PRINTER'S NO. 1581
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 1093
Session of 2018
INTRODUCED BY HAYWOOD, HUGHES, FONTANA, TARTAGLIONE, LEACH,
COSTA, BREWSTER, RESCHENTHALER, SCHWANK, WARD, BROWNE AND
FARNESE, MARCH 23, 2018
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, MARCH 23, 2018
AN ACT
Amending Titles 12 (Commerce and Trade) and 66 (Public
Utilities) of the Pennsylvania Consolidated Statutes, in
commercial protection, providing for personal information; in
alternative form of regulation of telecommunications
services, further providing for definitions; and making an
editorial change.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Part IV heading of Title 12 of the Pennsylvania
Consolidated Statutes is amended to read:
PART IV
COMMERCIAL [PROTECTION] AND CONSUMER PROTECTIONS
Section 2. Part IV of Title 12 is amended by adding a
chapter to read:
CHAPTER 55
PERSONAL INFORMATION
Sec.
5501. Scope of chapter.
5502. Definitions.
5503. Collection of personal information.
5504. Limitations.
5505. Unfair trade practices.
5506. Invasion of privacy.
5507. Federal law.
§ 5501. Scope of chapter.
This chapter relates to personal information of customers to
be collected and maintained by service providers.
§ 5502. Definitions.
The following words and phrases when used in this chapter
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Call detail information." Information pertaining to the
transmission of specific telephone calls, including the
following:
(1) For an outbound call, the telephone number called
and the time, location or duration of the call.
(2) For an inbound call, the telephone number from which
the call was placed and the time, location or duration of the
call.
"Customer proprietary information." Any of the following
that a telecommunication service provider acquires in connection
with the provision of a telecommunication service:
(1) Individually identifiable customer proprietary
network information.
(2) Personally identifiable information.
(3) Sensitive customer proprietary information.
"Customer proprietary network information." As defined under
section 222(h)(1) of the Communications Act of 1934 (48 Stat.
1064, 47 U.S.C. § 222(h)(1)).
20180SB1093PN1581 - 2 -
"Internet service provider." A person providing a service
which enables users to access content, information, e-mail or
other services offered over the Internet.
"Person." An individual, a corporation, a business trust, an
estate, a trust, a partnership, an association, a joint venture,
a government, a governmental subdivision or agency or another
legal or commercial entity.
"Personal information."
(1) Any of the following:
(i) An individual's last name in combination with
and linked to one or more of the following data elements
when the data elements are not encrypted or redacted:
(A) Social Security number.
(B) Driver's license number or a State
identification card number issued in lieu of a
driver's license.
(C) Financial account number, credit or debit
card number, access code or password that would
permit access to an individual's financial account.
(ii) Call detail information.
(iii) Customer proprietary information.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records.
"Personally identifiable information." Any information that
is linked or reasonably linkable to an individual or device.
"Sensitive customer proprietary information." Includes any
of the following:
(1) Financial information.
(2) Health or medical history information.
(3) Information regarding children.
(4) Social Security number.
(5) Precise geolocation information.
(6) The content of communications.
(7) Web browsing history, application usage history or
the functional equivalent of either history.
"Telecommunication service." Includes, but is not limited
to, a service provided for a charge or compensation to
facilitate the origination, transmission, emission or reception
of signs, signals, data, writings, images and sounds or
intelligence of any nature by telephone, including cell phone,
wire, radio, electromagnetic, photoelectronic or photo-optical
system.
"Telecommunication service provider." A person providing
telecommunication service, including, but not limited to, a
cellular, paging or other wireless communications company
which, for a fee, supplies the facility, cell site, mobile
telephone switching office or other equipment or
telecommunication service.
§ 5503. Collection of personal information.
(a) Prohibition without consent.--Except as otherwise
provided in section 5504 (relating to limitations), a
telecommunication service provider or an Internet service
provider that has entered into a franchise agreement, right-of-way
agreement or contract with the Commonwealth or a political
subdivision, or that uses facilities subject to the agreement or
contract, even if the telecommunication service provider or
Internet service provider is not a party to the agreement or
contract, may not disclose personal information from a customer
resulting from the customer's use of the telecommunication
service provider or Internet service provider without the
express written authorization from the customer.
(b) Impairment of services.--A telecommunication service
provider or an Internet service provider under subsection (a)
may not refuse to provide services to a customer because the
customer has not provided the express written authorization to
collect the customer's personal information.
§ 5504. Limitations.
(a) Disclosure required.--A telecommunication service
provider or an Internet service provider shall disclose personal
information from a customer in any of the following situations:
(1) In accordance with any of the following:
(i) A grand jury subpoena.
(ii) A subpoena, including an administrative
subpoena, issued under authority of law of the United
States, this Commonwealth or another state.
(iii) A court order in a civil proceeding upon a
showing of compelling need for the information that
cannot be accommodated by other means.
(iv) A warrant or court order.
(2) To any of the following:
(i) An investigating or law enforcement officer
while acting as authorized by law.
(ii) A court in a civil action for conversion
commenced by the telecommunication service provider or
Internet service provider or a court in a civil action to
enforce collection of unpaid subscription fees or
purchase amounts, but only to the extent necessary to
establish the fact of the subscription delinquency or
purchase agreement, and with appropriate safeguards
against unauthorized disclosure.
(iii) The customer who is the subject of the
information.
