AB807,6,4
1(2) Notice requirements. (a)
When notice required. 1. A broadband Internet
2access service provider shall make a notice available at all times to customers about
3its policies concerning the privacy of the information that the provider obtains about
4customers.
AB807,6,75
2. A broadband Internet access service provider shall notify a prospective
6customer, at the point of sale, prior to a purchase of service, about its policies
7concerning the privacy of information that the provider obtains about customers.
AB807,6,98
(b)
Contents. A broadband Internet access service provider shall include all of
9the following in the notice provided to customers under par. (a):
AB807,6,1210
1. A specific description of the types of customer proprietary information that
11the broadband Internet access service provider collects from providing broadband
12Internet access service and how it uses that information.
AB807,6,1513
2. A specific description of the circumstances under which the broadband
14Internet access service provider discloses or permits access to each type of customer
15proprietary information that it collects.
AB807,6,1916
3. A specific description of the categories of entities to which the broadband
17Internet access service provider discloses or permits to access customer proprietary
18information and the purposes for which that information will be used by each
19category of entities.
AB807,6,2220
4. A specific description of the customer's rights to grant, deny, or withdraw
21approval concerning the customer's proprietary information, including each of the
22following:
AB807,6,2523
a. A statement that the customer's denial or withdrawal of approval to use,
24disclose, or permit access to customer proprietary information will not affect the
25provision of any broadband Internet access services to the customer.
AB807,7,3
1b. A statement that any grant, denial, or withdrawal of approval for the use,
2disclosure, or permission of access to customer proprietary information is valid until
3the customer affirmatively revokes the grant, denial, or withdrawal.
AB807,7,54
c. A statement that the customer has the right to deny or withdraw approval
5to use, disclose, or permit access to customer proprietary information at any time.
AB807,7,66
5. Access to a mechanism required under sub. (3) (d) 3.
AB807,7,117
(c)
Material changes to a privacy policy. A broadband Internet access service
8provider shall provide a notice, through electronic mail or another means of prompt
9communication agreed upon by the customer, to a customer of a material change to
10its policies concerning the privacy of information that the provider obtains about the
11customer. The notice shall include all of the following:
AB807,7,1612
1. A specific description of the changes made to the provider's privacy policies,
13including any changes to what customer proprietary information the provider
14collects; how the provider uses, discloses, or permits access to that information; the
15categories of entities to which it discloses or permits access to customer proprietary
16information; and which, if any, changes are retroactive.
AB807,7,1717
2. The description required under par. (b) 4.
AB807,7,1818
3. Access to a mechanism required under sub. (3) (d) 3.
AB807,7,2219
(d)
When translation required. If a broadband Internet access service provider
20transacts business with a customer in a language other than English, the provider
21shall translate the contents of the notices required under pars. (b) and (c) into the
22language through which the provider transacts business with the customer.
AB807,7,25
23(3) Customer approval. (a)
Opt-in approval required. Except as provided
24under par. (c), a broadband Internet access service provider may not do any of the
25following unless the provider obtains opt-in approval from the customer:
AB807,8,2
11. Use, disclose, or permit access to any of the customer's sensitive customer
2proprietary information.
AB807,8,53
2. Use, disclose, or permit access to any of the customer's proprietary
4information previously collected by the provider for which the customer has not
5previously granted approval under this paragraph or par. (b).
AB807,8,96
(b)
Opt-out approval required. 1. Except as provided under subd. 2. or par. (c),
7a broadband Internet access service provider may not use, disclose, or permit access
8to any of a customer's nonsensitive customer proprietary information unless the
9provider obtains opt-out approval from the customer.
AB807,8,1210
2. A broadband Internet access service provider may obtain opt-in approval
11from a customer to use, disclose, or permit access to any of the customer's
12nonsensitive customer proprietary information.
AB807,8,1613
(c)
Permissible use without customer approval. A broadband Internet access
14service provider may use, disclose, or permit access to customer proprietary
15information without approval from the customer under par. (a) or (b) only for the
16following purposes:
AB807,8,1917
1. To provide the broadband Internet access service from which the information
18is derived, or in its provision of services necessary to, or used in, the provision of that
19service.
AB807,8,2020
2. To initiate, render, bill, or collect for broadband Internet access service.
AB807,8,2321
3. To protect the rights or property of the broadband Internet access service
22provider, or to protect users of the broadband Internet access service and other
23providers from fraudulent, abusive, or unlawful use of the service.
AB807,9,3
14. To provide any marketing, referral, or administrative services to a customer
2for the duration of a real-time interaction if the interaction was initiated by the
3customer.
AB807,9,54
5. To provide location information or nonsensitive customer proprietary
5information to any of the following:
AB807,9,96
a. A public safety answering point, as defined in s. 256.35 (1) (gm), emergency
7medical service provider, emergency dispatch provider, public safety official, fire
8service official, law enforcement official, or hospital emergency or trauma care
9facility, in order to respond to the user's request for emergency services.
