AB123-SA1,2,1512
2. A person who resides in this state and uses or has used broadband Internet
13access service that is provided under an agreement between a current or former
14subscriber who resides in this state and a broadband Internet access service
15provider.
AB123-SA1,2,1716
(d) “Customer proprietary information” means any of the following
17information:
AB123-SA1,2,2118
1. Individually identifiable information that relates to the quantity, technical
19configuration, type, destination, location, or amount of use of a broadband Internet
20access service subscribed to by a customer of a provider of that service, and that is
21made available to the provider by the customer.
AB123-SA1,2,2322
2. Any information that is linked or reasonably able to be linked to an
23individual or a device.
AB123-SA1,2,2424
3. Content of a customer's communications.
AB123-SA1,3,4
1(e) “Material change” means any change that a customer, acting reasonably
2under the circumstances, would consider important to his or her decisions
3concerning his or her privacy, including any change to information required to be
4presented in the notice required under sub. (2) (b).
AB123-SA1,3,65
(f) “Non-sensitive customer proprietary information” means customer
6proprietary information that is not sensitive customer proprietary information.
AB123-SA1,3,97
(g) “Opt-in approval” means the method for obtaining customer consent in
8which a provider obtains from the customer affirmative, express consent after the
9customer is provided appropriate notification of the provider's request for consent.
AB123-SA1,3,1310
(h) “Opt-out approval” means the method for obtaining customer consent in
11which a customer is deemed to have consented if the customer has failed to object to
12a provider's request after the customer is provided with appropriate notification of
13the provider's request for consent.
AB123-SA1,3,1514
(i) “Prospective customer” means an applicant for broadband Internet access
15service who resides in this state.
AB123-SA1,3,1716
(j) “Sensitive customer proprietary information” means customer proprietary
17information that is any of the following:
AB123-SA1,3,1818
1. Financial information.
AB123-SA1,3,1919
2. Health information.
AB123-SA1,3,2020
3. Information pertaining to a child.
AB123-SA1,3,2121
4. A social security number.
AB123-SA1,3,2222
5. Precise geo-location information.
AB123-SA1,3,2323
6. Content of communications.
AB123-SA1,3,2524
7. Web browsing history, smart phone or tablet computer application usage
25history, and the functional equivalents of either.
AB123-SA1,4,3
1(k) “Subscriber” means a person who enters into an agreement for the provision
2of broadband Internet access services with a provider of broadband Internet access
3services. “Subscriber” does not include a person who resells services.
AB123-SA1,4,7
4(2) Notice requirements. (a)
When notice required. 1. A broadband Internet
5access service provider shall make a notice available at all times to customers about
6its policies concerning the privacy of the information that the provider obtains about
7customers.
AB123-SA1,4,108
2. A broadband Internet access service provider shall notify a prospective
9customer, at the point of sale, prior to a purchase of service, about its policies
10concerning the privacy of information that the provider obtains about customers.
AB123-SA1,4,1211
(b)
Contents. A broadband Internet access service provider shall include all of
12the following in the notice provided to customers under par. (a):
AB123-SA1,4,1513
1. A specific description of the types of customer proprietary information that
14the broadband Internet access service provider collects from providing broadband
15Internet access service and how it uses that information.
AB123-SA1,4,1816
2. A specific description of the circumstances under which the broadband
17Internet access service provider discloses or permits access to each type of customer
18proprietary information that it collects.
AB123-SA1,4,2219
3. A specific description of the categories of entities to which the broadband
20Internet access service provider discloses or permits to access customer proprietary
21information and the purposes for which that information will be used by each
22category of entities.
AB123-SA1,4,2523
4. A specific description of the customer's rights to grant, deny, or withdraw
24approval concerning the customer's proprietary information, including each of the
25following:
AB123-SA1,5,3
1a. A statement that the customer's denial or withdrawal of approval to use,
2disclose, or permit access to customer proprietary information will not affect the
3provision of any broadband Internet access services to the customer.
AB123-SA1,5,64
b. A statement that any grant, denial, or withdrawal of approval for the use,
5disclosure, or permission of access to customer proprietary information is valid until
6the customer affirmatively revokes the grant, denial, or withdrawal.
AB123-SA1,5,87
c. A statement that the customer has the right to deny or withdraw approval
8to use, disclose, or permit access to customer proprietary information at any time.
AB123-SA1,5,99
5. Access to a mechanism required under sub. (3) (d) 3.
AB123-SA1,5,1410
(c)
Material changes to a privacy policy. A broadband Internet access service
11provider shall provide a notice, through electronic mail or another means of prompt
12communication agreed upon by the customer, to a customer of a material change to
13its policies concerning the privacy of information that the provider obtains about the
14customer. The notice shall include all of the following:
AB123-SA1,5,1915
1. A specific description of the changes made to the provider's privacy policies,
16including any changes to what customer proprietary information the provider
17collects; how the provider uses, discloses, or permits access to that information; the
18categories of entities to which it discloses or permits access to customer proprietary
19information; and which, if any, changes are retroactive.
