SENATE DOCKET, NO. 2165        FILED ON: 4/14/2017

SENATE No. 2062

 

The Commonwealth of Massachusetts

_________________

PRESENTED BY:

Cynthia Stone Creem

_________________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act relative to internet service providers.

_______________

PETITION OF:

Name:                     District/Address:
Cynthia Stone Creem       First Middlesex and Norfolk
James B. Eldridge         Middlesex and Worcester         4/14/2017
Jennifer E. Benson        37th Middlesex                  4/18/2017
Kay Khan                  11th Middlesex                  4/18/2017
David Paul Linsky         5th Middlesex                   4/18/2017
Harriette L. Chandler     First Worcester                 4/18/2017
Ruth B. Balser            12th Middlesex                  4/18/2017
Steven Ultrino            33rd Middlesex                  4/18/2017
Sal N. DiDomenico         Middlesex and Suffolk           4/18/2017
Patricia D. Jehlen        Second Middlesex                4/20/2017
Eric P. Lesser            First Hampden and Hampshire     4/19/2017
Thomas M. Stanley         9th Middlesex                   4/19/2017
Brian M. Ashe             2nd Hampden                     4/19/2017
William N. Brownsberger   Second Suffolk and Middlesex    4/19/2017
Jay R. Kaufman            15th Middlesex                  4/20/2017
Gailanne M. Cariddi       1st Berkshire                   4/20/2017
Marc R. Pacheco           First Plymouth and Bristol      4/20/2017
Alice Hanlon Peisch       14th Norfolk                    4/21/2017
Walter F. Timilty         Norfolk, Bristol and Plymouth   4/21/2017
Frank I. Smizik           15th Norfolk                    4/25/2017
Eileen M. Donoghue        First Middlesex                 5/24/2017



By Ms. Creem, a petition (accompanied by bill, Senate, No. 2062) (subject to Joint Rule 12) of Cynthia S. Creem, James B. Eldridge, Jennifer E. Benson, Kay Khan and other members of the General Court for legislation relative to internet service providers.  Economic Development and Emerging Technologies.

 

The Commonwealth of Massachusetts

 

_______________

In the One Hundred and Ninetieth General Court
(2017-2018)

_______________

 

An Act relative to internet service providers.

 

Whereas, The deferred operation of this act would tend to defeat its purpose, which is to protect the internet privacy of the residents of the commonwealth, therefore, it is hereby declared to be an emergency law, necessary for the immediate preservation of the public safety.
 

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
 

SECTION 1. Section 1 of chapter 93H of the General Laws, as appearing in the 2014 Official Edition, is hereby amended by inserting after the definition of “Breach of security” the following 3 definitions:-

“Broadband internet access service” or “BIAS”, a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service; provided, that “broadband internet access service” shall also include any service that the Federal Communications Commission finds to be providing a functional equivalent of the service described in this definition.

“Customer”, a current or former subscriber to an internet service in the commonwealth or an applicant for an internet service in the commonwealth.

“Customer’s proprietary information”, the customer’s information which is protected under this chapter, including the following 3 types of information collected by telecommunications carriers through the provision of broadband or other telecommunications services that are not mutually exclusive: (i) individually identifiable customer proprietary network information, CPNI, as defined in 47 U.S.C. 222 (h)(1), including, but not limited to, website browsing history and application usage; (ii) personally identifiable information, PII; and (iii) content of communications.

SECTION 2. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Encrypted” the following definition:-

“Internet service provider” or “BIAS provider”, a person who provides BIAS to customers in the commonwealth.

SECTION 3. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Notice” the following definition:-

“Opt-in approval”, a method for obtaining customer consent to collect, use, disclose or permit third-party access to customer proprietary information; provided, however, that the approval method shall require that the internet service provider obtain from the customer affirmative, expressed consent allowing the requested collection, usage, disclosure or access to the customer’s proprietary information after the customer is provided appropriate notification of the internet service provider’s request as required by this chapter.

SECTION 4. Said chapter 93H is hereby further amended by inserting after section 6 the following 3 sections:-

Section 7. (a) An internet service provider shall be subject to all the data security regulations and data breach reporting requirements of this chapter.

