Bill Text: CA AB375 | 2017-2018 | Regular Session | Amended
Bill Title: Privacy: personal information: businesses.
Spectrum: Partisan Bill (Democrat 3-0)
Status: (Passed) 2018-06-28 - Chaptered by Secretary of State - Chapter 55, Statutes of 2018.
Amended in Senate September 12, 2017
Amended in Senate August 21, 2017
Amended in Senate June 19, 2017
Amended in Assembly April 27, 2017
Assembly Bill No. 375
Introduced by Assembly Member Chau (Principal coauthor: Senator Jackson) (Coauthors: Assembly Members Dababneh, Gloria, and Mark Stone)
February 09, 2017
LEGISLATIVE COUNSEL'S DIGEST
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Bill Text
The people of the State of California do enact as follows:
SECTION 1.
Chapter 21.7 (commencing with Section 22550) is added to Division 8 of the Business and Professions Code, to read:
CHAPTER 21.7. California Broadband Internet Privacy Act
22550.
This chapter shall be known, and may be cited, as the California Broadband Internet Privacy Act.
22550.5.
It is the intent of the Legislature in enacting this chapter to incorporate into statute certain provisions of the Federal Communications Commission Report and Order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (FCC 16-148), which were revoked by Senate Joint Resolution 34 (Public Law 115-22), which became effective April 3, 2017. In adopting the specified provisions incorporated into this act, it is the intent of the Legislature to give consumers greater control over their personal information when accessing the Internet through a broadband Internet access service provider and thereby better protect their own privacy and autonomy. It is also the intent of the Legislature that the consumer protections set forth in this chapter be interpreted broadly and any exceptions interpreted
22551.
For purposes of this chapter:
(a)
(b)
(c)“Breach of security,” “breach,” and “data breach” mean any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.
(d)“Call detail information” means information that pertains to the transmission of specific telephone calls, including the following:
(1)For any call, its time, location, and duration.
(2)For an outbound call, the telephone number called.
(3)For an inbound call, the telephone number from which the call was placed.
(e)“Communications provider” or “provider” means any provider of communications services in California, except that this term does not include aggregators of communications services, as defined in Section 226 of Title 47 of the United States Code. For purposes of this chapter, the term “communications provider” or “provider” shall include a person engaged in the provision of VoIP service or broadband Internet access service.
(f)“Communications service” means the offering of telecommunications in California for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used. For the purposes of this chapter, the term “communications service” shall include VoIP service and broadband Internet access service.
(g)
(h)
(i)
(B)Information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a provider.
(2)“Customer proprietary network information” does not include subscriber list information.
(j)“Interconnected Voice over Internet Protocol service” or “VoIP service” means a service that does all of the following:
(1)Enables real-time, two-way voice communications.
(2)Requires a broadband connection from the user’s location.
(3)Requires Internet protocol-compatible customer premises equipment.
(4)Permits users generally to receive calls that originate on the public switched telephone network and to terminate calls to the public switched telephone network.
(k)
(l)
(m)
(n)
(o)
(p)
(7)Call detail information.
(8)Web
(q)“Telecommunications” means the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.
(a)In addition to the requirements of Chapter 22 (commencing with Section 22575), as applicable, a communications provider shall notify its customers of its privacy policies. The notice shall be clear and conspicuous, and in language that is comprehensible and not misleading, and shall do all of the following:
(1)Specify and describe the types of customer proprietary information that the provider collects by virtue of its provision of communications service and how it uses that information.
(2)Specify and describe under what circumstances the provider discloses or permits access to each type of customer proprietary information that it collects.
(3)Specify and describe the categories of entities to which the provider discloses or permits access to customer proprietary information and the purposes for which the customer proprietary information will be used by each category of entities.
(4)Specify and describe a customer’s opt-in approval and opt-out approval rights with respect to his or her customer proprietary information, including both of the following:
(A)That a customer’s denial or withdrawal of approval to use, disclose, or permit access to customer proprietary information shall not affect the provision of any communications services of which he or she is a customer.
(B)That any grant, denial, or withdrawal of approval for the use, disclosure, or permission of access to the customer proprietary information is valid until the customer affirmatively revokes that grant, denial, or withdrawal. The notice shall inform the customer of his or her right to deny or withdraw access to the proprietary information at any time.
(5)Provide for access to a mechanism for a customer to grant, deny, or withdraw approval for the provider to use, disclose, or provide access to customer proprietary information as required by Section 22553.
(6)Be completely translated into a language other than English if the provider transacts business with the customer in that language.
