HOUSE BILL NO. 457
INTRODUCED BY D. ZOLNIKOV, B. BENNETT, J. ELLSWORTH, D. DUNN, J. READ, K. SULLIVAN
A BILL FOR AN ACT ENTITLED: "AN ACT PROTECTING THE PRIVACY OF INTERNET ACCESS SERVICE CUSTOMERS; REQUIRING PRIOR AFFIRMATIVE CONSENT BEFORE AN INTERNET ACCESS SERVICE PROVIDER MAY USE A CUSTOMER'S PERSONAL INFORMATION; PROVIDING DEFINITIONS AND EXCEPTIONS; PROVIDING FOR ENFORCEMENT AND PENALTIES; AUTHORIZING RULEMAKING; AND PROVIDING AN APPLICABILITY DATE."
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
NEW SECTION. Section 1. Short title. [Sections 1 through 10 11] may be cited as the "Internet Access Service Customer Privacy Act".
NEW SECTION. Section 2. Purpose. The purpose of [sections 1 through 10 11] is to protect the privacy rights of internet access service customers pursuant to the state's authority under the 10th amendment to the United States constitution.
NEW SECTION. Section 3. Definitions. As used in [sections 1 through 10 11], the following definitions apply:
(1) "Aggregate data" means collective data that relates to a group or category of customers and from which information that could be used to link the data to an individual, household, or device has been removed.
(2) "Customer" means an applicant for or a current or former subscriber to an internet access service.
(3) "Department" means the department of justice created in 2-15-2001.
(4) "Internet access service" or "service" means a retail service that provides the capability to transmit data to and receive data through the internet using a dial-up service, a digital subscriber line, cable modem, fiber optics, wireless radio, satellite, or powerline, or other similar technology.
(5) "Personal information" means the following information about a customer collected by a provider either as information provided by the customer or collected by the provider about the customer's internet usage and the content or purpose of a customer's communications:
(a) name and billing information;
(b) government-issued identification, such as a social security number, driver's license number, or state-issued identification number;
(c) a physical address, e-mail address, or phone number;
(d) demographic information, such as date of birth, age, race, ethnicity, nationality, religion, political beliefs, gender, sexual orientation, and whether the customer is single, married, divorced, or has children;
(e) financial information, such as income, credit history, and history of online purchases;
(f) health information, such as health concerns, medical conditions, or medical history;
(g) information relating to the amount and type of usage by the customer of the provider's service, such as internet browsing history, application use history, timing of usage, quantity of usage, and the origin and destination internet protocol addresses for internet traffic; and
(h) device identifiers, such as a media access control address, an international mobile equipment identity number, or an internet protocol address, and including information that could be linked or used to identify a customer's device.
(6) "Provider" means an entity that provides an internet access service to customers residing in the state.
NEW SECTION. Section 4. Use of customer personal information restricted. A provider may use, disclose, sell, or permit access to a customer's personal information only as provided in [sections 1 through 10 11].
NEW SECTION. Section 5. Consumer's affirmative prior consent required for provider use of personal information. (1) Except as provided in [section 6], before a provider may use, disclose, sell, or permit access to a customer's personal information, the provider shall first obtain the affirmative express opt-in consent of the customer.
(2) A provider's mechanism for obtaining a customer's consent must be clear, conspicuous, and readily available to the customer and allow the customer to grant, deny, revise, or revoke consent at any time.
(3) The provider shall ensure that a customer's choices related to consent under this section are promptly given full effect and remain in effect until changed by the customer.
(4) A provider may not refuse service to a customer or charge higher fees to a customer based on the customer's choices concerning personal information.
NEW SECTION. Section 6. Exceptions to opt-in consent requirement. (1) A provider may use, disclose, sell, or permit access to a customer's personal information without prior affirmative express opt-in consent if the use, disclosure, sale, or access is necessary to:
(a) provide internet service to the customer;
(b) comply with a legal requirement, court order, or administrative order by a duly authorized public agency;
(c) bill or collect payment for the provider's services;
(d) protect the rights or property of the provider, other providers, or the customer from fraudulent, abusive, or unlawful use of or subscription to the provider's network;
(e) provide the customer's location information to:
(i) assist emergency service or law enforcement responders if the customer requests emergency services;
(ii) assist the customer's legal guardian, family member, or other person in the case of an emergency that could reasonably involve risk of death or serious injury; or
(f) inform an information or database management service assisting in the delivery of emergency services to the customer.
(2) A provider may use, disclose, sell, or permit access to a customer's personal information to advertise or market the provider's services to the customer if the provider allows the customer to opt out of the advertising or marketing.
NEW SECTION. Section 7. Use of aggregated customer data authorized. Nothing in [sections 1 through 10 11] restricts a provider from generating aggregated customer data or using, disclosing, selling, or permitting access to aggregated customer data.
NEW SECTION. Section 8. Customer rights not waivable. (1) A provider may not ask a customer to waive the customer's rights under [sections 1 through 10 11].
(2) Nothing in [sections 1 through 10 11] may be construed as allowing a customer to waive the customer's rights under [sections 1 through 10 11].
NEW SECTION. Section 9. Small business exemption -- prior consent required for sale. A provider with annual revenue of $3 million or less is exempt from the provisions of [sections 1 through 10 11] except that the provider may not sell a customer's personal information or aggregated data that includes data about a customer without the customer's prior express consent.
NEW SECTION. Section 10. Department enforcement -- penalties -- disposition of fines -- rulemaking. (1) Whenever the department has reason to believe that a provider is using, has used, or is about to knowingly use any method, act, or practice that would be a violation of a provision of [sections 1 through 10 11] and that proceeding would be in the public interest, the department may bring an action in the name of the state against the provider to restrain by temporary or permanent injunction or temporary restraining order the use of the unlawful method, act, or practice upon giving appropriate notice to the provider.
(2) In a proceeding pursuant to this section, the provisions of 30-14-111(2) and (3), 30-14-112 through 30-14-115, 30-14-121, 30-14-122, 30-14-131, and 30-14-134 apply.
(3) (a) In an action brought pursuant to this section, upon a court determination of a violation of a provision of [sections 1 through 10 11], the department may recover a civil fine of not more than $10,000 for each violation of a provision of [sections 1 through 10 11]. A fine under this subsection (3)(a) is in addition to any other fine provided by law to which the provider may be subject.
(b) All civil fines, costs, and fees received or recovered pursuant to this section must be deposited into a state special revenue account to the credit of the department and must be used to defray the expenses of the department in discharging its administrative and regulatory powers and duties in relation to this section. Any excess civil fines, costs, or fees must be transferred to the general fund.
(4) The department may adopt rules to implement the provisions of [sections 1 through 10 11].
NEW SECTION. SECTION 11. NO PRIVATE RIGHT OF ACTION. A PRIVATE PERSON OR ENTITY MAY NOT BRING ANY ACTION TO ENFORCE ANY PROVISION OF [SECTIONS 1 THROUGH 11].
NEW SECTION. Section 12. Codification instruction. [Sections 1 through 10 11] are intended to be codified as an integral part of Title 30, chapter 14, and the provisions of Title 30, chapter 14, apply to [sections 1 through 10 11].
NEW SECTION. Section 13. Severability. If a part of [this act] is invalid, all valid parts that are severable from the invalid part remain in effect. If a part of [this act] is invalid in one or more of its applications, the part remains in effect in all valid applications that are severable from the invalid applications.
NEW SECTION. Section 14. Applicability. [This act] applies to contracts between providers and customers entered into or renewed on or after [the effective date of this act].
- END -
New language in a bill appears underlined, deleted material appears stricken.