3. A specific description of the categories of entities to which the broadband 25
Internet access service provider discloses or permits to access customer proprietary
information and the purposes for which that information will be used by each 2
category of entities.
4. A specific description of the customer's rights to grant, deny, or withdraw 4
approval concerning the customer's proprietary information, including each of the 5
a. A statement that the customer's denial or withdrawal of approval to use, 7
disclose, or permit access to customer proprietary information will not affect the 8
provision of any broadband Internet access services to the customer.
b. A statement that any grant, denial, or withdrawal of approval for the use, 10
disclosure, or permission of access to customer proprietary information is valid until 11
the customer affirmatively revokes the grant, denial, or withdrawal.
c. A statement that the customer has the right to deny or withdraw approval 13
to use, disclose, or permit access to customer proprietary information at any time.
5. Access to a mechanism required under sub. (3) (d) 3.
A broadband Internet access service 16
provider shall provide a notice, through electronic mail or another means of prompt 17
communication agreed upon by the customer, to a customer of a material change to 18
its policies concerning the privacy of information that the provider obtains about the 19
customer. The notice shall include all of the following:
1. A specific description of the changes made to the provider's privacy policies, 21
including any changes to what customer proprietary information the provider 22
collects; how the provider uses, discloses, or permits access to that information; the 23
categories of entities to which it discloses or permits access to customer proprietary 24
information; and which, if any, changes are retroactive.
2. The description required under par. (b) 4.
3. Access to a mechanism required under sub. (3) (d) 3.
(d) When translation required
. If a broadband Internet access service provider 3
transacts business with a customer in a language other than English, the provider 4
shall translate the contents of the notices required under pars. (b) and (c) into the 5
language through which the provider transacts business with the customer.
6(3) Customer approval
Opt-in approval required
. Except as provided 7
under par. (c), a broadband Internet access service provider may not do any of the 8
following unless the provider obtains opt-in approval from the customer:
1. Use, disclose, or permit access to any of the customer's sensitive customer 10
2. Use, disclose, or permit access to any of the customer's proprietary 12
information previously collected by the provider for which the customer has not 13
previously granted approval under this paragraph or par. (b).
(b) Opt-out approval required
. 1. Except as provided under subd. 2. or par. (c), 15
a broadband Internet access service provider may not use, disclose, or permit access 16
to any of a customer's non-sensitive customer proprietary information unless the 17
provider obtains opt-out approval from the customer.
2. A broadband Internet access service provider may obtain opt-in approval 19
from a customer to use, disclose, or permit access to any of the customer's 20
non-sensitive customer proprietary information.
(c) Permissible use without customer approval
. A broadband Internet access 22
service provider may use, disclose, or permit access to customer proprietary 23
information without approval from the customer under par. (a) or (b) only for the 24
1. To provide the broadband Internet access service from which the information 2
is derived, or in its provision of services necessary to, or used in, the provision of that 3
2. To initiate, render, bill, or collect for broadband Internet access service.
3. To protect the rights or property of the broadband Internet access service 6
provider, or to protect users of the broadband Internet access service and other 7
providers from fraudulent, abusive, or unlawful use of the service.
4. To provide any marketing, referral, or administrative services to a customer 9
for the duration of a real-time interaction if the interaction was initiated by the 10
5. To provide location information or non-sensitive customer proprietary 12
information to any of the following:
a. A public safety answering point, as defined in s. 256.35 (1) (gm), emergency 14
medical service provider, emergency dispatch provider, public safety official, fire 15
service official, law enforcement official, or hospital emergency or trauma care 16
facility, in order to respond to the user's request for emergency services.
b. The user's legal guardian or a member of the user's immediate family, to 18
inform about the user's location in an emergency situation that involves the risk of 19
death or serious physical harm.
c. A provider of information or database management services only for the 21
purpose of assisting in the delivery of emergency services in response to an 22
6. As otherwise required or authorized by law.
(d) Solicitation and exercise of customer approval
. 1. A broadband Internet 25
access service provider shall request the approval required under par. (a) or (b) at the
point of sale to a customer and at the time the provider makes a material change to 2
its policies concerning the privacy of information that the provider obtains about a 3
2. A broadband Internet access service provider shall request customer 5
approval clearly and conspicuously, in language that is readily understandable and 6
not misleading, and each request shall include all of the following:
a. A disclosure of the types of customer proprietary information for which the 8
provider is seeking customer approval to use, disclose, or permit access to.
b. A disclosure of the purposes for which the customer's proprietary 10
information will be used.
c. A disclosure of the categories of entities to which the provider intends to 12
disclose or permit access to the customer proprietary information.
d. A means to easily access the notice required under sub. (2) (a) or (c).
e. A means to easily access the mechanism required under subd. 3.
3. A broadband Internet access service provider shall make available, at no 16
additional cost to the customer, a mechanism for a customer to grant, deny, or 17
withdraw opt-in approval or opt-out approval, or both, at any time.
4. A broadband Internet access service provider shall give effect to a customer's 19
grant, denial, or withdrawal of approval promptly, and the grant, denial, or 20
withdrawal of approval shall remain in effect until the customer revokes or limits the 21
grant, denial, or withdrawal of approval.
5. If a broadband Internet access service provider transacts business with a 23
customer in a language other than English, the provider shall translate the contents 24
required under subd. 2. and the instructions for using the mechanism required under
subd. 3. into the language through which the provider transacts business with the 2
3(4) Data security
. (a) A broadband Internet access service provider shall take 4
reasonable security measures to protect customer proprietary information from 5
unauthorized use, disclosure, or access.
(b) In implementing reasonable security measures under par. (a), a broadband 7
Internet access service provider shall appropriately take into account each of the 8
1. The nature and scope of the provider's activities.
2. The sensitivity of the data it collects.
3. The size of the provider.
4. The technical feasibility of implementing the security measures.
13(5) Data breach notification
. (a) Customer notification
. 1. Except as provided 14
in subd. 4., a broadband Internet access service provider shall, without unreasonable 15
delay, notify a customer about any breach of security involving customer proprietary 16
information pertaining to that customer within 30 days after the provider reasonably 17
determines that a breach of security has occurred unless the provider reasonably 18
determines that no harm to the customer is reasonably likely to occur as a result of 19
the breach of security.
2. A broadband Internet access service provider shall notify a customer about 21
a breach of security under subd. 1. by at least one of the following methods:
a. A written notification sent to either the customer's electronic mail address 23
or the postal address of record of the customer, or, for former customers, to the last 24
postal address ascertainable after reasonable investigation using commonly 25
b. Other electronic means of prompt communication agreed upon by the 2
customer for contacting that customer for breach of security notification purposes.
3. A broadband Internet access service provider shall provide all of the 4
following information in a notice required under subd. 1.:
a. The date, estimated date, or estimated date range of the breach of security.
b. A description of the customer proprietary information that was involved in 7
the breach of security or reasonably believed to have been involved in the breach of 8
c. Information that the customer may use to contact the provider to inquire 10
about the breach of security and the customer proprietary information that the 11
provider maintains about that customer.
d. Information about how to contact the department and any federal agencies 13
relevant to the service provided to the customer.
e. If the breach of security creates a risk of financial harm, information about 15
the national credit-reporting agencies and the steps customers can take to guard 16
against identity theft, including any credit monitoring, credit reporting, credit 17
freezes, or other consumer protections that the provider is offering customers 18
affected by the breach of security, including security freezes under s. 100.54.
4. Upon the request of a law enforcement agency, a broadband Internet access 20
service provider shall not disclose a breach of security to a customer.
(b) Notification to government agencies
. 1. Except as provided in subd. 3., a 22
broadband Internet access service provider shall notify the department and the 23
department of justice of any breach of security affecting 5,000 or more customers no 24
later than 7 business days after the provider reasonably determines that a breach
of security has occurred and at least 3 business days before notifying the affected 2
customers under par. (a) 1.
2. Except as provided in subd. 3., a broadband Internet access service provider 4
shall, without unreasonable delay, notify the department of any breach of security 5
affecting fewer than 5,000 customers within 30 days after the provider reasonably 6
determines that a breach of security has occurred.
3. A broadband Internet access service provider is not required to notify the 8
department under subd. 1. or 2. if it reasonably determines that no harm to 9
customers is reasonably likely to occur as a result of the breach of security.
(c) Record keeping
. 1. Except as provided in subd. 3., a broadband Internet 11
access service provider shall maintain a record, electronically or in some other 12
manner, of each breach of security and the notifications made to customers under 13
par. (a) 1. regarding that breach. The record shall include all of the following:
a. The date that the provider first determines that the breach of security 15
b. The date that customers were notified.
c. A written copy of all customer notifications.
2. A broadband Internet access service provider shall retain the record required 19
under subd. 1. for at least 2 years from the date on which the provider first 20
determines that the breach of security occurred.
3. A broadband Internet access service provider is not required to maintain a 22
record under subd. 1. if it reasonably determines that no harm to customers is 23
reasonably likely to occur as a result of the breach of security.
24(6) Internet access service offers conditioned on waiver of privacy
. (a) A 25
broadband Internet access service provider may not refuse to provide broadband
Internet access service because a customer or prospective customer does not provide 2
approval required under sub. (3) (a) or (b).
(b) A broadband Internet access service provider that offers a financial 4
incentive program, such as lower rates, in exchange for a customer's approval to use, 5
disclose, or permit access to the customer's proprietary information shall do all of the 6
1. Provide a notice explaining the terms of the financial incentive program that 8
includes all of the following:
a. An explanation that the program requires opt-in approval from the 10
customer to use, disclose, or permit access to the customer's proprietary information.
b. Information about what customer proprietary information the provider will 12
collect, how it will be used, and the categories of entities with which it will be shared 13
and for what purposes.
c. Information, prominently displayed, about the equivalent service plan that 15
does not necessitate the use, disclosure, or access to customer proprietary 16
information beyond that required or permitted under sub. (3) (c).
2. Obtain opt-in approval from the customer for consent to participate in the 18
financial incentive program.
3. Provide the notice required under subd. 1. at the time the program is offered 20
to a customer and at the time that a customer elects to participate in the program.
4. Make the notice required under subd. 1. easily accessible and available 22
separate from any other privacy notifications, including the notifications required 23
under sub. (2) (a) or (c).
5. If the provider transacts business with a customer in a language other than 2
English, translate the contents required under subd. 1. into the language through 3
which the provider transacts business with the customer.
6. If the customer grants the opt-in approval required under subd. 2., a 5
broadband Internet access service provider shall make available a mechanism for 6
the customer to withdraw approval for participation in the financial incentive 7
program under this paragraph at any time.
8(7) Remedies and penalties
. (a) 1. A person or class of persons adversely 9
affected by a broadband Internet access service provider's violation of this section 10
has a claim for appropriate relief, including damages, injunctive relief, and 11
rescission and may bring an action in circuit court against the broadband Internet 12
access service provider.
2. Notwithstanding s. 814.04 (1), a person or class of persons entitled to relief 14
under subd. 1 may recover costs, disbursements, and reasonable attorney fees.
(b) 1. Any of the following may bring an action in circuit court in the name of 16
the state to restrain by temporary or permanent injunction any violation of this 17
a. The department.
b. The department of justice, after consulting with the department.
c. Any district attorney, upon informing the department.
2. Before entry of final judgment, the court may make any order or judgment 22
necessary to restore to any person any pecuniary loss suffered because of a violation 23
that is the subject of the action under subd. 1., if proof of the violation is submitted 24
to the satisfaction of the court.
(c) 1. For any violation of this section, the department of justice, after 2
consulting with the department, or the district attorney for the county where the 3
violation occurs, upon informing the department, may commence an action in the 4
name of the state to recover a forfeiture of not more than $50,000 for the first 5
violation and not more than $100,000 for each subsequent violation.
2. Each occasion that a broadband Internet access service provider uses, 7
discloses, or permits access to an individual customer's proprietary information in 8
violation of sub. (3) (a) or (b) constitutes a separate violation.”.
196.504 (1) (a) of the statutes is renumbered 196.504 (1) (ad), 11
and 196.504 (1) (ad) 2., as renumbered, is amended to read:
(ad) 2. A telecommunications utility
that has not received or
13applied for A-CAM or phase II support
196.504 (1) (aa) of the statutes is created to read:
(aa) “A-CAM support” means support for the deployment of voice 16
and broadband-capable networks from the federal Connect America Fund that is 17
made to telecommunications utilities regulated as rate-of-return carriers by the 18
federal communications commission and that is based on the federal 19
communications commission's Alternative Connect America Cost Model.
196.504 (1) (ab) of the statutes is created to read:
(ab) “Broadband infrastructure” means infrastructure for the 22
provision of broadband service at a minimum download speed of 25 megabits per 23
second and a minimum upload speed of 3 megabits per second.”.