Chief Sponsor: Brian S. King

Senate Sponsor: ____________


8     General Description:
9          This bill enacts provisions related to broadband Internet access service.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     prohibits a broadband Internet access service provider from using, disclosing,
14     selling, or permitting access to a customer's personal information except under
15     certain circumstances;
16          ▸     places requirements on broadband Internet access service providers related to:
17               •     providing notice to customers related to the use of customer personal
18     information; and
19               •     maintaining measures to protect customer personal information;
20          ▸     enacts other provisions related to requirements on a broadband Internet access
21     service provider;
22          ▸     requires the state and political subdivisions to purchase broadband Internet access
23     service from a provider that engages in certain conduct related to:
24               •     public disclosure of network management practices;
25               •     blocking content, applications, or services;
26               •     impairing Internet traffic; and
27               •     interfering with a user's choice of service or device; and

28          ▸     makes technical and conforming changes.
29     Money Appropriated in this Bill:
30          None
31     Other Special Clauses:
32          None
33     Utah Code Sections Affected:
34     ENACTS:
35          13-54-101, Utah Code Annotated 1953
36          13-54-201, Utah Code Annotated 1953
37          13-54-202, Utah Code Annotated 1953
38          13-54-203, Utah Code Annotated 1953
39          13-54-204, Utah Code Annotated 1953
40          13-54-205, Utah Code Annotated 1953
41          13-54-206, Utah Code Annotated 1953
42          63G-24-101, Utah Code Annotated 1953
43          63G-24-201, Utah Code Annotated 1953
44          63G-24-202, Utah Code Annotated 1953

46     Be it enacted by the Legislature of the state of Utah:
47          Section 1. Section 13-54-101 is enacted to read:

Part 1. General Provisions

50          13-54-101. Title.
51          This chapter is known as "Internet Service Customer Privacy."
52          Section 2. Section 13-54-201 is enacted to read:
Part 2. Broadband Internet Access Service Customer Privacy

54          13-54-201. Definitions.
55          As used in this part:
56          (1) "Aggregate customer personal information dataset" means collective data that
57     relates to a group of customers:
58          (a) from which individual customer identities and characteristics have been removed;

59     and
60          (b) that is not linked or reasonably linkable to a specific individual, household, or
61     device.
62          (2) (a) "Broadband Internet access service" or "broadband service" means:
63          (i) a mass market retail service by wire or radio that provides the capability to transmit
64     data to and receive data from all or substantially all Internet endpoints; or
65          (ii) a capability that is incidental to and enables the operation of a mass market retail
66     service described in Subsection (2)(a)(i).
67          (b) "Broadband Internet access service" or "broadband service" does not include
68     dial-up Internet access service.
69          (3) "Customer" means an individual who:
70          (a) (i) is a current or former subscriber to broadband service; or
71          (ii) is an applicant for broadband service; and
72          (b) physically resides in the state.
73          (4) "Customer personal information" means information collected by a service provider
74     from or about a customer that a customer makes available to the service provider solely due to
75     the service provider-customer relationship, including the customer's:
76          (a) name;
77          (b) billing information;
78          (c) government-issued identifier, including a social security number or a driver's
79     license number;
80          (d) other contact information, including a physical address, email address, or phone
81     number;
82          (e) demographic information, such as:
83          (i) date of birth;
84          (ii) age;
85          (iii) race;
86          (iv) ethnicity;
87          (v) nationality;
88          (vi) religion;
89          (vii) political beliefs;

90          (viii) gender; or
91          (ix) sexual orientation;
92          (f) financial information;
93          (g) health information;
94          (h) information related to children;
95          (i) geolocation information sufficient to identify the name of a street and the name of a
96     city or town;
97          (j) information that relates to the quantity, technical configuration, type, destination,
98     location, or amount of use of the broadband service, including:
99          (i) web browsing history;
100          (ii) application usage history;
101          (iii) timing of use;
102          (iv) origin or destination Internet Protocol addresses of traffic;
103          (k) content of communications, including:
104          (i) application payload;
105          (ii) any part of the substance, purpose, or meaning of a communication; or
106          (iii) any part of a communication that is highly suggestive of the substance, purpose, or
107     meaning of the communication;
108          (l) a device identifier, including:
109          (i) a Media Access Control address;
110          (ii) an International Mobile Equipment Identity number; or
111          (iii) an Internet Protocol address; or
112          (m) any other information maintained in a way that the information is linked or
113     reasonably linkable to a customer or device.
114          (5) "Material change" means a change that a reasonable customer would consider
115     important to the customer's decisions regarding the customer's privacy.
116          (6) "Opt-in consent" means affirmative, express customer approval:
117          (a) to use, disclose, sell, or permit access to the customer's personal information; and
118          (b) that the customer gives to a service provider after service provider provides the
119     customer notice described in Section 13-54-206.
120          (7) "Service provider" means a person engaged in the business of providing to