(b) Disclosure permitted.--A telecommunication service
provider or an Internet service provider may disclose personal
information from a customer if the disclosure is incident to the
ordinary course of business and for any of the following
purposes:
(1) To initiate or provide the telecommunication service
or Internet service from which the information is derived, if
the information is necessary or used to provide the service.
(2) To initiate, render, bill for or collect a fee for a
telecommunication service or an Internet service.
(3) To protect the rights or property of the
telecommunication service provider or Internet service
provider or to protect users of the telecommunication service
or Internet service or other providers from fraudulent,
abusive or unlawful use of the service.
(4) To provide inbound marketing, referral or
administrative services to the customer for the duration of a
real-time interaction, if the customer initiated the
interaction.
(5) To provide location information or nonpersonal
information to any of the following:
(i) A public safety answering point, emergency
medical service provider, emergency dispatch provider,
public safety official, fire service official, law
enforcement official, hospital emergency room personnel
or trauma care facility personnel to respond to the
customer's request for emergency services.
(ii) The customer's legal guardian or members of the
customer's immediate family in an emergency situation
involving the risk of death or serious physical harm to
the customer.
(iii) A provider of information or database
management services solely for the purpose of assisting
in the delivery of emergency services in response to an
emergency.
(6) As otherwise required or authorized by law.
(c) Authorization.--
(1) A telecommunication service provider or an Internet
service provider may obtain the customer's authorization to
disclose personally identifiable information in writing or by
electronic means.
(2) A request for authorization shall reasonably
describe the types of persons to whom personally identifiable
information may be disclosed and the anticipated uses of the
information.
(3) For an authorization to be effective, notice to a
customer by a telecommunication service provider or an
Internet service provider shall state that:
(i) the authorization will be obtained by an
affirmative act of the customer; or
(ii) failure of the customer to object after the
request has been made constitutes an authorization of
disclosure.
(4) If included within a broader written contract or
other agreement with a telecommunication service provider or
an Internet service provider, an authorization and notice of
the disclosure of information must be conspicuous.
(5) An authorization under this chapter shall be
effective for no longer than six months but may be extended
for a period not exceeding an additional six months if the
extension is provided in a written and conspicuous manner and
consistent with paragraph (3).
(6) An authorization may be obtained in a manner
consistent with self-regulating guidelines issued by a
representative of the telecommunication service provider or
Internet service provider or an online industry or in another
manner reasonably designed to comply with this chapter.
(7) A customer may terminate an authorization under this
chapter at any time by providing oral or written notice to
the telecommunication service provider or Internet service
provider.
§ 5505. Unfair trade practices.
(a) Enforcement and penalties generally.--Except as provided
in subsection (b), a violation of a provision of this chapter
shall constitute an unfair method of competition and unfair or
deceptive act or practice within the meaning of section 2(4) of
the act of December 17, 1968 (P.L.1224, No.387), known as the
Unfair Trade Practices and Consumer Protection Law, and shall be
subject to the enforcement provisions and civil penalties
contained in the Unfair Trade Practices and Consumer Protection
Law.
(b) Private action.--Notwithstanding section 9.2(a) of the
Unfair Trade Practices and Consumer Protection Law, as a result
of the use or employment by a telecommunication service provider
or an Internet service provider of a method, act or practice in
contravention of the provisions of this chapter, a customer who
suffers an ascertainable loss of money or property, real or
personal, may bring a private action to recover actual damages
or $1,000, whichever is greater, for each violation. The court
may:
(1) award up to three times the actual damages sustained
for each violation, but not less than $1,000 for each
violation;
(2) award costs and reasonable attorney fees to the
plaintiff, in addition to other relief provided under this
chapter and under the Unfair Trade Practices and Consumer
Protection Law; and
(3) provide additional relief as it deems necessary or
proper.
§ 5506. Invasion of privacy.
(a) Criminal penalties.--Subject to subsection (c), a person
maintaining, using or disclosing information which was obtained
in contravention of the provisions of this chapter, whether or
not the person is the telecommunication service provider or
Internet service provider subject to the penalties under section
5505 (relating to unfair trade practices), commits a felony of
the third degree.
(b) Civil liability.--Subject to subsection (c), a person
maintaining, using or disclosing information which was obtained
in contravention of the provisions of this chapter, whether or
not the person is the telecommunication service provider or
Internet service provider subject to the penalties under section
5505, shall be liable to a person damaged by the maintenance,
use or disclosure of the information in an action for invasion
of privacy for the following:
(1) Treble the actual damages proved.
(2) Reasonable attorney fees.
(c) Defense to liability.--A complete defense to criminal
liability under subsection (a) and civil liability under
subsection (b) shall exist if:
(1) the person in good faith relied on a court order
entered under this chapter; or
(2) the use, maintenance or disclosure by the person is
otherwise authorized by law.
§ 5507. Federal law.
The enforcement provisions under this chapter shall be
consistent with Federal law.
Section 3. The definition of "telecommunications carrier" in
section 3012 of Title 66 is amended to read:
§ 3012. Definitions.
The following words and phrases when used in this chapter
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Telecommunications carrier." An entity that provides
telecommunications services subject to the jurisdiction of the
commission. The term includes an "Internet service provider" and
a "telecommunication service provider," as those terms are
defined in 12 Pa.C.S. § 5502 (relating to definitions).
* * *
Section 4. This act shall take effect immediately.