(b) An internet service provider may not collect, use, disclose or permit third-party access to a customer’s proprietary information except as described in subsection (c) or with the opt-in approval of a customer under subsection (d).

(c) An internet service provider may collect, use, disclose or permit third-party access to a customer’s proprietary information without customer approval for the following purposes: (i) to provide internet service from which such information is derived or to provide services necessary to or used in the provision of such internet service; (ii) to initiate, render, bill or collect payment for internet service; (iii) to protect the rights or property of the internet service provider or to protect users of the internet service and other internet service providers from fraudulent, abusive or unlawful use of the service; (iv) to provide any inbound marketing, referral or administrative services to the customer for the duration of a real-time interaction, if such interaction was initiated by the customer; (v) to provide location information or other customer proprietary information to: (1) a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, law enforcement official or hospital emergency or trauma care facility, in order to respond to the customer’s request for emergency services; or (2) providers of information or database management services solely to assist in the delivery of emergency services in response to an emergency; or (vi) as otherwise required or authorized by law.

(d) Except as otherwise provided in this section, an internet service provider shall obtain opt-in approval from a customer to: (i) collect, use, disclose or permit third-party access to a customer’s proprietary information for any purpose not authorized under subsection (c); or (ii) when making a material, retroactive change that would result in a use, disclosure or permission of third-party access to the customer’s proprietary information previously collected by the internet service provider for which the customer did not previously grant approval for such use, disclosure or permission of access.

(e) An internet service provider shall, at a minimum, solicit customer opt-in approval pursuant to subsection (d), as applicable, at the point of sale and when making a material change to a privacy policy. The request for customer approval shall be clear and conspicuous and shall not be misleading. The request for customer approval shall disclose: (i) the type of proprietary information that the internet service provider is seeking customer approval to collect, use, disclose or permit third-party access to; (ii) the purpose for which the customer’s proprietary information will be used; and (iii) the type of entity that the internet service provider intends to disclose or grant access to the customer’s proprietary information. The request for customer approval shall be translated into a language other than English if the internet service provider transacts business with the customer in that other language.

(f) An internet service provider shall make available a simple, easy-to-use mechanism for customers to grant, deny or withdraw opt-in approval at any time. The mechanism to grant, deny or withdraw opt-in approval shall be clear and conspicuous, and shall not be misleading and shall be made available at no additional cost to the customer. Such mechanism shall be available at all times (i) on or through the internet service provider’s website, (ii) in the internet service provider’s application, if it provides an application for account management purposes, and (iii) any functional equivalent to the internet service provider’s homepage or application. If an internet service provider does not have a website, the internet service provider shall provide a mechanism by another means that is available at all times including, but not limited to, a toll-free telephone number. The customer’s grant, denial or withdrawal of approval shall take effect immediately and remain in effect until the customer revokes or limits such grant, denial or withdrawal of approval.

(g) An internet service provider shall not add a surcharge for service to customers that do not provide opt-in approval and shall not refuse to provide services to a customer on the grounds that the customer refused to give opt-in approval. An internet service provider shall not offer a financial incentive in exchange for a customer’s opt-in approval.

(h) An internet service provider shall provide a customer with an itemized list of all of the proprietary information associated with that customer’s account within 30 days of a written and signed request by the customer.

Section 8. A customer may bring an action pursuant to section 9 of chapter 93A against an internet service provider to remedy violations of this chapter and for other relief that may be appropriate. An internet service provider shall not require binding arbitration of disputes that arise under this chapter.

Section 9. Notwithstanding section 6A of chapter 25C, the department of telecommunications and cable shall have the authority to promulgate regulations to effectuate this chapter.

SECTION 5. This act shall apply to all existing customers of an internet service provider as well as future customers. This act shall apply to all customer proprietary information that has already been collected by an internet service provider. An internet service provider shall seek opt-in approval from existing customers for purposes other than those authorized under subsection (c) of section 7 of chapter 93H of the General Laws not later than 30 days after the effective date of this act.