HLS 18RS-972 ORIGINAL

2018 Regular Session

HOUSE BILL NO. 679

BY REPRESENTATIVE JORDAN

COMMERCE: Creates the Internet Privacy and Protection Act

CODING: Words in struck through type are deletions from existing law; words underscored are additions.

AN ACT

To enact Chapter 14 of Title 45 of the Louisiana Revised Statutes of 1950, to be comprised of R.S. 45:1621 through 1626; relative to creating the "Internet Privacy and Protection Act"; to provide for internet privacy and the protection of customer personal information; to provide for definitions; to provide for express consent with respect to disclosures; to require certain reasonable measures and safeguards; to provide for a private right of action for violations; and to provide for related matters.

Be it enacted by the Legislature of Louisiana:

Section 1. Chapter 14 of Title 45 of the Louisiana Revised Statutes of 1950, comprised of R.S. 45:1621 through 1626, is hereby enacted to read as follows:

CHAPTER 14. INTERNET SERVICE PROVIDERS

PART I. INTERNET PRIVACY AND PROTECTION ACT

§1621. Short title

This Part shall be known and may be cited as the "Internet Privacy and Protection Act".

§1622. Definitions

As used in this Part, the following terms and phrases have the meanings herein ascribed to them:

(1)(a) "Broadband Internet access service" means any of the following:
(i) A mass-market retail service provided by wire or radio that enables a customer to transmit data to or receive data from Internet endpoints.
(ii) Any service that the Federal Communications Commission finds is providing a service that is the functional equivalent of the service described in Item (1)(a)(i) of this Paragraph.
(iii) Any service that is incidental to or that enables the operation of the service described in Item (1)(a)(i) of this Paragraph.
(b) "Broadband Internet access service" does not include dial-up Internet access service.
(2) "Broadband Internet access service provider" means a person or entity that provides broadband Internet access service.
(3) "Customer" means either of the following:
(a) A current or former subscriber to broadband Internet access service.
(b) A person applying for a subscription to broadband Internet access service.
(4) "Customer personal information" means any information about an individual customer, including but not limited to the following:
(a) The name of the customer.
(b) The address of the customer.
(c) The billing or other financial information of the customer.
(d) The social security number of the customer.
(e) Any demographic data associated with the customer.
(f) Information about an individual customer’s use of broadband Internet access service, including but not limited to the following:
(i) The customer’s Internet browsing history.
(ii) The customer’s application usage history.
(iii) Any device identifier associated with the customer’s subscription to broadband Internet access service, such as a media access control address, an international mobile equipment identity, or an Internet Protocol address.
(iv) Any Internet Protocol address to which the customer sends or from which the customer receives a communication.
(v) The customer’s precise location.
(vi) The content of the customer’s Internet communications, including information pertaining to the customer’s finances, health, or children.

§1623. Customer personal information; information disclosures; express consent required; prohibitions

A. A broadband Internet access service provider shall not disclose, sell, or permit access to customer personal information, except as permitted in accordance with this Section.
B.(1) A broadband Internet access service provider may disclose, sell, or permit access to customer personal information if the customer gives the broadband Internet access service provider express consent to disclose, sell, or permit access to the customer personal information of the customer.
(2) A customer that provides consent as described in this Subsection may revoke the consent at any time by communicating the revocation to the broadband Internet access service provider. For purposes of this Paragraph, a broadband Internet access service provider shall provide customers with an easily accessible means of communicating a revocation.
C. A broadband Internet access service provider shall not do any of the following on the basis that the customer does not provide consent as described in Subsection B of this Section:
(1) Refuse to provide broadband Internet access service to a customer.
(2) Charge a customer a higher price for broadband Internet access service.
(3) Offer a customer a discount on broadband Internet access service on the basis that the customer provides consent.
D. Without the express consent as provided for in this Section, a broadband Internet access service provider shall not disclose, sell, or permit access to customer personal information to do any of the following:
(1) Directly provide the customer with information about the broadband Internet access service or other communications related services offered by the broadband Internet access service provider.
(2) Initiate or render broadband Internet access service.
(3) Bill and collect unpaid balances owed for broadband Internet access service.
(4) Protect the rights or property of the broadband Internet access service provider, or the rights or property of customers or other broadband Internet access service providers, in cases involving fraud or abusive or unlawful use of, or subscription to, broadband Internet access service.
(5) Comply with a court order.
(6) Provide the precise location of the customer in any of the following circumstances:
(a) In an emergency situation to a public safety answering point, emergency medical services provider, emergency dispatch center, law enforcement officer or agency, fire service professional or agency, hospital, or trauma care facility.
(b) In an emergency situation involving the risk of death or serious bodily harm to the customer’s legal guardian or a member of the customer’s immediate family.
(c) In response to an emergency situation, to providers of information or providers of database management services for the sole purpose of assisting the delivery of emergency services.
(7) Disclose, sell, or permit access to an aggregate dataset from which information that may be used to identify an individual customer has been removed, provided that all persons that have access to the aggregate dataset agree to not use information in the aggregate dataset for purposes of identifying an individual customer.

