Amendment ID: S2455-11
Amendment 11
Net Neutrality and ISP Privacy
Ms. Creem moves to amend the amendment by inserting the following new sections:-
SECTION X: Section 11E of chapter 12, as appearing in the 2016 Official Edition, is hereby amended by inserting in the second sentence, in line 7, after the words “transmission company,” the following words:- “internet service provider,”
SECTION X: Section 6A of said chapter 25C, as so appearing, is hereby amended by inserting in paragraph (e) the following words:-
(1) The department shall review any interconnection agreement for IP enabled service adopted by negotiation or arbitration which effects Massachusetts customers pursuant to 47 U.S.C. \s 252(e)(2). The department shall not approve of any agreement which does not contain a contract term prohibiting each party from:
(i) Blocking lawful content, applications, services, or nonharmful devices, subject to reasonable network management;
(ii) Impairing or degrading lawful internet traffic, subject to reasonable network management; or
(iii) Engaging in paid prioritization.
(2) IP enabled service providers who are engaged in a contract negotiation regarding interconnection must disclose to the department if that negotiation has resulted in degraded service to customers in Massachusetts for more than a 24 hour period. The department shall attempt to mediate or arbitrate the dispute to avoid harm to customers. If the dispute cannot be resolved by voluntary means within 30 days, the department shall publish on its website a notice regarding the scope of the dispute and its effect on consumers in Massachusetts. Any IP enabled service providers involved in the dispute must also notify, in writing, all affected customers about the cause of the degradation of the service if the dispute cannot be resolved within 30 days from the date the degradation notice was filed with the department.
(3) Nothing in this section shall affect the authority of the attorney general to bring an action pursuant to chapter 93 or chapter 93A against a person or otherwise to remedy violations of those chapters and for other relief that may be appropriate.
SECTION X: Section 8 of said chapter 25C, as so appearing, is hereby amended by inserting after the paragraph (b) the following paragraph:-
(c) The department shall review any interconnection agreement for wireless service adopted by negotiation or arbitration which effects Massachusetts customers pursuant to 47 U.S.C. \s 252(e)(2). The department shall not approve of any agreement which does not contain a contract term prohibiting each party from:
(1) Blocking lawful content, applications, services, or nonharmful devices, subject to reasonable network management;
(2) Impairing or degrading lawful internet traffic, subject to reasonable network management; or
(3) Engaging in paid prioritization.
(d) Wireless service providers who are engaged in a contract negotiation regarding interconnection must disclose to the department if that negotiation has resulted in degraded service to customers in Massachusetts for more than a 24 hour period. The department shall attempt to mediate or arbitrate the dispute to avoid harm to customers. If the dispute cannot be resolved by voluntary means within 30 days, the department shall publish on its website a notice regarding the scope of the dispute and its effect on consumers in Massachusetts. Any wireless service provider involved in the dispute must also notify, in writing, all affected customers about the cause of the degradation of the service if the dispute cannot be resolved within 30 days from the date the degradation notice was filed with the department.
(e) Nothing in this section shall affect the authority of the attorney general to bring an action pursuant to chapter 93 or chapter 93A against a person or otherwise to remedy violations of those chapters and for other relief that may be appropriate.
SECTION X: Chapter 25C of the General Laws, as so appearing, is hereby amended by adding the following section:—
Section 9. Protecting consumers from blocking, throttling, or paid prioritization in the provision of internet service
(a) The following words as used in this section shall have the following meanings, unless the context clearly requires otherwise:
"Broadband internet access service" a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service or any service that the federal communications commission finds to be providing a functional equivalent thereof that is used to evade the protections set forth in this section.
"Paid prioritization" the management of a broadband provider's network to favor, either directly or indirectly, certain traffic over other traffic. Paid prioritization may include the use of techniques such as traffic shaping, prioritization, resource reservation, or other forms of preferential traffic management, either:
(1)In exchange for consideration (monetary or otherwise) from a third party; or
(2)to benefit an affiliated entity.
“Reasonable network management" a practice that has a primarily technical congestion control justification, but does not include other business practices. A network management practice is reasonable if it is primarily used for and tailored to achieving a legitimate network management purpose, taking into account the particular network architecture and technology of the broadband internet access service and is only employed in the event of limited capacity in the network. The department shall have the authority to promulgate regulations further defining “reasonable network management” that promote the public interest and equitable access to the internet for each user.
(b) A person or entity engaged in the provision of broadband internet access service in Commonwealth shall not:
(1) Block lawful content, applications, services, or nonharmful devices, subject to reasonable network management;
(2) Impair or degrade lawful internet traffic, subject to reasonable network management; or
(3) Engage in paid prioritization.
(c) The Department of Telecommunications and Cable may waive the prohibition on paid prioritization in subsection (b)(3) of this section only if the petitioner demonstrates that the practice would serve a legitimate and significant public interest and would not harm the open nature of the internet in the Commonwealth.
(d) The attorney general may enforce compliance with this section in accordance with sections 4 to 8, inclusive, of chapter 93A.
SECTION X: Chapter 25C of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by adding the following section:—
Section 10: Massachusetts Internet Service Provider Registry
(a) The following words as used in this chapter shall have the following meanings, unless the context clearly requires otherwise:
“Broadband internet access service” or “BIAS”, a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the service, but excluding dial-up internet access service.
“Internet service provider” or “BIAS provider”, a person who provides BIAS to customers in the commonwealth.
(b) There is established in the department the "Massachusetts Internet Service Provider Registry" for the purpose of making internet service quality and network management practices readily available to customers within the commonwealth.
(c) The department shall promulgate regulations that require all internet service providers to affirmatively disclose the following network management information to the department:
(i) Blocking. Any practice, other than reasonable network management elsewhere disclosed, that blocks or otherwise prevents end user access to lawful content, applications, service, or non-harmful devices, including a description of what is blocked.
(ii) Throttling. Any practice, other than reasonable network management elsewhere disclosed, that degrades or impairs access to lawful Internet traffic, including a description of what is throttled.
(iii) Affiliated Prioritization. Any practice that directly or indirectly favors some traffic over other traffic, including through use of techniques such as traffic shaping, prioritization, or resource reservation, to benefit an affiliate, including identification of the affiliate.
(iv) Paid Prioritization. Any practice that directly or indirectly favors some traffic over other traffic, including through use of techniques such as traffic shaping, prioritization, or resource reservation, in exchange for consideration, monetary or otherwise.
(v) Congestion Management. Descriptions of congestion management practices, if any. These descriptions should include the types of traffic subject to the practices; the purposes served by the practices; the practices’ effects on end users’ experience; criteria used in practices, such as indicators of congestion that trigger a practice, including any usage limits triggering the practice, and the typical frequency of congestion; usage limits and the consequences of exceeding them; and references to engineering standards, where appropriate.
(vi) Application-Specific Behavior. Whether and why the ISP blocks or rate-controls specific protocols or protocol ports, modifies protocol fields in ways not prescribed by the protocol standard, or otherwise inhibits or favors certain applications or classes of applications.
(d) The department shall conduct regular verification tests, on its own or through a third-party, to determine the accuracy of the disclosures made by each internet service provider under subsection (c).
(e) The department shall compile the information disclosed by all of the internet service providers within the commonwealth pursuant to this section and from the department's own verification tests, conducted pursuant to this section, into an "Internet Service Provider Registry." The department shall organize the registry in a format that is conducive to review and comparison by customers and prospective customers of internet service.
(f) The department shall establish minimum standards for a “Massachusetts Net Neutrality Seal” which will set an expectation of equal access to an open and neutral internet. The department shall publicly disclose the criteria by which it will measure the network management practices of each internet service provider. The department shall determine whether each internet service provider complies with the criteria set forth by the department. If an internet service provider is voluntarily in compliance with the department’s standards for net neutrality, the internet service provider may display the “Massachusetts Net Neutrality Seal” on its marketing materials. Use of the “Massachusetts Net Neutrality Seal,” while not in compliance with the standards set forth by the department, shall be a deceptive practice under chapter 93A.
(g) The department shall develop regulations to rank all internet service providers on the quality of their net neutrality practices based on the disclosures and verification tests in this section. The department will score each internet service provider against its criteria to determine a net neutrality score for each internet service provider.
(h) The department shall make available electronically on its internet website in English and Spanish the information contained in the registry, including net neutrality scores in one comparison chart for fixed line internet service providers and one comparison chart for wireless internet service providers, and shall provide the information to customers and prospective customers upon request by means of a toll-free telephone service operated by the department.
(i) Each internet service provider that conducts business in the commonwealth must display its net neutrality score to all customers at the point of sale. The internet service provider must also provide the website and phone number for the "Massachusetts Internet Service Provider Registry" for consumers to learn more about what the score means. Each internet service provider that conducts business in the commonwealth shall also disclose its net neutrality score to all customers in the commonwealth upon entering into an agreement for service and annually thereafter. Failure to disclose a net neutrality score as required by this section shall be a deceptive practice under chapter 93A.
SECTION X: Chapter 25C of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by adding the following section:—
Section 11: (a) Notwithstanding any provision of chapter 25C or any other general or special law to the contrary, the department shall have jurisdiction, general supervision, regulation and control over an internet service provider’s compliance with section 10.