121     customers:
122          (a) fixed broadband service; or
123          (b) mobile broadband service.
124          Section 3. Section 13-54-202 is enacted to read:
125          13-54-202. Applicability of part -- General prohibition on service providers.
126          (1) Except as provided in this part, a service provider may not use, disclose, sell, or
127     permit access to customer personal information.
128          (2) Nothing in this part prohibits a service provider from:
129          (a) generating an aggregate customer personal information dataset using customer
130     personal information; or
131          (b) using, disclosing, selling, or permitting access to an aggregate customer personal
132     information dataset the service provider generates.
133          Section 4. Section 13-54-203 is enacted to read:
134          13-54-203. Customer consent -- Mechanism -- Effect of consent.
135          (1) A service provider may use, disclose, sell, or permit access to customer personal
136     information if the customer provides prior opt-in consent.
137          (2) A customer may withdraw consent the customer previously provided.
138          (3) A service provider shall provide a mechanism for a customer to provide, deny, or
139     withdraw consent that is:
140          (a) easy to use;
141          (b) clear and conspicuous;
142          (c) not misleading;
143          (d) available to the customer through the method the service provider primarily uses to
144     conduct business with the customer;
145          (e) in the language the service provider primarily uses to conduct business with the
146     customer; and
147          (f) available to the customer for no additional cost.
148          (4) If a customer provides, denies, or withdraws consent, the service provider shall give
149     the customer's action effect:
150          (a) promptly; and
151          (b) until the customer revokes or limits the customer's action.

152          (5) A service provider may not:
153          (a) refuse to provide broadband services to a customer who does not provide opt-in
154     consent; or
155          (b) require a higher payment from or offer a discount to a customer based on the
156     customer's decision to provide, deny, or withdraw consent.
157          Section 5. Section 13-54-204 is enacted to read:
158          13-54-204. Use, disclosure, sale, or access to customer personal information
159     without consent.
160          (1) A service provider may only use, disclose, sell, or permit access to customer
161     personal information without customer consent:
162          (a) for the purpose of providing the broadband services to the customer;
163          (b) to comply with legal processes or other laws, court orders, or administrative orders;
164          (c) to initiate, render, bill for, or collect payment for the broadband services;
165          (d) to protect the following from fraudulent, abusive, or unlawful use:
166          (i) the rights or property of the service provider; or
167          (ii) the rights or property of the customer; or
168          (e) to provide location information related to the customer for the purpose of:
169          (i) responding to the customer's request for emergency services by providing the
170     location information to:
171          (A) a public safety answering point as defined in Section 63H-7a-103;
172          (B) an emergency medical service provider or emergency dispatch provider;
173          (C) a public safety, fire service, or law enforcement agency; or
174          (D) a hospital emergency or trauma care facility;
175          (ii) informing the following of the customer's location in an emergency situation that
176     involves the risk of death or serious injury:
177          (A) the customer's family member;
178          (B) the customer's legal guardian; or
179          (C) an individual the service provider determines is a close personal friend of the
180     customer; or
181          (iii) assisting in the delivery of emergency services to the customer by providing the
182     location information to a provider of information or database management services.

183          (2) (a) Unless otherwise provided by law, and except as provided in Subsection (2)(b),
184     a service provider may use, disclose, sell, or permit access to customer personal information to
185     advertise or market the service provider's other services to the customer.
186          (b) A service provider shall:
187          (i) provide a customer the option to opt out of the conduct described in Subsection
188     (2)(a); and
189          (ii) include the customer's option described in Subsection (2)(b)(i) in the notice
190     required under Section 13-54-206.
191          Section 6. Section 13-54-205 is enacted to read:
192          13-54-205. Protection and retention of customer personal information.
193          (1) A service provider shall implement and maintain reasonable measures to protect
194     customer personal information from unauthorized:
195          (a) use;
196          (b) sale;
197          (c) access;
198          (d) destruction; and
199          (e) modification.
200          (2) Whether a measure described in Subsection (1) is reasonable is informed by the
201     following factors:
202          (a) the nature and scope of the service provider's activities;
203          (b) the sensitivity of the customer personal information;
204          (c) the size of the service provider; and
205          (d) the technical feasibility of the measure.
206          (3) (a) Except as provided in Subsection (3)(b), a service provider may not retain
207     customer personal information for longer than reasonably necessary for the service provider to
208     accomplish the purpose for which the service provider collected the customer personal
209     information.
210          (b) A service provider may retain customer personal information for longer than
211     described in Subsection (3)(a) if:
212          (i) the service provider only uses the customer personal information for a purpose
213     described in Section 13-54-204; or

214          (ii) the customer personal information is within an aggregate customer personal
215     information dataset.
216          Section 7. Section 13-54-206 is enacted to read:
217          13-54-206. Service provider notice to customer -- Material change.
218          (1) A service provider shall provide notice to a customer of how the service provider
219     complies with the requirements described in this part.
220          (2) The service provider shall ensure that the notice described in Subsection (1):
221          (a) is clear, conspicuous, and not misleading;
222          (b) is provided to the customer:
223          (i) through the method the service provider primarily uses to conduct business with the
224     customer; and
225          (ii) (A) at the point of sale of the broadband services; and
226          (B) when the service provider seeks opt-in consent from the customer; and
227          (c) describes or links to a resource that describes:
228          (i) the types of customer personal information the service provider collects;
229          (ii) how the service provider uses customer personal information;
230          (iii) the service provider's retention schedule for customer personal information;
231          (iv) the circumstances under which the service provider discloses, sells, or permits
232     access to the customer personal information the service provider collects;
233          (v) the categories of entities to which, and the purposes for which, the service provider
234     discloses, sells, or permits access to customer personal information; and
235          (vi) methods for and rights of a customer related to consent.
236          (3) A service provider shall provide to a customer advanced notice of a material change
237     to the information described in a notice described in Subsection (1).
238          Section 8. Section 63G-24-101 is enacted to read:

Part 1. General Provisions

241          63G-24-101. Title.
242          This chapter is known as "Purchase of Services."
243          Section 9. Section 63G-24-201 is enacted to read:
Part 2. Purchase of Broadband Internet Access Service

245          63G-24-201. Definitions.
246          As used in this part:
247          (1) (a) "Broadband Internet access service" or "broadband service" means:
248          (i) a mass market retail service by wire or radio that provides the capability to transmit
249     data to and receive data from all or substantially all Internet endpoints; or
250          (ii) a capability that is incidental to and enables the operation of a mass market retail
251     service described in Subsection (1)(a)(i).
252          (b) "Broadband Internet access service" or "broadband service" does not include
253     dial-up Internet access service.
254          (2) "Content, application, or service" means any traffic that is transmitted to or from an
255     end user of a broadband Internet access service.
256          (3) "Edge provider" means a person that provides:
257          (a) any content, application, or service over the Internet; or
258          (b) a device used for accessing any content, application, or service over the Internet.
259          (4) "End user" means a person that uses a broadband service.
260          (5) (a) "Fixed broadband service" means a broadband service that serves end users
261     primarily at fixed endpoints using stationary equipment.
262          (b) "Fixed broadband service" includes:
263          (i) a fixed wireless service, including a fixed unlicensed wireless service; and
264          (ii) a fixed satellite service.
265          (6) "Mobile broadband service" means a broadband service that serves end users
266     primarily using mobile stations.
267          (7) (a) "Paid prioritization" means a service provider's management of the service
268     provider's network to directly or indirectly favor certain content, applications, or services over
269     other content, applications, or services:
270          (i) in exchange for monetary or other consideration; or
271          (ii) to benefit an affiliated person.
272          (b) "Paid prioritization" may include the use of one of the following techniques:
273          (i) traffic shaping;
274          (ii) prioritization;
275          (iii) resource reservation; or

276          (iv) another form of preferential traffic management.
277          (8) "Political subdivision" means:
278          (a) a municipality as defined in Section 10-1-104;
279          (b) a county;
280          (c) a limited purpose entity as defined in Section 17-15-32; or
281          (d) a school district, a charter school, or the Utah Schools for the Deaf and the Blind.
282          (9) "Reasonable network management" means a network management practice that:
283          (a) is primarily used for and tailored to achieve a network management purpose with a
284     technical justification; and
285          (b) takes into account the particular architecture and technology of the broadband
286     service.
287          (10) "Service provider" means a person engaged in the business of providing:
288          (a) fixed broadband service; or
289          (b) mobile broadband service.
290          Section 10. Section 63G-24-202 is enacted to read:
291          63G-24-202. State or political subdivision purchase of broadband Internet access
292     service.
293          (1) The state or a political subdivision may only purchase or provide funding for the
294     purchase of fixed broadband service or mobile broadband service from a service provider that:
295          (a) publicly discloses information regarding the service provider's:
296          (i) network management practices;
297          (ii) performance; and
298          (iii) commercial terms;
299          (b) does not, subject to reasonable network management:
300          (i) block:
301          (A) lawful content, applications, or services; or
302          (B) a nonharmful device;
303          (ii) impair or degrade lawful Internet traffic on the basis of:
304          (A) content, application, or service; or
305          (B) the use of a nonharmful device;
306          (iii) unreasonably interfere with or unreasonably disadvantage:

307          (A) an end user's ability to select, access, or use broadband service or lawful devices,
308     content, applications, or services of the end user's choice; or
309          (B) an edge provider's ability to make lawful devices, content, applications, or services
310     available to an end user; and
311          (c) does not engage in paid prioritization, unless the state or political subdivision
312     determines that the paid prioritization:
313          (i) will provide a significant public interest benefit; and
314          (ii) will not harm the open nature of the broadband services the service provider will
315     provide.
316          (2) Nothing in this part supersedes or limits a service provider's obligation or
317     authorization to lawfully address the needs of:
318          (a) emergency communication; or
319          (b) a law enforcement, public safety, or national security authority.
320          (3) Nothing in this part prohibits a service provider's reasonable efforts to address
321     copyright infringement or other unlawful activity.
322          (4) Notwithstanding the provisions of this section, in a geographic location where
323     broadband service is only available from a single service provider, a state or political
324     subdivision may purchase or provide funding for the purchase of fixed broadband service or
325     mobile broadband service from a service provider other than a service provider described in
326     Subsection (1).