CCPA 9.17 Amended


AMENDED IN SENATE SEPTEMBER 12, 2017
AMENDED IN SENATE AUGUST 21, 2017
AMENDED IN SENATE JUNE 19, 2017
AMENDED IN ASSEMBLY APRIL 27, 2017

California Legislature—2017–18 Regular Session

ASSEMBLY BILL No. 375

Introduced by Assembly Member Chau
(Principal coauthor: Senator Jackson)
(Coauthors: Assembly Members Dababneh, Gloria, and Mark Stone)

February 9, 2017

An act to add Chapter 21.7 (commencing with Section 22550) to Division 8 of the Business and Professions Code, relating to customer privacy.

Legislative Counsel’s Digest

AB 375, as amended, Chau. Communications Broadband Internet access service providers: customer privacy.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit the commercial Internet Web site or online service to conspicuously post, or make available, its privacy policy, as specified. Under existing law, an operator violates this provision only if the operator fails to post its policy within 30 days after being notified of noncompliance. Existing law requires, among other things, that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers and the categories of 3rd-party persons or entities with whom the operator may share that information.

95
AB 375 —2—

Existing law prohibits telephone and telegraph corporations from releasing certain information regarding residential subscribers without their written consent, except in specified circumstances.

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system to specified residents of California, as specified. Existing law requires that disclosure to be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

This bill would enact the California Broadband Internet Privacy Act. The act would require communications providers, defined as providers that offer telecommunications in California for a fee directly to the public, as specified, to notify their customers of their privacy policies. The act act, beginning January 1, 2019, would, except as provided, prohibit those providers broadband Internet access service providers, as defined, from using, disclosing, or permitting access to customer proprietary information, as defined. The act would require those providers to take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access, considering the nature and scope of the provider’s activities, the sensitivity of the data it collects, the size of the provider, and technical feasibility. The act would require those providers to notify an affected customer of any breach of the security of the service that may expose the customer’s proprietary information, as specified, and to maintain a record of any breaches and related notifications made to customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The act act, beginning January 1, 2019, would prohibit a broadband Internet access service provider, as defined, those providers from refusing to provide broadband Internet access service, or in any way limiting that service, to a customer who does not waive his or her privacy rights guaranteed by law or regulation, and would prohibit those providers from charging a customer a penalty, penalizing a customer in any way, or offering a customer a discount or another benefit, as a direct or indirect consequence of a customer’s decision to, or refusal to, waive his or her privacy rights guaranteed by law or regulation.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Chapter 21.7 (commencing with Section 22550) is added to Division 8 of the Business and Professions Code, to read:

Chapter 21.7. California Broadband Internet Privacy Act

22550. This chapter shall be known, and may be cited, as the California Broadband Internet Privacy Act.

22550.5. It is the intent of the Legislature in enacting this chapter to incorporate into statute certain provisions of the Federal Communications Commission Report and Order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (FCC 16-148), which were revoked by Senate Joint Resolution 34 (Public Law 115-22), which became effective April 3, 2017. In adopting the specified provisions incorporated into this act, it is the intent of the Legislature to give consumers greater control over their personal information when accessing the Internet through a broadband Internet access service provider and thereby better protect their own privacy and autonomy. It is also the intent of the Legislature that the consumer protections set forth in this chapter be interpreted broadly and any exceptions interpreted narrowly narrowly, using the Federal Communications Commission Report and Order as persuasive guidance, in order to maximize individual privacy and autonomy.

22551. For purposes of this chapter:

(a) (1) “Aggregate customer information” means collective data that relates to a group or category of customers, from which individual customer identities and characteristics have been removed, that is not linked or reasonably linkable to any individual person, household, or device.

(2) “Aggregate customer information” does not mean one or more individual customer records that have been de-identified.

(a)
(b) “Broadband Internet access service” or “BIAS” means a mass market retail service by wire or radio in California that provides the capability to transmit data and to receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to, and enable the operation of, the communications service, but excluding dial-up Internet access service. The term also encompasses any service that provides a functional equivalent of the service described in this subdivision, or that is used to evade the protections set forth in this chapter.

(b)
(c) (1) “Broadband Internet access service provider” means a person engaged in the provision of broadband Internet access service BIAS to a customer account located in California.

