BILL AS INTRODUCED H.159
2023 Page 1 of 13
1 H.159
2 Introduced by Representative Sibilia of Dover
3 Referred to Committee on
4 Date:
5 Subject: Communications; broadband Internet access service; customer
6 privacy
7 Statement of purpose of bill as introduced: This bill proposes to enact the
8 Vermont Broadband Internet Access Service Privacy Act.
9 An act relating to the Vermont Broadband Internet Access Service Privacy
10 Act
11 It is hereby enacted by the General Assembly of the State of Vermont:
12 Sec. 1. 9 V.S.A. chapter 61A is added to read:
13 CHAPTER 61A. BROADBAND INTERNET ACCESS SERVICE
14 PRIVACY
15 § 2411. TITLE
16 This chapter shall be known as the Vermont Broadband Internet Access
17 Service Privacy Act.
18 § 2412. LEGISLATIVE INTENT
19 It is the intent of the General Assembly in enacting this chapter to
20 incorporate into statute certain provisions of the Federal Communications VT LEG #364903 v.1
1 Commission Report and Order “Protecting the Privacy of Customers of
2 Broadband and Other Telecommunications Services” (FCC 16-148), which
3 were revoked by Senate Joint Resolution 34 (Public Law 115-22), effective
4 April 3, 2017. In adopting these provisions, it is the intent of the General
5 Assembly to give consumers greater control over their personal information
6 when accessing the Internet through a broadband Internet access service
7 provider and thereby better protect their privacy and autonomy. It is also the
8 intent of the General Assembly that the consumer protections set forth in this
9 chapter be interpreted broadly and any exceptions interpreted narrowly, using
10 the Federal Communications Commission Report and Order as persuasive
11 guidance, in order to maximize individual privacy and autonomy.
12 § 2413. DEFINITIONS
13 As used in this chapter:
14 (1) “Aggregate customer information” means collective data that relates
15 to a group or category of customers, from which individual customer identities
16 and characteristics have been removed, that is not linked or reasonably linkable
17 to any individual person, household, or device. “Aggregate customer
18 information” does not mean one or more individual customer records that have
19 been de-identified.
20 (2) “Broadband Internet access service” or “Internet service” means a
21 mass market retail service by wire or radio in Vermont that provides the
1 capability to transmit data and to receive data from all or substantially all
2 Internet endpoints, including any capabilities that are incidental to, and enable
3 the operation of, the service, but excluding dial-up Internet access service. The
4 term also encompasses any service that provides a functional equivalent of the
5 service described in this subdivision or that is used to evade the protections set
6 forth in this chapter.
7 (3) “Broadband Internet access service provider” or “provider” means a
8 person engaged in the provision of Internet service to a customer account
9 located in Vermont. “Broadband Internet access service provider” or
10 “provider” does not include a premises operator, including a coffee shop,
11 bookstore, airline, private end-user network, or other business that acquires
12 Internet service from a provider to enable patrons to access the Internet from
13 its respective establishment.
14 (4) “Customer” means either of the following:
15 (A) a current or former subscriber to Internet service in Vermont; or
16 (B) an applicant for Internet service in Vermont.
17 (5) “Customer proprietary information” means any of the following that
18 a provider acquires in connection with its provision of Internet service:
19 (A) individually identifiable customer proprietary network
20 information;
21 (B) personally identifiable information; or
1 (C) content of a communication.
2 (6)(A) “Customer proprietary network information” or “CPNI” means
3 information that relates to the quantity, technical configuration, type,
4 destination, location, and amount of use of an Internet service subscribed to by
5 a customer of a provider and that is made available to the provider by the
6 customer solely by virtue of the provider-customer relationship.
7 (B)(i) CPNI includes all of the following: broadband service plans;
8 geolocation data; Media Access Control (MAC) addresses and other device
9 identifiers; source and destination Internet Protocol (IP) addresses and domain
10 name information; other information in the network layer protocol headers;
11 traffic statistics, including both short-term and long-term measurements; port
12 information and other transport layer protocol header information; application
13 headers, including any information a provider injects into the application
14 header; application usage; application payload; customer premises equipment;
15 and other customer device information.
