SP0566
LD 1610
Session - 128th Maine Legislature
 
LR 2315
Item 1
Bill Tracking, Additional Documents Chamber Status

An Act To Protect Privacy of Online Customer Personal Information

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 35-A MRSA c. 94  is enacted to read:

CHAPTER 94

BROADBAND INTERNET ACCESS SERVICE CUSTOMER PRIVACY

§ 9301 Privacy of broadband Internet access service customer personal information

1 Definitions.   As used in this section, unless the context otherwise indicates, the following terms have the following meanings.
A "Broadband Internet access service" means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.
B "Customer" means an applicant for or a current or former subscriber of broadband Internet access service.
C "Customer personal information" means:

(1) Personally identifying information about a customer, including the customer's name, billing information, social security number, billing address and demographic data; and

(2) Information from a customer's use of broadband Internet access service, including:

(a) The customer's web browsing history;

(b) The customer's application usage history;

(c) The customer's precise geolocation information;

(d) The customer's financial information;

(e) The customer's health information;

(f) Information pertaining to the customer's children;

(g) The customer's device identifier, such as a media access control address, international mobile equipment identity or Internet protocol address;

(h) The content of the customer's communications; and

(i) The origin and destination Internet protocol addresses.

D "Provider" means a person who provides broadband Internet access service.
2 Privacy of customer personal information.   A provider may not use, disclose, sell or permit access to customer personal information, except as provided in subsections 3 and 4.
3 Customer consent exception.   Consent of a customer is governed by this subsection.
A A provider may use, disclose, sell or permit access to a customer's customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access. A customer may revoke the customer's consent under this paragraph at any time.
B A provider may not:

(1) Refuse to serve a customer who does not provide consent under paragraph A; or

(2) Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph A.

C A provider may use, disclose, sell or permit access to information the provider collects pertaining to a customer that is not customer personal information, except upon written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to that information.
4 Other exceptions.   Notwithstanding the provisions of subsections 2 and 3, a provider may collect, retain, use, disclose, sell and permit access to customer personal information without customer approval:
A For the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service;
B To advertise or market the provider's communications-related services to the customer;
C To comply with a lawful court order;
D To initiate, render, bill for and collect payment for broadband Internet access service;
E To protect users of the provider's or other providers' services from fraudulent, abusive or unlawful use of or subscription to such services; and
F To provide geolocation information concerning the customer to:

(1) For the purpose of responding to a customer's call for emergency services, a public safety answering point; a provider of` emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility;

(2) The customer's legal guardian or a member of the customer's immediate family in an emergency situation that involves the risk of death or serious physical harm; or

(3) A provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency.

5 Security of customer personal information.   A provider shall take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.
A In implementing security measures required by this subsection, a provider shall take into account each of the following factors:

(1) The nature and scope of the provider's activities;

(2) The sensitivity of the data the provider collects;

(3) The size of the provider; and

(4) The technical feasibility of the security measures.

B A provider may employ any lawful measure that allows the provider to comply with the requirements of this subsection.
6 Notice required.   A provider shall provide to each of the provider's customers a clear, conspicuous and nondeceptive notice at the point of sale and on the provider's publicly accessible website of the provider's obligations and a customer's rights under this section.
7 Applicability.   The requirements of this section apply to providers operating within the State when providing broadband Internet access service to customers that are physically located and billed for service received in the State.

summary

This bill prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The bill provides other exceptions under which a provider may use, disclose, sell or permit access to customer personal information. The bill prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access. The bill requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. The provisions of the bill apply to providers operating within the State when providing broadband Internet access service to customers that are billed for service received in the State and are physically located in the State.


Top of Page