[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 1116 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  1st Session
                                S. 1116

  To require providers of broadband internet access service and edge 
   services to clearly and conspicuously notify users of the privacy 
 policies of those providers, to give users opt-in or opt-out approval 
 rights with respect to the use of, disclosure of, and access to user 
    information collected by those providers based on the level of 
        sensitivity of the information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 10, 2019

Mrs. Blackburn introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
  To require providers of broadband internet access service and edge 
   services to clearly and conspicuously notify users of the privacy 
 policies of those providers, to give users opt-in or opt-out approval 
 rights with respect to the use of, disclosure of, and access to user 
    information collected by those providers based on the level of 
        sensitivity of the information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Balancing the Rights Of Web Surfers 
Equally and Responsibly Act of 2019'' or the ``BROWSER Act of 2019''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Broadband internet access service.--
                    (A) In general.--The term ``broadband internet 
                access service'' means a mass-market retail service by 
                wire or radio that provides the capability to transmit 
                data to and receive data from all or substantially all 
                internet endpoints, including any capabilities that are 
                incidental to and enable the operation of the 
                communications service, but excluding dial-up internet 
                access service.
                    (B) Functional equivalent; evasion.--The term 
                ``broadband internet access service'' includes any 
                service that--
                            (i) the Commission finds to be providing a 
                        functional equivalent of the service described 
                        in subparagraph (A); or
                            (ii) is used to evade the protections set 
                        forth in this Act.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Covered service.--The term ``covered service'' means--
                    (A) broadband internet access service; or
                    (B) an edge service.
            (4) Edge service.--The term ``edge service''--
                    (A) means a service provided over the internet--
                            (i) for which the provider requires the 
                        user to subscribe or establish an account in 
                        order to use the service;
                            (ii) that the user purchases from the 
                        provider of the service without a subscription 
                        or account;
                            (iii) by which a program searches for and 
                        identifies items in a database that correspond 
                        to keywords or characters specified by the 
                        user, used especially for finding particular 
                        sites on the world wide web; or
                            (iv) by which the user divulges sensitive 
                        user information; and
                    (B) includes a service described in subparagraph 
                (A) that is provided through a software program, 
                including a mobile application.
            (5) Emergency services.--The term ``emergency services'' 
        has the meaning given the term in section 222 of the 
        Communications Act of 1934 (47 U.S.C. 222).
            (6) Material.--The term ``material'' means, with respect to 
        a change in a privacy policy of a provider of a covered 
        service, any change in the policy that a user of the service, 
        acting reasonably under the circumstances, would consider 
        important to the decisions of the user regarding the privacy of 
        the user, including any change to information required to be 
        included in a privacy notice under section 3.
            (7) Mobile application.--The term ``mobile application'' 
        means a software program that runs on the operating system of a 
        mobile device.
            (8) Non-sensitive user information.--The term ``non-
        sensitive user information'' means any user information that is 
        not sensitive user information.
            (9) Opt-in approval.--The term ``opt-in approval'' means a 
        method for obtaining from a user of a covered service consent 
        to use, disclose, or permit access to sensitive user 
        information under which the provider of the service obtains 
        express consent allowing the requested usage of, disclosure of, 
        or access to the sensitive user information.
            (10) Opt-out approval.--The term ``opt-out approval'' means 
        a method for obtaining from a user of a covered service consent 
        to use, disclose, or permit access to non-sensitive user 
        information under which the user is deemed to have consented to 
        the use of, disclosure of, or access to the non-sensitive user 
        information if the user has failed to object to the use, 
        disclosure, or access.
            (11) Public safety answering point.--The term ``public 
        safety answering point'' has the meaning given the term in 
        section 222 of the Communications Act of 1934 (47 U.S.C. 222).
            (12) Sensitive user information.--The term ``sensitive user 
        information'' includes any of the following:
                    (A) Financial information.
                    (B) Health information.
                    (C) Information pertaining to children under the 
                age of 13.
                    (D) Social Security number.
                    (E) Precise geolocation information.
                    (F) Content of communications.
                    (G) Web browsing history, history of usage of a 
                software program (including a mobile application), and 
                the functional equivalents of either.
            (13) State.--The term ``State'' means each of the several 
        States, the District of Columbia, the Commonwealth of Puerto 
        Rico, Guam, American Samoa, the United States Virgin Islands, 
        the Commonwealth of the Northern Mariana Islands, any other 
        territory or possession of the United States, and each 
        federally recognized Indian Tribe.
            (14) User.--The term ``user'' means, with respect to a 
        covered service, a person who--
                    (A) is a current or former--
                            (i) subscriber to the service; or
                            (ii) holder of an account for the service;
                    (B) purchases the service without a subscription or 
                account;
                    (C) is an applicant for the service; or
                    (D) in the case of a service described in clause 
                (iii) or (iv) of paragraph (4)(A), uses the service.
            (15) User information.--The term ``user information'' means 
        any information that--
                    (A) a provider of a covered service acquires in 
                connection with the provision of the service; and
                    (B) is linked or reasonably linkable to an 
                individual.

SEC. 3. NOTICE OF PRIVACY POLICIES.

    (a) In General.--A provider of a covered service shall provide a 
user of the service with clear and conspicuous notice of the privacy 
policies of the provider with respect to the service.
    (b) Availability to Prospective Users.--The notice required by 
subsection (a) shall be made available to a prospective user of a 
covered service--
            (1) at the point of sale of, subscription to, or 
        establishment of an account for the covered service, prior to 
        that sale, subscription, or establishment, without regard to 
        whether the point of sale, subscription, or establishment is in 
        person, online, over the telephone, or through another means; 
        or
            (2) if there is no such sale, subscription, or 
        establishment, before the user uses the service.
    (c) Persistent Availability.--The notice required by subsection (a) 
shall be made persistently available.
    (d) Material Changes.--A provider of a covered service shall 
provide a user of the service with clear and conspicuous advance notice 
of any material change to the privacy policies of the provider with 
respect to the service.