16 (ii) CPNI includes any information falling within a CPNI category
17 that the provider collects or accesses in connection with the provision of
18 Internet service.
19 (iii) CPNI includes information that a provider causes to be
20 collected or stored on a customer’s device, including customer premises
21 equipment and mobile stations.
1 (7) “Material change” means any change that a customer, acting
2 reasonably under the circumstances, would consider important to the
3 customer’s decisions regarding the customer’s privacy.
4 (8) “Nonsensitive customer proprietary information” means customer
5 proprietary information that is not sensitive customer proprietary information.
6 (9) “Opt-in approval” means a method for obtaining customer consent to
7 use, disclose, or permit access to the customer’s proprietary information. This
8 approval method requires that the provider obtain from the customer
9 affirmative, express consent allowing the requested usage, disclosure, or access
10 to the customer proprietary information after the customer is provided
11 appropriate notification of the provider’s request, consistent with the
12 requirements of this chapter.
13 (10) “Opt-out approval” means a method for obtaining customer consent
14 to use, disclose, or permit access to the customer’s proprietary information.
15 Under this approval method, a customer is deemed to have consented to the
16 use or disclosure of, or access to, the customer’s proprietary information if the
17 customer has failed to object to that use, disclosure, or access after the
18 customer is provided appropriate notification of the provider’s request for
19 consent, consistent with the requirements of this chapter.
20 (11) “Personally identifiable information” means any information that is
21 linked or reasonably linkable to an individual or device. Information is linked
1 or reasonably linkable to an individual or device if it can reasonably be used on
2 its own, in context, or in combination to identify an individual or device, or to
3 logically associate it with other information about a specific individual or
4 device. Personally identifiable information includes each of the following:
5 name; address; Social Security number; date of birth; mother’s maiden name;
6 government-issued identifiers, including a driver’s license number; physical
7 address; e-mail address or other online contact information; telephone
8 numbers; MAC addresses or other unique device identifiers; IP addresses; and
9 persistent online or unique advertising identifiers.
10 (12) “Sensitive customer proprietary information” includes all of the
11 following:
12 (A) Financial information.
13 (B) Health information.
14 (C) Information pertaining to children.
15 (D) Social Security numbers.
16 (E) Precise geolocation information.
17 (F) Content of communications.
18 (G) Internet website browsing history, application usage history, and
19 the functional equivalents of either. “Internet website browsing history” and
20 “application usage history” means information from network traffic related to
21 Internet website browsing or other applications, including the application layer
1 of that traffic, and information from network traffic indicating the Internet
2 website or party with which the customer is communicating, including a
3 domain or IP address.
4 (H) Information pertaining to the customer’s children.
5 § 2414. CUSTOMER APPROVAL
6 (a) Except as described in subsection (b) of this section, a provider shall not
7 use, disclose, or permit access to customer proprietary information except with
8 the opt-out or opt-in approval of a customer as described in this section.
9 (b) A provider may use, disclose, or permit access to customer proprietary
10 information without customer approval for any of the following purposes:
11 (1) in its provision of the Internet service from which the information is
12 derived, or in its provision of services necessary to, or used in, the provision of
13 the service;
14 (2) to initiate, render, bill, and collect for Internet service;
15 (3) to protect the rights or property of the provider or to protect users of
16 the Internet service and other providers from fraudulent, abusive, or unlawful
17 use of the service;
18 (4) to provide any inbound marketing, referral, or administrative
19 services to the customer for the duration of a real-time interaction;
20 (5) to provide location information or nonsensitive customer proprietary
21 information to any of the following:
1 (A) a public safety answering point; emergency medical service
2 provider or emergency dispatch provider; public safety, fire service, or law
3 enforcement official; or hospital emergency or trauma care facility in order to
4 respond to the user’s request for emergency services;
5 (B) the user’s legal guardian or members of the user’s immediate
6 family in an emergency situation that involves the risk of death or serious
7 physical harm; and
8 (C) providers of information or database management services solely
9 for purposes of assisting in the delivery of emergency services in response to
10 an emergency;
11 (6) to generate an aggregate customer information dataset using
12 customer personal information, or using, disclosing, or permitting access to the
13 aggregate customer information dataset it generated;
14 (7) for any other lawful purpose if the provider ensures the customer
15 proprietary information is not individually identifiable by doing all of the
16 following:
17 (A) determining that the information is not reasonably linkable to an
18 individual or device;
19 (B) publicly committing to maintain and use the data in a
20 nonindividually identifiable fashion and to not attempt to reidentify the data;
21 and
1 (C) contractually prohibiting any entity to which it discloses or
2 permits access to the de-identified data from attempting to reidentify the
3 data; and
4 (8) as otherwise required or authorized by law.
5 (c) Except as otherwise provided in this section, a provider shall obtain opt-
6 out approval from a customer to use, disclose, or permit access to any of the
7 customer’s nonsensitive customer proprietary information. If it so chooses, a
8 provider may instead obtain opt-in approval from a customer to use, disclose,
9 or permit access to any of the customer’s nonsensitive customer proprietary
10 information.
11 (d) Except as otherwise provided in this section, a provider shall obtain
12 opt-in approval from a customer to do either of the following:
13 (1) use, disclose, or permit access to any of the customer’s sensitive
14 customer proprietary information; or
15 (2) make any material retroactive change, including a material change
16 that would result in a use, disclosure, or permission of access to any of the
17 customer’s proprietary information previously collected by the provider for
18 which the customer did not previously grant approval, either through opt-in or
19 opt-out consent, as required by this subsection and subsection (c) of this
20 section.
1 (e)(1) Except as described in subsection (a) of this section, a provider shall,
2 at a minimum, solicit customer approval pursuant to subsection (c) or (d) of
3 this section, as applicable, at the point of sale and when making one or more
4 material changes to privacy policies.
5 (2) A provider’s solicitation of customer approval shall be clear and
6 conspicuous and in language that is comprehensible and not misleading. The
7 solicitation shall disclose all of the following:
8 (A) the types of customer proprietary information that the provider is
9 seeking customer approval to use, disclose, or permit access to;
10 (B) the purposes for which the customer proprietary information will
11 be used; and
12 (C) the categories of entities to which the provider intends to disclose
13 or permit access to the customer proprietary information.
14 (3) A provider’s solicitation of customer approval shall be completely
15 translated into a language other than English if the provider transacts business
16 with the customer in that language.
17 (f) A provider shall make available a simple, easy-to-use mechanism for a
18 customer to grant, deny, or withdraw opt-in approval and opt-out approval at
19 any time. The mechanism shall be clear and conspicuous, in language that is
20 comprehensible and not misleading, and made available at no additional cost to
21 the customer. The mechanism shall be persistently available on or through the
1 provider’s home page on its Internet website, the provider’s application if it
2 provides one for account management purposes, and any functional equivalent
3 to the provider’s home page or application. If the provider does not have a
4 home page, it shall provide a persistently available mechanism by another
5 means, such as a toll-free telephone number. The customer’s grant, denial, or
6 withdrawal of approval shall be given effect promptly and remain in effect
7 until the customer revokes or limits the grant, denial, or withdrawal of
8 approval.
9 § 2415. INTERNET SERVICE OFFERS CONDITIONED ON WAIVER OF
10 PRIVACY RIGHTS PROHIBITED
11 A provider shall not do either of the following:
12 (1) refuse to provide Internet service or in any way limit that service to a
13 customer who does not waive the customer’s privacy rights guaranteed by law
14 or regulation, including this chapter; or
15 (2) charge a customer a penalty, penalize a customer in any way, or
16 offer a customer a discount or another benefit as a direct or indirect
17 consequence of a customer’s decision to, or refusal to, waive the customer’s
18 privacy rights guaranteed by law or regulation, including this chapter.
19 § 2416. PROVIDER SECURITY
20 (a) A provider shall take reasonable measures to protect customer
21 proprietary information from unauthorized use, disclosure, or access.
1 (b) In implementing the security measures required by this section, a
2 provider shall take into account each of the following fact