AMENDED IN SENATE JUNE 19, 2017

AMENDED IN ASSEMBLY APRIL 27, 2017

california legislature—2017–18 regular session

ASSEMBLY BILL No. 375

Introduced by Assembly Member Chau

February 9, 2017

An act to repeal Section 20601 of the Business and Professions Code,

relating to video arcades. An act to add Chapter 36 (commencing with
Section 22949.1) to Division 8 of the Business and Professions Code,
relating to customer privacy.

legislative counsel’s digest

AB 375, as amended, Chau. Video arcades. Internet service providers:
customer privacy.
Existing law requires an operator of a commercial Internet Web site
or online service that collects personally identifiable information
through the Internet about individual consumers residing in California
who use or visit the commercial Internet Web site or online service to
conspicuously post, or make available, its privacy policy, as specified.
Under existing law, an operator violates this provision if the operator
fails to post its policy within 30 days after being notified of
noncompliance. Existing law requires, among other things, that the
privacy policy identify the categories of personally identifiable
information that the operator collects about individual consumers and
the categories of 3rd-party persons or entities with whom the operator
may share that information.
This bill would enact the California Broadband Internet Privacy Act.
The bill would prohibit an Internet service provider from using,

97
 AB 375 —2—

disclosing, selling, or permitting access to customer personal

information, except as provided in that act. The bill would authorize a
customer to give prior opt-in consent, which may be revoked by the
customer at any time, to an Internet service provider to use, disclose,
sell, or permit access to that customer’s personal information. The bill
would prohibit an Internet service provider from refusing to serve or
to limit service to a customer who does not provide consent or charging
a customer a penalty or offering a customer a discount or another
benefit based on the customer’s decision to provide consent.
The bill, however, would authorize an Internet service provider to
use, disclose, or permit access to customer personal information, without
customer approval, for specified limited purposes, unless otherwise
prohibited by state law. These purposes would include to comply with
other laws or an administrative or court order, to bill and collect for
Internet access services, and to provide location information concerning
a customer. The bill would require an Internet service provider to
maintain reasonable security procedures to protect customers’ personal
information. The bill would specify that its requirements apply to
Internet service providers operating within California when providing
Internet access services to customers who are residents of and physically
located in California.
Existing law requires a video arcade, as defined, to post a sign
notifying consumers that an industry-created rating system is available
to aid in the selection of a game. Existing law also requires a video
arcade to make a brochure available upon request to consumers
explaining this system.
This bill would repeal the above-described brochure requirement.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.

The people of the State of California do enact as follows:

line 1 SECTION 1. Chapter 36 (commencing with Section 22949.1)

line 2 is added to Division 8 of the Business and Professions Code, to
line 3 read:

97
 —3— AB 375

line 1
line 2 Chapter 36. California Broadband Internet Privacy
line 3 Act
line 4
line 5 22949.1. This chapter shall be known, and may be cited, as
line 6 the California Broadband Internet Privacy Act.
line 7 22949.2. It is the intent of the Legislature in enacting this
line 8 chapter to give consumers greater control over their personal
line 9 information when accessing the Internet through an Internet service
line 10 provider and thereby better protect their own privacy and
line 11 autonomy. It is also the intent of the Legislature that the consumer
line 12 protections set forth in this chapter be interpreted broadly and
line 13 any exceptions interpreted narrowly in order to maximize
line 14 individual privacy and autonomy.
line 15 22949.3. For purposes of this chapter, the following terms
line 16 have the following meanings:
line 17 (a)  “Aggregate customer information” means collective data
line 18 that relates to a group or category of customers, from which
line 19 individual customer identities and characteristics have been
line 20 removed, that is not linked or reasonably linkable to any individual
line 21 person, household, or device. “Aggregate customer information”
line 22 does not mean one or more individual customer records that have
line 23 been deidentified.
line 24 (b)  “Customer” means a current or former subscriber to the
line 25 Internet access service, or an applicant for Internet access service.
line 26 (c)  “Customer personal information” means information
line 27 collected from or about an individual customer or user of the
line 28 customer’s subscription that is made available to the Internet
line 29 service provider by a customer or user of the customer’s
line 30 subscription solely by virtue of the provider-customer relationship,
line 31 including:
line 32 (1)  Name and billing information.
line 33 (2)  Government-issued identifiers, including social security
line 34 number.
line 35 (3)  Information that would permit the physical or online
line 36 contacting of an individual, such as physical address, email
line 37 address, phone number, or IP address.
line 38 (4)  Demographic information, such as date of birth, age, gender,
line 39 race, ethnicity, nationality, religion, or sexual orientation.
line 40 (5)  Financial information.

