LRBa0497/1
KP:emw
2017 - 2018 LEGISLATURE
SENATE AMENDMENT 1,
TO ASSEMBLY BILL 123
May 10, 2017 - Offered by Senators
Carpenter, Hansen, Vinehout, Wirch and
Risser.
AB123-SA1,1,5
21. Page 1, line 11: delete the material beginning with “and making" and ending
3with “appropriations" on line 12 and substitute “privacy and security of customer
4information obtained by a broadband Internet access service provider, making
5appropriations, and providing a criminal penalty”.
AB123-SA1,1,7
7“
Section 21m. 100.70 of the statutes is created to read:
AB123-SA1,1,9
8100.70 Privacy and security of information obtained by an Internet
9service provider. (1) Definitions. In this section:
AB123-SA1,1,1210
(a) “Breach of security” means any instance in which a person, without
11authorization or exceeding authorization, has gained access to, used, or disclosed
12customer proprietary information.
AB123-SA1,2,5
1(b) 1. “Broadband Internet access service” means a mass-market retail service
2by wire or radio that provides the capability to transmit data and receive data from
3all or substantially all Internet endpoints, including any capabilities that are
4incidental to and enable the operation of the service, but excluding dial-up Internet
5access service.
AB123-SA1,2,86
2. “Broadband Internet access service” includes any service that the
7department finds is a functional equivalent of the service specified in subd. 1. or is
8used to evade the requirements under this section.
AB123-SA1,2,99
(c) “Customer” means any of the following:
AB123-SA1,2,1110
1. A current or former subscriber to broadband Internet access service who
11resides in this state.
AB123-SA1,2,1512
2. A person who resides in this state and uses or has used broadband Internet
13access service that is provided under an agreement between a current or former
14subscriber who resides in this state and a broadband Internet access service
15provider.
AB123-SA1,2,1716
(d) “Customer proprietary information” means any of the following
17information:
AB123-SA1,2,2118
1. Individually identifiable information that relates to the quantity, technical
19configuration, type, destination, location, or amount of use of a broadband Internet
20access service subscribed to by a customer of a provider of that service, and that is
21made available to the provider by the customer.
AB123-SA1,2,2322
2. Any information that is linked or reasonably able to be linked to an
23individual or a device.
AB123-SA1,2,2424
3. Content of a customer's communications.
AB123-SA1,3,4
1(e) “Material change” means any change that a customer, acting reasonably
2under the circumstances, would consider important to his or her decisions
3concerning his or her privacy, including any change to information required to be
4presented in the notice required under sub. (2) (b).
AB123-SA1,3,65
(f) “Non-sensitive customer proprietary information” means customer
6proprietary information that is not sensitive customer proprietary information.
AB123-SA1,3,97
(g) “Opt-in approval” means the method for obtaining customer consent in
8which a provider obtains from the customer affirmative, express consent after the
9customer is provided appropriate notification of the provider's request for consent.
AB123-SA1,3,1310
(h) “Opt-out approval” means the method for obtaining customer consent in
11which a customer is deemed to have consented if the customer has failed to object to
12a provider's request after the customer is provided with appropriate notification of
13the provider's request for consent.
AB123-SA1,3,1514
(i) “Prospective customer” means an applicant for broadband Internet access
15service who resides in this state.
AB123-SA1,3,1716
(j) “Sensitive customer proprietary information” means customer proprietary
17information that is any of the following:
AB123-SA1,3,1818
1. Financial information.
AB123-SA1,3,1919
2. Health information.
AB123-SA1,3,2020
3. Information pertaining to a child.
AB123-SA1,3,2121
4. A social security number.
AB123-SA1,3,2222
5. Precise geo-location information.
AB123-SA1,3,2323
6. Content of communications.
AB123-SA1,3,2524
7. Web browsing history, smart phone or tablet computer application usage
25history, and the functional equivalents of either.
AB123-SA1,4,3
1(k) “Subscriber” means a person who enters into an agreement for the provision
2of broadband Internet access services with a provider of broadband Internet access
3services. “Subscriber” does not include a person who resells services.
AB123-SA1,4,7
4(2) Notice requirements. (a)
When notice required. 1. A broadband Internet
5access service provider shall make a notice available at all times to customers about
6its policies concerning the privacy of the information that the provider obtains about
7customers.
AB123-SA1,4,108
2. A broadband Internet access service provider shall notify a prospective
9customer, at the point of sale, prior to a purchase of service, about its policies
10concerning the privacy of information that the provider obtains about customers.
AB123-SA1,4,1211
(b)
Contents. A broadband Internet access service provider shall include all of
12the following in the notice provided to customers under par. (a):
AB123-SA1,4,1513
1. A specific description of the types of customer proprietary information that
14the broadband Internet access service provider collects from providing broadband
15Internet access service and how it uses that information.
AB123-SA1,4,1816
2. A specific description of the circumstances under which the broadband
17Internet access service provider discloses or permits access to each type of customer
18proprietary information that it collects.
AB123-SA1,4,2219
3. A specific description of the categories of entities to which the broadband
20Internet access service provider discloses or permits to access customer proprietary
21information and the purposes for which that information will be used by each
22category of entities.
AB123-SA1,4,2523
4. A specific description of the customer's rights to grant, deny, or withdraw
24approval concerning the customer's proprietary information, including each of the
25following:
AB123-SA1,5,3
1a. A statement that the customer's denial or withdrawal of approval to use,
2disclose, or permit access to customer proprietary information will not affect the
3provision of any broadband Internet access services to the customer.
AB123-SA1,5,64
b. A statement that any grant, denial, or withdrawal of approval for the use,
5disclosure, or permission of access to customer proprietary information is valid until
6the customer affirmatively revokes the grant, denial, or withdrawal.
AB123-SA1,5,87
c. A statement that the customer has the right to deny or withdraw approval
8to use, disclose, or permit access to customer proprietary information at any time.
AB123-SA1,5,99
5. Access to a mechanism required under sub. (3) (d) 3.
AB123-SA1,5,1410
(c)
Material changes to a privacy policy. A broadband Internet access service
11provider shall provide a notice, through electronic mail or another means of prompt
12communication agreed upon by the customer, to a customer of a material change to
13its policies concerning the privacy of information that the provider obtains about the
14customer. The notice shall include all of the following:
AB123-SA1,5,1915
1. A specific description of the changes made to the provider's privacy policies,
16including any changes to what customer proprietary information the provider
17collects; how the provider uses, discloses, or permits access to that information; the
18categories of entities to which it discloses or permits access to customer proprietary
19information; and which, if any, changes are retroactive.
AB123-SA1,5,2020
2. The description required under par. (b) 4.
AB123-SA1,5,2121
3. Access to a mechanism required under sub. (3) (d) 3.
AB123-SA1,5,2522
(d)
When translation required. If a broadband Internet access service provider
23transacts business with a customer in a language other than English, the provider
24shall translate the contents of the notices required under pars. (b) and (c) into the
25language through which the provider transacts business with the customer.
AB123-SA1,6,3
1(3) Customer approval. (a)
Opt-in approval required. Except as provided
2under par. (c), a broadband Internet access service provider may not do any of the
3following unless the provider obtains opt-in approval from the customer: