Florida Senate - 2018                                    SB 1854
       
       
        
       By Senator Rodriguez
       
       
       
       
       
       37-00131-18                                           20181854__
    1                        A bill to be entitled                      
    2         An act relating to broadband service privacy; creating
    3         s. 364.0131, F.S.; defining terms; prohibiting
    4         Internet service providers from using, disclosing,
    5         selling, or permitting external access to certain
    6         customer information, except under specified
    7         conditions; specifying an effective date for the
    8         prohibition; requiring providers to furnish a prior
    9         opt-in consent; specifying requirements and
   10         disclosures for the consent; prohibiting providers
   11         from retaining customer information any longer than
   12         necessary; providing exceptions; requiring providers
   13         to implement and maintain certain security procedures
   14         and practices; specifying that providers may not
   15         penalize customers for refusing to provide consent or
   16         offer customers discounts for providing consent;
   17         prohibiting providers from refusing or failing to
   18         disclose customer personal information upon written
   19         request from the customer; clarifying that generating,
   20         using, disclosing, selling, or permitting access to
   21         aggregate customer information is permissible;
   22         specifying that providers may use customer information
   23         to market communication-related services to the
   24         customer under certain conditions; authorizing
   25         providers to employ security measures; providing
   26         applicability; specifying that customer waivers are
   27         void and unenforceable; requiring the Public Service
   28         Commission to administer and enforce the act and to
   29         impose and collect certain penalties; authorizing the
   30         commission to adopt rules; providing effective dates.
   31          
   32  Be It Enacted by the Legislature of the State of Florida:
   33  
   34         Section 1. Section 364.0131, Florida Statutes, is created
   35  to read:
   36         364.0131 Broadband service privacy.—
   37         (1)As used in this section, the term:
   38         (a)“Aggregate customer information” means collective data
   39  that relates to a group or category of customers, from which
   40  individual customer identities and characteristics have been
   41  removed, and which is not linked or reasonably linkable to any
   42  individual person, household, or device. The term does not
   43  include individual customer records that have been deidentified.
   44         (b)“Customer” means a current or former subscriber to the
   45  broadband service, or an applicant for broadband service.
   46         (c)“Customer personal information” means information
   47  collected from or about an individual customer or user of the
   48  customer’s subscription which is made available to the Internet
   49  service provider by a customer or user of the customer’s
   50  subscription solely by virtue of the provider-customer
   51  relationship, including:
   52         1.Name and billing information.
   53         2.Government-issued identifiers such as, but not limited
   54  to, a social security number, driver license number, military
   55  identification, or passport number.
   56         3.Information that could facilitate the physical or
   57  electronic contacting of an individual, such as a physical
   58  address, e-mail address, phone number, or Internet Protocol (IP)
   59  address.
   60         4.Demographic information, such as date of birth, age,
   61  gender, race, ethnicity, nationality, religion, or sexual
   62  orientation.
   63         5.Financial information.
   64         6.Health information.
   65         7.Information pertaining to a minor child with whom the
   66  customer or user has a parental, legal custodianship, permanent
   67  guardianship, or foster parent relationship.
   68         8.Geolocation information.
   69         9.Information relating to individual customer user
   70  behavior, such as Internet browsing history, application usage
   71  history, content of communications, and origin and destination
   72  IP addresses of all traffic.
   73         10.Device identifiers, such as a media access control
   74  (MAC) address or Internet mobile equipment identity (IMEI).
   75         11.Any other information concerning a customer or user of
   76  the customer’s subscription which is collected or made available
   77  and is maintained in personally identifiable form.
   78         (d)“Deidentified” means the details making it possible to
   79  recognize a particular person have been removed from a record,
   80  piece of information, or data set.
   81         (e)“Internet service provider” means a person engaged in
   82  providing broadband service. This only includes the extent of
   83  the person’s business engaged in or supporting the provision of
   84  broadband services.
   85         (2)Effective July 1, 2019:
   86         (a)An Internet service provider may not use, disclose,
   87  sell, or permit external access to customer personal
   88  information, except as provided in this section or other law.
   89         (b)An Internet service provider may use, disclose, sell,
   90  or permit access to customer personal information if the
   91  customer gives the Internet service provider prior opt-in
   92  consent. The customer may revoke this consent at any time. The
   93  mechanism provided by the Internet service provider for
   94  requesting and revoking consent under this subsection must be
   95  clear and conspicuous, not misleading, in the language primarily
   96  used to conduct business with the customer, and made available
   97  to the customer at no additional cost. The mechanism must also
   98  be persistently available on or through the Internet service