97
 AB 375 —4—

line 1 (6)  Health information.

line 2 (7)  Information pertaining to minors.
line 3 (8)  Geolocation information.
line 4 (9)  Information from the use of the service, such as Web
line 5 browsing history, application usage history, content of
line 6 communications, and origin and destination Internet Protocol (IP)
line 7 addresses of all traffic.
line 8 (10)  Device identifiers, such as media access control (MAC)
line 9 address or Internet mobile equipment identity (IMEI).
line 10 (11)  Information concerning a customer or user of the
line 11 customer’s subscription that is collected or made available and
line 12 is maintained in personally identifiable form.
line 13 (d)  “Internet access service” means a mass-market retail service
line 14 by wire or radio that provides the capability to transmit data to
line 15 and receive data from all or substantially all Internet endpoints,
line 16 including any capabilities that are incidental to and enable the
line 17 operation of the communications service, but excluding dial-up
line 18 Internet access service. “Internet access service” also encompasses
line 19 any service that the Federal Communications Commission or the
line 20 Public Utilities Commission finds to be providing a functional
line 21 equivalent to the service described in this subdivision.
line 22 (e)  “Internet service provider” means a person or entity
line 23 engaged in the provision of Internet access service, but only to the
line 24 extent that the person or entity is providing Internet access service.
line 25 22949.4. (a)  An Internet service provider shall not use,
line 26 disclose, sell, or permit access to customer personal information,
line 27 except as provided in this chapter.
line 28 (b)  (1)  An Internet service provider may use, disclose, sell, or
line 29 permit access to customer personal information if the customer
line 30 gives the Internet service provider prior opt-in consent, which may
line 31 be revoked by the customer at any time. The mechanism for
line 32 requesting and revoking consent under this subdivision shall be
line 33 clear and conspicuous, as defined in subdivision (c) of Section
line 34 17601, not misleading, in the language primarily used to conduct
line 35 business with the customer, and made available to the customer
line 36 at no additional cost. The mechanism shall also be persistently
line 37 available on or through the Internet service provider’s Internet
line 38 Web site, or mobile application if it provides one for account
line 39 management purposes. If the Internet service provider does not
line 40 have an Internet Web site, it shall provide a persistently available

97
 —5— AB 375

line 1 mechanism by another means, such as a toll-free telephone number.

line 2 The customer’s grant, denial, or withdrawal of consent shall be
line 3 given effect promptly and remain in effect until the customer
line 4 revokes or limits the grant, denial, or withdrawal of consent.
line 5 (2)  The request for consent shall disclose to the customer all of
line 6 the following:
line 7 (A)  The types of customer personal information for which the
line 8 Internet service provider is seeking customer approval to use,
line 9 disclose, sell, or permit access.
line 10 (B)  The purposes for which the customer personal information
line 11 will be used.
line 12 (C)  The categories of entities to which the Internet service
line 13 provider intends to disclose, sell, or permit access to the customer
line 14 personal information.
line 15 (c)  An Internet service provider shall not do either of the
line 16 following:
line 17 (1)  Refuse to serve a customer, or in any way limit services to
line 18 a customer, who does not provide consent under subdivision (b).
line 19 (2)  Charge a customer a penalty, or penalize a customer in any
line 20 way, or offer a customer a discount or another benefit based on
line 21 the customer’s decision to provide or not provide consent under
line 22 subdivision (b).
line 23 (d)  An Internet service provider shall disclose the customer
line 24 personal information of the customer upon affirmative written
line 25 request by the customer, to any person designated by the customer.
line 26 22949.5. (a)  An Internet service provider may use, disclose,
line 27 or permit access to customer personal information without
line 28 customer consent, but only to the extent necessary to achieve the
line 29 stated purpose, in the following circumstances, unless otherwise
line 30 prohibited by state law:
line 31 (1)  To provide the Internet access service from which the
line 32 information is derived, or services necessary to the provision of
line 33 that service.
line 34 (2)  To comply with legal process or other laws, court orders,
line 35 or administrative orders.
line 36 (3)  To initiate, render, bill for, and collect for Internet access
line 37 service.
line 38 (4)  To protect the rights or property of the Internet service
line 39 provider, or to protect customers of those services and other

