Bill Text

PDF |Add To My Favorites |Track Bill | print page

AB-375 Broadband Internet access service providers: customer privacy.(2017-2018)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 09/12/2017 02:24 PM
AB375:v95#DOCUMENT

Amended  IN  Senate  September 12, 2017
Amended  IN  Senate  August 21, 2017
Amended  IN  Senate  June 19, 2017
Amended  IN  Assembly  April 27, 2017

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 375


Introduced by Assembly Member Chau
(Principal coauthor: Senator Jackson)
(Coauthors: Assembly Members Dababneh, Gloria, and Mark Stone)

February 09, 2017


An act to add Chapter 21.7 (commencing with Section 22550) to Division 8 of the Business and Professions Code, relating to customer privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 375, as amended, Chau. Communications Broadband Internet access service providers: customer privacy.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit the commercial Internet Web site or online service to conspicuously post, or make available, its privacy policy, as specified. Under existing law, an operator violates this provision only if the operator fails to post its policy within 30 days after being notified of noncompliance. Existing law requires, among other things, that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers and the categories of 3rd-party persons or entities with whom the operator may share that information.
Existing law prohibits telephone and telegraph corporations from releasing certain information regarding residential subscribers without their written consent, except in specified circumstances.
Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system to specified residents of California, as specified. Existing law requires that disclosure to be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
This bill would enact the California Broadband Internet Privacy Act. The act would require communications providers, defined as providers that offer telecommunications in California for a fee directly to the public, as specified, to notify their customers of their privacy policies. The act act, beginning January 1, 2019, would, except as provided, prohibit those providers broadband Internet access service providers, as defined, from using, disclosing, or permitting access to customer proprietary information, as defined. The act would require those providers to take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access, considering the nature and scope of the provider’s activities, the sensitivity of the data it collects, the size of the provider, and technical feasibility. The act would require those providers to notify an affected customer of any breach of the security of the service that may expose the customer’s proprietary information, as specified, and to maintain a record of any breaches and related notifications made to customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The act act, beginning January 1, 2019, would prohibit a broadband Internet access service provider, as defined, those providers from refusing to provide broadband Internet access service, or in any way limiting that service, to a customer who does not waive his or her privacy rights guaranteed by law or regulation, and would prohibit those providers from charging a customer a penalty, penalizing a customer in any way, or offering a customer a discount or another benefit, as a direct or indirect consequence of a customer’s decision to, or refusal to, waive his or her privacy rights guaranteed by law or regulation.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Chapter 21.7 (commencing with Section 22550) is added to Division 8 of the Business and Professions Code, to read:
CHAPTER  21.7. California Broadband Internet Privacy Act

22550.
 This chapter shall be known, and may be cited, as the California Broadband Internet Privacy Act.

22550.5.
 It is the intent of the Legislature in enacting this chapter to incorporate into statute certain provisions of the Federal Communications Commission Report and Order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (FCC 16-148), which were revoked by Senate Joint Resolution 34 (Public Law 115-22), which became effective April 3, 2017. In adopting the specified provisions incorporated into this act, it is the intent of the Legislature to give consumers greater control over their personal information when accessing the Internet through a broadband Internet access service provider and thereby better protect their own privacy and autonomy. It is also the intent of the Legislature that the consumer protections set forth in this chapter be interpreted broadly and any exceptions interpreted narrowly narrowly, using the Federal Communications Commission Report and Order as persuasive guidance, in order to maximize individual privacy and autonomy.

22551.
 For purposes of this chapter:
(a) (1) “Aggregate customer information” means collective data that relates to a group or category of customers, from which individual customer identities and characteristics have been removed, that is not linked or reasonably linkable to any individual person, household, or device.
(2) “Aggregate customer information” does not mean one or more individual customer records that have been de-identified.

(a)

(b) “Broadband Internet access service” or “BIAS” means a mass market retail service by wire or radio in California that provides the capability to transmit data and to receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to, and enable the operation of, the communications service, but excluding dial-up Internet access service. The term also encompasses any service that provides a functional equivalent of the service described in this subdivision, or that is used to evade the protections set forth in this chapter.

(b)

(c) (1) “Broadband Internet access service provider” means a person engaged in the provision of broadband Internet access service BIAS to a customer account located in California.

