AB64-SA17,7,75
3. To protect the rights or property of the broadband Internet access service
6provider, or to protect users of the broadband Internet access service and other
7providers from fraudulent, abusive, or unlawful use of the service.
AB64-SA17,7,108
4. To provide any marketing, referral, or administrative services to a customer
9for the duration of a real-time interaction if the interaction was initiated by the
10customer.
AB64-SA17,7,1211
5. To provide location information or non-sensitive customer proprietary
12information to any of the following:
AB64-SA17,7,1613
a. A public safety answering point, as defined in s. 256.35 (1) (gm), emergency
14medical service provider, emergency dispatch provider, public safety official, fire
15service official, law enforcement official, or hospital emergency or trauma care
16facility, in order to respond to the user's request for emergency services.
AB64-SA17,7,1917
b. The user's legal guardian or a member of the user's immediate family, to
18inform about the user's location in an emergency situation that involves the risk of
19death or serious physical harm.
AB64-SA17,7,2220
c. A provider of information or database management services only for the
21purpose of assisting in the delivery of emergency services in response to an
22emergency.
AB64-SA17,7,2323
6. As otherwise required or authorized by law.
AB64-SA17,8,324
(d)
Solicitation and exercise of customer approval. 1. A broadband Internet
25access service provider shall request the approval required under par. (a) or (b) at the
1point of sale to a customer and at the time the provider makes a material change to
2its policies concerning the privacy of information that the provider obtains about a
3customer.
AB64-SA17,8,64
2. A broadband Internet access service provider shall request customer
5approval clearly and conspicuously, in language that is readily understandable and
6not misleading, and each request shall include all of the following:
AB64-SA17,8,87
a. A disclosure of the types of customer proprietary information for which the
8provider is seeking customer approval to use, disclose, or permit access to.
AB64-SA17,8,109
b. A disclosure of the purposes for which the customer's proprietary
10information will be used.
AB64-SA17,8,1211
c. A disclosure of the categories of entities to which the provider intends to
12disclose or permit access to the customer proprietary information.
AB64-SA17,8,1313
d. A means to easily access the notice required under sub. (2) (a) or (c).
AB64-SA17,8,1414
e. A means to easily access the mechanism required under subd. 3.
AB64-SA17,8,1715
3. A broadband Internet access service provider shall make available, at no
16additional cost to the customer, a mechanism for a customer to grant, deny, or
17withdraw opt-in approval or opt-out approval, or both, at any time.
AB64-SA17,8,2118
4. A broadband Internet access service provider shall give effect to a customer's
19grant, denial, or withdrawal of approval promptly, and the grant, denial, or
20withdrawal of approval shall remain in effect until the customer revokes or limits the
21grant, denial, or withdrawal of approval.
AB64-SA17,9,222
5. If a broadband Internet access service provider transacts business with a
23customer in a language other than English, the provider shall translate the contents
24required under subd. 2. and the instructions for using the mechanism required under
1subd. 3. into the language through which the provider transacts business with the
2customer.
AB64-SA17,9,5
3(4) Data security. (a) A broadband Internet access service provider shall take
4reasonable security measures to protect customer proprietary information from
5unauthorized use, disclosure, or access.
AB64-SA17,9,86
(b) In implementing reasonable security measures under par. (a), a broadband
7Internet access service provider shall appropriately take into account each of the
8following factors:
AB64-SA17,9,99
1. The nature and scope of the provider's activities.
AB64-SA17,9,1010
2. The sensitivity of the data it collects.
AB64-SA17,9,1111
3. The size of the provider.
AB64-SA17,9,1212
4. The technical feasibility of implementing the security measures.
AB64-SA17,9,19
13(5) Data breach notification. (a)
Customer notification. 1. Except as provided
14in subd. 4., a broadband Internet access service provider shall, without unreasonable
15delay, notify a customer about any breach of security involving customer proprietary
16information pertaining to that customer within 30 days after the provider reasonably
17determines that a breach of security has occurred unless the provider reasonably
18determines that no harm to the customer is reasonably likely to occur as a result of
19the breach of security.
AB64-SA17,9,2120
2. A broadband Internet access service provider shall notify a customer about
21a breach of security under subd. 1. by at least one of the following methods:
AB64-SA17,9,2522
a. A written notification sent to either the customer's electronic mail address
23or the postal address of record of the customer, or, for former customers, to the last
24postal address ascertainable after reasonable investigation using commonly
25available sources.
AB64-SA17,10,2
1b. Other electronic means of prompt communication agreed upon by the
2customer for contacting that customer for breach of security notification purposes.
AB64-SA17,10,43
3. A broadband Internet access service provider shall provide all of the
4following information in a notice required under subd. 1.:
AB64-SA17,10,55
a. The date, estimated date, or estimated date range of the breach of security.
AB64-SA17,10,86
b. A description of the customer proprietary information that was involved in
7the breach of security or reasonably believed to have been involved in the breach of
8security.
AB64-SA17,10,119
c. Information that the customer may use to contact the provider to inquire
10about the breach of security and the customer proprietary information that the
11provider maintains about that customer.
AB64-SA17,10,1312
d. Information about how to contact the department and any federal agencies
13relevant to the service provided to the customer.
AB64-SA17,10,1814
e. If the breach of security creates a risk of financial harm, information about
15the national credit-reporting agencies and the steps customers can take to guard
16against identity theft, including any credit monitoring, credit reporting, credit
17freezes, or other consumer protections that the provider is offering customers
18affected by the breach of security, including security freezes under s. 100.54.
AB64-SA17,10,2019
4. Upon the request of a law enforcement agency, a broadband Internet access
20service provider shall not disclose a breach of security to a customer.
AB64-SA17,11,221
(b)
Notification to government agencies. 1. Except as provided in subd. 3., a
22broadband Internet access service provider shall notify the department and the
23department of justice of any breach of security affecting 5,000 or more customers no
24later than 7 business days after the provider reasonably determines that a breach
1of security has occurred and at least 3 business days before notifying the affected
2customers under par. (a) 1.
AB64-SA17,11,63
2. Except as provided in subd. 3., a broadband Internet access service provider
4shall, without unreasonable delay, notify the department of any breach of security
5affecting fewer than 5,000 customers within 30 days after the provider reasonably
6determines that a breach of security has occurred.
AB64-SA17,11,97
3. A broadband Internet access service provider is not required to notify the
8department under subd. 1. or 2. if it reasonably determines that no harm to
9customers is reasonably likely to occur as a result of the breach of security.
AB64-SA17,11,1310
(c)
Record keeping. 1. Except as provided in subd. 3., a broadband Internet
11access service provider shall maintain a record, electronically or in some other
12manner, of each breach of security and the notifications made to customers under
13par. (a) 1. regarding that breach. The record shall include all of the following:
AB64-SA17,11,1514
a. The date that the provider first determines that the breach of security
15occurred.
AB64-SA17,11,1616
b. The date that customers were notified.
AB64-SA17,11,1717
c. A written copy of all customer notifications.
AB64-SA17,11,2018
2. A broadband Internet access service provider shall retain the record required
19under subd. 1. for at least 2 years from the date on which the provider first
20determines that the breach of security occurred.
AB64-SA17,11,2321
3. A broadband Internet access service provider is not required to maintain a
22record under subd. 1. if it reasonably determines that no harm to customers is
23reasonably likely to occur as a result of the breach of security.
AB64-SA17,12,2
24(6) Internet access service offers conditioned on waiver of privacy. (a) A
25broadband Internet access service provider may not refuse to provide broadband
1Internet access service because a customer or prospective customer does not provide
2approval required under sub. (3) (a) or (b).
AB64-SA17,12,63
(b) A broadband Internet access service provider that offers a financial
4incentive program, such as lower rates, in exchange for a customer's approval to use,
5disclose, or permit access to the customer's proprietary information shall do all of the
6following:
AB64-SA17,12,87
1. Provide a notice explaining the terms of the financial incentive program that
8includes all of the following:
AB64-SA17,12,109
a. An explanation that the program requires opt-in approval from the
10customer to use, disclose, or permit access to the customer's proprietary information.
AB64-SA17,12,1311
b. Information about what customer proprietary information the provider will
12collect, how it will be used, and the categories of entities with which it will be shared
13and for what purposes.
AB64-SA17,12,1614
c. Information, prominently displayed, about the equivalent service plan that
15does not necessitate the use, disclosure, or access to customer proprietary
16information beyond that required or permitted under sub. (3) (c).
AB64-SA17,12,1817
2. Obtain opt-in approval from the customer for consent to participate in the
18financial incentive program.
AB64-SA17,12,2019
3. Provide the notice required under subd. 1. at the time the program is offered
20to a customer and at the time that a customer elects to participate in the program.
AB64-SA17,12,2321
4. Make the notice required under subd. 1. easily accessible and available
22separate from any other privacy notifications, including the notifications required
23under sub. (2) (a) or (c).
AB64-SA17,13,3
15. If the provider transacts business with a customer in a language other than
2English, translate the contents required under subd. 1. into the language through
3which the provider transacts business with the customer.
AB64-SA17,13,74
6. If the customer grants the opt-in approval required under subd. 2., a
5broadband Internet access service provider shall make available a mechanism for
6the customer to withdraw approval for participation in the financial incentive
7program under this paragraph at any time.
