Chapter 93 of the General Laws is hereby amended by adding the following section:-
Section 115. (a) As used in this section, the following words shall, unless the context clearly requires otherwise, have the following meanings:-
“Customer”, a current or former subscriber to an internet service in the commonwealth or an applicant for an internet service in the commonwealth.
“Opt-in approval”, the method for obtaining customer consent to collect, use, disclose, or permit access to sensitive customer proprietary information. This approval method requires that the provider obtain from the customer affirmative, express consent allowing the requested collection, usage, disclosure, or access to the sensitive customer proprietary information after the customer is provided appropriate notification of the provider’s request.
“Sensitive customer proprietary information”, financial information, health information, information pertaining to children, Social Security numbers, precise geo-location information, content of communications, call detail information, and web browsing history, application usage history, and the functional equivalents of either.
(b) An internet service provider may not collect, use, disclose, or permit access to sensitive customer proprietary information except as described in subsection (c) or with the opt-in approval of a customer as described in subsection (d).
(c) An internet service provider may collect, use, disclose, or permit access to sensitive customer proprietary information without customer approval for the following purposes: (1) in its provision of the internet service from which such information is derived, or in its provision of services necessary to, or used in, the provision of such service; (2) to initiate, render, bill, and collect for internet service; (3) to protect the rights or property of the internet service provider, or to protect users of the internet service and other providers from fraudulent, abusive, or unlawful use of the service; (4) to provide any inbound marketing, referral, or administrative services to the customer for the duration of a real-time interaction, if such interaction was initiated by the customer; (5) to provide location information or other customer proprietary information to: (i) a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user’s request for emergency services; (ii) inform the user’s legal guardian or members of the user’s immediate family of the user’s location in an emergency situation that involves the risk of death or serious physical harm; or (iii) providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency; or (6) as otherwise required or authorized by law.
(d) Except as otherwise provided in this section, an internet service provider shall obtain opt-in approval from a customer to: (1) collect, use, disclose, or permit access to any of the customer’s sensitive customer proprietary information; or (2) make any material retroactive change that would result in a use, disclosure, or permission of access to any of the customer’s proprietary information previously collected by the provider for which the customer did not previously grant approval.
(e) An internet service provider shall, at a minimum, solicit customer approval pursuant to subsection (d), as applicable, at the point of sale and when making 1 or more material changes to privacy policies. The solicitation of customer approval must be clear and conspicuous, and in language that is comprehensible and not misleading. The solicitation must disclose: (i) the types of sensitive customer proprietary information for which the provider is seeking customer approval to collect, use, disclose, or permit access to; (ii) the purposes for which such sensitive customer proprietary information will be used; and (iii) the categories of entities to which the provider intends to disclose or permit access to such sensitive customer proprietary information. The solicitation of customer approval must be completely translated into a language other than English if the internet service provider transacts business with the customer in that language.
(f) An internet service provider shall make available a simple, easy-to-use mechanism for customers to grant, deny, or withdraw opt-in approval at any time. The mechanism must be clear and conspicuous, in language that is comprehensible and not misleading, and made available at no additional cost to the customer. The mechanism must be persistently available on or through the provider’s website; the provider’s application, if it provides an application for account management purposes; and any functional equivalent to the provider’s homepage or application. If a provider does not have a website, the provider shall provide a persistently available mechanism by another means, including, but not limited to, a toll-free telephone number. The customer’s grant, denial, or withdrawal of approval must be given effect promptly and remain in effect until the customer revokes or limits such grant, denial, or withdrawal of approval.