(c)“Breach of security,” “breach,” and “data breach” mean any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.

(d)“Call detail information” means information that pertains to the transmission of specific telephone calls, including the following:

(1)For any call, its time, location, and duration.

(2)For an outbound call, the telephone number called.

(3)For an inbound call, the telephone number from which the call was placed.

(e)“Communications provider” or “provider” means any provider of communications services in California, except that this term does not include aggregators of communications services, as defined in Section 226 of Title 47 of the United States Code. For purposes of this chapter, the term “communications provider” or “provider” shall include a person engaged in the provision of VoIP service or broadband Internet access service.

(f)“Communications service” means the offering of telecommunications in California for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used. For the purposes of this chapter, the term “communications service” shall include VoIP service and broadband Internet access service.

(2) “Broadband Internet access service provider” does not include a premises operator, including a coffee shop, bookstore, airline, private end-user network, or other business that acquires BIAS from a BIAS provider to enable patrons to access the Internet from its respective establishment.

(g)

(d) “Customer” means either of the following:
(1) A current or former subscriber to communications service BIAS in California.
(2) An applicant for communications service BIAS in California.

(h)

(e) “Customer proprietary information” means any of the following that a communications BIAS provider acquires in connection with its provision of communications service: BIAS:
(1) Individually identifiable customer proprietary network information.
(2) Personally identifiable information.
(3) Content of a communication.

(i)

(f) (1) “Customer proprietary network information” or “CPNI” means both of the following:
(A)Information information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a communications service BIAS subscribed to by a customer of a communications BIAS provider, and that is made available to the BIAS provider by the customer solely by virtue of the provider-customer relationship.

(B)Information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a provider.

(2)“Customer proprietary network information” does not include subscriber list information.

(j)“Interconnected Voice over Internet Protocol service” or “VoIP service” means a service that does all of the following:

(1)Enables real-time, two-way voice communications.

(2)Requires a broadband connection from the user’s location.

(3)Requires Internet protocol-compatible customer premises equipment.

(4)Permits users generally to receive calls that originate on the public switched telephone network and to terminate calls to the public switched telephone network.

(2) (A) CPNI includes, but is not limited to, all of the following: broadband service plans, geo-location data, Media Access Control (MAC) addresses and other device identifiers, source and destination Internet Protocol (IP) addresses and domain name information, other information in the network layer protocol headers, traffic statistics, including both short-term and long-term measurements, port information and other transport layer protocol header information, application headers including any information a BIAS provider injects into the application header, application usage, application payload, customer premises equipment, and other customer device information.
(B) CPNI includes any information falling within a CPNI category that the BIAS provider collects or accesses in connection with the provision of BIAS.
(C) CPNI includes information that a BIAS provider causes to be collected or stored on a customer’s device, including customer premises equipment and mobile stations.

(k)

(g) “Material change” means any change that a customer, acting reasonably under the circumstances, would consider important to his or her decisions regarding his or her privacy, including any change to information required by the privacy notice described in Section 22552. privacy.
(h) “Nonsensitive customer proprietary information” means customer proprietary information that is not sensitive customer proprietary information.

(l)

(i) “Opt-in approval” means a method for obtaining customer consent to use, disclose, or permit access to the customer’s proprietary information. This approval method requires that the communications BIAS provider obtain from the customer affirmative, express consent allowing the requested usage, disclosure, or access to the customer proprietary information after the customer is provided appropriate notification of the BIAS provider’s request, consistent with the requirements of this chapter.

(m)

(j) “Opt-out approval” means a method for obtaining customer consent to use, disclose, or permit access to the customer’s proprietary information. Under this approval method, a customer is deemed to have consented to the use or disclosure of, or access to, the customer’s proprietary information if the customer has failed to object to that use, disclosure, or access after the customer is provided appropriate notification of the communications BIAS provider’s request for consent, consistent with the requirements of this chapter.

(n)

(k) “Person” includes an individual, partnership, association, joint-stock company, trust, or corporation.

(o)

(l) “Personally identifiable information” means any information that is linked or reasonably linkable to an individual or device. Information is linked or reasonably linkable to an individual or device if it can reasonably be used on its own, in context, or in combination to identify an individual or device, or to logically associate it with other information about a specific individual or device. Personally identifiable information includes, but is not limited to each of the following: name; address; Social Security number; date of birth; mother’s maiden name; government-issued identifiers, including a driver’s license number; physical address; email address or other online contact information; phone numbers; MAC addresses or other unique device identifiers; IP addresses; and persistent online or unique advertising identifiers.

