SECTION 1. Section 1 of chapter 93H of the General Laws, as appearing in the 2014 Official Edition, is hereby amended by inserting after the definition of “Breach of security” the following 3 definitions:-
“Broadband internet access service” or “BIAS”, a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service; provided, that “broadband internet access service” shall also include any service that the Federal Communications Commission finds to be providing a functional equivalent of the service described in this definition.
“Customer”, a current or former subscriber to an internet service in the commonwealth or an applicant for an internet service in the commonwealth.
“Customer’s proprietary information”, the customer’s information which is protected under this chapter, including the following 3 types of information collected by telecommunications carriers through the provision of broadband or other telecommunications services that are not mutually exclusive: (i) individually identifiable customer proprietary network information, CPNI, as defined in 47 U.S.C. 222 (h)(1), including, but not limited to, website browsing history and application usage; (ii) personally identifiable information, PII; and (iii) content of communications.
SECTION 2. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Encrypted” the following definition:-
“Internet service provider” or “BIAS provider”, a person who provides BIAS to customers in the commonwealth.
SECTION 3. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Notice” the following definition:-
“Opt-in approval”, a method for obtaining customer consent to collect, use, disclose or permit third-party access to customer proprietary information; provided, however, that the approval method shall require that the internet service provider obtain from the customer affirmative, expressed consent allowing the requested collection, usage, disclosure or access to the customer’s proprietary information after the customer is provided appropriate notification of the internet service provider’s request as required by this chapter.
SECTION 4. Said chapter 93H is hereby further amended by inserting after section 6 the following 3 sections:-
Section 7. (a) An internet service provider shall be subject to all the data security regulations and data breach reporting requirements of this chapter.
(b) An internet service provider may not collect, use, disclose or permit third-party access to a customer’s proprietary information except as described in subsection (c) or with the opt-in approval of a customer under subsection (d).
(c) An internet service provider may collect, use, disclose or permit third-party access to a customer’s proprietary information without customer approval for the following purposes: (i) to provide internet service from which such information is derived or to provide services necessary to or used in the provision of such internet service; (ii) to initiate, render, bill or collect payment for internet service; (iii) to protect the rights or property of the internet service provider or to protect users of the internet service and other internet service providers from fraudulent, abusive or unlawful use of the service; (iv) to provide any inbound marketing, referral or administrative services to the customer for the duration of a real-time interaction, if such interaction was initiated by the customer; (v) to provide location information or other customer proprietary information to: (1) a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, law enforcement official or hospital emergency or trauma care facility, in order to respond to the customer’s request for emergency services; or (2) providers of information or database management services solely to assist in the delivery of emergency services in response to an emergency; or (vi) as otherwise required or authorized by law.
(d) Except as otherwise provided in this section, an internet service provider shall obtain opt-in approval from a customer to: (i) collect, use, disclose or permit third-party access to a customer’s proprietary information for any purpose not authorized under subsection (c); or (ii) when making a material, retroactive change that would result in a use, disclosure or permission of third-party access to the customer’s proprietary information previously collected by the internet service provider for which the customer did not previously grant approval for such use, disclosure or permission of access.
(e) An internet service provider shall, at a minimum, solicit customer opt-in approval pursuant to subsection (d), as applicable, at the point of sale and when making a material change to a privacy policy. The request for customer approval shall be clear and conspicuous and shall not be misleading. The request for customer approval shall disclose: (i) the type of proprietary information that the internet service provider is seeking customer approval to collect, use, disclose or permit third-party access to; (ii) the purpose for which the customer’s proprietary information will be used; and (iii) the type of entity that the internet service provider intends to disclose or grant access to the customer’s proprietary information. The request for customer approval shall be translated into a language other than English if the internet service provider transacts business with the customer in that other language.
(f) An internet service provider shall make available a simple, easy-to-use mechanism for customers to grant, deny or withdraw opt-in approval at any time. The mechanism to grant, deny or withdraw opt-in approval shall be clear and conspicuous, and shall not be misleading and shall be made available at no additional cost to the customer. Such mechanism shall be available at all times (i) on or through the internet service provider’s website, (ii) in the internet service provider’s application, if it provides an application for account management purposes, and (iii) any functional equivalent to the internet service provider’s homepage or application. If an internet service provider does not have a website, the internet service provider shall provide a mechanism by another means that is available at all times including, but not limited to, a toll-free telephone number. The customer’s grant, denial or withdrawal of approval shall take effect immediately and remain in effect until the customer revokes or limits such grant, denial or withdrawal of approval.
(g) An internet service provider shall not add a surcharge for service to customers that do not provide opt-in approval and shall not refuse to provide services to a customer on the grounds that the customer refused to give opt-in approval. An internet service provider shall not offer a financial incentive in exchange for a customer’s opt-in approval.
(h) An internet service provider shall provide a customer with an itemized list of all of the proprietary information associated with that customer’s account within 30 days of a written and signed request by the customer.
Section 8. A customer may bring an action pursuant to section 9 of chapter 93A against an internet service provider to remedy violations of this chapter and for other relief that may be appropriate. An internet service provider shall not require binding arbitration of disputes that arise under this chapter.
Section 9. Notwithstanding section 6A of chapter 25C, the department of telecommunications and cable shall have the authority to promulgate regulations to effectuate this chapter.
SECTION 5. This act shall apply to all existing customers of an internet service provider as well as future customers. This act shall apply to all customer proprietary information that has already been collected by an internet service provider. An internet service provider shall seek opt-in approval from existing customers for purposes other than those authorized under subsection (c) of section 7 of chapter 93H of the General Laws not later than 30 days after the effective date of this act.