Today's Law As Amended

PDF |Add To My Favorites |Track Bill | print page

AB-375 Internet service providers: customer privacy.(2017-2018)


 Chapter 36 (commencing with Section 22949.1) is added to Division 8 of the Business and Professions Code, to read:

CHAPTER  36. California Broadband Internet Privacy Act
 This chapter shall be known, and may be cited, as the California Broadband Internet Privacy Act.
 It is the intent of the Legislature in enacting this chapter to give consumers greater control over their personal information when accessing the Internet through an Internet service provider and thereby better protect their own privacy and autonomy. It is also the intent of the Legislature that the consumer protections set forth in this chapter be interpreted broadly and any exceptions interpreted narrowly in order to maximize individual privacy and autonomy.
 For purposes of this chapter, the following terms have the following meanings:
(a) “Aggregate customer information” means collective data that relates to a group or category of customers, from which individual customer identities and characteristics have been removed, that is not linked or reasonably linkable to any individual person, household, or device. “Aggregate customer information” does not mean one or more individual customer records that have been deidentified.
(b) “Customer” means a current or former subscriber to the Internet access service, or an applicant for Internet access service.
(c) “Customer personal information” means information collected from or about an individual customer or user of the customer’s subscription that is made available to the Internet service provider by a customer or user of the customer’s subscription solely by virtue of the provider-customer relationship, including:
(1) Name and billing information.
(2) Government-issued identifiers, including social security number.
(3) Information that would permit the physical or online contacting of an individual, such as physical address, email address, phone number, or IP address.
(4) Demographic information, such as date of birth, age, gender, race, ethnicity, nationality, religion, or sexual orientation.
(5) Financial information.
(6) Health information.
(7) Information pertaining to minors.
(8) Geolocation information.
(9) Information from the use of the service, such as Web browsing history, application usage history, content of communications, and origin and destination Internet Protocol (IP) addresses of all traffic.
(10) Device identifiers, such as media access control (MAC) address or Internet mobile equipment identity (IMEI).
(11) Information concerning a customer or user of the customer’s subscription that is collected or made available and is maintained in personally identifiable form.
(d) “Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up Internet access service. “Internet access service” also encompasses any service that the Federal Communications Commission or the Public Utilities Commission finds to be providing a functional equivalent to the service described in this subdivision.
(e) “Internet service provider” means a person or entity engaged in the provision of Internet access service, but only to the extent that the person or entity is providing Internet access service.
 (a) An Internet service provider shall not use, disclose, sell, or permit access to customer personal information, except as provided in this chapter.
(b) (1) An Internet service provider may use, disclose, sell, or permit access to customer personal information if the customer gives the Internet service provider prior opt-in consent, which may be revoked by the customer at any time. The mechanism for requesting and revoking consent under this subdivision shall be clear and conspicuous, as defined in subdivision (c) of Section 17601, not misleading, in the language primarily used to conduct business with the customer, and made available to the customer at no additional cost. The mechanism shall also be persistently available on or through the Internet service provider’s Internet Web site, or mobile application if it provides one for account management purposes. If the Internet service provider does not have an Internet Web site, it shall provide a persistently available mechanism by another means, such as a toll-free telephone number. The customer’s grant, denial, or withdrawal of consent shall be given effect promptly and remain in effect until the customer revokes or limits the grant, denial, or withdrawal of consent.
(2) The request for consent shall disclose to the customer all of the following:
(A) The types of customer personal information for which the Internet service provider is seeking customer approval to use, disclose, sell, or permit access.
(B) The purposes for which the customer personal information will be used.
(C) The categories of entities to which the Internet service provider intends to disclose, sell, or permit access to the customer personal information.
(c) An Internet service provider shall not do either of the following:
(1) Refuse to serve a customer, or in any way limit services to a customer, who does not provide consent under subdivision (b).
(2) Charge a customer a penalty, or penalize a customer in any way, or offer a customer a discount or another benefit based on the customer’s decision to provide or not provide consent under subdivision (b).
(d) An Internet service provider shall disclose the customer personal information of the customer upon affirmative written request by the customer, to any person designated by the customer.
 (a) An Internet service provider may use, disclose, or permit access to customer personal information without customer consent, but only to the extent necessary to achieve the stated purpose, in the following circumstances, unless otherwise prohibited by state law:
(1) To provide the Internet access service from which the information is derived, or services necessary to the provision of that service.
(2) To comply with legal process or other laws, court orders, or administrative orders.
(3) To initiate, render, bill for, and collect for Internet access service.
(4) To protect the rights or property of the Internet service provider, or to protect customers of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, those services.
(5) To provide location information concerning the customer as follows:
(A) To a public safety answering point, emergency medical service provider, or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the customer’s request for emergency services.
(B) To inform the customer’s legal guardian, members of the customer’s family, or a person reasonably believed by the Internet service provider, to be a close personal friend of the customer, of the customer’s location in an emergency situation that involves the risk of death or life-threatening harm.
(C) To providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
(b) Nothing in this chapter shall restrict an Internet service provider from generating an aggregate customer information dataset using customer personal information, or using, disclosing, selling, or permitting access to the aggregate customer information dataset it generated.
(c) Unless otherwise prohibited by state law, an Internet service provider may use, disclose, or permit access to customer personal information to advertise or market the provider’s communications-related services to the customer, provided that the customer may opt out of that use, disclosure, or access at any time, and the customer is notified of the right to opt out in a manner that is clear and conspicuous, as defined in subdivision (c) of Section 17601, not misleading, in the language primarily used to conduct business with the consumer, persistently available, and made available to the customer at no additional cost.
 (a) An Internet service provider shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect customer personal information from unauthorized use, disclosure, access, destruction, or modification.
(b) An Internet service provider may employ any lawful security measures that allow it to comply with the requirements set forth in this section.
(c) An Internet service provider shall not retain a customer’s information for longer than is reasonably necessary to accomplish the purposes for which the information was collected, unless the information is aggregate customer information, or as otherwise required by this chapter.
 The requirements of this chapter shall apply to Internet service providers operating within California when providing Internet access service to their customers who are residents of and physically located in California. Any waiver by the customer of the provisions of this chapter shall be deemed contrary to public policy and shall be void and unenforceable.
 The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
It is the intent of the Legislature that this chapter would have been adopted regardless of whether an invalid provision had not been included or an invalid application had not been made
 California adopts this chapter pursuant to all inherent state authority under the Tenth Amendment of the United States Constitution and all relevant authority granted and reserved to the states by Title 47 of the United States Code, including the authority to impose requirements necessary to protect public safety and welfare, safeguard the rights of consumers, manage public rights-of-way, and regulate franchises. California further adopts this law pursuant to the inalienable right of privacy granted under the authority of Article I, Section 1 of the California Constitution.