Bill Text: HI HB2296 | 2018 | Regular Session | Amended


Bill Title: Relating To Internet Privacy.

Spectrum: Strong Partisan Bill (Democrat 15-1)

Status: (Introduced - Dead) 2018-02-16 - Report adopted; referred to the committee(s) on JUD with none voting aye with reservations; none voting no (0) and Representative(s) DeCoite, Ing, Nakamura, Onishi, Woodson excused (5).

HOUSE OF REPRESENTATIVES

H.B. NO. 2296

TWENTY-NINTH LEGISLATURE, 2018

H.D. 1

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO INTERNET PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:


     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

INTERNET SERVICE PROVIDERS; CUSTOMER PRIVACY

     §   -1  Personal information of customers.  An internet service provider shall not use, disclose, sell, or permit access to the personal information of customers, except as provided in this chapter.

     §   -2  Customer consent.  (a)  An internet service provider may use, disclose, sell, or permit access to the personal information of customers; provided that the internet service provider obtains prior written consent from the customer, who may revoke such consent at any time.

     (b)  An internet service provider shall employ a mechanism for customers to grant, deny, or withdraw written consent that is easy to use, clear, conspicuous, comprehensible, not misleading, and persistently available through all methods that the internet service provider gives to customers for account management, in the language primarily used to conduct business with the customer, and made available to the customer for no additional cost.

     (c)  A customer's grant, denial, or withdrawal of written consent shall be given effect promptly and remain in effect until the customer revokes or limits the grant, denial, or withdrawal of such consent.

     (d)  An internet service provider shall not:

     (1)  Refuse to serve a customer who does not provide consent under this chapter; or

     (2)  Charge a customer a higher price or offer a customer a discount or any other benefit based on the customer's decision to provide or not to provide consent.

     §   -3  Exceptions.  (a)  An internet service provider may use, disclose, sell, or permit access to the personal information of customers without the customer's consent under the following circumstances:

     (1)  For the purpose of providing internet service from which such information is derived or for purposes necessary for the provision of such service;

     (2)  To comply with legal requirements, including court orders and administrative orders;

     (3)  To initiate, render, bill for, and collect payment for the internet service provided;

     (4)  To protect the rights or property of the internet service provider or to protect other customers and other internet service providers from fraudulent, abusive, or unlawful use of or subscription to the internet service provider's internet service network;

     (5)  To provide location information concerning the customer:

          (A)  To a public safety answering point; emergency medical services provider or emergency dispatch provider; public safety, fire service, or law enforcement official; or hospital emergency or trauma care facility, in order to respond to the customer's request for emergency services;

          (B)  To inform the customer's legal guardian, members of the customer's family, or to a person reasonably believed by the internet service provider to be a close personal friend of the customer regarding the customer's location in an emergency situation that involves the risk of death or serious injury; or

          (C)  To providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.

     (b)  Unless otherwise prohibited by law, an internet service provider may use, disclose, sell, or permit access to the personal information of a customer to advertise or market the internet service provider's communications-related services to the customer; provided that the customer may opt out, in writing, from such use, disclosure, sale, or access at any time.  All internet service providers shall provide notice to customers of the right to opt out in accordance with the requirements of this chapter.

     (c)  An internet service provider shall disclose the personal information of the customer, upon affirmative written request by the customer, to any person designated by the customer.

     §   -4  Aggregate customer personal information dataset.  Nothing in this chapter shall restrict an internet service provider from:

     (1)  Generating an aggregate customer personal information dataset using the personal information of customers; or

     (2)  Using, disclosing, selling, or permitting access to an aggregate customer personal information dataset that it generated.

     §   -5  Security of the personal information of customers.  (a)  An internet service provider shall implement and maintain reasonable security measures to protect the personal information of customers from unauthorized use, disclosure, sale, access, destruction, or modification.

     (b)  Whether security measures are reasonable shall be based on the following factors:

     (1)  The nature and scope of the internet service provider's activities;

     (2)  The sensitivity of the data that the internet service provider collects;

     (3)  The size of the internet service provider's operations; and

     (4)  The technical feasibility of the security measures.

     (c)  An internet service provider may employ any lawful security measures to comply with the requirements set forth in this section.

     (d)  An internet service provider shall not retain the personal information of customers for longer than reasonably necessary to accomplish the purposes for which the information was collected, unless otherwise required by section    -3 or unless the data is part of an aggregate customer personal information dataset.

     §   -6  Notice.  (a)  An internet service provider shall provide a clear, prominent, comprehensible, and not misleading notice of the requirements of sections    -1 to    -5 to each of its customers in the language primarily used to conduct business with the customer at the point of sale and when seeking the customer's written opt-in consent.  Each internet service provider shall make the notice subsequently and persistently available through all methods through which the internet service provider gives customers for account management.

     (b)  The notice required by this section shall specify and describe, or link electronically to a resource that specifies and describes:

     (1)  The types of personal information of customers collected, how that information is used by the internet service provider, and how long the internet service provider retains the data;

     (2)  The circumstances under which the internet service provider discloses, sells, or permits access to the information that it collects;

     (3)  The categories of entities to which the internet service provider discloses, sells, or permits access to the personal information of customers and the purposes for which each category of entity will use the information; and

     (4)  The customer's right to consent with regard to the use of, disclosure of, sale of, or access to the personal information of the customer and how that right may be exercised.

     (c)  An internet service provider shall provide advance notice of material changes to how it uses, discloses, sells, or permits access to the personal information of customers or the notice required under this section.  The advance notice provided pursuant to this subsection shall specify that a customer may grant, deny, or withdraw consent at any time in a manner that accords with the requirements of this chapter.

     §   -7  Enforcement.  Every person who violates this chapter shall be fined not less than $1,000 nor more than $3,000 for the first offense, and not less than $3,000 nor more than $9,000 for each offense thereafter.

     §   -8  Waiver; void and unenforceable.  Any waiver by a customer of the provisions of this chapter shall be deemed contrary to public policy and shall be void and unenforceable.

     §   -9  Applicability.  This chapter shall apply to all internet service providers operating within Hawaii when providing internet service to their customers who are residents of or physically located in Hawaii.

     §   -10  Definitions.  As used in this chapter:

     "Aggregate customer personal information dataset" means collective data that relates to a group or category of customers, from which individual customer identities and characteristics have been removed, and that is not linked or reasonably linkable to any individual person, household, or device.

     "Consent" means affirmative, explicit customer approval for the requested use, disclosure, sale, or access to the personal information of the customer after the customer has been provided appropriate notification of the internet service provider's practices under section    -6.

     "Material change" means any change that a customer, acting reasonably under the circumstances, would consider important to the customer's decisions regarding the customer's privacy.

     "Personal information of customers" and "personal information of the customer" mean information collected by an internet service provider from or about a customer that is made available to the internet service provider by a customer solely by virtue of the relationship between the internet service provider and the customer, including the following:

     (1)  Name and billing information of the customer;

     (2)  Government-issued identifiers, such as social security and driver's license numbers, of the customer;

     (3)  Other contact information, such as physical address, electronic mail address, or telephone number, of the customer;

     (4)  Demographic information, such as date of birth, age, race, ethnicity, nationality, religion, political beliefs, marital status, gender, or sexual orientation, of the customer;

     (5)  Financial information, health information, or information pertaining to children with respect to the customer;

     (6)  Geolocation information sufficient to identify street name and name of a city or town;

     (7)  Information that relates to the quantity, technical configuration, type, destination, location, and amount of use of the internet service provider, including web browsing history, application usage history, timing of use, quantity of use, and origin and destination internet protocol addresses of all internet traffic;

     (8)  Content of communications, which includes any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication, and includes application payload;

     (9)  Device identifiers, such as media access control address, international mobile equipment identity number, and internet protocol address;

    (10)  Information concerning a customer that is collected or made available and is maintained in a way that the information is linked or reasonably linkable to a particular customer or device; and

    (11)  Information related to a customer that has had the customer's identity and characteristics removed."

     SECTION 2.  If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

     SECTION 3.  This Act shall take effect on July 1, 3000.



 

Report Title: Customer Privacy; Internet Service Providers

Description: Prohibits internet service providers from using the personal information of customers for specific purposes without the prior written consent of customers.  (HB2296 HD1)

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.