AB-375 Broadband Internet access service providers: customer privacy.(2017-2018)

SECTION 1. Chapter 21.7 (commencing with Section 22550) is added to Division 8 of the Business and Professions Code, to read:

CHAPTER 21.7. California Broadband Internet Privacy Act

22550. This chapter shall be known, and may be cited, as the California Broadband Internet Privacy Act.
22550.5. It is the intent of the Legislature in enacting this chapter to incorporate into statute certain provisions of the Federal Communications Commission Report and Order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (FCC 16-148), which were revoked by Senate Joint Resolution 34 (Public Law 115-22), which became effective April 3, 2017. In adopting the specified provisions incorporated into this act, it is the intent of the Legislature to give consumers greater control over their personal information when accessing the Internet through a broadband Internet access service provider and thereby better protect their own privacy and autonomy. It is also the intent of the Legislature that the consumer protections set forth in this chapter be interpreted broadly and any exceptions interpreted narrowly, using the Federal Communications Commission Report and Order as persuasive guidance, in order to maximize individual privacy and autonomy.
22551. For purposes of this chapter:
(a) (1) “Aggregate customer information” means collective data that relates to a group or category of customers, from which individual customer identities and characteristics have been removed, that is not linked or reasonably linkable to any individual person, household, or device.
(2) “Aggregate customer information” does not mean one or more individual customer records that have been de-identified.
(b) “Broadband Internet access service” or “BIAS” means a mass market retail service by wire or radio in California that provides the capability to transmit data and to receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to, and enable the operation of, the service, but excluding dial-up Internet access service. The term also encompasses any service that provides a functional equivalent of the service described in this subdivision, or that is used to evade the protections set forth in this chapter.
(c) (1) “Broadband Internet access service provider” means a person engaged in the provision of BIAS to a customer account located in California.
(2) “Broadband Internet access service provider” does not include a premises operator, including a coffee shop, bookstore, airline, private end-user network, or other business that acquires BIAS from a BIAS provider to enable patrons to access the Internet from its respective establishment.
(d) “Customer” means either of the following:
(1) A current or former subscriber to BIAS in California.
(2) An applicant for BIAS in California.
(e) “Customer proprietary information” means any of the following that a BIAS provider acquires in connection with its provision of BIAS:
(1) Individually identifiable customer proprietary network information.
(2) Personally identifiable information.
(3) Content of a communication.
(f) (1) “Customer proprietary network information” or “CPNI” means information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a BIAS subscribed to by a customer of a BIAS provider, and that is made available to the BIAS provider by the customer solely by virtue of the provider-customer relationship.
(2) (A) CPNI includes, but is not limited to, all of the following: broadband service plans, geo-location data, Media Access Control (MAC) addresses and other device identifiers, source and destination Internet Protocol (IP) addresses and domain name information, other information in the network layer protocol headers, traffic statistics, including both short-term and long-term measurements, port information and other transport layer protocol header information, application headers including any information a BIAS provider injects into the application header, application usage, application payload, customer premises equipment, and other customer device information.
(B) CPNI includes any information falling within a CPNI category that the BIAS provider collects or accesses in connection with the provision of BIAS.
(C) CPNI includes information that a BIAS provider causes to be collected or stored on a customer’s device, including customer premises equipment and mobile stations.
(g) “Material change” means any change that a customer, acting reasonably under the circumstances, would consider important to his or her decisions regarding his or her privacy.
(h) “Nonsensitive customer proprietary information” means customer proprietary information that is not sensitive customer proprietary information.
(i) “Opt-in approval” means a method for obtaining customer consent to use, disclose, or permit access to the customer’s proprietary information. This approval method requires that the BIAS provider obtain from the customer affirmative, express consent allowing the requested usage, disclosure, or access to the customer proprietary information after the customer is provided appropriate notification of the BIAS provider’s request, consistent with the requirements of this chapter.
(j) “Opt-out approval” means a method for obtaining customer consent to use, disclose, or permit access to the customer’s proprietary information. Under this approval method, a customer is deemed to have consented to the use or disclosure of, or access to, the customer’s proprietary information if the customer has failed to object to that use, disclosure, or access after the customer is provided appropriate notification of the BIAS provider’s request for consent, consistent with the requirements of this chapter.
(k) “Person” includes an individual, partnership, association, joint-stock company, trust, or corporation.
(l) “Personally identifiable information” means any information that is linked or reasonably linkable to an individual or device. Information is linked or reasonably linkable to an individual or device if it can reasonably be used on its own, in context, or in combination to identify an individual or device, or to logically associate it with other information about a specific individual or device. Personally identifiable information includes, but is not limited to each of the following: name; address; Social Security number; date of birth; mother’s maiden name; government-issued identifiers, including a driver’s license number; physical address; email address or other online contact information; phone numbers; MAC addresses or other unique device identifiers; IP addresses; and persistent online or unique advertising identifiers.
(m) “Sensitive customer proprietary information” includes all of the following:
(1) Financial information.
(2) Health information.
(3) Information pertaining to children.
(4) Social security numbers.
(5) Precise geolocation information.
(6) Content of communications.
(7) (A) Internet Web site browsing history, application usage history, and the functional equivalents of either.
