2022 -- H 7400

========

LC003955

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2022

____________

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --

RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

     

     Introduced By: Representatives Shanley, Carson, Edwards, Ruggiero, Cortvriend, and Barros

     Date Introduced: February 09, 2022

     Referred To: House Innovation, Internet, & Technology

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.1

RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

     6-48.1-1. Short title.

     This chapter shall be known and may be cited as the "Rhode Island Data Transparency and Privacy Protection Act."

     6-48.1-2. Legislative findings.

     The general assembly hereby finds and declares that:

     (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This state recognizes the importance of providing consumers with transparency about how their personally identifiable information, especially information relating to their children, is shared by businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their families from cyber-crimes and identity thieves.

     (2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personally identifiable information with third parties (as that term is hereinafter defined). Consumers must be better informed about what kinds of personally identifiable information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose (as that term is hereinafter defined) personally identifiable information to third parties on the basis of how protective the business is of consumers' privacy.

     (3) Businesses are now collecting personally identifiable information and disclosing it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit webpages, and sending personally identifiable information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying and disclosing personally identifiable information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personally identifiable information, such as location information, unique phone identification numbers, age, gender, and other personal details with third-party companies.

     (4) As such, consumers need to know the ways that their personally identifiable information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

     6-48.1-3. Definitions.

     As used in this chapter:

     (1) "Affiliate" means any entity that, directly or indirectly, controls, is controlled by, or is under common control with, the entity that has disclosed personally identifiable information to it.

     (2) "Customer" means an individual residing in this state who provides, either knowingly or unknowingly, personally identifiable information to any entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service, including advertising or any other content.

     (3) "Disclose" means to sell, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic means or any other means to any individual or third party in exchange for anything of value. "Disclose" does not include the following:

     (i) Disclosure to an affiliate, provided that the affiliate does not disclose the personally identifiable information to any third party;

     (ii) Disclosure of personally identifiable information by any entity to a third party under a written contract authorizing the third party to utilize the personally identifiable information to perform services on behalf of such entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if:

     (A) The contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service or services on behalf of such entity and from disclosing any such personally identifiable information to additional third parties; and

     (B) The entity effectively enforces these prohibitions;

     (iii) Disclosure of personally identifiable information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

     (iv) Disclosure of personally identifiable information by any entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

     (4) "Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in this state who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner. "Operator" does not include businesses having ten (10) or fewer employees, or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner.

     (5) "Personally identifiable information" or "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not either encrypted or utilizing a protocol that provides a higher degree of security or are in hard copy, paper format:

     (i) Social security number;

     (ii) Driver's license number, passport number, Rhode Island identification card number, or tribal identification number;

     (iii) Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account;

     (iv) Medical or health insurance information; or

     (v) Email address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.

     (6) "Third party" means any entity that is a separate legal entity from the entity that has disclosed the personally identifiable information; provided, however, that an affiliate of the entity that has disclosed the personally identifiable information shall not be considered a third party.

     6-48.1-4. Information sharing practices.

     (a) An operator of a commercial website or online service that collects, stores and sells categories of personally identifiable information through the Internet about individual customers residing in this state who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted:

     (1) Identify all categories of personally identifiable information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service; and

     (2) Identify all categories of third-party persons or entities with whom the operator may disclose that personally identifiable information.

     (b) Nothing in this chapter shall be construed to authorize the collection, storage or disclosure of information or data that is otherwise prohibited, restricted or regulated by state or federal law.

     6-48.1-5. Violations.

     (a) A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in title 6 and shall constitute a deceptive trade practice in violation of chapter 13.1 of title 6; provided further, that in the event that any individual or entity intentionally discloses personally identifiable information:

     (1) To a shell company or any entity that has been formed or established solely, or in part, for the purposes of circumventing the intent of this chapter;

     (2) To any third party that is not exempt pursuant to § 6-48.2-3; or

     (3) In violation of any provision of this chapter, that individual or entity shall pay a fine of not less than one hundred dollars ($100) and no more than five hundred dollars ($500) for each such disclosure.

     (b) The office of the attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter pursuant to:

     (1) The provisions of this section; or

     (2) General regulatory provisions of commercial law in title 6, or both.

     (c) Nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of commercial law in title 6.

     6-48.1-6. Waivers -- Severability.

     Any waiver of the provisions of this chapter shall be void and unenforceable. If any provision of this chapter or its application to any person or circumstance is held invalid by a court of competent jurisdiction, the invalidity shall not affect other provisions of applications of the chapter that can be given effect without the invalid provision or application, and to this end the provisions of the chapter are severable.

     6-48.1-7. Construction.

     (a) Nothing in this chapter shall be deemed to apply in any manner to any information or data that is subject to the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that act, or to information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); provided, however, no entity or individual shall be exempt from the provisions of this chapter.

     (b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

     (c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code.

     (d) Nothing in this chapter shall be construed to mandate and/or require the retention or disclosure of any specific individual's personally identifiable information.

     (e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product sales summaries or statistical information or aggregate customer data which may include personally identifiable information.

     (f) Nothing in this chapter shall be construed to apply to any personally identifiable information or any other information collected, used, processed, or disclosed by or for a consumer reporting agency as defined by 15 USC § 1681a(f).

     SECTION 2. This act shall take effect on January 1, 2023.

========

LC003955

========

 


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --

RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

***

     This act would require online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information. This act does not prohibit the collection or sale of personally identifiable information and does not require the retention or disclosure of personally identifiable information by online service providers or commercial websites. Any intentional disclosure of personal information in violation of the provisions of this act would be punishable by a fine of not less than one hundred dollars ($100) nor more than five hundred dollars ($500) per disclosure with sole enforcement vested in the department of the attorney general.

     This act would take effect on January 1, 2023.

========

LC003955

========

 
