Florida Senate - 2018    SB 1854

By Senator Rodriguez

37-00131-18    20181854__

A bill to be entitled

An act relating to broadband service privacy; creating s. 364.0131, F.S.; defining terms; prohibiting Internet service providers from using, disclosing, selling, or permitting external access to certain customer information, except under specified conditions; specifying an effective date for the prohibition; requiring providers to furnish a prior opt-in consent; specifying requirements and disclosures for the consent; prohibiting providers from retaining customer information any longer than necessary; providing exceptions; requiring providers to implement and maintain certain security procedures and practices; specifying that providers may not penalize customers for refusing to provide consent or offer customers discounts for providing consent; prohibiting providers from refusing or failing to disclose customer personal information upon written request from the customer; clarifying that generating, using, disclosing, selling, or permitting access to aggregate customer information is permissible; specifying that providers may use customer information to market communication-related services to the customer under certain conditions; authorizing providers to employ security measures; providing applicability; specifying that customer waivers are void and unenforceable; requiring the Public Service Commission to administer and enforce the act and to impose and collect certain penalties; authorizing the commission to adopt rules; providing effective dates.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 364.0131, Florida Statutes, is created to read:

364.0131 Broadband service privacy.—

(1) As used in this section, the term:

(a) “Aggregate customer information” means collective data that relates to a group or category of customers, from which individual customer identities and characteristics have been removed, and which is not linked or reasonably linkable to any individual person, household, or device. The term does not include individual customer records that have been deidentified.

(b) “Customer” means a current or former subscriber to the broadband service, or an applicant for broadband service.

(c) “Customer personal information” means information collected from or about an individual customer or user of the customer’s subscription which is made available to the Internet service provider by a customer or user of the customer’s subscription solely by virtue of the provider-customer relationship, including:

1. Name and billing information.
2. Government-issued identifiers such as, but not limited to, a social security number, driver license number, military identification, or passport number.
3. Information that could facilitate the physical or electronic contacting of an individual, such as a physical address, e-mail address, phone number, or Internet Protocol (IP) address.
4. Demographic information, such as date of birth, age, gender, race, ethnicity, nationality, religion, or sexual orientation.
5. Financial information.
6. Health information.
7. Information pertaining to a minor child with whom the customer or user has a parental, legal custodianship, permanent guardianship, or foster parent relationship.
8. Geolocation information.
9. Information relating to individual customer user behavior, such as Internet browsing history, application usage history, content of communications, and origin and destination IP addresses of all traffic.
10. Device identifiers, such as a media access control (MAC) address or Internet mobile equipment identity (IMEI).
11. Any other information concerning a customer or user of the customer’s subscription which is collected or made available and is maintained in personally identifiable form.

(d) “Deidentified” means the details making it possible to recognize a particular person have been removed from a record, piece of information, or data set.

(e) “Internet service provider” means a person engaged in providing broadband service. This only includes the extent of the person’s business engaged in or supporting the provision of broadband services.

(2) Effective July 1, 2019:

(a) An Internet service provider may not use, disclose, sell, or permit external access to customer personal information, except as provided in this section or other law.

(b) An Internet service provider may use, disclose, sell, or permit access to customer personal information if the customer gives the Internet service provider prior opt-in consent. The customer may revoke this consent at any time. The mechanism provided by the Internet service provider for requesting and revoking consent under this subsection must be clear and conspicuous, not misleading, in the language primarily used to conduct business with the customer, and made available to the customer at no additional cost. The mechanism must also be persistently available on or through the Internet service provider’s Internet website or mobile application if it provides such a site or application for account management purposes. If the Internet service provider does not have an Internet website, it must provide a persistently available mechanism by another means, such as a toll-free telephone number. The customer’s granting, denial, or withdrawal of consent must be given effect promptly and remain in effect until the customer revokes or limits the granting, denial, or withdrawal of consent.

(c) An Internet service provider may not retain a customer’s information for longer than is reasonably necessary to accomplish the purposes for which the information was collected, unless the information is aggregate customer information or is otherwise required by this section or other law.

(d) An Internet service provider must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect customer personal information from unauthorized use, disclosure, access, destruction, or modification.

(3) The request for consent specified in paragraph (2)(b) must disclose to the customer all of the following:

(a) The types of customer personal information for which the Internet service provider is seeking customer approval to use, disclose, sell, or permit external access.

(b) The purposes for which the customer personal information will be used.

(c) The categories of entities to which the Internet service provider intends to disclose, sell, or permit access to the customer personal information.

(4) An Internet service provider may not:

(a) Refuse to serve a customer, or in any way limit or reduce services to a customer, who does not provide consent under paragraph (2)(b).

(b) Charge a customer a penalty, or penalize a customer in any way, or offer a customer a discount or another benefit based on the customer’s decision to provide or not provide consent under paragraph (2)(b).

(c) Refuse or fail to disclose the customer personal information of a customer upon affirmative written request from such customer, to any person designated by such customer.

(5) An Internet service provider may use, disclose, or permit access to customer personal information without customer consent, unless otherwise prohibited by law, only to the extent necessary to achieve the stated purpose in one or more of the following circumstances:

(a) To provide the broadband service from which the information is derived, or business functions necessary for providing that service.

(b) To comply with a legal process or other law, court order, administrative order, or by order of the commission.

(c) To initiate, render, bill for, and collect payment for broadband service.

(d) To protect the rights or property of the Internet service, or to protect customers of those services and other carriers from fraudulent, abusive, or unlawful use of or subscription to those services.

(e) To provide location information concerning the customer as follows:

1. To a public safety answering point, emergency medical service provider, or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the customer’s request for emergency services.
2. To inform the customer’s legal guardian, members of the customer’s family, or a person reasonably believed by the Internet service provider to be a close personal friend of the customer of the customer’s location in an emergency situation that involves the risk of death or life-threatening harm.
3. To providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.

(6) This section does not restrict an Internet service provider from generating an aggregate customer information dataset using customer personal information, or using, disclosing, selling, or permitting access to the aggregate customer information dataset it generated.

(7) Unless otherwise prohibited by law, an Internet service provider may use, disclose, or permit access to customer personal information to advertise or market the provider’s communications-related services to the customer, provided that the customer may opt out of that use, disclosure, or access at any time, and the customer is notified of the right to opt out in a manner that is clear and conspicuous, not misleading, in the language primarily used to conduct business with the consumer, persistently available, and made available to the customer at no additional cost.

(8) An Internet service provider may employ any lawful security measures to comply with the requirements of this section.

(9) The requirements of this section apply to Internet service providers operating within this state when providing broadband service to their customers who are residents of and physically located in this state. Any waiver by the customer of the provisions of this section is against the public policy of this state and shall be void and unenforceable.

(10) The commission shall:

(a) Administer and enforce this section and any rules adopted pursuant to this section.

(b) Impose and collect penalties relating to violations of this section pursuant to s. 364.285.

(c) Adopt rules necessary to implement this section.

Section 2. This act shall take effect July 1, 2018.