(B) “Internet Web site browsing history and application usage history” means information from network traffic related to Internet Web site browsing or other applications, including the application layer of that traffic, and information from network traffic indicating the Internet Web site or party with which the customer is communicating, including a domain or IP address.
22552. (a) (1) Except as described in paragraph (2), a BIAS provider shall not use, disclose, or permit access to customer proprietary information except with the opt-out or opt-in approval of a customer as described in this section.
(2) A BIAS provider may use, disclose, or permit access to customer proprietary information without customer approval for any of the following purposes:
(A) In its provision of the BIAS service from which the information is derived, or in its provision of services necessary to, or used in, the provision of the service.
(B) To initiate, render, bill, and collect for BIAS.
(C) To protect the rights or property of the BIAS provider, or to protect users of the BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service.
(D) To provide any inbound marketing, referral, or administrative services to the customer for the duration of a real-time interaction.
(E) To provide location information or nonsensitive customer proprietary information to any of the following:
(i) A public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user’s request for emergency services.
(ii) The user’s legal guardian or members of the user’s immediate family of the user’s location in an emergency situation that involves the risk of death or serious physical harm.
(iii) Providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
(F) To generate an aggregate customer information dataset using customer personal information, or using, disclosing, or permitting access to the aggregate customer information dataset it generated.
(G) For any other lawful purpose if the BIAS provider ensures the customer proprietary information is not individually identifiable by doing all of the following:
(i) Determining that the information is not reasonably linkable to an individual or device.
(ii) Publicly committing to maintain and use the data in a non-individually identifiable fashion and to not attempt to re-identify the data.
(iii) Contractually prohibiting any entity to which it discloses or permits access to the de-identified data from attempting to re-identify the data.
(H) As otherwise required or authorized by law.
(b) Except as otherwise provided in this section, a BIAS provider shall obtain opt-out approval from a customer to use, disclose, or permit access to any of the customer’s nonsensitive customer proprietary information. If it so chooses, a BIAS provider may instead obtain opt-in approval from a customer to use, disclose, or permit access to any of the customer’s nonsensitive customer proprietary information.
(c) Except as otherwise provided in this section, a BIAS provider shall obtain opt-in approval from a customer to do either of the following:
(1) Use, disclose, or permit access to any of the customer’s sensitive customer proprietary information.
(2) Make any material retroactive change, including a material change that would result in a use, disclosure, or permission of access to any of the customer’s proprietary information previously collected by the BIAS provider for which the customer did not previously grant approval, either through opt-in or opt-out consent, as required by subdivision (b) and this subdivision.
(d) (1) Except as described in subdivision (a), a BIAS provider shall, at a minimum, solicit customer approval pursuant to subdivision (b) or (c), as applicable, at the point of sale and when making one or more material changes to privacy policies.
(2) A provider’s solicitation of customer approval shall be clear and conspicuous, and in language that is comprehensible and not misleading. The solicitation shall disclose all of the following:
(A) The types of customer proprietary information that the BIAS provider is seeking customer approval to use, disclose, or permit access to.
(B) The purposes for which the customer proprietary information will be used.
(C) The categories of entities to which the BIAS provider intends to disclose or permit access to the customer proprietary information.
(3) A BIAS provider’s solicitation of customer approval shall be completely translated into a language other than English if the BIAS provider transacts business with the customer in that language.
(e) A BIAS provider shall make available a simple, easy-to-use mechanism for a customer to grant, deny, or withdraw opt-in approval and opt-out approval at any time. The mechanism shall be clear and conspicuous, in language that is comprehensible and not misleading, and made available at no additional cost to the customer. The mechanism shall be persistently available on or through the BIAS provider’s homepage on its Internet Web site, the BIAS provider’s application if it provides one for account management purposes, and any functional equivalent to the BIAS provider’s homepage or application. If the BIAS provider does not have a homepage, it shall provide a persistently available mechanism by another means such as a toll-free telephone number. The customer’s grant, denial, or withdrawal of approval shall be given effect promptly and remain in effect until the customer revokes or limits the grant, denial, or withdrawal of approval.
22553. A BIAS provider shall not do either of the following:
(a) Refuse to provide BIAS, or in any way limit that service, to a customer who does not waive his or her privacy rights guaranteed by law or regulation, including this chapter.
(b) Charge a customer a penalty, penalize a customer in any way, or offer a customer a discount or another benefit, as a direct or indirect consequence of a customer’s decision to, or refusal to, waive his or her privacy rights guaranteed by law or regulation, including this chapter.
22554. This chapter shall not limit the other statutory rights of a customer or the statutory obligations of a BIAS provider, including, but not limited to, the rights and obligations described in this division, Section 1798.82 of the Civil Code, and Article 3 (commencing with Section 2891) of Chapter 10 of Part 2 of Division 1 of the Public Utilities Code.
22555. The requirements of this chapter shall apply to BIAS providers operating within California when providing BIAS to their customers who are residents of and physically located in California. Any waiver by the customer of the provisions of this chapter shall be deemed contrary to public policy and shall be void and unenforceable.
22556. California adopts this chapter pursuant to all inherent state authority under the Tenth Amendment of the United States Constitution and all relevant authority granted and reserved to the states by Title 47 of the United States Code, including the authority to impose requirements necessary to protect public safety and welfare, safeguard the rights of consumers, manage public rights-of-way, and regulate franchises. California further adopts this law pursuant to the inalienable right of privacy granted under the authority of Article I, Section 1 of the California Constitution.
22557. This chapter shall become operative on January 1, 2019.
SEC. 2. The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.