AB64-SA17,13,12
8(7) Remedies and penalties. (a) 1. A person or class of persons adversely
9affected by a broadband Internet access service provider's violation of this section
10has a claim for appropriate relief, including damages, injunctive relief, and
11rescission and may bring an action in circuit court against the broadband Internet
12access service provider.
AB64-SA17,13,1413
2. Notwithstanding s. 814.04 (1), a person or class of persons entitled to relief
14under subd. 1 may recover costs, disbursements, and reasonable attorney fees.
AB64-SA17,13,1715
(b) 1. Any of the following may bring an action in circuit court in the name of
16the state to restrain by temporary or permanent injunction any violation of this
17section:
AB64-SA17,13,1818
a. The department.
AB64-SA17,13,1919
b. The department of justice, after consulting with the department.
AB64-SA17,13,2020
c. Any district attorney, upon informing the department.
AB64-SA17,13,2421
2. Before entry of final judgment, the court may make any order or judgment
22necessary to restore to any person any pecuniary loss suffered because of a violation
23that is the subject of the action under subd. 1., if proof of the violation is submitted
24to the satisfaction of the court.
AB64-SA17,14,5
1(c) 1. For any violation of this section, the department of justice, after
2consulting with the department, or the district attorney for the county where the
3violation occurs, upon informing the department, may commence an action in the
4name of the state to recover a forfeiture of not more than $50,000 for the first
5violation and not more than $100,000 for each subsequent violation.
AB64-SA17,14,86
2. Each occasion that a broadband Internet access service provider uses,
7discloses, or permits access to an individual customer's proprietary information in
8violation of sub. (3) (a) or (b) constitutes a separate violation.”.
AB64-SA17,14,11
10“
Section 1695b. 196.504 (1) (a) of the statutes is renumbered 196.504 (1) (ad),
11and 196.504 (1) (ad) 2., as renumbered, is amended to read:
AB64-SA17,14,13
12196.504 (1) (ad) 2. A telecommunications utility
that has not received or
13applied for A-CAM or phase II support.
AB64-SA17,1695c
14Section 1695c. 196.504 (1) (aa) of the statutes is created to read:
AB64-SA17,14,1915
196.504
(1) (aa) “A-CAM support” means support for the deployment of voice
16and broadband-capable networks from the federal Connect America Fund that is
17made to telecommunications utilities regulated as rate-of-return carriers by the
18federal communications commission and that is based on the federal
19communications commission's Alternative Connect America Cost Model.
AB64-SA17,1695d
20Section 1695d. 196.504 (1) (ab) of the statutes is created to read:
AB64-SA17,14,2321
196.504
(1) (ab) “Broadband infrastructure” means infrastructure for the
22provision of broadband service at a minimum download speed of 25 megabits per
23second and a minimum upload speed of 3 megabits per second.”.
AB64-SA17,15,3
3“
Section 1695p. 196.504 (1) (ae) of the statutes is renumbered 196.504 (1) (ak).
AB64-SA17,1695r
4Section 1695r. 196.504 (1) (ah) of the statutes is created to read:
AB64-SA17,15,85
196.504
(1) (ah) “Phase II support” means the federal communications
6commission's 2nd phase of support for rural broadband deployment from the federal
7Connect America Fund that is made to telecommunications utilities regulated as
8price cap carriers by the federal communications commission.”.
AB64-SA17,15,14
12“196.504
(2) (a) To make broadband expansion grants to eligible applicants for
13the purpose of constructing broadband infrastructure in underserved areas
14designated under par. (d).
AB64-SA17,15,19
15(2m) Grants awarded under this section shall be paid from the
appropriation 16appropriations under s. 20.155 (3)
(a), (r)
. In each fiscal year, the total amount of the
17grants may not exceed $1,500,000, and (rm). Not less than 85 percent of the grants
18awarded in a fiscal year shall be for the construction of broadband infrastructure in
19counties with populations of 65,000 or less.
AB64-SA17,1698m
20Section 1698m. 196.504 (2) (am) of the statutes is created to read:
AB64-SA17,15,2421
196.504
(2) (am) To make broadband expansion grants to organizations
22specified in sub. (1) (ad) 1., telecommunications utilities, or political subdivisions for
23project planning related to broadband infrastructure construction in underserved
24areas designated under par. (d).”.
AB64-SA17,16,2
110. Page 860, line 16: after “those providers." insert “
The criteria shall give
2first priority to projects for areas in which no broadband service is available.".
AB64-SA17,16,8
8“
Section 1699t. 196.504 (2m) of the statutes is created to read: