Florida Senate - 2018 SB 1854
By Senator Rodriguez
37-00131-18 20181854__
1 A bill to be entitled
2 An act relating to broadband service privacy; creating
3 s. 364.0131, F.S.; defining terms; prohibiting
4 Internet service providers from using, disclosing,
5 selling, or permitting external access to certain
6 customer information, except under specified
7 conditions; specifying an effective date for the
8 prohibition; requiring providers to furnish a prior
9 opt-in consent; specifying requirements and
10 disclosures for the consent; prohibiting providers
11 from retaining customer information any longer than
12 necessary; providing exceptions; requiring providers
13 to implement and maintain certain security procedures
14 and practices; specifying that providers may not
15 penalize customers for refusing to provide consent or
16 offer customers discounts for providing consent;
17 prohibiting providers from refusing or failing to
18 disclose customer personal information upon written
19 request from the customer; clarifying that generating,
20 using, disclosing, selling, or permitting access to
21 aggregate customer information is permissible;
22 specifying that providers may use customer information
23 to market communication-related services to the
24 customer under certain conditions; authorizing
25 providers to employ security measures; providing
26 applicability; specifying that customer waivers are
27 void and unenforceable; requiring the Public Service
28 Commission to administer and enforce the act and to
29 impose and collect certain penalties; authorizing the
30 commission to adopt rules; providing effective dates.
31
32 Be It Enacted by the Legislature of the State of Florida:
33
34 Section 1. Section 364.0131, Florida Statutes, is created
35 to read:
36 364.0131 Broadband service privacy.—
37 (1) As used in this section, the term:
38 (a) “Aggregate customer information” means collective data
39 that relates to a group or category of customers, from which
40 individual customer identities and characteristics have been
41 removed, and which is not linked or reasonably linkable to any
42 individual person, household, or device. The term does not
43 include individual customer records that have been deidentified.
44 (b) “Customer” means a current or former subscriber to the
45 broadband service, or an applicant for broadband service.
46 (c) “Customer personal information” means information
47 collected from or about an individual customer or user of the
48 customer’s subscription which is made available to the Internet
49 service provider by a customer or user of the customer’s
50 subscription solely by virtue of the provider-customer
51 relationship, including:
52 1. Name and billing information.
53 2. Government-issued identifiers such as, but not limited
54 to, a social security number, driver license number, military
55 identification, or passport number.
56 3. Information that could facilitate the physical or
57 electronic contacting of an individual, such as a physical
58 address, e-mail address, phone number, or Internet Protocol (IP)
59 address.
60 4. Demographic information, such as date of birth, age,
61 gender, race, ethnicity, nationality, religion, or sexual
62 orientation.
63 5. Financial information.
64 6. Health information.
65 7. Information pertaining to a minor child with whom the
66 customer or user has a parental, legal custodianship, permanent
67 guardianship, or foster parent relationship.
68 8. Geolocation information.
69 9. Information relating to individual customer user
70 behavior, such as Internet browsing history, application usage
71 history, content of communications, and origin and destination
72 IP addresses of all traffic.
73 10. Device identifiers, such as a media access control
74 (MAC) address or Internet mobile equipment identity (IMEI).
75 11. Any other information concerning a customer or user of
76 the customer’s subscription which is collected or made available
77 and is maintained in personally identifiable form.
78 (d) “Deidentified” means the details making it possible to
79 recognize a particular person have been removed from a record,
80 piece of information, or data set.
81 (e) “Internet service provider” means a person engaged in
82 providing broadband service. This only includes the extent of
83 the person’s business engaged in or supporting the provision of
84 broadband services.
85 (2) Effective July 1, 2019:
86 (a) An Internet service provider may not use, disclose,
87 sell, or permit external access to customer personal
88 information, except as provided in this section or other law.
89 (b) An Internet service provider may use, disclose, sell,
90 or permit access to customer personal information if the
91 customer gives the Internet service provider prior opt-in
92 consent. The customer may revoke this consent at any time. The
93 mechanism provided by the Internet service provider for
94 requesting and revoking consent under this subsection must be
95 clear and conspicuous, not misleading, in the language primarily
96 used to conduct business with the customer, and made available
97 to the customer at no additional cost. The mechanism must also
98 be persistently available on or through the Internet service
99 provider’s Internet website or mobile application if it provides
100 such a site or application for account management purposes. If
101 the Internet service provider does not have an Internet website,
102 it must provide a persistently available mechanism by another
103 means, such as a toll-free telephone number. The customer’s
104 granting, denial, or withdrawal of consent must be given effect
105 promptly and remain in effect until the customer revokes or
106 limits the granting, denial, or withdrawal of consent.
