7 LONG TITLE
8 General Description:
9 This bill enacts provisions related to broadband Internet access service.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms;
13 ▸ prohibits a broadband Internet access service provider from using, disclosing,
14 selling, or permitting access to a customer's personal information except under
15 certain circumstances;
16 ▸ places requirements on broadband Internet access service providers related to:
17 • providing notice to customers related to the use of customer personal
18 information; and
19 • maintaining measures to protect customer personal information;
20 ▸ enacts other provisions related to requirements on a broadband Internet access
21 service provider;
22 ▸ requires the state and political subdivisions to purchase broadband Internet access
23 service from a provider that engages in certain conduct related to:
24 • public disclosure of network management practices;
25 • blocking content, applications, or services;
26 • impairing Internet traffic; and
27 • interfering with a user's choice of service or device; and
28 ▸ makes technical and conforming changes.
29 Money Appropriated in this Bill:
30 None
31 Other Special Clauses:
32 None
33 Utah Code Sections Affected:
34 ENACTS:
35 13-54-101, Utah Code Annotated 1953
36 13-54-201, Utah Code Annotated 1953
37 13-54-202, Utah Code Annotated 1953
38 13-54-203, Utah Code Annotated 1953
39 13-54-204, Utah Code Annotated 1953
40 13-54-205, Utah Code Annotated 1953
41 13-54-206, Utah Code Annotated 1953
42 63G-24-101, Utah Code Annotated 1953
43 63G-24-201, Utah Code Annotated 1953
44 63G-24-202, Utah Code Annotated 1953
45
46 Be it enacted by the Legislature of the state of Utah:
47 Section 1. Section 13-54-101 is enacted to read:
48
49
50 13-54-101. Title.
51 This chapter is known as "Internet Service Customer Privacy."
52 Section 2. Section 13-54-201 is enacted to read:
53
54 13-54-201. Definitions.
55 As used in this part:
56 (1) "Aggregate customer personal information dataset" means collective data that
57 relates to a group of customers:
58 (a) from which individual customer identities and characteristics have been removed;
59 and
60 (b) that is not linked or reasonably linkable to a specific individual, household, or
61 device.
62 (2) (a) "Broadband Internet access service" or "broadband service" means:
63 (i) a mass market retail service by wire or radio that provides the capability to transmit
64 data to and receive data from all or substantially all Internet endpoints; or
65 (ii) a capability that is incidental to and enables the operation of a mass market retail
66 service described in Subsection (2)(a)(i).
67 (b) "Broadband Internet access service" or "broadband service" does not include
68 dial-up Internet access service.
69 (3) "Customer" means an individual who:
70 (a) (i) is a current or former subscriber to broadband service; or
71 (ii) is an applicant for broadband service; and
72 (b) physically resides in the state.
73 (4) "Customer personal information" means information collected by a service provider
74 from or about a customer that a customer makes available to the service provider solely due to
75 the service provider-customer relationship, including the customer's:
76 (a) name;
77 (b) billing information;
78 (c) government-issued identifier, including a social security number or a driver's
79 license number;
80 (d) other contact information, including a physical address, email address, or phone
81 number;
82 (e) demographic information, such as:
83 (i) date of birth;
84 (ii) age;
85 (iii) race;
86 (iv) ethnicity;
87 (v) nationality;
88 (vi) religion;
89 (vii) political beliefs;
90 (viii) gender; or
91 (ix) sexual orientation;
92 (f) financial information;
93 (g) health information;
94 (h) information related to children;
95 (i) geolocation information sufficient to identify the name of a street and the name of a
96 city or town;
97 (j) information that relates to the quantity, technical configuration, type, destination,
98 location, or amount of use of the broadband service, including:
99 (i) web browsing history;
100 (ii) application usage history;
101 (iii) timing of use;
102 (iv) origin or destination Internet Protocol addresses of traffic;
103 (k) content of communications, including:
104 (i) application payload;
105 (ii) any part of the substance, purpose, or meaning of a communication; or
106 (iii) any part of a communication that is highly suggestive of the substance, purpose, or
107 meaning of the communication;
108 (l) a device identifier, including:
109 (i) a Media Access Control address;
110 (ii) an International Mobile Equipment Identity number; or
111 (iii) an Internet Protocol address; or
112 (m) any other information maintained in a way that the information is linked or
113 reasonably linkable to a customer or device.
114 (5) "Material change" means a change that a reasonable customer would consider
115 important to the customer's decisions regarding the customer's privacy.
116 (6) "Opt-in consent" means affirmative, express customer approval:
117 (a) to use, disclose, sell, or permit access to the customer's personal information; and
118 (b) that the customer gives to a service provider after the service provider provides the
119 customer notice described in Section 13-54-206.
120 (7) "Service provider" means a person engaged in the business of providing to
121 customers:
122 (a) fixed broadband service; or
123 (b) mobile broadband service.
124 Section 3. Section 13-54-202 is enacted to read:
125 13-54-202. Applicability of part -- General prohibition on service providers.
126 (1) Except as provided in this part, a service provider may not use, disclose, sell, or
127 permit access to customer personal information.
128 (2) Nothing in this part prohibits a service provider from:
129 (a) generating an aggregate customer personal information dataset using customer
130 personal information; or
131 (b) using, disclosing, selling, or permitting access to an aggregate customer personal
132 information dataset the service provider generates.
133 Section 4. Section 13-54-203 is enacted to read:
134 13-54-203. Customer consent -- Mechanism -- Effect of consent.
135 (1) A service provider may use, disclose, sell, or permit access to customer personal
136 information if the customer provides prior opt-in consent.
137 (2) A customer may withdraw consent the customer previously provided.
138 (3) A service provider shall provide a mechanism for a customer to provide, deny, or
139 withdraw consent that is:
140 (a) easy to use;
141 (b) clear and conspicuous;
142 (c) not misleading;
143 (d) available to the customer through the method the service provider primarily uses to
144 conduct business with the customer;
145 (e) in the language the service provider primarily uses to conduct business with the
146 customer; and
147 (f) available to the customer for no additional cost.
148 (4) If a customer provides, denies, or withdraws consent, the service provider shall give
149 the customer's action effect:
150 (a) promptly; and
151 (b) until the customer revokes or limits the customer's action.
152 (5) A service provider may not:
153 (a) refuse to provide broadband services to a customer who does not provide opt-in
154 consent; or
155 (b) require a higher payment from or offer a discount to a customer based on the
156 customer's decision to provide, deny, or withdraw consent.
157 Section 5. Section 13-54-204 is enacted to read:
158 13-54-204. Use, disclosure, sale, or access to customer personal information
159 without consent.
160 (1) A service provider may only use, disclose, sell, or permit access to customer
161 personal information without customer consent:
162 (a) for the purpose of providing the broadband services to the customer;
163 (b) to comply with legal processes or other laws, court orders, or administrative orders;
164 (c) to initiate, render, bill for, or collect payment for the broadband services;
165 (d) to protect the following from fraudulent, abusive, or unlawful use:
166 (i) the rights or property of the service provider; or
167 (ii) the rights or property of the customer; or
168 (e) to provide location information related to the customer for the purpose of:
169 (i) responding to the customer's request for emergency services by providing the
170 location information to:
171 (A) a public safety answering point as defined in Section 63H-7a-103;
172 (B) an emergency medical service provider or emergency dispatch provider;
173 (C) a public safety, fire service, or law enforcement agency; or
174 (D) a hospital emergency or trauma care facility;
175 (ii) informing the following of the customer's location in an emergency situation that
176 involves the risk of death or serious injury:
177 (A) the customer's family member;
178 (B) the customer's legal guardian; or
179 (C) an individual the service provider determines is a close personal friend of the
180 customer; or
181 (iii) assisting in the delivery of emergency services to the customer by providing the
182 location information to a provider of information or database management services.
183 (2) (a) Unless otherwise provided by law, and except as provided in Subsection (2)(b),
184 a service provider may use, disclose, sell, or permit access to customer personal information to
185 advertise or market the service provider's other services to the customer.
186 (b) A service provider shall:
187 (i) provide a customer the option to opt out of the conduct described in Subsection
188 (2)(a); and
189 (ii) include the customer's option described in Subsection (2)(b)(i) in the notice
190 required under Section 13-54-206.
191 Section 6. Section 13-54-205 is enacted to read:
192 13-54-205. Protection and retention of customer personal information.
193 (1) A service provider shall implement and maintain reasonable measures to protect
194 customer personal information from unauthorized:
195 (a) use;
196 (b) sale;
197 (c) access;
198 (d) destruction; and
199 (e) modification.
200 (2) Whether a measure described in Subsection (1) is reasonable is informed by the
201 following factors:
202 (a) the nature and scope of the service provider's activities;
203 (b) the sensitivity of the customer personal information;
204 (c) the size of the service provider; and
205 (d) the technical feasibility of the measure.
206 (3) (a) Except as provided in Subsection (3)(b), a service provider may not retain
207 customer personal information for longer than reasonably necessary for the service provider to
208 accomplish the purpose for which the service provider collected the customer personal
209 information.
210 (b) A service provider may retain customer personal information for longer than
211 described in Subsection (3)(a) if:
212 (i) the service provider only uses the customer personal information for a purpose
213 described in Section 13-54-204; or
214 (ii) the customer personal information is within an aggregate customer personal
215 information dataset.
216 Section 7. Section 13-54-206 is enacted to read:
217 13-54-206. Service provider notice to customer -- Material change.
218 (1) A service provider shall provide notice to a customer of how the service provider
219 complies with the requirements described in this part.
220 (2) The service provider shall ensure that the notice described in Subsection (1):
221 (a) is clear, conspicuous, and not misleading;
222 (b) is provided to the customer:
223 (i) through the method the service provider primarily uses to conduct business with the
224 customer; and
225 (ii) (A) at the point of sale of the broadband services; and
226 (B) when the service provider seeks opt-in consent from the customer; and
227 (c) describes or links to a resource that describes:
228 (i) the types of customer personal information the service provider collects;
229 (ii) how the service provider uses customer personal information;
230 (iii) the service provider's retention schedule for customer personal information;
231 (iv) the circumstances under which the service provider discloses, sells, or permits
232 access to the customer personal information the service provider collects;
233 (v) the categories of entities to which, and the purposes for which, the service provider
234 discloses, sells, or permits access to customer personal information; and
235 (vi) methods for and rights of a customer related to consent.
236 (3) A service provider shall provide to a customer advanced notice of a material change
237 to the information described in a notice described in Subsection (1).
238 Section 8. Section 63G-24-101 is enacted to read:
239
240
241 63G-24-101. Title.
242 This chapter is known as "Purchase of Services."
243 Section 9. Section 63G-24-201 is enacted to read:
244
245 63G-24-201. Definitions.
246 As used in this part:
247 (1) (a) "Broadband Internet access service" or "broadband service" means:
248 (i) a mass market retail service by wire or radio that provides the capability to transmit
249 data to and receive data from all or substantially all Internet endpoints; or
250 (ii) a capability that is incidental to and enables the operation of a mass market retail
251 service described in Subsection (1)(a)(i).
252 (b) "Broadband Internet access service" or "broadband service" does not include
253 dial-up Internet access service.
254 (2) "Content, application, or service" means any traffic that is transmitted to or from an
255 end user of a broadband Internet access service.
256 (3) "Edge provider" means a person that provides:
257 (a) any content, application, or service over the Internet; or
258 (b) a device used for accessing any content, application, or service over the Internet.
259 (4) "End user" means a person that uses a broadband service.
260 (5) (a) "Fixed broadband service" means a broadband service that serves end users
261 primarily at fixed endpoints using stationary equipment.
262 (b) "Fixed broadband service" includes:
263 (i) a fixed wireless service, including a fixed unlicensed wireless service; and
264 (ii) a fixed satellite service.
265 (6) "Mobile broadband service" means a broadband service that serves end users
266 primarily using mobile stations.
267 (7) (a) "Paid prioritization" means a service provider's management of the service
268 provider's network to directly or indirectly favor certain content, applications, or services over
269 other content, applications, or services:
270 (i) in exchange for monetary or other consideration; or
271 (ii) to benefit an affiliated person.
272 (b) "Paid prioritization" may include the use of one of the following techniques:
273 (i) traffic shaping;
274 (ii) prioritization;
275 (iii) resource reservation; or
276 (iv) another form of preferential traffic management.
277 (8) "Political subdivision" means:
278 (a) a municipality as defined in Section 10-1-104;
279 (b) a county;
280 (c) a limited purpose entity as defined in Section 17-15-32; or
281 (d) a school district, a charter school, or the Utah Schools for the Deaf and the Blind.
282 (9) "Reasonable network management" means a network management practice that:
283 (a) is primarily used for and tailored to achieve a network management purpose with a
284 technical justification; and
285 (b) takes into account the particular architecture and technology of the broadband
286 service.
287 (10) "Service provider" means a person engaged in the business of providing:
288 (a) fixed broadband service; or
289 (b) mobile broadband service.
290 Section 10. Section 63G-24-202 is enacted to read:
291 63G-24-202. State or political subdivision purchase of broadband Internet access
292 service.
293 (1) The state or a political subdivision may only purchase or provide funding for the
294 purchase of fixed broadband service or mobile broadband service from a service provider that:
295 (a) publicly discloses information regarding the service provider's:
296 (i) network management practices;
297 (ii) performance; and
298 (iii) commercial terms;
299 (b) does not, subject to reasonable network management:
300 (i) block:
301 (A) lawful content, applications, or services; or
302 (B) a nonharmful device;
303 (ii) impair or degrade lawful Internet traffic on the basis of:
304 (A) content, application, or service; or
305 (B) the use of a nonharmful device;
306 (iii) unreasonably interfere with or unreasonably disadvantage:
307 (A) an end user's ability to select, access, or use broadband service or lawful devices,
308 content, applications, or services of the end user's choice; or
309 (B) an edge provider's ability to make lawful devices, content, applications, or services
310 available to an end user; and
311 (c) does not engage in paid prioritization, unless the state or political subdivision
312 determines that the paid prioritization:
313 (i) will provide a significant public interest benefit; and
314 (ii) will not harm the open nature of the broadband services the service provider will
315 provide.
316 (2) Nothing in this part supersedes or limits a service provider's obligation or
317 authorization to lawfully address the needs of:
318 (a) emergency communication; or
319 (b) a law enforcement, public safety, or national security authority.
320 (3) Nothing in this part prohibits a service provider's reasonable efforts to address
321 copyright infringement or other unlawful activity.
322 (4) Notwithstanding the provisions of this section, in a geographic location where
323 broadband service is only available from a single service provider, a state or political
324 subdivision may purchase or provide funding for the purchase of fixed broadband service or
325 mobile broadband service from a service provider other than a service provider described in
326 Subsection (1).