AB123-SA1,5,2020
2. The description required under par. (b) 4.
AB123-SA1,5,2121
3. Access to a mechanism required under sub. (3) (d) 3.
AB123-SA1,5,2522
(d)
When translation required. If a broadband Internet access service provider
23transacts business with a customer in a language other than English, the provider
24shall translate the contents of the notices required under pars. (b) and (c) into the
25language through which the provider transacts business with the customer.
AB123-SA1,6,3
1(3) Customer approval. (a)
Opt-in approval required. Except as provided
2under par. (c), a broadband Internet access service provider may not do any of the
3following unless the provider obtains opt-in approval from the customer:
AB123-SA1,6,54
1. Use, disclose, or permit access to any of the customer's sensitive customer
5proprietary information.
AB123-SA1,6,86
2. Use, disclose, or permit access to any of the customer's proprietary
7information previously collected by the provider for which the customer has not
8previously granted approval under this paragraph or par. (b).
AB123-SA1,6,129
(b)
Opt-out approval required. 1. Except as provided under subd. 2. or par. (c),
10a broadband Internet access service provider may not use, disclose, or permit access
11to any of a customer's non-sensitive customer proprietary information unless the
12provider obtains opt-out approval from the customer.
AB123-SA1,6,1513
2. A broadband Internet access service provider may obtain opt-in approval
14from a customer to use, disclose, or permit access to any of the customer's
15non-sensitive customer proprietary information.
AB123-SA1,6,1916
(c)
Permissible use without customer approval. A broadband Internet access
17service provider may use, disclose, or permit access to customer proprietary
18information without approval from the customer under par. (a) or (b) only for the
19following purposes:
AB123-SA1,6,2220
1. To provide the broadband Internet access service from which the information
21is derived, or in its provision of services necessary to, or used in, the provision of that
22service.
AB123-SA1,6,2323
2. To initiate, render, bill, or collect for broadband Internet access service.
AB123-SA1,7,3
13. To protect the rights or property of the broadband Internet access service
2provider, or to protect users of the broadband Internet access service and other
3providers from fraudulent, abusive, or unlawful use of the service.
AB123-SA1,7,64
4. To provide any marketing, referral, or administrative services to a customer
5for the duration of a real-time interaction if the interaction was initiated by the
6customer.
AB123-SA1,7,87
5. To provide location information or non-sensitive customer proprietary
8information to any of the following:
AB123-SA1,7,129
a. A public safety answering point, as defined in s. 256.35 (1) (gm), emergency
10medical service provider, emergency dispatch provider, public safety official, fire
11service official, law enforcement official, or hospital emergency or trauma care
12facility, in order to respond to the user's request for emergency services.
AB123-SA1,7,1513
b. The user's legal guardian or a member of the user's immediate family, to
14inform about the user's location in an emergency situation that involves the risk of
15death or serious physical harm.
AB123-SA1,7,1816
c. A provider of information or database management services only for the
17purpose of assisting in the delivery of emergency services in response to an
18emergency.
AB123-SA1,7,1919
6. As otherwise required or authorized by law.
AB123-SA1,7,2420
(d)
Solicitation and exercise of customer approval. 1. A broadband Internet
21access service provider shall request the approval required under par. (a) or (b) at the
22point of sale to a customer and at the time the provider makes a material change to
23its policies concerning the privacy of information that the provider obtains about a
24customer.
AB123-SA1,8,3
12. A broadband Internet access service provider shall request customer
2approval clearly and conspicuously, in language that is readily understandable and
3not misleading, and each request shall include all of the following:
AB123-SA1,8,54
a. A disclosure of the types of customer proprietary information for which the
5provider is seeking customer approval to use, disclose, or permit access to.
AB123-SA1,8,76
b. A disclosure of the purposes for which the customer's proprietary
7information will be used.
AB123-SA1,8,98
c. A disclosure of the categories of entities to which the provider intends to
9disclose or permit access to the customer proprietary information.
AB123-SA1,8,1010
d. A means to easily access the notice required under sub. (2) (a) or (c).
AB123-SA1,8,1111
e. A means to easily access the mechanism required under subd. 3.
AB123-SA1,8,1412
3. A broadband Internet access service provider shall make available, at no
13additional cost to the customer, a mechanism for a customer to grant, deny, or
14withdraw opt-in approval or opt-out approval, or both, at any time.
AB123-SA1,8,1815
4. A broadband Internet access service provider shall give effect to a customer's
16grant, denial, or withdrawal of approval promptly, and the grant, denial, or
17withdrawal of approval shall remain in effect until the customer revokes or limits the
18grant, denial, or withdrawal of approval.
AB123-SA1,8,2319
5. If a broadband Internet access service provider transacts business with a
20customer in a language other than English, the provider shall translate the contents
21required under subd. 2. and the instructions for using the mechanism required under
22subd. 3. into the language through which the provider transacts business with the
23customer.
AB123-SA1,9,3
1(4) Data security. (a) A broadband Internet access service provider shall take
2reasonable security measures to protect customer proprietary information from
3unauthorized use, disclosure, or access.
AB123-SA1,9,64
(b) In implementing reasonable security measures under par. (a), a broadband
5Internet access service provider shall appropriately take into account each of the
6following factors:
AB123-SA1,9,77
1. The nature and scope of the provider's activities.
AB123-SA1,9,88
2. The sensitivity of the data it collects.
AB123-SA1,9,99
3. The size of the provider.
AB123-SA1,9,1010
4. The technical feasibility of implementing the security measures.
AB123-SA1,9,17
11(5) Data breach notification. (a)
Customer notification. 1. Except as provided
12in subd. 4., a broadband Internet access service provider shall, without unreasonable
13delay, notify a customer about any breach of security involving customer proprietary
14information pertaining to that customer within 30 days after the provider reasonably
15determines that a breach of security has occurred unless the provider reasonably
16determines that no harm to the customer is reasonably likely to occur as a result of
17the breach of security.
AB123-SA1,9,1918
2. A broadband Internet access service provider shall notify a customer about
19a breach of security under subd. 1. by at least one of the following methods:
AB123-SA1,9,2320
a. A written notification sent to either the customer's electronic mail address
21or the postal address of record of the customer, or, for former customers, to the last
22postal address ascertainable after reasonable investigation using commonly
23available sources.
AB123-SA1,9,2524
b. Other electronic means of prompt communication agreed upon by the
25customer for contacting that customer for breach of security notification purposes.
AB123-SA1,10,2
13. A broadband Internet access service provider shall provide all of the
2following information in a notice required under subd. 1.:
AB123-SA1,10,33
a. The date, estimated date, or estimated date range of the breach of security.
AB123-SA1,10,64
b. A description of the customer proprietary information that was involved in
5the breach of security or reasonably believed to have been involved in the breach of
6security.
AB123-SA1,10,97
c. Information that the customer may use to contact the provider to inquire
8about the breach of security and the customer proprietary information that the
9provider maintains about that customer.
AB123-SA1,10,1110
d. Information about how to contact the department and any federal agencies
11relevant to the service provided to the customer.
AB123-SA1,10,1612
e. If the breach of security creates a risk of financial harm, information about
13the national credit-reporting agencies and the steps customers can take to guard
14against identity theft, including any credit monitoring, credit reporting, credit
15freezes, or other consumer protections that the provider is offering customers
16affected by the breach of security, including security freezes under s. 100.54.
AB123-SA1,10,1817
4. Upon the request of a law enforcement agency, a broadband Internet access
18service provider shall not disclose a breach of security to a customer.
AB123-SA1,10,2419
(b)
Notification to government agencies. 1. Except as provided in subd. 3., a
20broadband Internet access service provider shall notify the department and the
21department of justice of any breach of security affecting 5,000 or more customers no
22later than 7 business days after the provider reasonably determines that a breach
23of security has occurred and at least 3 business days before notifying the affected
24customers under par. (a) 1.
AB123-SA1,11,4
12. Except as provided in subd. 3., a broadband Internet access service provider
2shall, without unreasonable delay, notify the department of any breach of security
3affecting fewer than 5,000 customers within 30 days after the provider reasonably
4determines that a breach of security has occurred.
AB123-SA1,11,75
3. A broadband Internet access service provider is not required to notify the
6department under subd. 1. or 2. if it reasonably determines that no harm to
7customers is reasonably likely to occur as a result of the breach of security.
AB123-SA1,11,118
(c)
Record keeping. 1. Except as provided in subd. 3., a broadband Internet
9access service provider shall maintain a record, electronically or in some other
10manner, of each breach of security and the notifications made to customers under
11par. (a) 1. regarding that breach. The record shall include all of the following:
AB123-SA1,11,1312
a. The date that the provider first determines that the breach of security
13occurred.
AB123-SA1,11,1414
b. The date that customers were notified.
AB123-SA1,11,1515
c. A written copy of all customer notifications.
AB123-SA1,11,1816
2. A broadband Internet access service provider shall retain the record required
17under subd. 1. for at least 2 years from the date on which the provider first
18determines that the breach of security occurred.
AB123-SA1,11,2119
3. A broadband Internet access service provider is not required to maintain a
20record under subd. 1. if it reasonably determines that no harm to customers is
21reasonably likely to occur as a result of the breach of security.
AB123-SA1,11,25
22(6) Internet access service offers conditioned on waiver of privacy. (a) A
23broadband Internet access service provider may not refuse to provide broadband
24Internet access service because a customer or prospective customer does not provide
25approval required under sub. (3) (a) or (b).
AB123-SA1,12,4
1(b) A broadband Internet access service provider that offers a financial
2incentive program, such as lower rates, in exchange for a customer's approval to use,
3disclose, or permit access to the customer's proprietary information shall do all of the
4following:
AB123-SA1,12,65
1. Provide a notice explaining the terms of the financial incentive program that
6includes all of the following:
