By: Ellis S.B. No. 136
A BILL TO BE ENTITLED
AN ACT
relating to the disclosure of personal information by an Internet
service provider.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Chapter 35, Business & Commerce Code, is amended
by adding Subchapter J to read as follows:
SUBCHAPTER J. DISCLOSURE OF PERSONAL INFORMATION BY INTERNET
SERVICE PROVIDER
Sec. 35.151. DEFINITIONS. In this subchapter:
(1) "Consumer" means a person who agrees to pay a fee
to an Internet service provider for access to the Internet for
personal, family, or household purposes, and who does not resell
access.
(2) "Internet" means the largest nonproprietary
nonprofit cooperative public computer network, popularly known as
the Internet.
(3) "Internet service provider" means a person who
provides consumers authenticated access to, or presence on, the
Internet by means of a switched or dedicated telecommunications
channel on which the person provides transit routing of Internet
Protocol packets for and on behalf of the consumer. A person is not
considered an Internet service provider under this subchapter by
reason of the person's offering, on a common carrier basis, of
telecommunications facilities or of telecommunications by means of
these facilities.
(4) "Personally identifiable information" means
information that identifies:
(A) a consumer's physical or electronic address
or telephone number;
(B) specific materials or services requested or
obtained by a consumer from an Internet service provider;
(C) Internet or on-line sites visited by a
consumer; or
(D) any of the contents of a consumer's data
storage devices.
Sec. 35.152. APPLICABILITY OF SUBCHAPTER. This subchapter
applies to the provision of Internet services to a consumer located
in this state.
Sec. 35.153. DISCLOSURE OF PERSONAL INFORMATION
PROHIBITED. Except as provided by Section 35.154 or 35.155, an
Internet service provider may not knowingly disclose personally
identifiable information concerning a consumer of the Internet
service provider.
Sec. 35.154. EXCEPTION: DISCLOSURE REQUIRED. (a) An
Internet service provider shall disclose personally identifiable
information concerning a consumer:
(1) to a peace officer, as defined by Article 2.12,
Code of Criminal Procedure, acting in the officer's official
capacity;
(2) in response to a warrant, court order, or
subpoena, including an administrative subpoena, issued under a law
of this state, another state, or the United States, except that
disclosure of the information may be required in a civil action only
on a showing of compelling need for the information that cannot be
accommodated by other means;
(3) to a court in a civil action brought by the
Internet service provider for conversion or to enforce collection
of unpaid subscription fees or purchase amounts, only to the extent
necessary to establish the fact of the subscription delinquency or
purchase agreement, and with safeguards considered by the court to
be appropriate to prevent unauthorized disclosure; or
(4) to the consumer who is the subject of the
information, if the consumer requests the information in writing or
by electronic means and pays a fee set by the Internet service
provider.
(b) A fee set by an Internet service provider for the
disclosure of a consumer's personally identifiable information to
the consumer under Subsection (a)(4) may not exceed the actual cost
of providing the information.
Sec. 35.155. EXCEPTION: DISCLOSURE PERMITTED. (a) An
Internet service provider may disclose personally identifiable
information concerning a consumer to:
(1) any person if the disclosure is incident to the
Internet service provider's:
(A) debt collection activities;
(B) fulfillment of orders for Internet service;
(C) processing of requests for Internet service;
or
(D) transfer of ownership;
(2) another Internet service provider for purposes of
reporting or preventing a violation of the published acceptable use
policy or customer service agreement of the consumer's Internet
service provider; or
(3) any person with the authorization of the consumer
as provided by Subsection (c).
(b) An Internet service provider who receives personally
identifiable information under Subsection (a)(2) may disclose the
personally identifiable information only as provided by this
subchapter.
(c) An Internet service provider may obtain the consumer's
authorization of the disclosure of personally identifiable
information in writing or by electronic means. The consumer's
authorization is effective only if:
(1) the request for authorization reasonably
describes the types of persons to whom personally identifiable
information may be disclosed and the anticipated uses of the
information;
(2) the contract between an Internet service provider
and the consumer conspicuously states that:
(A) the authorization will be obtained by an
affirmative act of the consumer; or
(B) failure of the consumer to object after the
request has been made constitutes authorization of the disclosure
of personally identifiable information; and
(3) the Internet service provider obtains
authorization of the disclosure in a manner consistent with
self-regulating guidelines issued by representatives of the
Internet service provider or on-line industries, or in any other
manner reasonably designed to comply with this subsection.
Sec. 35.156. SECURITY OF INFORMATION. An Internet service
provider shall take reasonable steps to maintain the security and
privacy of a consumer's personally identifiable information.
Sec. 35.157. EXCLUSION FROM EVIDENCE. Except for purposes
of establishing a violation of this subchapter, personally
identifiable information obtained in any manner other than as
provided by this subchapter is not admissible in evidence in a civil
action.
Sec. 35.158. ENFORCEMENT; DAMAGES; DEFENSE. (a) On
violation of this subchapter, a consumer whose personally
identifiable information is involved in the violation may bring an
action for damages.
(b) A consumer who prevails in the action is entitled to the
greater of $500 or actual damages.
(c) A court may award court costs and reasonable attorney's
fees to a party awarded damages for a violation of this subchapter.
(d) A class action may not be brought under this subchapter.
(e) It is a defense to an action under this subchapter that
the Internet service provider has established and implemented
reasonable practices and procedures to prevent violations of this
subchapter.
Sec. 35.159. APPLICATION OF OTHER LAW. (a) This subchapter
does not limit any greater protection of the privacy of information
under other law.
(b) This subchapter does not limit the authority under other
state or federal law of a law enforcement or prosecuting authority
to obtain information.
SECTION 2. This Act takes effect September 1, 2003.