(b) Certain terms defined. -- As used in this section:
(1) The term "confidential taxpayer information" means all information that is protected under section five-d, article ten of this chapter;
(2) The term "personally identifiable information" means information that identifies a person; and
(3) The term "anonymous data" means information that does not identify a person.
(c) Certified service providers. -- With very limited exceptions, a certified service provider shall perform its tax calculation, remittance and reporting functions without retaining the personally identifiable information of consumers.
(d) Certification of service providers. -- The governing board may certify a service provider only if that certified service provider certifies that:
(1) Its system has been designed and tested to ensure that the fundamental precept of anonymity is respected;
(2) That personally identifiable information is only used and retained to the extent necessary for the administration of Model I with respect to exempt purchasers and proper identification of taxing jurisdictions;
(3) It provides consumers clear and conspicuous notice of its information practices, including what information it collects, how it collects the information, how it uses the information, how long, if at all, it retains the information and whether it discloses the information to member states. This notice is satisfied by a written privacy policy statement accessible by the public on the official website of the certified service provider;
(4) Its collection, use and retention of personally identifiable information is limited to that required by the states that are members of the Streamlined Sales and Use Tax Agreement to ensure the validity of exemptions from taxation that are claimed by reason of a consumer's status or the intended use of the goods or services purchased and for documentation of the correct assignment of taxing jurisdictions; and
(5) It provides adequate technical, physical and administrative safeguards as to protect personally identifiable information from unauthorized access and disclosure.
(e) State notification of privacy policy. -- The Tax Commissioner shall provide public notification to consumers, including their exempt purchasers, of this state's practices relating to the collection, use and retention of personally identifiable information.
(f) Destruction of confidential information. -- When any personally identifiable information that has been collected and retained by the Tax Commissioner is no longer required for the purposes set forth in subdivision (4), subsection (d) of this section, the information shall no longer be retained by the Tax Commissioner.
(g) Review and correction by individuals. -- When personally identifiable information regarding an individual is retained by or on behalf of the Tax Commissioner, the commissioner shall provide reasonable access by an individual to his or her own information in the commissioner's possession and a right to correct any inaccurately recorded information.
(h) Discovery by other persons. -- If anyone other than the individual, or a person authorized in writing by the individual, or by controlling law seeks to discover personally identifiable information, the Tax Commissioner shall make a reasonable and timely effort to notify the individual of the request.
(i) Enforcement. -- This privacy policy shall be enforced by the Tax Commissioner or the Attorney General of this State.
(j) This section shall not be interpreted as limiting or abrogating any other statutory or regulatory provision of this State regarding the collection, use and maintenance of confidential taxpayer information, which provisions remain fully applicable and binding. This section and the Streamlined Sales and Use Tax Agreement do not enlarge or limit the authority of this State to:
(1) Conduct audits or other reviews as provided under the Streamlined Sales and Use Tax Agreement and state law;
(2) Provide records pursuant to the Freedom of Information Act, disclosure laws with governmental agencies or other laws or regulations;
(3) Prevent, consistent with state law, disclosures of confidential taxpayer information;
(4) Prevent, consistent with federal law, disclosures or misuse of federal return information obtained under a disclosure agreement with the Internal Revenue Service; or
(5) Collect, disclose, disseminate or otherwise use anonymous data for governmental purposes.
(k) Service provider's confidentiality policy may be more restrictive. -- This privacy policy does not preclude the governing board from certifying a certified service provider whose privacy policy is more protective of confidential taxpayer information or personally identifiable information than is required by the agreement or the laws of this state.