SEC. 4. USER OPT-IN OR OPT-OUT APPROVAL RIGHTS BASED ON SENSITIVITY OF 
              INFORMATION.

    (a) Opt-In Approval Required for Sensitive User Information.--
Except as provided in subsection (c), a provider of a covered service 
shall obtain opt-in approval from a user to use, disclose, or permit 
access to the sensitive user information of the user.
    (b) Opt-Out Approval Required for Non-Sensitive User Information.--
Except as provided in subsection (c), a provider of a covered service--
            (1) shall obtain opt-out approval from a user to use, 
        disclose, or permit access to any of the non-sensitive user 
        information of the user; or
            (2) if the provider so chooses, may comply with the 
        requirement of paragraph (1) by obtaining opt-in approval from 
        the user to use, disclose, or permit access to any of the non-
        sensitive user information of the user.
    (c) Limitations and Exceptions.--A provider of a covered service 
may use, disclose, or permit access to user information without user 
approval for the following purposes:
            (1) In providing the covered service from which the 
        information is derived, or in providing services necessary to, 
        or used in, the provision of the service.
            (2) To initiate, render, bill for, and collect for the 
        covered service.
            (3) To protect the rights or property of the provider, or 
        to protect users of the covered service and other service 
        providers from fraudulent, abusive, or unlawful use of the 
        service.
            (4) To provide location information or non-sensitive user 
        information--
                    (A) to a public safety answering point, emergency 
                medical service provider or emergency dispatch 
                provider, public safety, fire service, or law 
                enforcement official, or hospital emergency or trauma 
                care facility, in order to respond to the request of 
                the user for emergency services;
                    (B) to inform the legal guardian of the user, or 
                members of the immediate family of the user, of the 
                location of the user in an emergency situation that 
                involves the risk of death or serious physical harm; or
                    (C) to providers of information or database 
                management services solely for purposes of assisting in 
                the delivery of emergency services in response to an 
                emergency.
            (5) As otherwise required or authorized by law.
    (d) Mechanism for Exercising User Approval.--
            (1) In general.--A provider of a covered service shall make 
        available a simple, easy-to-use mechanism for a user to grant, 
        deny, or withdraw opt-in approval or opt-out approval at any 
        time.
            (2) Form and manner.--The mechanism required by paragraph 
        (1) shall be--
                    (A) clear and conspicuous; and
                    (B) made available--
                            (i) at no additional cost to the user; and
                            (ii) in a language other than English, if 
                        the provider transacts business with the user 
                        in that other language.
            (3) Effect.--The grant, denial, or withdrawal of opt-in 
        approval or opt-out approval by a user shall--
                    (A) be given effect promptly; and
                    (B) remain in effect until the user revokes or 
                limits the grant, denial, or withdrawal of approval.

SEC. 5. SERVICE OFFERS CONDITIONED ON WAIVERS OF PRIVACY RIGHTS.

    A provider of a covered service may not--
            (1) condition, or effectively condition, provision of the 
        service on agreement by a user to waive privacy rights 
        guaranteed by law or regulation, including this Act; or
            (2) terminate the service or otherwise refuse to provide 
        the service as a direct or indirect consequence of the refusal 
        of a user to waive any privacy rights described in paragraph 
        (1).

SEC. 6. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

    (a) General Application.--The requirements of this Act apply, 
according to their terms, to--
            (1) those persons, partnerships, and corporations over 
        which the Commission has authority pursuant to section 5(a)(2) 
        of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
            (2) providers of broadband internet access service, 
        notwithstanding the exception in such section 5(a)(2) for 
        common carriers subject to the Communications Act of 1934 (47 
        U.S.C. 151 et seq.).
    (b) Unfair or Deceptive Acts or Practices.--A violation of this Act 
shall be treated as an unfair or deceptive act or practice in or 
affecting commerce for purposes of section 5(a)(2) of the Federal Trade 
Commission Act (15 U.S.C. 45(a)(2)).
    (c) Powers of Commission.--Except as provided in subsection (a)(2) 
of this section--
            (1) the Commission shall enforce this Act in the same 
        manner, by the same means, and with the same jurisdiction, 
        powers, and duties as though all applicable terms and 
        provisions of the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.) were incorporated into and made a part of this Act; and
            (2) any person who violates this Act shall be subject to 
        the penalties and entitled to the privileges and immunities 
        provided in the Federal Trade Commission Act.

SEC. 7. RELATIONSHIP TO OTHER LAW.

    (a) Preemption of State Law.--No State or political subdivision of 
a State shall, with respect to a provider of a covered service subject 
to this Act, adopt, maintain, enforce, or impose or continue in effect 
any law, rule, regulation, duty, requirement, standard, or other 
provision having the force and effect of law relating to or with 
respect to the privacy of user information.
    (b) Other Federal Law.--
            (1) In general.--Except as provided in paragraph (2), 
        nothing in this Act shall be construed to supersede any Federal 
        statute or regulation relating to information privacy.
            (2) Communications act of 1934.--Insofar as any provision 
        of the Communications Act of 1934 (47 U.S.C. 151 et seq.) or 
        any regulations promulgated under that Act apply to any person, 
        partnership, or corporation subject to this Act with respect to 
        privacy policies, terms of service, and practices covered by 
        this Act, the provision or regulations shall have no force or 
        effect, unless the regulations pertain to emergency services.
                                 <all>