(p)

(m) “Sensitive customer proprietary information” includes all of the following:
(1) Financial information.
(2) Health information.
(3) Information pertaining to children.
(4) Social security numbers.
(5) Precise geolocation information.
(6) Content of communications.

(7)Call detail information.

(8)Web

(7) (A) Internet Web site browsing history, application usage history, and the functional equivalents of either.

(q)“Telecommunications” means the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.

(B) “Internet Web site browsing history and application usage history” means information from network traffic related to Internet Web site browsing or other applications, including the application layer of that traffic, and information from network traffic indicating the Internet Web site or party with which the customer is communicating, including a domain or IP address.

22552.

(a)In addition to the requirements of Chapter 22 (commencing with Section 22575), as applicable, a communications provider shall notify its customers of its privacy policies. The notice shall be clear and conspicuous, and in language that is comprehensible and not misleading, and shall do all of the following:

(1)Specify and describe the types of customer proprietary information that the provider collects by virtue of its provision of communications service and how it uses that information.

(2)Specify and describe under what circumstances the provider discloses or permits access to each type of customer proprietary information that it collects.

(3)Specify and describe the categories of entities to which the provider discloses or permits access to customer proprietary information and the purposes for which the customer proprietary information will be used by each category of entities.

(4)Specify and describe a customer’s opt-in approval and opt-out approval rights with respect to his or her customer proprietary information, including both of the following:

(A)That a customer’s denial or withdrawal of approval to use, disclose, or permit access to customer proprietary information shall not affect the provision of any communications services of which he or she is a customer.

(B)That any grant, denial, or withdrawal of approval for the use, disclosure, or permission of access to the customer proprietary information is valid until the customer affirmatively revokes that grant, denial, or withdrawal. The notice shall inform the customer of his or her right to deny or withdraw access to the proprietary information at any time.

(5)Provide for access to a mechanism for a customer to grant, deny, or withdraw approval for the provider to use, disclose, or provide access to customer proprietary information as required by Section 22553.

(6)Be completely translated into a language other than English if the provider transacts business with the customer in that language.

(b)Notice required under subdivision (a) shall be made pursuant to both of the following requirements:

(1)The provider shall make the notice to a prospective customer at the point of sale, prior to the purchase of service, whether the point of sale is in person, online, over the telephone, or via another means.

(2)The provider shall make the notice persistently available through a clear and conspicuous link on the communications provider’s homepage, the provider’s application if it provides one for account management purposes, and any functional equivalent to the provider’s homepage or application. If a provider does not have an Internet Web site, it shall provide notice to a customer in paper form or another format agreed upon by the customer.

(c)A communications provider shall provide an existing customer with advance notice of one or more material changes to the provider’s privacy policies. The notice shall be clear and conspicuous, in language that is comprehensible and not misleading, and shall satisfy all of the following:

(1)It shall be provided through email or another means of active communication agreed upon by the customer.

(2)It shall specify and describe both of the following:

(A)The changes made to the provider’s privacy policies, including any changes to what customer proprietary information the provider collects, and how it uses, discloses, or permits access to that information, the categories of entities to which it discloses or permits access to customer proprietary information, and which, if any, changes are retroactive.

(B)A customer’s opt-in approval or opt-out approval rights with respect to his or her customer proprietary information, including the material specified in paragraph (4) of subdivision (a).

(3)It shall provide for access to a mechanism for a customer to grant, deny, or withdraw approval for the provider to use, disclose, or permit access to his or her customer proprietary information as required by Section 22553.

(4)It shall be completely translated into a language other than English if the provider transacts business with the customer in that language.

22553.22552.
 (a) (1) Except as described in paragraph (2), a communications BIAS provider shall not use, disclose, or permit access to customer proprietary information except with the opt-out or opt-in approval of a customer as described in this section.
(2) A BIAS provider may use, disclose, or permit access to customer proprietary information without customer approval for any of the following purposes:
(A) In its provision of the communications BIAS service from which the information is derived, or in its provision of services necessary to, or used in, the provision of the service.
(B) To initiate, render, bill, and collect for communications service. BIAS.
(C) To protect the rights or property of the BIAS provider, or to protect users of the communications service BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service.
(D) To provide any inbound marketing, referral, or administrative services to the customer for the duration of a real-time interaction, if the interaction was initiated by the customer. interaction.
(E) To provide location information or nonsensitive customer proprietary information to any of the following:
(i) A public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user’s request for emergency services.
(ii) The user’s legal guardian or members of the user’s immediate family of the user’s location in an emergency situation that involves the risk of death or serious physical harm.
(iii) Providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
(F) To generate an aggregate customer information dataset using customer personal information, or using, disclosing, or permitting access to the aggregate customer information dataset it generated.
(G) For any other lawful purpose if the BIAS provider ensures the customer proprietary information is not individually identifiable by doing all of the following:
(i) Determining that the information is not reasonably linkable to an individual or device.
(ii) Publicly committing to maintain and use the data in a non-individually identifiable fashion and to not attempt to re-identify the data.
(iii) Contractually prohibiting any entity to which it discloses or permits access to the de-identified data from attempting to re-identify the data.

(F)

(H) As otherwise required or authorized by law.
(b) Except as otherwise provided in this section, a communications BIAS provider shall obtain opt-out approval from a customer to use, disclose, or permit access to any of the customer’s nonsensitive customer proprietary information. If it so chooses, a BIAS provider may instead obtain opt-in approval from a customer to use, disclose, or permit access to any of the customer’s nonsensitive customer proprietary information.
(c) Except as otherwise provided in this section, a communications BIAS provider shall obtain opt-in approval from a customer to do either of the following:
(1) Use, disclose, or permit access to any of the customer’s sensitive customer proprietary information.
(2) Make any material retroactive change, including a material change that would result in a use, disclosure, or permission of access to any of the customer’s proprietary information previously collected by the BIAS provider for which the customer did not previously grant approval, either through opt-in or opt-out consent, as required by subdivision (b) and this subdivision.
(d) (1) Except as described in subdivision (a), a communications BIAS provider shall, at a minimum, solicit customer approval pursuant to subdivision (b) or (c), as applicable, at the point of sale and when making one or more material changes to privacy policies. The solicitation may be part of, or the same communication as, a notice required by Section 22552.
(2) A provider’s solicitation of customer approval shall be clear and conspicuous, and in language that is comprehensible and not misleading. The solicitation shall disclose all of the following:
(A) The types of customer proprietary information that the BIAS provider is seeking customer approval to use, disclose, or permit access to.
(B) The purposes for which the customer proprietary information will be used.
(C) The categories of entities to which the BIAS provider intends to disclose or permit access to the customer proprietary information.

(D)A means to easily access the notice required by subdivision (a) of Section 22552 and a means to access the mechanism required by subdivision (e).

(3) A BIAS provider’s solicitation of customer approval shall be completely translated into a language other than English if the BIAS provider transacts business with the customer in that language.
(e) A communications BIAS provider shall make available a simple, easy-to-use mechanism for customers a customer to grant, deny, or withdraw opt-in approval and opt-out approval at any time. The mechanism shall be clear and conspicuous, in language that is comprehensible and not misleading, and made available at no additional cost to the customer. The mechanism shall be persistently available on or through the BIAS provider’s homepage on its Internet Web site, the BIAS provider’s application if it provides one for account management purposes, and any functional equivalent to the BIAS provider’s homepage or application. If the BIAS provider does not have an Internet Web site, a homepage, it shall provide a persistently available mechanism by another means such as a toll-free telephone number. The customer’s grant, denial, or withdrawal of approval shall be given effect promptly and remain in effect until the customer revokes or limits the grant, denial, or withdrawal of approval.

22554.

(a)In addition to the requirements of Section 1798.81.5 of the Civil Code, a communications provider shall take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access.

(b)The security measures taken by a communications provider to implement the requirement set forth in this section shall, as appropriate, take into account each of the following factors:

(1)The nature and scope of the provider’s activities.

(2)The sensitivity of the data it collects.

(3)The size of the provider.

(4)Technical feasibility.

(c)A communications provider may employ a lawful security measure that allows it to implement the requirement set forth in this section.

22555.

(a)(1)In addition to the requirements of Section 1798.82 of the Civil Code, a communications provider shall notify an affected customer of any breach without unreasonable delay and in any event no later than 30 calendar days after the provider reasonably determines that a breach has occurred, subject to law enforcement needs, unless the provider can reasonably determine that no harm to the customer is reasonably likely to occur as a result of the breach.

(2)A provider required to provide notification to a customer under this subdivision shall provide the notice by one or both of the following methods:

(A)Written notification sent to either the customer’s email address or the postal address on record of the customer, or, for former customers, to the last postal address ascertainable after reasonable investigation using commonly available sources.

(B)Other electronic means of active communications agreed upon by the customer for contacting that customer for data breach notification purposes.

(3)The customer notification required to be provided under this subdivision shall include all of the following:

(A)The date, estimated date, or estimated date range of the breach of security.

(B)A description of the customer proprietary information that was breached or reasonably believed to have been breached.

(C)Information the customer can use to contact the provider to inquire about the breach of security and the customer proprietary information that the provider maintains about that customer.

(D)Information about how to contact the Federal Communications Commission.

(E)If the breach creates a risk of financial harm, information about the national credit-reporting agencies and the steps the customer can take to guard against identity theft, including any credit monitoring, credit reporting, credit freezes, or other consumer protections the provider is offering customers affected by the breach of security.

(b)A communications provider shall notify the Federal Communications Commission of any breach affecting 5,000 or more customers no later than seven business days after the provider reasonably determines that a breach has occurred and at least three business days before notification to the affected customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. A provider shall notify the Federal Communications Commission of any breach affecting fewer than 5,000 customers without unreasonable delay and no later than 30 calendar days after the provider reasonably determines that a breach has occurred, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.

(c)A communications provider shall notify the Federal Bureau of Investigation and the United States Secret Service of a breach that affects 5,000 or more customers no later than seven business days after the provider reasonably determines that a breach has occurred and at least three business days before notification to the affected customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.

(d)A communications provider shall maintain a record, electronically or in some other manner, of any breaches and notifications made to customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The record shall include the dates on which the provider determines that a reportable breach has occurred and the dates of customer notification. The record shall include a written copy of all customer notifications. A provider shall retain the record for a minimum of two years from the date on which it determines that a reportable breach has occurred.

22556.

A communications provider may bind itself contractually to privacy and data security regimes other than those described in this chapter for the provision of communications services other than broadband Internet access service to enterprise customers if the provider’s contract with that customer specifically addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for the customer to communicate with the provider about privacy and data security concerns.

22557.22553.
 A broadband Internet access service BIAS provider shall not do either of the following:
(a) Refuse to provide broadband Internet access service, BIAS, or in any way limit that service, to a customer who does not waive his or her privacy rights guaranteed by law or regulation, including this chapter.
(b) Charge a customer a penalty, penalize a customer in any way, or offer a customer a discount or another benefit, as a direct or indirect consequence of a customer’s decision to, or refusal to, waive his or her privacy rights guaranteed by law or regulation, including this chapter.

22558.22554.
 This chapter shall not limit the other statutory rights of a customer or the statutory obligations of a communications BIAS provider, including, but not limited to, the rights and obligations described in this division, Section 1798.82 of the Civil Code, and Article 3 (commencing with Section 2891) of Chapter 10 of Part 2 of Division 1 of the Public Utilities Code.

22559.22555.
 The requirements of this chapter shall apply to broadband Internet access service BIAS providers operating within California when providing broadband Internet access service BIAS to their customers who are residents of and physically located in California. Except as described in Section 22556, any Any waiver by the customer of the provisions of this chapter shall be deemed contrary to public policy and shall be void and unenforceable.

22560.22556.
 California adopts this chapter pursuant to all inherent state authority under the Tenth Amendment of the United States Constitution and all relevant authority granted and reserved to the states by Title 47 of the United States Code, including the authority to impose requirements necessary to protect public safety and welfare, safeguard the rights of consumers, manage public rights-of-way, and regulate franchises. California further adopts this law pursuant to the inalienable right of privacy granted under the authority of Article I, Section 1 of the California Constitution.

22557.
 This chapter shall become operative on January 1, 2019.

SEC. 2.

 The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.