78(R) SB 136 - Introduced version


                                                                                


By:  Ellis                                                                S.B. No. 136



A BILL TO BE ENTITLED

AN ACT

relating to the disclosure of personal information by an Internet 
service provider.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:                        
	SECTION 1.  Chapter 35, Business & Commerce Code, is amended 
by adding Subchapter J to read as follows:

SUBCHAPTER J.  DISCLOSURE OF PERSONAL INFORMATION BY INTERNET 
SERVICE PROVIDER
	Sec. 35.151.  DEFINITIONS.  In this subchapter:                         
		(1)  "Consumer" means a person who agrees to pay a fee 
to an Internet service provider for access to the Internet for 
personal, family, or household purposes, and who does not resell 
access.
		(2)  "Internet" means the largest nonproprietary 
nonprofit cooperative public computer network, popularly known as 
the Internet.
		(3)  "Internet service provider" means a person who 
provides consumers authenticated access to, or presence on, the 
Internet by means of a switched or dedicated telecommunications 
channel on which the person provides transit routing of Internet 
Protocol packets for and on behalf of the consumer.  A person is not 
considered an Internet service provider under this subchapter by 
reason of the person's offering, on a common carrier basis, of 
telecommunications facilities or of telecommunications by means of 
these facilities.
		(4)  "Personally identifiable information" means 
information that identifies:
			(A)  a consumer's physical or electronic address 
or telephone number;
			(B)  specific materials or services requested or 
obtained by a consumer from an Internet service provider;
			(C)  Internet or on-line sites visited by a 
consumer; or            
			(D)  any of the contents of a consumer's data 
storage devices.      
	Sec. 35.152.  APPLICABILITY OF SUBCHAPTER.  This subchapter 
applies to the provision of Internet services to a consumer located 
in this state.
	Sec. 35.153.  DISCLOSURE OF PERSONAL INFORMATION 
PROHIBITED. Except as provided by Section 35.154 or 35.155, an 
Internet service provider may not knowingly disclose personally 
identifiable information concerning a consumer of the Internet 
service provider.
	Sec. 35.154.  EXCEPTION: DISCLOSURE REQUIRED. (a)  An 
Internet service provider shall disclose personally identifiable 
information concerning a consumer:
		(1)  to a peace officer, as defined by Article 2.12, 
Code of Criminal Procedure, acting in the officer's official 
capacity;
		(2)  in response to a warrant, court order, or 
subpoena, including an administrative subpoena, issued under a law 
of this state, another state, or the United States, except that 
disclosure of the information may be required in a civil action only 
on a showing of compelling need for the information that cannot be  
accommodated by other means;
		(3)  to a court in a civil action brought by the 
Internet service provider for conversion or to enforce collection 
of unpaid subscription fees or purchase amounts, only to the extent 
necessary to establish the fact of the subscription delinquency or 
purchase agreement, and with safeguards considered by the court to 
be appropriate to prevent unauthorized disclosure; or
		(4)  to the consumer who is the subject of the 
information, if the consumer requests the information in writing or 
by electronic means and pays a fee set by the Internet service 
provider.
	(b)  A fee set by an Internet service provider for the 
disclosure of a consumer's personally identifiable information to 
the consumer under Subsection (a)(4) may not exceed the actual cost 
of providing the information.
	Sec. 35.155.  EXCEPTION: DISCLOSURE PERMITTED. (a)  An 
Internet service provider may disclose personally identifiable 
information concerning a consumer to:
		(1)  any person if the disclosure is incident to the 
Internet service provider's:
			(A)  debt collection activities;                                      
			(B)  fulfillment of orders for Internet service;                      
			(C)  processing of requests for Internet service; 
or                
			(D)  transfer of ownership;                                           
		(2)  another Internet service provider for purposes of 
reporting or preventing a violation of the published acceptable use 
policy or customer service agreement of the consumer's Internet 
service provider; or
		(3)  any person with the authorization of the consumer 
as provided by Subsection (c).
	(b)  An Internet service provider who receives personally 
identifiable information under Subsection (a)(2) may disclose the 
personally identifiable information only as provided by this 
subchapter.
	(c)  An Internet service provider may obtain the consumer's 
authorization of the disclosure of personally identifiable 
information in writing or by electronic means.  The consumer's 
authorization is effective only if:
		(1)  the request for authorization reasonably 
describes the types of persons to whom personally identifiable 
information may be disclosed and the anticipated uses of the 
information;
		(2)  the contract between an Internet service provider 
and the consumer conspicuously states that:
			(A)  the authorization will be obtained by an 
affirmative act of the consumer; or
			(B)  failure of the consumer to object after the 
request has been made constitutes authorization of the disclosure 
of personally identifiable information; and
		(3)  the Internet service provider obtains 
authorization of the disclosure in a manner consistent with 
self-regulating guidelines issued by representatives of the 
Internet service provider or on-line industries, or in any other 
manner reasonably designed to comply with this subsection.
	Sec. 35.156.  SECURITY OF INFORMATION.  An Internet service 
provider shall take reasonable steps to maintain the security and 
privacy of a consumer's personally identifiable information.
	Sec. 35.157.  EXCLUSION FROM EVIDENCE.  Except for purposes 
of establishing a violation of this subchapter, personally 
identifiable information obtained in any manner other than as 
provided by this subchapter is not admissible in evidence in a civil 
action.
	Sec. 35.158.  ENFORCEMENT; DAMAGES; DEFENSE. (a)  On 
violation of this subchapter, a consumer whose personally 
identifiable information is involved in the violation may bring an 
action for damages.
	(b)  A consumer who prevails in the action is entitled to the 
greater of $500 or actual damages.
	(c)  A court may award court costs and reasonable attorney's 
fees to a party awarded damages for a violation of this subchapter.
	(d)  A class action may not be brought under this subchapter.           
	(e)  It is a defense to an action under this subchapter that 
the Internet service provider has established and implemented 
reasonable practices and procedures to prevent violations of this 
subchapter.
	Sec. 35.159.  APPLICATION OF OTHER LAW. (a)  This subchapter 
does not limit any greater protection of the privacy of information 
under other law.
	(b)  This subchapter does not limit the authority under other 
state or federal law of a law enforcement or prosecuting authority 
to obtain information.
	SECTION 2.  This Act takes effect September 1, 2003.