(b) Any internet service provider who fails to comply with any requirement of section 10 of this chapter may be fined not more than one thousand dollars per violation, per day, by the department.
(c) The department shall have the right to institute, or to intervene as a party in, any action in any court of competent jurisdiction seeking injunctive or other relief to compel compliance with any provision of section 10 or any rule, regulation or order adopted thereunder, or to restrain or otherwise prevent or prohibit any illegal or unauthorized conduct in connection therewith.
(d) The department or its employees may visit the places of business and other premises and examine the records and facilities of all internet service providers to ascertain if all rules and regulations and orders of the department have been complied with. The department shall also have the power to issue subpoenas to compel the attendance of witnesses and the production of documents, papers, books, records, and other evidence before it in any matter over which it has jurisdiction, control or supervision. The department shall have the power to administer oaths and affirmations to persons whose testimony is required.
(e) Subject to section 4 of chapter 25C, the commissioner of the department shall have all the powers and duties under this chapter including, but not limited to: presiding at hearings; maintaining or intervening in an action; hearing appeals and issuing enforcement orders; enforcement powers; and all other authority to carry out the duties and responsibilities of section 10.
(g) Nothing in this section shall be construed to affect or modify the authority of the attorney general to apply and enforce chapter 93A and other consumer protection laws of general applicability.
SECTION X: Chapter 30B of the General Laws is hereby amended by inserting after section 23 the following section:-
Section 24: Net Neutrality and Internet Service Providers Entering into State Contracts
a) A person that submits a bid or proposal to, or otherwise proposes to enter into or renew, a contract with a governmental body with respect to the provision of internet service shall provide the contracting authority with copies of all disclosures required in Section10 of chapter 25C.
b) A governmental body shall consult with the Department of Telecommunication and Cable about the network management practices of each internet service provider under consideration for the award of a contract. The internet service provider’s network management practices shall be a factor in the government body’s decision about awarding the broadband internet service contract. Preference shall be given to internet service providers who are compliant with the Department’s standards for the “Massachusetts Net Neutrality Seal.”
SECTION X. Section 1 of chapter 93H of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by inserting after the definition of “Breach of security” the following 3 definitions:-
“Broadband internet access service” or “BIAS”, a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the service, but excluding dial-up internet access service.
“Customer”, a current or former subscriber to an internet service in the commonwealth or an applicant for an internet service in the commonwealth.
“Customer’s proprietary information”, includes—
(A) financial information;
(B) health information;
(C) information pertaining to children;
(D) Social Security numbers;
(E) precise geolocation information;
(F) driver's license number or state-issued identification card number;
(G) content of communications;
(H) web browsing history, application usage history, and the functional equivalents of either; and
(I) any information, including metadata and de-identified data, that is linked, or reasonably may be linked, to a specific individual or device.
SECTION X. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Encrypted” the following definition:-
“Internet service provider” or “BIAS provider”, a person who provides BIAS to customers in the commonwealth.
SECTION X. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Notice” the following definition:-
“Opt-in approval”, a method by which an internet service provider may obtain from a customer affirmative, express consent to collect, use, disclose, or permit access to the customer proprietary information of the customer after the customer has received explicit notification of the request of the internet service provider with respect to that information.
SECTION X. Said chapter 93H is hereby further amended by inserting after section 6 the following 3 sections:-
Section 7. (a) Customer proprietary information in the possession of an internet service provider shall be subject to the data breach requirements of sections 1 through 6 of this chapter.
(b) An internet service provider may not collect, use, disclose or permit third-party access to a customer’s proprietary information except as described in subsection (c) or with the opt-in approval of a customer under subsection (d).
(c) An internet service provider may collect, use, disclose or permit third-party access to a customer’s proprietary information without customer approval for the following purposes: (i) to provide internet service from which such information is derived or to provide services necessary to or used in the provision of such internet service; (ii) to initiate, render, bill or collect payment for internet service; (iii) to protect the rights or property of the internet service provider or to protect users of the internet service and other internet service providers from fraudulent, abusive or unlawful use of the service; (iv) to provide any inbound marketing, referral or administrative services to the customer for the duration of a real-time interaction, if such interaction was initiated by the customer; (v) to provide first-party marketing to customers about improved service offerings within the scope of service to which they already subscribe; (vi) to provide location information or other customer proprietary information to: (1) a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, law enforcement official or hospital emergency or trauma care facility, in order to respond to the customer’s request for emergency services; or (2) providers of information or database management services solely to assist in the delivery of emergency services in response to an emergency; or (vi) as otherwise required or authorized by law.