107 (c) An Internet service provider may not retain a
108 customer’s information for longer than is reasonably necessary
109 to accomplish the purposes for which the information was
110 collected, unless the information is aggregate customer
111 information or is otherwise required by this section or other
112 law.
113 (d) An Internet service provider must implement and
114 maintain reasonable security procedures and practices
115 appropriate to the nature of the information to protect customer
116 personal information from unauthorized use, disclosure, access,
117 destruction, or modification.
118 (3) The request for consent specified in paragraph (2)(b)
119 must disclose to the customer all of the following:
120 (a) The types of customer personal information for which
121 the Internet service provider is seeking customer approval to
122 use, disclose, sell, or permit external access.
123 (b) The purposes for which the customer personal
124 information will be used.
125 (c) The categories of entities to which the Internet
126 service provider intends to disclose, sell, or permit access to
127 the customer personal information.
128 (4) An Internet service provider may not:
129 (a) Refuse to serve a customer, or in any way limit or
130 reduce services to a customer, who does not provide consent
131 under paragraph (2)(b).
132 (b) Charge a customer a penalty, or penalize a customer in
133 any way, or offer a customer a discount or another benefit based
134 on the customer’s decision to provide or not provide consent
135 under paragraph (2)(b).
136 (c) Refuse or fail to disclose the customer personal
137 information of a customer upon affirmative written request from
138 such customer, to any person designated by such customer.
139 (5) An Internet service provider may use, disclose, or
140 permit access to customer personal information without customer
141 consent, unless otherwise prohibited by law, only to the extent
142 necessary to achieve the stated purpose in one or more of the
143 following circumstances:
144 (a) To provide the broadband service from which the
145 information is derived, or business functions necessary for
146 providing that service.
147 (b) To comply with a legal process or other law, court
148 order, administrative order, or by order of the commission.
149 (c) To initiate, render, bill for, and collect payment for
150 broadband service.
151 (d) To protect the rights or property of the Internet
152 service, or to protect customers of those services and other
153 carriers from fraudulent, abusive, or unlawful use of or
154 subscription to those services.
155 (e) To provide location information concerning the customer
156 as follows:
157 1. To a public safety answering point, emergency medical
158 service provider, or emergency dispatch provider, public safety,
159 fire service, or law enforcement official, or hospital emergency
160 or trauma care facility, in order to respond to the customer’s
161 request for emergency services.
162 2. To inform the customer’s legal guardian, members of the
163 customer’s family, or a person reasonably believed by the
164 Internet service provider to be a close personal friend of the
165 customer of the customer’s location in an emergency situation
166 that involves the risk of death or life-threatening harm.
167 3. To providers of information or database management
168 services solely for purposes of assisting in the delivery of
169 emergency services in response to an emergency.
170 (6) This section does not restrict an Internet service
171 provider from generating an aggregate customer information
172 dataset using customer personal information, or using,
173 disclosing, selling, or permitting access to the aggregate
174 customer information dataset it generated.
175 (7) Unless otherwise prohibited by law, an Internet service
176 provider may use, disclose, or permit access to customer
177 personal information to advertise or market the provider’s
178 communications-related services to the customer, provided that
179 the customer may opt out of that use, disclosure, or access at
180 any time, and the customer is notified of the right to opt out
181 in a manner that is clear and conspicuous, not misleading, in
182 the language primarily used to conduct business with the
183 consumer, persistently available, and made available to the
184 customer at no additional cost.
185 (8) An Internet service provider may employ any lawful
186 security measures to comply with the requirements of this
187 section.
188 (9) The requirements of this section apply to Internet
189 service providers operating within this state when providing
190 broadband service to their customers who are residents of and
191 physically located in this state. Any waiver by the customer of
192 the provisions of this section is against the public policy of
193 this state and shall be void and unenforceable.
194 (10) The commission shall:
195 (a) Administer and enforce this section and any rules
196 adopted pursuant to this section.
197 (b) Impose and collect penalties relating to violations of
198 this section pursuant to s. 364.285.
199 (c) Adopt rules necessary to implement this section.
200 Section 2. This act shall take effect July 1, 2018.