§1624. Broadband Internet access service providers; reasonable measures and safeguards

A.(1) A broadband Internet access service provider shall employ reasonable measures to protect customer personal information from unauthorized use, disclosure, or access.
(2) In employing such reasonable measures, a broadband Internet access service provider shall consider each of the following factors:
(a) The nature and scope of the activities of the broadband Internet access service provider.
(b) The sensitivity of the data collected by the broadband Internet access service provider.
B. A broadband Internet access service provider shall employ administrative safeguards necessary to protect customer personal information, including but not limited to the following:
(1) Designating one or more employees to coordinate efforts to protect customer personal information.
(2) Identifying reasonably foreseeable internal and external risks associated with the activities of the broadband Internet access service provider.
(3) Assessing whether existing safeguards provide adequate protection from the identified risks.
(4) Training and managing employees in practices and procedures related to protecting customer personal information.
(5) Adjusting existing safeguards in light of changes to business practices or new circumstances.
C. A broadband Internet access service provider shall employ technical safeguards necessary to protect customer personal information, including but not limited to the following:
(1) Assessing risks in the network and software design of the broadband Internet access service.
(2) Assessing risks in the processing, transmission, and storage of information by the broadband Internet access service.
(3) Detecting, preventing, and responding to intrusions upon, attacks against, or system failures of the broadband Internet access service.
(4) Regularly testing and monitoring the effectiveness of key controls and systems of and procedures used to operate the broadband Internet access service.
D. A broadband Internet access service provider shall ensure physical safeguards necessary to protect customer personal information, including but not limited to the following:
(1) Assessing risks in the storage and disposal of information by the broadband Internet access service.
(2) Detecting, preventing, and responding to intrusions upon, attacks against or system failures of the broadband Internet access service.
(3) Protecting against unauthorized access to or use of customer personal information during or after collecting, transporting, destroying, or disposing of customer personal information.
(4) Disposing of customer personal information after the broadband Internet access service provider no longer needs the customer personal information for business purposes or as required by local, state, or federal law.
(5) Any factor or combination of factors described in this Subsection for the purpose of determining whether the factor or combination of factors would enable a person to commit identity theft against a customer.
(6) The technical feasibility of potential measures.
E. A broadband Internet access service provider may take any lawful measure that allows the broadband Internet access service provider to comply with the requirements of this Section.

§1625. Notice

A broadband Internet access service provider shall provide a clear, conspicuous, and nondeceptive notice of the requirements and allowances described in this Part to a customer before such customer subscribes to the broadband Internet access service.

§1626. Violations; right of action

A customer whose customer personal information is disclosed, sold, or to which access is granted in violation of the provisions of this Part is entitled to a private right of action against the broadband Internet access service provider that unlawfully disclosed, sold, or permitted access to the customer personal information.

DIGEST

The digest printed below was prepared by House Legislative Services. It constitutes no part of the legislative instrument. The keyword, one-liner, abstract, and digest do not constitute part of the law or proof or indicia of legislative intent. [R.S. 1:13(B) and 24:177(E)]

HB 679 Original 2018 Regular Session Jordan

Abstract: Creates the Internet Privacy and Protection Act.

Proposed law creates the Internet Privacy and Protection Act. Defines the following terms: "broadband internet access service", "broadband internet access service provider", "customer", and "customer personal information".
Proposed law prohibits a broadband internet access service provider from disclosing, selling, or permitting access to customer personal information, unless the customer provides express consent to such service provider as provided for in proposed law.
Proposed law authorizes the customer to revoke the consent at any time using an easily accessible means of communication provided by the broadband internet access service provider.
Proposed law requires a broadband internet access service provider to employ certain reasonable measures and safeguards, including administrative and technological measures and safeguards, to protect customer personal information.
Proposed law requires a broadband internet access service provider to give a clear, conspicuous, and nondeceptive notice of the requirements and allowances described in proposed law to a customer before the customer subscribes to the broadband internet access service.
Proposed law provides a customer a private right of action against a broadband internet access service provider who disclosed, sold, or otherwise violated the customer relative to the unlawful disclosure of the customer's personal information.
(Adds R.S. 45:1621-1626)