(d) Except as otherwise provided in this section, an internet service provider shall obtain opt-in approval from a customer to: (i) collect, use, disclose or permit third-party access to a customer’s proprietary information for any purpose not authorized under subsection (c); or (ii) when making a material, retroactive change that would result in a use, disclosure or permission of third-party access to the customer’s proprietary information previously collected by the internet service provider for which the customer did not previously grant approval for such use, disclosure or permission of access.
(e) An internet service provider shall, solicit customer opt-in approval pursuant to subsection (d), as applicable, at the point of sale and when making a material change to a privacy policy. The request for customer approval shall be clear and conspicuous and shall not be misleading. The request for customer approval shall disclose: (i) the type of proprietary information that the internet service provider is seeking customer approval to collect, use, disclose or permit third-party access to; (ii) the purpose for which the customer’s proprietary information will be used; and (iii) the type of entity that the internet service provider intends to disclose or grant access to the customer’s proprietary information. The request for customer approval shall be translated into a language other than English if the internet service provider transacts business with the customer in that other language.
(f) An internet service provider shall make available a simple, easy-to-use mechanism for customers to grant, deny or withdraw opt-in approval at any time. The mechanism to grant, deny or withdraw opt-in approval shall be clear and conspicuous, and shall not be misleading and shall be made available at no additional cost to the customer. Such mechanism shall be available at all times (i) on or through the internet service provider’s website, (ii) in the internet service provider’s application, if it provides an application for account management purposes, and (iii) any functional equivalent to the internet service provider’s homepage or application. If an internet service provider does not have a website, the internet service provider shall provide a mechanism by another means that is available at all times including, but not limited to, a toll-free telephone number. The customer’s grant, denial or withdrawal of approval shall take effect immediately and remain in effect until the customer revokes or limits such grant, denial or withdrawal of approval.
(g) An internet service provider shall not add a surcharge for service to customers that do not provide opt-in approval and shall not refuse to provide services to a customer on the grounds that the customer refused to give opt-in approval. An internet service provider shall not offer any incentive in exchange for a customer’s opt-in approval.
(h) The customer shall have the right to obtain from the internet service provider confirmation as to whether or not the customer’s proprietary information is being collected, used, or disclosed to third-parties, and, where that is the case, access to the customer’s proprietary information and the following information:
(i) the purposes for which the customer’s proprietary information is being collected, used, or disclosed to third-parties;
(ii) the categories of customer’s proprietary information concerned;
(iii) the recipients or categories of recipient to whom the customer’s proprietary information have been or will be disclosed, in particular recipients in third countries or international organizations;
(iv) where possible, the envisaged period for which the customer’s proprietary information will be stored, or, if not possible, the criteria used to determine that period;
(v) the existence of the right to request from the internet service provider rectification or erasure of the customer’s proprietary information;
(vi) the right to lodge a complaint with the department of telecommunications and cable;
The internet service provider shall provide a copy of the customer’s proprietary information collected, used, or disclosed to third-parties. Where the customer makes the request by electronic means, and unless otherwise requested by the customer, the customer’s proprietary information shall be provided in a commonly used electronic form.
Section 8. Notwithstanding sections 6A and section 8 of chapter 25C, the department of telecommunications and cable shall have the authority to promulgate regulations and enforce section 7 of this chapter under its powers to monitor and enforce the "Massachusetts Internet Service Provider Registry" under Section 11 of Chapter 25C.
Section 9. Civil Liability
(a) Statutory Damages. Any person who negligently or willfully fails to comply with any requirement imposed under this chapter shall be liable to any person whose personal information or customer proprietary information was involved in such violation for the following statutory damages: $1000 per person, per violation or actual damages, whichever is greater. These statutory damages shall be indexed to inflation starting in the year that this act is enacted.
(b) Punitive Damages. Any person who willfully fails to comply with any requirement imposed under this chapter shall be liable to any person whose personal information or customer proprietary information was involved in such violation for such punitive damages as the court may allow. Any calculation of punitive damages shall take into account the size of the defendant’s business and its annual profits.
(c) Attorney’s Fees. In the case of any successful action to enforce any liability under this section, the plaintiff shall be entitled to the costs of the action together with reasonable attorney’s fees as determined by the court.
(d) Nothing in this section shall affect the authority of the attorney general to bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.
Section 10. An internet service provider shall not require binding arbitration of disputes that arise under this chapter.
SECTION X: The first sentence of section 47E of chapter 164 of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by inserting, in line 6, after the word “system” the following words:-
“, including, but not limited to, internet access including wireless internet access,”
SECTION X: The department shall promulgate regulations to effectuate Sections 5 and 6 of this act with 60 days of the effective date of this act. The department shall begin enforcement of such regulations on January 1, 2019.
SECTION X: Internet service providers shall seek opt-in approval from existing customers under Section 11 of this act not later than 30 days after the effective date of this act.