2018 -- H 7111 SUBSTITUTE A

========

LC003294/SUB A

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2018

____________

A N   A C T

RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

     

     Introduced By: Representatives Shanley, Carson, Regunberg, Marszalkowski, and Edwards

     Date Introduced: January 11, 2018

     Referred To: House Judiciary

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.1

RHODE ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

     6-48.1-1. Short title.

     This chapter shall be known and may be cited as the "Rhode Island Right-to-Know Data Transparency and Privacy Protection Act."

     6-48.1-2. Legislative findings.

     The general assembly hereby finds and declares that:

     (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This state recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their families from cyber-crimes and identity thieves.

     (2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

     (3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.

     (4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

     6-48.1-3. Definitions.

     As used in this chapter:

     (1) "Categories of personal information" means and includes, but is not limited to, the following:

     (i) Identity information including, but not limited to, real name, alias, nickname, and user name;

     (ii) Address information, including, but not limited to, postal or email address;

     (iii) Telephone number;

     (iv) Account name;

     (v) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number;

     (vi) Birthdate or age;

     (vii) Physical characteristic information, including, but not limited to, height and weight;

     (viii) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression;

     (ix) Race or ethnicity;

     (x) Religious affiliation or activity;

     (xi) Political affiliation or activity;

     (xii) Professional or employment-related information;

     (xiii) Educational information;

     (xiv) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used;

     (xv) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness;

     (xvi) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies;

     (xvii) Location information;

     (xviii) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service;

     (xix) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and

     (xx) Any of the above categories of information as they pertain to the children of the customer.

     (2) "Customer" means an individual residing in this state who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.

     (3) "Designated request address" means an email address, toll-free telephone number, or webform whereby customers may request or obtain the information required to be provided under § 6-48.1-4.

     (4) "Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:

     (i) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if:

     (A) The contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties; and

     (B) The private entity effectively enforces these prohibitions.

     (ii) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

     (iii) Disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

     (5) "Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in this state who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner. "Operator" does not include businesses having ten (10) or fewer employees, or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner.

     (6)(i) "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.

     (ii) "Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.

     (7) "Third party" or "third parties" means:

     (i) A private entity that is a separate legal entity from the private entity that has disclosed personal information;

     (ii) A private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or

     (iii) A private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.

     6-48.1-4. Information sharing practices.

     An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in this state who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted:

     (1) Identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service;

     (2) Identify all categories of third-party persons or entities with whom the operator may disclose that personally identifiable information; and

     (3) Provide a description of a customer's rights, as required under § 6-48.1-6, accompanied by one or more designated request addresses.

     6-48.1-5. Disclosure of a customer's personal information to a third party.

     (a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:

     (1) All categories of personal information that were disclosed; and

     (2) The names of all third parties that received the customer's personal information.

     (b) This section applies only to personal information disclosed after the effective date of this chapter.

     6-48.1-6. Information availability service.

     (a) An operator required to comply with § 6-48.1-5 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted, and, upon receipt of a request under this section, shall provide the customer with the information required under § 6-48.1-5 for all disclosures occurring in the prior twelve (12) months.

     (b) An operator that receives a request from a customer under this section at one of the designated addresses shall provide a response to the customer within thirty (30) days.

     (c) Notwithstanding the provisions of this section, a parent or legal guardian of a customer under the age of eighteen (18) may submit a request under this section on behalf of that customer. An operator shall not be required to, but may respond to a request made by the same parent or legal guardian on behalf of a customer under the age of eighteen (18) more than once within a given twelve (12) month period.

     6-48.1-7. Violations.

     A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in title 6. The office of the attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter as an unlawful practice under the general regulatory provisions of commercial law in title 6. An operator in violation of this chapter shall have thirty (30) days after being notified of a violation to rectify that violation before the attorney general may seek an enforcement action against that operator. Nothing in this section shall prevent a person from otherwise seeking relief under any other similarly applicable state laws.

     6-48.1-8. Waivers; Contracts.

     Any waiver of the provisions of this chapter shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this chapter shall be void and unenforceable.

     6-48.1-9. Construction.

     (a) Nothing in this chapter shall be construed to conflict with the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that act.

     (b) Nothing in this chapter shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that act.

     (c) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

     (d) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code of 1986.

     SECTION 2. This act shall take effect on July 1, 2018.

========

LC003294/SUB A

========

 


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

***

     This act would create the "Rhode Island Right-to-Know Transparency and Privacy Protection Act" to protect individuals of this state from disclosure of personally identifiable information through the Internet by operators of commercial websites or online services, and would empower the attorney general with enforcement authority for any operator violations.

     This act would take effect on July 1, 2018.

========

LC003294/SUB A

========

 