   99  provider’s Internet website or mobile application if it provides
  100  such a site or application for account management purposes. If
  101  the Internet service provider does not have an Internet website,
  102  it must provide a persistently available mechanism by another
  103  means, such as a toll-free telephone number. The customer’s
  104  granting, denial, or withdrawal of consent must be given effect
  105  promptly and remain in effect until the customer revokes or
  106  limits the granting, denial, or withdrawal of consent.
  107         (c)An Internet service provider may not retain a
  108  customer’s information for longer than is reasonably necessary
  109  to accomplish the purposes for which the information was
  110  collected, unless the information is aggregate customer
  111  information or is otherwise required by this section or other
  112  law.
  113         (d)An Internet service provider must implement and
  114  maintain reasonable security procedures and practices
  115  appropriate to the nature of the information to protect customer
  116  personal information from unauthorized use, disclosure, access,
  117  destruction, or modification.
  118         (3)The request for consent specified in paragraph (2)(b)
  119  must disclose to the customer all of the following:
  120         (a)The types of customer personal information for which
  121  the Internet service provider is seeking customer approval to
  122  use, disclose, sell, or permit external access.
  123         (b)The purposes for which the customer personal
  124  information will be used.
  125         (c)The categories of entities to which the Internet
  126  service provider intends to disclose, sell, or permit access to
  127  the customer personal information.
  128         (4)An Internet service provider may not:
  129         (a)Refuse to serve a customer, or in any way limit or
  130  reduce services to a customer, who does not provide consent
  131  under paragraph (2)(b).
  132         (b)Charge a customer a penalty, or penalize a customer in
  133  any way, or offer a customer a discount or another benefit based
  134  on the customer’s decision to provide or not provide consent
  135  under paragraph (2)(b).
  136         (c)Refuse or fail to disclose the customer personal
  137  information of a customer upon affirmative written request from
  138  such customer, to any person designated by such customer.
  139         (5)An Internet service provider may use, disclose, or
  140  permit access to customer personal information without customer
  141  consent, unless otherwise prohibited by law, only to the extent
  142  necessary to achieve the stated purpose in one or more of the
  143  following circumstances:
  144         (a)To provide the broadband service from which the
  145  information is derived, or business functions necessary for
  146  providing that service.
  147         (b)To comply with a legal process or other law, court
  148  order, administrative order, or by order of the commission.
  149         (c)To initiate, render, bill for, and collect payment for
  150  broadband service.
  151         (d)To protect the rights or property of the Internet
  152  service, or to protect customers of those services and other
  153  carriers from fraudulent, abusive, or unlawful use of or
  154  subscription to those services.
  155         (e)To provide location information concerning the customer
  156  as follows:
  157         1.To a public safety answering point, emergency medical
  158  service provider, or emergency dispatch provider, public safety,
  159  fire service, or law enforcement official, or hospital emergency
  160  or trauma care facility, in order to respond to the customer’s
  161  request for emergency services.
  162         2.To inform the customer’s legal guardian, members of the
  163  customer’s family, or a person reasonably believed by the
  164  Internet service provider to be a close personal friend of the
  165  customer of the customer’s location in an emergency situation
  166  that involves the risk of death or life-threatening harm.
  167         3.To providers of information or database management
  168  services solely for purposes of assisting in the delivery of
  169  emergency services in response to an emergency.
  170         (6)This section does not restrict an Internet service
  171  provider from generating an aggregate customer information
  172  dataset using customer personal information, or using,
  173  disclosing, selling, or permitting access to the aggregate
  174  customer information dataset it generated.
  175         (7)Unless otherwise prohibited by law, an Internet service
  176  provider may use, disclose, or permit access to customer
  177  personal information to advertise or market the provider’s
  178  communications-related services to the customer, provided that
  179  the customer may opt out of that use, disclosure, or access at
  180  any time, and the customer is notified of the right to opt out
  181  in a manner that is clear and conspicuous, not misleading, in
  182  the language primarily used to conduct business with the
  183  consumer, persistently available, and made available to the
  184  customer at no additional cost.
  185         (8)An Internet service provider may employ any lawful
  186  security measures to comply with the requirements of this
  187  section.
  188         (9)The requirements of this section apply to Internet
  189  service providers operating within this state when providing
  190  broadband service to their customers who are residents of and
  191  physically located in this state. Any waiver by the customer of
  192  the provisions of this section is against the public policy of
  193  this state and shall be void and unenforceable.
  194         (10)The commission shall:
  195         (a)Administer and enforce this section and any rules
  196  adopted pursuant to this section.
  197         (b)Impose and collect penalties relating to violations of
  198  this section pursuant to s. 364.285.
  199         (c)Adopt rules necessary to implement this section.
  200         Section 2. This act shall take effect July 1, 2018.