(b)Notice required under subdivision (a) shall be made pursuant to both of the following requirements:
(1)The provider shall make the notice to a prospective customer at the point of sale, prior to the purchase of service, whether the point of sale is in person, online, over the telephone, or via another means.
(2)The provider shall make the notice persistently available through a clear and conspicuous link on the communications provider’s homepage, the provider’s application if it provides one for account management purposes, and any functional equivalent to the provider’s homepage or application. If a provider does not have an Internet Web site, it shall provide notice to a customer in paper form or another format agreed upon by the customer.
(c)A communications provider shall provide an existing customer with advance notice of one or more material changes to the provider’s privacy policies. The notice shall be clear and conspicuous, in language that is comprehensible and not misleading, and shall satisfy all of the following:
(1)It shall be provided through email or another means of active communication agreed upon by the customer.
(2)It shall specify and describe both of the following:
(A)The changes made to the provider’s privacy policies, including any changes to what customer proprietary information the provider collects, and how it uses, discloses, or permits access to that information, the categories of entities to which it discloses or permits access to customer proprietary information, and which, if any, changes are retroactive.
(B)A customer’s opt-in approval or opt-out approval rights with respect to his or her customer proprietary information, including the material specified in paragraph (4) of subdivision (a).
(3)It shall provide for access to a mechanism for a customer to grant, deny, or withdraw approval for the provider to use, disclose, or permit access to his or her customer proprietary information as required by Section 22553.
(4)It shall be completely translated into a language other than English if the provider transacts business with the customer in that language.
22553.
22552.
(a) (1) Except as described in paragraph (2), a
(F)
(D)A means to easily access the notice required by subdivision (a) of Section 22552 and a means to access the mechanism required by subdivision (e).
(a)In addition to the requirements of Section 1798.81.5 of the Civil Code, a communications provider shall take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access.
(b)The security measures taken by a communications provider to implement the requirement set forth in this section shall, as appropriate, take into account each of the following factors:
(1)The nature and scope of the provider’s activities.
(2)The sensitivity of the data it collects.
(3)The size of the provider.
(4)Technical feasibility.
(c)A communications provider may employ a lawful security measure that allows it to implement the requirement set forth in this section.
(a)(1)In addition to the requirements of Section 1798.82 of the Civil Code, a communications provider shall notify an affected customer of any breach without unreasonable delay and in any event no later than 30 calendar days after the provider reasonably determines that a breach has occurred, subject to law enforcement needs, unless the provider can reasonably determine that no harm to the customer is reasonably likely to occur as a result of the breach.
(2)A provider required to provide notification to a customer under this subdivision shall provide the notice by one or both of the following methods:
(A)Written notification sent to either the customer’s email address or the postal address on record of the customer, or, for former customers, to the last postal address ascertainable after reasonable investigation using commonly available sources.
(B)Other electronic means of active communications agreed upon by the customer for contacting that customer for data breach notification purposes.
(3)The customer notification required to be provided under this subdivision shall include all of the following:
(A)The date, estimated date, or estimated date range of the breach of security.
(B)A description of the customer proprietary information that was breached or reasonably believed to have been breached.
(C)Information the customer can use to contact the provider to inquire about the breach of security and the customer proprietary information that the provider maintains about that customer.
(D)Information about how to contact the Federal Communications Commission.
(E)If the breach creates a risk of financial harm, information about the national credit-reporting agencies and the steps the customer can take to guard against identity theft, including any credit monitoring, credit reporting, credit freezes, or other consumer protections the provider is offering customers affected by the breach of security.
(b)A communications provider shall notify the Federal Communications Commission of any breach affecting 5,000 or more customers no later than seven business days after the provider reasonably determines that a breach has occurred and at least three business days before notification to the affected customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. A provider shall notify the Federal Communications Commission of any breach affecting fewer than 5,000 customers without unreasonable delay and no later than 30 calendar days after the provider reasonably determines that a breach has occurred, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.
(c)A communications provider shall notify the Federal Bureau of Investigation and the United States Secret Service of a breach that affects 5,000 or more customers no later than seven business days after the provider reasonably determines that a breach has occurred and at least three business days before notification to the affected customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.
(d)A communications provider shall maintain a record, electronically or in some other manner, of any breaches and notifications made to customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The record shall include the dates on which the provider determines that a reportable breach has occurred and the dates of customer notification. The record shall include a written copy of all customer notifications. A provider shall retain the record for a minimum of two years from the date on which it determines that a reportable breach has occurred.
A communications provider may bind itself contractually to privacy and data security regimes other than those described in this chapter for the provision of communications services other than broadband Internet access service to enterprise customers if the provider’s contract with that customer specifically addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for the customer to communicate with the provider about privacy and data security concerns.