Also, under the bill, a provider is prohibited from refusing to provide broadband
Internet access service because a customer or prospective customer does not grant
approval to the provider to use, disclose, or permit access to proprietary information.
The bill allows a provider to use, disclose, or permit access to both sensitive and
non-sensitive customer proprietary information without receiving the customer's
approval only for the following purposes: 1) to provide the broadband Internet access
service from which the information is derived; 2) to initiate, render, bill, or collect for
broadband Internet access service; 3) to protect the rights or property of a provider
or to protect users against fraudulent, abusive, or unlawful use of the service; 4) to
provide certain services to a customer during a real-time interaction with the
provider initiated by the customer; 5) to provide location information or
non-sensitive information in emergencies; or 6) as otherwise required or authorized
by law.
Under the bill, when a provider requests approval to use, disclose, or permit
access to a customer's proprietary information, the provider's request must
accompany a notice that includes a specific description of the following: 1) the types
of customer proprietary information that the provider will collect from providing
broadband Internet access service, and how it will use the information; 2) the
circumstances under which the provider discloses or permits access to each type of
customer proprietary information that it collects; 3) the categories of entities to
which the provider discloses or permits to access the customer's proprietary
information and the purposes for which that information will be used by each
category of entity; and 4) the customer's rights to grant, deny, or withdraw approval
concerning the customer's proprietary information. The notice must also include
access to a mechanism that the customer can use to grant, deny, or withdraw
approval at any time.
The bill requires that when a provider makes a material change to its policies
concerning the privacy of customer proprietary information, the provider must give
to each customer a similar notice that also includes a specific description of the
changes made to the privacy policies. The bill also requires that all notices and
mechanisms used for granting, denying, or withdrawing approval be translated into
the language that the provider uses to transact business with a customer.
The bill requires providers to take reasonable security measures to protect
customer proprietary information from unauthorized use, disclosure, or access.
Further, when a breach of the provider's security occurs, the provider is required to
notify each affected customer within 30 days after learning of the breach unless the
provider reasonably determines that no harm to the customer is reasonably likely to
occur as a result. The notification must describe the information that is reasonably
believed to have been involved in the security breach and include information about
how to contact the provider to inquire about the security breach and how to contact
relevant government agencies. If the security breach creates a risk of financial harm,
the notification must also include information about steps that the customer can take
to guard against identity theft.
The bill also requires a provider to notify the Department of Agriculture, Trade
and Consumer Protection and the Department of Justice within seven business days
of learning about a breach of security affecting 5,000 or more customers unless the
provider reasonably determines that no harm to customers is reasonably likely to
occur as a result of the breach. If a breach of security affects fewer than 5,000
customers, the bill requires a provider to notify DATCP within 30 days after learning
about the breach. Under the bill, a provider is required to maintain records for two
years that contain information about the notifications made to customers about a
breach of security.
A broadband Internet access service provider that intentionally violates the bill
is subject to a criminal fine of up to $1,000, or up to three months in jail, or both.
Alternatively, a provider that violates the bill is subject to a civil forfeiture of up to
$50,000 for the first violation, and up to $100,000 for each subsequent violation.
Additionally, under the bill, any person or class of persons that is adversely affected
by a violation by a broadband Internet access service provider can sue the provider
for appropriate relief. The bill also authorizes 1) DATCP; 2) DOJ, after consulting
with DATCP; or 3) any district attorney, upon informing DATCP, to bring an action
to restrain by temporary or permanent injunction any violation of the bill.
For further information see the state fiscal estimate, which will be printed as
an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
SB233,1
1Section
1. 100.70 of the statutes is created to read:
SB233,3,3
2100.70 Privacy and security of information obtained by an Internet
3service provider. (1) Definitions. In this section:
SB233,3,64
(a) “Breach of security” means any instance in which a person, without
5authorization or exceeding authorization, has gained access to, used, or disclosed
6customer proprietary information.
