Internet Privacy Protection Act

Summary: The Internet Privacy Protection Act forbids Internet service providers (ISPs) from using or selling browsing histories, app usage data, geo-locations and other kinds of personal information without their users’ consent.

Based on Maryland SB 1200 and Minnesota SF 1937

BACKGROUND

In October 2016, the Federal Communications Commission established rules to limit how Internet service providers (ISPs) like AT&T, Comcast and Verizon, can use a customer’s personal information. The rules divided customer data into two categories. For sensitive data, ISPs would need active permission from the customer before using: geographic location, children’s information, health information, financial information, Social Security numbers, web browsing history, app usage history, or the content of a customer’s communications. For less-sensitive personal data, ISP’s would need to allow customers to opt-out, including the customer’s name, address, IP address, current subscription level, or anything else. In March 2017, Congress and the President overturned those FCC rules by enacting S.J.Res.34.

A number of state legislatures are now stepping up to protect Internet consumers. The Minnesota Senate passed SF 1937, the Senate Judiciary Committee has approved Illinois SB 1502, and the Maryland Senate passed SB 1200.

SECTION 1. SHORT TITLE

This Act shall be called the “Internet Privacy Protection Act.”

SECTION 2. FINDINGS AND PURPOSE

(A) FINDINGS—The legislature finds that:

  1. In October 2016, the Federal Communications Commission established rules to limit how Internet service providers can use a customer’s personal information.
  2. In March 2017, Congress and the President enacted a measure to cancel the FCC rules.
  3. Such rules are essential to maintain basic privacy rights for residents and this state has the power to protect its residents from the unwanted sale and use of personal information.

(B) PURPOSE—This law is enacted to protect the privacy rights of state residents.

SECTION 3. INTERNET PRIVACY

After section XXX, the following new section XXX shall be inserted:

(A) DEFINITIONS—In this section:

  1. “Browsing history” means information that shows that a consumer has accessed a specific web site.
  2. “Internet service provider” means a person that provides access to the Internet.
  3. “Personally identifying information” means the following information relating to a consumer using an Internet service provider to access the Internet:

a. the consumer’s name, address, Social Security number, geographic location, or web browsing history;
b. the Internet protocol address associated with an electronic device that belongs to the consumer;
c. the content of the customer’s communications with anyone other than the Internet service provider; or
d. any information about the customer’s spouse, children, health, or finances.

(B) RESTRICTION ON INTERNET SERVICE PROVIDERS

  1. An Internet service provider may not sell or transfer a consumer’s personally identifying information to a person without the consumer’s express and affirmative permission.
  2. An Internet service provider may not send or display to a consumer an advertisement that has been selected to be sent or displayed because of the consumer’s browsing history without the consumer’s express and affirmative permission.
  3. An Internet service provider may not refuse to provide its services to a consumer because of the consumer’s refusal to provide express and affirmative permission to the Internet service provider under paragraphs (1) and (2) of this subsection.
  4. This section does not apply to an Internet service provider that transmits a consumer’s personally identifying information in response to a subpoena, summons, warrant, or court order that appears on its face to have been issued in accordance with lawful authority; or to the consumer to whom the personally identifying information pertains.

SECTION 4. EFFECTIVE DATE

This law shall become effective on July 1, 20XX.

 

SHARE