AB807,9,1210
b. The user's legal guardian or a member of the user's immediate family, to
11inform about the user's location in an emergency situation that involves the risk of
12death or serious physical harm.
AB807,9,1513
c. A provider of information or database management services only for the
14purpose of assisting in the delivery of emergency services in response to an
15emergency.
AB807,9,1616
6. As otherwise required or authorized by law.
AB807,9,2117
(d)
Solicitation and exercise of customer approval. 1. A broadband Internet
18access service provider shall request the approval required under par. (a) or (b) at the
19point of sale to a customer and at the time the provider makes a material change to
20its policies concerning the privacy of information that the provider obtains about a
21customer.
AB807,9,2422
2. A broadband Internet access service provider shall request customer
23approval clearly and conspicuously, in language that is readily understandable and
24not misleading, and each request shall include all of the following:
AB807,10,2
1a. A disclosure of the types of customer proprietary information for which the
2provider is seeking customer approval to use, disclose, or permit access to.
AB807,10,43
b. A disclosure of the purposes for which the customer's proprietary
4information will be used.
AB807,10,65
c. A disclosure of the categories of entities to which the provider intends to
6disclose or permit access to the customer proprietary information.
AB807,10,77
d. A means to easily access the notice required under sub. (2) (a) or (c).
AB807,10,88
e. A means to easily access the mechanism required under subd. 3.
AB807,10,119
3. A broadband Internet access service provider shall make available, at no
10additional cost to the customer, a mechanism for a customer to grant, deny, or
11withdraw opt-in approval or opt-out approval, or both, at any time.
AB807,10,1512
4. A broadband Internet access service provider shall give effect to a customer's
13grant, denial, or withdrawal of approval promptly, and the grant, denial, or
14withdrawal of approval shall remain in effect until the customer revokes or limits the
15grant, denial, or withdrawal of approval.
AB807,10,2016
5. If a broadband Internet access service provider transacts business with a
17customer in a language other than English, the provider shall translate the contents
18required under subd. 2. and the instructions for using the mechanism required under
19subd. 3. into the language through which the provider transacts business with the
20customer.
AB807,10,23
21(4) Data security. (a) A broadband Internet access service provider shall take
22reasonable security measures to protect customer proprietary information from
23unauthorized use, disclosure, or access.
AB807,11,3
1(b) In implementing reasonable security measures under par. (a), a broadband
2Internet access service provider shall appropriately take into account each of the
3following factors:
AB807,11,44
1. The nature and scope of the provider's activities.
AB807,11,55
2. The sensitivity of the data it collects.
AB807,11,66
3. The size of the provider.
AB807,11,77
4. The technical feasibility of implementing the security measures.
AB807,11,14
8(5) Data breach notification. (a)
Customer notification. 1. Except as provided
9in subd. 4., a broadband Internet access service provider shall, without unreasonable
10delay, notify a customer about any breach of security involving customer proprietary
11information pertaining to that customer within 30 days after the provider reasonably
12determines that a breach of security has occurred unless the provider reasonably
13determines that no harm to the customer is reasonably likely to occur as a result of
14the breach of security.
AB807,11,1615
2. A broadband Internet access service provider shall notify a customer about
16a breach of security under subd. 1. by at least one of the following methods:
AB807,11,2017
a. A written notification sent to either the customer's electronic mail address
18or the postal address of record of the customer, or, for former customers, to the last
19postal address ascertainable after reasonable investigation using commonly
20available sources.
AB807,11,2221
b. Other electronic means of prompt communication agreed upon by the
22customer for contacting that customer for breach of security notification purposes.
AB807,11,2423
3. A broadband Internet access service provider shall provide all of the
24following information in a notice required under subd. 1.:
AB807,11,2525
a. The date, estimated date, or estimated date range of the breach of security.
AB807,12,3
1b. A description of the customer proprietary information that was involved in
2the breach of security or reasonably believed to have been involved in the breach of
3security.
AB807,12,64
c. Information that the customer may use to contact the provider to inquire
5about the breach of security and the customer proprietary information that the
6provider maintains about that customer.
AB807,12,87
d. Information about how to contact the department and any federal agencies
8relevant to the service provided to the customer.
AB807,12,139
e. If the breach of security creates a risk of financial harm, information about
10the national credit-reporting agencies and the steps customers can take to guard
11against identity theft, including any credit monitoring, credit reporting, credit
12freezes, or other consumer protections that the provider is offering customers
13affected by the breach of security, including security freezes under s. 100.54.
AB807,12,1514
4. Upon the request of a law enforcement agency, a broadband Internet access
15service provider shall not disclose a breach of security to a customer.
AB807,12,2116
(b)
Notification to government agencies. 1. Except as provided in subd. 3., a
17broadband Internet access service provider shall notify the department and the
18department of justice of any breach of security affecting 5,000 or more customers no
19later than 7 business days after the provider reasonably determines that a breach
20of security has occurred and at least 3 business days before notifying the affected
21customers under par. (a) 1.