SB233,4,27
(b) 1. “Broadband Internet access service” means a mass-market retail service
8by wire or radio that provides the capability to transmit data and receive data from
9all or substantially all Internet endpoints, including any capabilities that are
1incidental to and enable the operation of the service, but excluding dial-up Internet
2access service.
SB233,4,53
2. “Broadband Internet access service” includes any service that the
4department finds is a functional equivalent of the service specified in subd. 1. or is
5used to evade the requirements under this section.
SB233,4,66
(c) “Customer” means any of the following:
SB233,4,87
1. A current or former subscriber to broadband Internet access service who
8resides in this state.
SB233,4,129
2. A person who resides in this state and uses or has used broadband Internet
10access service that is provided under an agreement between a current or former
11subscriber who resides in this state and a broadband Internet access service
12provider.
SB233,4,1413
(d) “Customer proprietary information” means any of the following
14information:
SB233,4,1815
1. Individually identifiable information that relates to the quantity, technical
16configuration, type, destination, location, or amount of use of a broadband Internet
17access service subscribed to by a customer of a provider of that service, and that is
18made available to the provider by the customer.
SB233,4,2019
2. Any information that is linked or reasonably able to be linked to an
20individual or a device.
SB233,4,2121
3. Content of a customer's communications.
SB233,4,2522
(e) “Material change” means any change that a customer, acting reasonably
23under the circumstances, would consider important to his or her decisions
24concerning his or her privacy, including any change to information required to be
25presented in the notice required under sub. (2) (b).
SB233,5,2
1(f) “Non-sensitive customer proprietary information” means customer
2proprietary information that is not sensitive customer proprietary information.
SB233,5,53
(g) “Opt-in approval” means the method for obtaining customer consent in
4which a provider obtains from the customer affirmative, express consent after the
5customer is provided appropriate notification of the provider's request for consent.
SB233,5,96
(h) “Opt-out approval” means the method for obtaining customer consent in
7which a customer is deemed to have consented if the customer has failed to object to
8a provider's request after the customer is provided with appropriate notification of
9the provider's request for consent.
SB233,5,1110
(i) “Prospective customer” means an applicant for broadband Internet access
11service who resides in this state.
SB233,5,1312
(j) “Sensitive customer proprietary information” means customer proprietary
13information that is any of the following:
SB233,5,1414
1. Financial information.
SB233,5,1515
2. Health information.
SB233,5,1616
3. Information pertaining to a child.
SB233,5,1717
4. A social security number.
SB233,5,1818
5. Precise geo-location information.
SB233,5,1919
6. Content of communications.
SB233,5,2120
7. Web browsing history, smart phone or tablet computer application usage
21history, and the functional equivalents of either.
SB233,5,2422
(k) “Subscriber” means a person who enters into an agreement for the provision
23of broadband Internet access services with a provider of broadband Internet access
24services. “Subscriber” does not include a person who resells services.
SB233,6,4
1(2) Notice requirements. (a)
When notice required. 1. A broadband Internet
2access service provider shall make a notice available at all times to customers about
3its policies concerning the privacy of the information that the provider obtains about
4customers.
SB233,6,75
2. A broadband Internet access service provider shall notify a prospective
6customer, at the point of sale, prior to a purchase of service, about its policies
7concerning the privacy of information that the provider obtains about customers.
SB233,6,98
(b)
Contents. A broadband Internet access service provider shall include all of
9the following in the notice provided to customers under par. (a):
SB233,6,1210
1. A specific description of the types of customer proprietary information that
11the broadband Internet access service provider collects from providing broadband
12Internet access service and how it uses that information.
SB233,6,1513
2. A specific description of the circumstances under which the broadband
14Internet access service provider discloses or permits access to each type of customer
15proprietary information that it collects.
SB233,6,1916
3. A specific description of the categories of entities to which the broadband
17Internet access service provider discloses or permits to access customer proprietary
18information and the purposes for which that information will be used by each
19category of entities.