97
 AB 375 —6—

line 1 carriers from fraudulent, abusive, or unlawful use of, or

line 2 subscription to, those services.
line 3 (5)  To provide location information concerning the customer
line 4 as follows:
line 5 (A)  To a public safety answering point, emergency medical
line 6 service provider, or emergency dispatch provider, public safety,
line 7 fire service, or law enforcement official, or hospital emergency or
line 8 trauma care facility, in order to respond to the customer’s request
line 9 for emergency services.
line 10 (B)  To inform the customer’s legal guardian, members of the
line 11 customer’s family, or a person reasonably believed by the Internet
line 12 service provider, to be a close personal friend of the customer, of
line 13 the customer’s location in an emergency situation that involves
line 14 the risk of death or life-threatening harm.
line 15 (C)  To providers of information or database management
line 16 services solely for purposes of assisting in the delivery of
line 17 emergency services in response to an emergency.
line 18 (b)  Nothing in this chapter shall restrict an Internet service
line 19 provider from generating an aggregate customer information
line 20 dataset using customer personal information, or using, disclosing,
line 21 selling, or permitting access to the aggregate customer information
line 22 dataset it generated.
line 23 (c)  Unless otherwise prohibited by state law, an Internet service
line 24 provider may use, disclose, or permit access to customer personal
line25 information to advertise or market the provider’s
line 26 communications-related services to the customer, provided that
line 27 the customer may opt out of that use, disclosure, or access at any
line 28 time, and the customer is notified of the right to opt out in a manner
line 29 that is clear and conspicuous, as defined in subdivision (c) of
line 30 Section 17601, not misleading, in the language primarily used to
line 31 conduct business with the consumer, persistently available, and
line 32 made available to the customer at no additional cost.
line 33 22949.6. (a)  An Internet service provider shall implement and
line 34 maintain reasonable security procedures and practices appropriate
line 35 to the nature of the information to protect customer personal
line 36 information from unauthorized use, disclosure, access, destruction,
line 37 or modification.
line 38 (b)  An Internet service provider may employ any lawful security
line 39 measures that allow it to comply with the requirements set forth
line 40 in this section.

97
 —7— AB 375

line 1 (c)  An Internet service provider shall not retain a customer’s

line 2 information for longer than is reasonably necessary to accomplish
line 3 the purposes for which the information was collected, unless the
line 4 information is aggregate customer information, or as otherwise
line 5 required by this chapter.
line 6 22949.7. The requirements of this chapter shall apply to
line 7 Internet service providers operating within California when
line 8 providing Internet access service to their customers who are
line 9 residents of and physically located in California. Any waiver by
line 10 the customer of the provisions of this chapter shall be deemed
line 11 contrary to public policy and shall be void and unenforceable.
line 12 22949.8. The provisions of this act are severable. If any
line 13 provision of this act or its application is held invalid, that invalidity
line 14 shall not affect other provisions or applications that can be given
line 15 effect without the invalid provision or application.
line 16 It is the intent of the Legislature that this chapter would have
line 17 been adopted regardless of whether an invalid provision had not
line 18 been included or an invalid application had not been made
line 19 22949.9. California adopts this chapter pursuant to all inherent
line 20 state authority under the Tenth Amendment of the United States
line 21 Constitution and all relevant authority granted and reserved to
line 22 the states by Title 47 of the United States Code, including the
line 23 authority to impose requirements necessary to protect public safety
line 24 and welfare, safeguard the rights of consumers, manage public
line 25 rights-of-way, and regulate franchises. California further adopts
line 26 this law pursuant to the inalienable right of privacy granted under
line 27 the authority of Article I, Section 1 of the California Constitution.
line 28 SECTION 1. Section 20601 of the Business and Professions
line 29 Code is repealed.

97