AB807,12,2522
2. Except as provided in subd. 3., a broadband Internet access service provider
23shall, without unreasonable delay, notify the department of any breach of security
24affecting fewer than 5,000 customers within 30 days after the provider reasonably
25determines that a breach of security has occurred.
AB807,13,3
13. A broadband Internet access service provider is not required to notify the
2department under subd. 1. or 2. if it reasonably determines that no harm to
3customers is reasonably likely to occur as a result of the breach of security.
AB807,13,74
(c)
Record keeping. 1. Except as provided in subd. 3., a broadband Internet
5access service provider shall maintain a record, electronically or in some other
6manner, of each breach of security and the notifications made to customers under
7par. (a) 1. regarding that breach. The record shall include all of the following:
AB807,13,98
a. The date that the provider first determines that the breach of security
9occurred.
AB807,13,1010
b. The date that customers were notified.
AB807,13,1111
c. A written copy of all customer notifications.
AB807,13,1412
2. A broadband Internet access service provider shall retain the record required
13under subd. 1. for at least 2 years from the date on which the provider first
14determines that the breach of security occurred.
AB807,13,1715
3. A broadband Internet access service provider is not required to maintain a
16record under subd. 1. if it reasonably determines that no harm to customers is
17reasonably likely to occur as a result of the breach of security.
AB807,13,21
18(6) Internet access service offers conditioned on waiver of privacy. (a) A
19broadband Internet access service provider may not refuse to provide broadband
20Internet access service because a customer or prospective customer does not provide
21approval required under sub. (3) (a) or (b).
AB807,13,2522
(b) A broadband Internet access service provider that offers a financial
23incentive program, such as lower rates, in exchange for a customer's approval to use,
24disclose, or permit access to the customer's proprietary information shall do all of the
25following:
AB807,14,2
11. Provide a notice explaining the terms of the financial incentive program that
2includes all of the following:
AB807,14,43
a. An explanation that the program requires opt-in approval from the
4customer to use, disclose, or permit access to the customer's proprietary information.
AB807,14,75
b. Information about what customer proprietary information the provider will
6collect, how it will be used, and the categories of entities with which it will be shared
7and for what purposes.
AB807,14,108
c. Information, prominently displayed, about the equivalent service plan that
9does not necessitate the use, disclosure, or access to customer proprietary
10information beyond that required or permitted under sub. (3) (c).
AB807,14,1211
2. Obtain opt-in approval from the customer for consent to participate in the
12financial incentive program.
AB807,14,1413
3. Provide the notice required under subd. 1. at the time the program is offered
14to a customer and at the time that a customer elects to participate in the program.
AB807,14,1715
4. Make the notice required under subd. 1. easily accessible and available
16separate from any other privacy notifications, including the notifications required
17under sub. (2) (a) or (c).
AB807,14,2018
5. If the provider transacts business with a customer in a language other than
19English, translate the contents required under subd. 1. into the language through
20which the provider transacts business with the customer.
AB807,14,2421
6. If the customer grants the opt-in approval required under subd. 2., a
22broadband Internet access service provider shall make available a mechanism for
23the customer to withdraw approval for participation in the financial incentive
24program under this paragraph at any time.
AB807,15,5
1(7) Remedies and penalties. (a) 1. A person or class of persons adversely
2affected by a broadband Internet access service provider's violation of this section
3has a claim for appropriate relief, including damages, injunctive relief, and
4rescission and may bring an action in circuit court against the broadband Internet
5access service provider.
AB807,15,76
2. Notwithstanding s. 814.04 (1), a person or class of persons entitled to relief
7under subd. 1. may recover costs, disbursements, and reasonable attorney fees.
AB807,15,108
(b) 1. Any of the following may bring an action in circuit court in the name of
9the state to restrain by temporary or permanent injunction any violation of this
10section:
AB807,15,1111
a. The department.
AB807,15,1212
b. The department of justice, after consulting with the department.
AB807,15,1313
c. Any district attorney, upon informing the department.
AB807,15,1714
2. Before entry of final judgment, the court may make any order or judgment
15necessary to restore to any person any pecuniary loss suffered because of a violation
16that is the subject of the action under subd. 1., if proof of the violation is submitted
17to the satisfaction of the court.
AB807,15,2218
(c) For any violation of this section, the department of justice, after consulting
19with the department, or the district attorney of the county where the violation occurs,
20upon informing the department, may commence an action in the name of the state
21to recover a forfeiture of not more than $50,000 for the first violation and not more
22than $100,000 for each subsequent violation.
AB807,16,3
1(d) A person who intentionally, as defined in s. 939.23 (3), violates this section
2shall be fined not more than $1,000, or imprisoned in the county jail for not more than
390 days or both.