its examination of public records law, disclosure laws of individual governmental agencies, or other regulations.

c. Prevent, consistent with state law, disclosures of confidential taxpayer information.

d. Prevent, consistent with federal law, disclosures or misuse of federal return information obtained under a disclosure agreement with the internal revenue service.

e. Collect, disclose, disseminate, or otherwise use anonymous data for governmental purposes.

9. This privacy policy does not preclude the certification of a certified service provider whose privacy policy is more protective of confidential taxpayer information or personally identifiable information than is required by the agreement.

2003 Acts, 1st Ex, ch 2, §149, 205; 2005 Acts, ch 3, §69; 2013 Acts, ch 90, §257