(c) “Breach of security,” “breach,” and “data breach” mean any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.

(d) “Call detail information” means information that pertains to the transmission of specific telephone calls, including the following:

(1) For any call, its time, location, and duration.

(2) For an outbound call, the telephone number called.

(3) For an inbound call, the telephone number from which the call was placed.

(e) “Communications provider” or “provider” means any provider of communications services in California, except that this term does not include aggregators of communications services, as defined in Section 226 of Title 47 of the United States Code. For purposes of this chapter, the term “communications provider” or “provider” shall include a person engaged in the provision of VoIP service or broadband Internet access service.

(f) “Communications service” means the offering of telecommunications in California for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used. For the purposes of this chapter, the term “communications service” shall include VoIP service and broadband Internet access service.

(2) “Broadband Internet access service provider” does not include a premises operator, including a coffee shop, bookstore, airline, private end-user network, or other business that acquires BIAS from a BIAS provider to enable patrons to access the Internet from its respective establishment.

(g)
(d) “Customer” means either of the following:

(1) A current or former subscriber to communications service BIAS in California.

(2) An applicant for communications service BIAS in California.

(h)
(e) “Customer proprietary information” means any of the following that a communications BIAS provider acquires in connection with its provision of communications service: BIAS:

(1) Individually identifiable customer proprietary network information.

(2) Personally identifiable information.

(3) Content of a communication.

(i)
(f) (1) “Customer proprietary network information” or “CPNI” means both of the following:

(A) Information information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a communications service BIAS subscribed to by a customer of a communications BIAS provider, and that is made available to the BIAS provider by the customer solely by virtue of the provider-customer relationship.

(B) Information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a provider.

(2) “Customer proprietary network information” does not include subscriber list information.

(j) “Interconnected Voice over Internet Protocol service” or “VoIP service” means a service that does all of the following:

(1) Enables real-time, two-way voice communications.

(2) Requires a broadband connection from the user’s location.

(3) Requires Internet protocol-compatible customer premises equipment.

(4) Permits users generally to receive calls that originate on the public switched telephone network and to terminate calls to the public switched telephone network.

(2) (A) CPNI includes, but is not limited to, all of the following: broadband service plans, geo-location data, Media Access Control (MAC) addresses and other device identifiers, source and destination Internet Protocol (IP) addresses and domain name information, other information in the network layer protocol headers, traffic statistics, including both short-term and long-term measurements, port information and other transport layer protocol header information, application headers including any information a BIAS provider injects into the application header, application usage, application payload, customer premises equipment, and other customer device information.

(B) CPNI includes any information falling within a CPNI category that the BIAS provider collects or accesses in connection with the provision of BIAS.

(C) CPNI includes information that a BIAS provider causes to be collected or stored on a customer’s device, including customer premises equipment and mobile stations.

(k)
(g) “Material change” means any change that a customer, acting reasonably under the circumstances, would consider important to his or her decisions regarding his or her privacy, including any change to information required by the privacy notice described in Section 22552. privacy.

(h) “Nonsensitive customer proprietary information” means customer proprietary information that is not sensitive customer proprietary information.

(l)
(i) “Opt-in approval” means a method for obtaining customer consent to use, disclose, or permit access to the customer’s proprietary information. This approval method requires that the communications BIAS provider obtain from the customer affirmative, express consent allowing the requested usage, disclosure, or access to the customer proprietary information after the customer is provided appropriate notification of the BIAS provider’s request, consistent with the requirements of this chapter.

(m)
(j) “Opt-out approval” means a method for obtaining customer consent to use, disclose, or permit access to the customer’s proprietary information. Under this approval method, a customer is deemed to have consented to the use or disclosure of, or access to, the customer’s proprietary information if the customer has failed to object to that use, disclosure, or access after the customer is provided appropriate notification of the communications BIAS provider’s request for consent, consistent with the requirements of this chapter.

(n)
(k) “Person” includes an individual, partnership, association, joint-stock company, trust, or corporation.

(o)
(l) “Personally identifiable information” means any information that is linked or reasonably linkable to an individual or device. Information is linked or reasonably linkable to an individual or device if it can reasonably be used on its own, in context, or in combination to identify an individual or device, or to logically associate it with other information about a specific individual or device. Personally identifiable information includes, but is not limited to each of the following: name; address; Social Security number; date of birth; mother’s maiden name; government-issued identifiers, including a driver’s license number; physical address; email address or other online contact information; phone numbers; MAC addresses or other unique device identifiers; IP addresses; and persistent online or unique advertising identifiers.

(p)
(m) “Sensitive customer proprietary information” includes all of the following:

(1) Financial information.
(2) Health information.
(3) Information pertaining to children.
(4) Social security numbers.
(5) Precise geolocation information.
(6) Content of communications.
(7) Call detail information.
(8) Web
(7) (A) Internet Web site browsing history, application usage history, and the functional equivalents of either.

(q) “Telecommunications” means the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.

(B) “Internet Web site browsing history and application usage history” means information from network traffic related to Internet Web site browsing or other applications, including the application layer of that traffic, and information from network traffic indicating the Internet Web site or party with which the customer is communicating, including a domain or IP address.

22552. (a) In addition to the requirements of Chapter 22 (commencing with Section 22575), as applicable, a communications provider shall notify its customers of its privacy policies. The notice shall be clear and conspicuous, and in language that is comprehensible and not misleading, and shall do all of the following:

(1) Specify and describe the types of customer proprietary information that the provider collects by virtue of its provision of communications service and how it uses that information.

(2) Specify and describe under what circumstances the provider discloses or permits access to each type of customer proprietary information that it collects.

(3) Specify and describe the categories of entities to which the provider discloses or permits access to customer proprietary information and the purposes for which the customer proprietary information will be used by each category of entities.

(4) Specify and describe a customer’s opt-in approval and opt-out approval rights with respect to his or her customer proprietary information, including both of the following:

(A) That a customer’s denial or withdrawal of approval to use, disclose, or permit access to customer proprietary information shall not affect the provision of any communications services of which he or she is a customer.

(B) That any grant, denial, or withdrawal of approval for the use, disclosure, or permission of access to the customer proprietary information is valid until the customer affirmatively revokes that grant, denial, or withdrawal. The notice shall inform the customer of his or her right to deny or withdraw access to the proprietary information at any time.

(5) Provide for access to a mechanism for a customer to grant, deny, or withdraw approval for the provider to use, disclose, or provide access to customer proprietary information as required by Section 22553.

(6) Be completely translated into a language other than English if the provider transacts business with the customer in that language.

(b) Notice required under subdivision (a) shall be made pursuant to both of the following requirements:

(1) The provider shall make the notice to a prospective customer at the point of sale, prior to the purchase of service, whether the point of sale is in person, online, over the telephone, or via another means.

(2) The provider shall make the notice persistently available through a clear and conspicuous link on the communications provider’s homepage, the provider’s application if it provides one for account management purposes, and any functional equivalent to the provider’s homepage or application. If a provider does not have an Internet Web site, it shall provide notice to a customer in paper form or another format agreed upon by the customer.

(c) A communications provider shall provide an existing customer with advance notice of one or more material changes to the provider’s privacy policies. The notice shall be clear and conspicuous, in language that is comprehensible and not misleading, and shall satisfy all of the following:

(1) It shall be provided through email or another means of active communication agreed upon by the customer.

(2) It shall specify and describe both of the following:

(A) The changes made to the provider’s privacy policies, including any changes to what customer proprietary information the provider collects, and how it uses, discloses, or permits access to that information, the categories of entities to which it discloses or permits access to customer proprietary information, and which, if any, changes are retroactive.

(B) A customer’s opt-in approval or opt-out approval rights with respect to his or her customer proprietary information, including the material specified in paragraph (4) of subdivision (a).

(3) It shall provide for access to a mechanism for a customer to grant, deny, or withdraw approval for the provider to use, disclose, or permit access to his or her customer proprietary information as required by Section 22553.

(4) It shall be completely translated into a language other than English if the provider transacts business with the customer in that language.

22553.
22552. (a) (1) Except as described in paragraph (2), a communications BIAS provider shall not use, disclose, or permit access to customer proprietary information except with the opt-out or opt-in approval of a customer as described in this section.

(2) A BIAS provider may use, disclose, or permit access to customer proprietary information without customer approval for any of the following purposes:

(A) In its provision of the communications BIAS service from which the information is derived, or in its provision of services necessary to, or used in, the provision of the service.

(B) To initiate, render, bill, and collect for communications service. BIAS.

(C) To protect the rights or property of the BIAS provider, or to protect users of the communications service BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service.

(D) To provide any inbound marketing, referral, or administrative services to the customer for the duration of a real-time interaction, if the interaction was initiated by the customer. interaction.

(E) To provide location information or nonsensitive customer proprietary information to any of the following:

(i) A public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user’s request for emergency services.

(ii) The user’s legal guardian or members of the user’s immediate family of the user’s location in an emergency situation that involves the risk of death or serious physical harm.

(iii) Providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.

(F) To generate an aggregate customer information dataset using customer personal information, or using, disclosing, or permitting access to the aggregate customer information dataset it generated.

(G) For any other lawful purpose if the BIAS provider ensures the customer proprietary information is not individually identifiable by doing all of the following:

(i) Determining that the information is not reasonably linkable to an individual or device.

(ii) Publicly committing to maintain and use the data in a non-individually identifiable fashion and to not attempt to re-identify the data.

(iii) Contractually prohibiting any entity to which it discloses or permits access to the de-identified data from attempting to re-identify the data.

(F)
(H) As otherwise required or authorized by law.

(b) Except as otherwise provided in this section, a communications BIAS provider shall obtain opt-out approval from a customer to use, disclose, or permit access to any of the customer’s nonsensitive customer proprietary information. If it so chooses, a BIAS provider may instead obtain opt-in approval from a customer to use, disclose, or permit access to any of the customer’s nonsensitive customer proprietary information.

(c) Except as otherwise provided in this section, a communications BIAS provider shall obtain opt-in approval from a customer to do either of the following:

(1) Use, disclose, or permit access to any of the customer’s sensitive customer proprietary information.

(2) Make any material retroactive change, including a material change that would result in a use, disclosure, or permission of access to any of the customer’s proprietary information previously collected by the BIAS provider for which the customer did not previously grant approval, either through opt-in or opt-out consent, as required by subdivision (b) and this subdivision.

(d) (1) Except as described in subdivision (a), a communications BIAS provider shall, at a minimum, solicit customer approval pursuant to subdivision (b) or (c), as applicable, at the point of sale and when making one or more material changes to privacy policies. The solicitation may be part of, or the same communication as, a notice required by Section 22552.

(2) A provider’s solicitation of customer approval shall be clear and conspicuous, and in language that is comprehensible and not misleading. The solicitation shall disclose all of the following:

(A) The types of customer proprietary information that the BIAS provider is seeking customer approval to use, disclose, or permit access to.

(B) The purposes for which the customer proprietary information will be used.

(C) The categories of entities to which the BIAS provider intends to disclose or permit access to the customer proprietary information.

(D) A means to easily access the notice required by subdivision (a) of Section 22552 and a means to access the mechanism required by subdivision (e).

(3) A BIAS provider’s solicitation of customer approval shall be completely translated into a language other than English if the BIAS provider transacts business with the customer in that language.

(e) A communications BIAS provider shall make available a simple, easy-to-use mechanism for customers a customer to grant, deny, or withdraw opt-in approval and opt-out approval at any time. The mechanism shall be clear and conspicuous, in language that is comprehensible and not misleading, and made available at no additional cost to the customer. The mechanism shall be persistently available on or through the BIAS provider’s homepage on its Internet Web site, the BIAS provider’s application if it provides one for account management purposes, and any functional equivalent to the BIAS provider’s homepage or application. If the BIAS provider does not have an Internet Web site, a homepage, it shall provide a persistently available mechanism by another means such as a toll-free telephone number. The customer’s grant, denial, or withdrawal of approval shall be given effect promptly and remain in effect until the customer revokes or limits the grant, denial, or withdrawal of approval.

22554. (a) In addition to the requirements of Section 1798.81.5 of the Civil Code, a communications provider shall take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access.

(b) The security measures taken by a communications provider to implement the requirement set forth in this section shall, as appropriate, take into account each of the following factors:

(1) The nature and scope of the provider’s activities.
(2) The sensitivity of the data it collects.
(3) The size of the provider.
(4) Technical feasibility.

(c) A communications provider may employ a lawful security measure that allows it to implement the requirement set forth in this section.

22555. (a) (1) In addition to the requirements of Section 1798.82 of the Civil Code, a communications provider shall notify an affected customer of any breach without unreasonable delay and in any event no later than 30 calendar days after the provider reasonably determines that a breach has occurred, subject to law enforcement needs, unless the provider can reasonably determine that no harm to the customer is reasonably likely to occur as a result of the breach.

(2) A provider required to provide notification to a customer under this subdivision shall provide the notice by one or both of the following methods:

(A) Written notification sent to either the customer’s email address or the postal address on record of the customer, or, for former customers, to the last postal address ascertainable after reasonable investigation using commonly available sources.

(B) Other electronic means of active communications agreed upon by the customer for contacting that customer for data breach notification purposes.

(3) The customer notification required to be provided under this subdivision shall include all of the following:

(A) The date, estimated date, or estimated date range of the breach of security.

(B) A description of the customer proprietary information that was breached or reasonably believed to have been breached.

(C) Information the customer can use to contact the provider to inquire about the breach of security and the customer proprietary information that the provider maintains about that customer.

(D) Information about how to contact the Federal Communications Commission.

line 1 (E)  If the breach creates a risk of financial harm, information


line 2 about the national credit-reporting agencies and the steps the
line 3 customer can take to guard against identity theft, including any
line 4 credit monitoring, credit reporting, credit freezes, or other consumer
line 5 protections the provider is offering customers affected by the
line 6 breach of security.
(b)  A communications provider shall notify the Federal Communications Commission of any breach affecting 5,000 or more customers no later than seven business days after the provider reasonably determines that a breach has occurred and at least three business days before notification to the affected customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. A provider shall notify the Federal Communications Commission of any breach affecting fewer than 5,000 customers without unreasonable delay and no later than 30 calendar days after the provider reasonably determines that a breach has occurred, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.
(c)  A communications provider shall notify the Federal Bureau of Investigation and the United States Secret Service of a breach that affects 5,000 or more customers no later than seven business days after the provider reasonably determines that a breach has occurred and at least three business days before notification to the affected customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.
(d)  A communications provider shall maintain a record, electronically or in some other manner, of any breaches and notifications made to customers, unless the provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The record shall include the dates on which the provider determines that a reportable breach has occurred and the dates of customer notification. The record shall include a written copy of all customer notifications. A provider shall retain the record for a minimum of two years from the date on which it determines that a reportable breach has occurred.
22556. A communications provider may bind itself contractually to privacy and data security regimes other than those described in this chapter for the provision of communications services other than broadband Internet access service to enterprise customers if the provider’s contract with that customer specifically addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for the customer to communicate with the provider about privacy and data security concerns.
22557. 22553. A broadband Internet access service BIAS provider shall not do either of the following:

(a)  Refuse to provide broadband Internet access service, BIAS, or in any way limit that service, to a customer who does not waive his or her privacy rights guaranteed by law or regulation, including this chapter.

(b)  Charge a customer a penalty, penalize a customer in any way, or offer a customer a discount or another benefit, as a direct or indirect consequence of a customer’s decision to, or refusal to, waive his or her privacy rights guaranteed by law or regulation, including this chapter.
22558. 22554. This chapter shall not limit the other statutory rights of a customer or the statutory obligations of a communications BIAS provider, including, but not limited to, the rights and obligations described in this division, Section 1798.82 of the Civil Code, and Article 3 (commencing with Section 2891) of Chapter 10 of Part 2 of Division 1 of the Public Utilities Code.
22559. 22555. The requirements of this chapter shall apply to broadband Internet access service BIAS providers operating within California when providing broadband Internet access service BIAS to their customers who are residents of and physically located in California. Except as described in Section 22556, any Any waiver by the customer of the provisions of this chapter shall be deemed contrary to public policy and shall be void and unenforceable.
22560. 22556. California adopts this chapter pursuant to all inherent state authority under the Tenth Amendment of the United States Constitution and all relevant authority granted and reserved to the states by Title 47 of the United States Code, including the authority to impose requirements necessary to protect public safety and welfare, safeguard the rights of consumers, manage public rights-of-way, and regulate franchises. California further adopts this law pursuant to the inalienable right of privacy granted under the authority of Article I, Section 1 of the California Constitution.
22557. This chapter shall become operative on January 1, 2019.
SEC. 2. The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.