This bill generally prohibits a broadband Internet access service provider
(“provider”) from using, disclosing, or permitting access to a customer's proprietary
information unless the customer grants approval to the provider to use, disclose, or
permit access to that information. The bill defines “customer” as 1) a current or
former subscriber to broadband Internet access service who resides in this state; or
2) a person who resides in this state and uses broadband Internet access service that
is provided under an agreement between a current or former subscriber who resides
in this state and a provider. With certain exceptions described below, the bill requires
different types of approval for sensitive and nonsensitive customer proprietary
information. For sensitive information, the customer must grant express,
affirmative consent after receiving a notification that is required to accompany a
provider's request to use, disclose, or permit access to that information. Sensitive
information includes the following: 1) financial information; 2) health information;
3) information pertaining to a child; 4) a social security number; 5) precise
geolocation information; 6) content of communications; and 7) web browsing history
and smart phone or tablet computer application usage history.

For nonsensitive information, the customer must object to the provider's
request to use, disclose, or permit access to that information after the customer

---

receives a notification that is required to accompany the provider's request. Under
the bill, nonsensitive information is the following information that is not sensitive
information: 1) information that is linked or reasonably able to be linked to an
individual or a device; or 2) information that identifies an individual and that relates
to the quantity, technical configuration, type, destination, location, or amount of use
of broadband Internet access service.

Also, under the bill, a provider is prohibited from refusing to provide broadband
Internet access service because a customer or prospective customer does not grant
approval to the provider to use, disclose, or permit access to proprietary information.

The bill allows a provider to use, disclose, or permit access to both sensitive and
nonsensitive customer proprietary information without receiving the customer's
approval only for the following purposes: 1) to provide the broadband Internet access
service from which the information is derived; 2) to initiate, render, bill, or collect for
broadband Internet access service; 3) to protect the rights or property of a provider
or to protect users against fraudulent, abusive, or unlawful use of the service; 4) to
provide certain services to a customer during a real-time interaction with the
provider initiated by the customer; 5) to provide location information or nonsensitive
information in emergencies; or 6) as otherwise required or authorized by law.

Under the bill, when a provider requests approval to use, disclose, or permit
access to a customer's proprietary information, the provider's request must
accompany a notice that includes a specific description of the following: 1) the types
of customer proprietary information that the provider will collect from providing
broadband Internet access service, and how it will use the information; 2) the
circumstances under which the provider discloses or permits access to each type of
customer proprietary information that it collects; 3) the categories of entities to
which the provider discloses or permits to access the customer's proprietary
information and the purposes for which that information will be used by each
category of entity; and 4) the customer's rights to grant, deny, or withdraw approval
concerning the customer's proprietary information. The notice must also include
access to a mechanism that the customer can use to grant, deny, or withdraw
approval at any time.

The bill requires that when a provider makes a material change to its policies
concerning the privacy of customer proprietary information, the provider must give
to each customer a similar notice that also includes a specific description of the
changes made to the privacy policies. The bill also requires that all notices and
mechanisms used for granting, denying, or withdrawing approval be translated into
the language that the provider uses to transact business with a customer.

The bill requires providers to take reasonable security measures to protect
customer proprietary information from unauthorized use, disclosure, or access.
Further, when a breach of the provider's security occurs, the provider is required to
notify each affected customer within 30 days after learning of the breach unless the
provider reasonably determines that no harm to the customer is reasonably likely to
occur as a result. The notification must describe the information that is reasonably
believed to have been involved in the security breach and include information about
how to contact the provider to inquire about the security breach and how to contact

---

relevant government agencies. If the security breach creates a risk of financial harm,
the notification must also include information about steps that the customer can take
to guard against identity theft.

The bill also requires a provider to notify the Department of Agriculture, Trade
and Consumer Protection and the Department of Justice within seven business days
of learning about a breach of security affecting 5,000 or more customers unless the
provider reasonably determines that no harm to customers is reasonably likely to
occur as a result of the breach. If a breach of security affects fewer than 5,000
customers, the bill requires a provider to notify DATCP within 30 days after learning
about the breach. Under the bill, a provider is required to maintain records for two
years that contain information about the notifications made to customers about a
breach of security.

A broadband Internet access service provider that intentionally violates the bill
is subject to a criminal fine of up to $1,000, or up to three months in jail, or both.
Alternatively, a provider that violates the bill is subject to a civil forfeiture of up to
$50,000 for the first violation, and up to $100,000 for each subsequent violation.
Additionally, under the bill, any person or class of persons that is adversely affected
by a violation by a broadband Internet access service provider can sue the provider
for appropriate relief. The bill also authorizes 1) DATCP; 2) DOJ, after consulting
with DATCP; or 3) any district attorney, upon informing DATCP, to bring an action
to restrain by temporary or permanent injunction any violation of the bill.