SB233,6,2220
4. A specific description of the customer's rights to grant, deny, or withdraw
21approval concerning the customer's proprietary information, including each of the
22following:
SB233,6,2523
a. A statement that the customer's denial or withdrawal of approval to use,
24disclose, or permit access to customer proprietary information will not affect the
25provision of any broadband Internet access services to the customer.
SB233,7,3
1b. A statement that any grant, denial, or withdrawal of approval for the use,
2disclosure, or permission of access to customer proprietary information is valid until
3the customer affirmatively revokes the grant, denial, or withdrawal.
SB233,7,54
c. A statement that the customer has the right to deny or withdraw approval
5to use, disclose, or permit access to customer proprietary information at any time.
SB233,7,66
5. Access to a mechanism required under sub. (3) (d) 3.
SB233,7,117
(c)
Material changes to a privacy policy. A broadband Internet access service
8provider shall provide a notice, through electronic mail or another means of prompt
9communication agreed upon by the customer, to a customer of a material change to
10its policies concerning the privacy of information that the provider obtains about the
11customer. The notice shall include all of the following:
SB233,7,1612
1. A specific description of the changes made to the provider's privacy policies,
13including any changes to what customer proprietary information the provider
14collects; how the provider uses, discloses, or permits access to that information; the
15categories of entities to which it discloses or permits access to customer proprietary
16information; and which, if any, changes are retroactive.
SB233,7,1717
2. The description required under par. (b) 4.
SB233,7,1818
3. Access to a mechanism required under sub. (3) (d) 3.
SB233,7,2219
(d)
When translation required. If a broadband Internet access service provider
20transacts business with a customer in a language other than English, the provider
21shall translate the contents of the notices required under pars. (b) and (c) into the
22language through which the provider transacts business with the customer.
SB233,7,25
23(3) Customer approval. (a)
Opt-in approval required. Except as provided
24under par. (c), a broadband Internet access service provider may not do any of the
25following unless the provider obtains opt-in approval from the customer:
SB233,8,2
11. Use, disclose, or permit access to any of the customer's sensitive customer
2proprietary information.
SB233,8,53
2. Use, disclose, or permit access to any of the customer's proprietary
4information previously collected by the provider for which the customer has not
5previously granted approval under this paragraph or par. (b).
SB233,8,96
(b)
Opt-out approval required. 1. Except as provided under subd. 2. or par. (c),
7a broadband Internet access service provider may not use, disclose, or permit access
8to any of a customer's non-sensitive customer proprietary information unless the
9provider obtains opt-out approval from the customer.
SB233,8,1210
2. A broadband Internet access service provider may obtain opt-in approval
11from a customer to use, disclose, or permit access to any of the customer's
12non-sensitive customer proprietary information.
SB233,8,1613
(c)
Permissible use without customer approval. A broadband Internet access
14service provider may use, disclose, or permit access to customer proprietary
15information without approval from the customer under par. (a) or (b) only for the
16following purposes:
SB233,8,1917
1. To provide the broadband Internet access service from which the information
18is derived, or in its provision of services necessary to, or used in, the provision of that
19service.
SB233,8,2020
2. To initiate, render, bill, or collect for broadband Internet access service.
SB233,8,2321
3. To protect the rights or property of the broadband Internet access service
22provider, or to protect users of the broadband Internet access service and other
23providers from fraudulent, abusive, or unlawful use of the service.
SB233,9,3
14. To provide any marketing, referral, or administrative services to a customer
2for the duration of a real-time interaction if the interaction was initiated by the
3customer.
SB233,9,54
5. To provide location information or non-sensitive customer proprietary
5information to any of the following:
SB233,9,96
a. A public safety answering point, as defined in s. 256.35 (1) (gm), emergency
7medical service provider, emergency dispatch provider, public safety official, fire
8service official, law enforcement official, or hospital emergency or trauma care
9facility, in order to respond to the user's request for emergency services.
SB233,9,1210
b. The user's legal guardian or a member of the user's immediate family, to
11inform about the user's location in an emergency situation that involves the risk of
12death or serious physical harm.
SB233,9,1513
c. A provider of information or database management services only for the
14purpose of assisting in the delivery of emergency services in response to an
15emergency.
SB233,9,1616
6. As otherwise required or authorized by law.
SB233,9,2117
(d)
Solicitation and exercise of customer approval. 1. A broadband Internet
18access service provider shall request the approval required under par. (a) or (b) at the
19point of sale to a customer and at the time the provider makes a material change to
20its policies concerning the privacy of information that the provider obtains about a
21customer.
SB233,9,2422
2. A broadband Internet access service provider shall request customer
23approval clearly and conspicuously, in language that is readily understandable and
24not misleading, and each request shall include all of the following:
SB233,10,2
1a. A disclosure of the types of customer proprietary information for which the
2provider is seeking customer approval to use, disclose, or permit access to.
SB233,10,43
b. A disclosure of the purposes for which the customer's proprietary
4information will be used.
SB233,10,65
c. A disclosure of the categories of entities to which the provider intends to
6disclose or permit access to the customer proprietary information.
SB233,10,77
d. A means to easily access the notice required under sub. (2) (a) or (c).
SB233,10,88
e. A means to easily access the mechanism required under subd. 3.
SB233,10,119
3. A broadband Internet access service provider shall make available, at no
10additional cost to the customer, a mechanism for a customer to grant, deny, or
11withdraw opt-in approval or opt-out approval, or both, at any time.
SB233,10,1512
4. A broadband Internet access service provider shall give effect to a customer's
13grant, denial, or withdrawal of approval promptly, and the grant, denial, or
14withdrawal of approval shall remain in effect until the customer revokes or limits the
15grant, denial, or withdrawal of approval.
SB233,10,2016
5. If a broadband Internet access service provider transacts business with a
17customer in a language other than English, the provider shall translate the contents
18required under subd. 2. and the instructions for using the mechanism required under
19subd. 3. into the language through which the provider transacts business with the
20customer.
SB233,10,23
21(4) Data security. (a) A broadband Internet access service provider shall take
22reasonable security measures to protect customer proprietary information from
23unauthorized use, disclosure, or access.
SB233,11,3
1(b) In implementing reasonable security measures under par. (a), a broadband
2Internet access service provider shall appropriately take into account each of the
3following factors:
SB233,11,44
1. The nature and scope of the provider's activities.
SB233,11,55
2. The sensitivity of the data it collects.
SB233,11,66
3. The size of the provider.
SB233,11,77
4. The technical feasibility of implementing the security measures.
SB233,11,14
8(5) Data breach notification. (a)
Customer notification. 1. Except as provided
9in subd. 4., a broadband Internet access service provider shall, without unreasonable
10delay, notify a customer about any breach of security involving customer proprietary
11information pertaining to that customer within 30 days after the provider reasonably
12determines that a breach of security has occurred unless the provider reasonably
13determines that no harm to the customer is reasonably likely to occur as a result of
14the breach of security.
SB233,11,1615
2. A broadband Internet access service provider shall notify a customer about
16a breach of security under subd. 1. by at least one of the following methods:
SB233,11,2017
a. A written notification sent to either the customer's electronic mail address
18or the postal address of record of the customer, or, for former customers, to the last
19postal address ascertainable after reasonable investigation using commonly
20available sources.
SB233,11,2221
b. Other electronic means of prompt communication agreed upon by the
22customer for contacting that customer for breach of security notification purposes.
SB233,11,2423
3. A broadband Internet access service provider shall provide all of the
24following information in a notice required under subd. 1.:
SB233,11,2525
a. The date, estimated date, or estimated date range of the breach of security.
