2022 -- H 7917

========

LC003582

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2022

____________

A N   A C T

RELATING TO STATE AFFAIRS AND GOVERNMENT – RHODE ISLAND

INFORMATION PRIVACY ACT

     

     Introduced By: Representative Joseph M. McNamara

     Date Introduced: March 07, 2022

     Referred To: House Finance

     It is enacted by the General Assembly as follows:

SECTION 1. Title 42 of the General Laws entitled "STATE AFFAIRS AND GOVERNMENT" is hereby amended by adding thereto the following chapter:

CHAPTER 162

RHODE ISLAND INFORMATION PRIVACY ACT

42-162-1. Short title.

This chapter shall be known and may be cited as the "Rhode Island Information Privacy Act".

42-162-2. Definitions.

As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:

(1) "Advertisement" means the process by which a person, the "advertiser," proposes a commercial transaction or disseminates a public or private communication or message to solicit business or a commercial opportunity.

(2) "Algorithm" means a specific procedure, set of rules, or order of operations designed to solve a problem or make a calculation, classification, or recommendation.

(3) "Artificial intelligence" means computerized methods and tools including, but not limited to, machine learning and natural language processing, that act in a way that resembles human cognitive abilities when it comes to solving problems or performing certain tasks.

(4) "Automated decision system" means any computer program, method, statistical model, or process that aims to aid or replace human decision-making using algorithms or artificial intelligence. These systems can include analyzing complex datasets about human populations to generate scores, predictions, classifications, or recommendations used to make decisions.

(5) "Biometric information" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly or in combination with each other or with other information for automated recognition or identification of a known or unknown individual. Examples include, but are not limited to, fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, gait, handwriting, keystroke dynamics, and mouse movements. Biometric information does not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric information does not include donated organs, tissues, or parts, or blood, or serum stored on behalf of recipients or potential recipients of living, or cadaveric transplants obtained or stored by a federally designated organ procurement agency. Biometric information does not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric information does not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

(6) "Browser personal information" means Internet protocol addresses, system configuration information, uniform resource locators of referring pages, local and language preferences, keystrokes, and other similar digital sources associated with an individual.

(7) "Collect" means to collect, buy, rent, gather, obtain, receive, trade for, or access any personal information pertaining to an individual by any means, online or offline, including, but not limited to, receiving information from the individual or a third party, actively or passively, or obtaining information by observing the individual's behavior.

(8) "Commission" means the Rhode Island information privacy commission.

(9) "Conduct business in the State of Rhode Island" or "conducting business in Rhode Island" means to produce, solicit, or offer for use or sale any information, product, or service in a manner that intentionally targets or may reasonably be expected to contact individuals.

(10) "Consent" means freely given, specific, informed, unambiguous, opt-in consent by individuals.

LC003582 - Page 2 of 35

(11) "Covered entity" means an entity that conducts business in the State of Rhode Island, processes personal information by itself or by contracting with a data processor, and:

(i) Has earned or received ten million dollars ($10,000,000) of annual revenue through three hundred (300) or more transactions; or

(ii) Processes or maintains the personal information of ten thousand (10,000) or more unique individuals during the course of a calendar year.

(12) "Covered interaction" means an interaction between an individual or its household and a covered entity when such covered entity makes available information, products, or services to the individual and collects or otherwise processes personal information pertaining to that individual. Covered interactions include, but are not limited to, posting information, offering a product or service, the placement of targeted advertisements, setting up an account, or offering membership or other ongoing relationship with a covered entity.

(13) "Data processor" means a person or entity that processes personal information on behalf of a covered entity.

(14) "De-identified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be directly linked to a particular individual or household.

(15) "Device" means a tool that is capable of sending, routing, or receiving communications to or from another device and intended for use by a single individual or single household or, if used outside of a home, for use by the general public.

(16) "Disclose" means any action, set of actions, or omission in which a covered entity, data processor, or a third party makes personal information available to another person, intentionally or unintentionally, including, but not limited to, sharing, publishing, releasing, transferring, disseminating, making available, selling, leasing, providing access to, failing to restrict access to, or otherwise communicating orally, in writing, electronically, or by any other means.

(17) "Harm" means potential or realized adverse consequences for an individual or society, including, but not limited to:

(i) Direct or indirect financial harm;

(ii) Physical harm or threats to individuals or property, including, but not limited to, bias-related crimes and threats, harassment, and sexual harassment;

(iii) Discrimination in products, services, or economic opportunities such as housing, employment, credit, insurance, education, or health care on the basis of an individual or class of individuals belonging to, or being perceived as belonging to, one of the protected classes under chapter 5.1 of title 28, except as specifically authorized by law;

(iv) Interference with or surveillance of First Amendment-protected activities by state actors, except as specifically authorized by law;

(v) Interference with the right to vote or with free and fair elections;

(vi) Violation of individuals' rights to due process or equal protection under the law;

(vii) Loss of individual control over personal information via non-consensual sharing of sensitive personal information, data breach, or other actions that violate this chapter;

(viii) The non-consensual capture of information or communications within an individual's home or where an individual is entitled to have a reasonable expectation of privacy or access control;

(ix) Other effects on an individual that may not be reasonably foreseeable to, contemplated by or expected by the individual to whom the personal information relates, which are nevertheless reasonably foreseeable to, contemplated by, or expected by the covered entity, that alter or limit that individual's choices or predetermine results.

(18) "Individual" means a natural person who is a resident of the State of Rhode Island. The location of a natural person in the State of Rhode Island shall create a presumption that the natural person is a State of Rhode Island resident.

(19) "Legal request" means any request for personal information issued by a court of competent jurisdiction pursuant to state or federal laws such as subpoenas, court orders, search warrants, pen register and trap and trace orders, or wiretap orders.

(20) "Location information" means information pertaining to where an individual has physically been or directly or indirectly reveals an individual's physical location or the location of a device associated with that individual. Location information includes, but is not limited to:

(i) IP addresses;

(ii) GPS coordinates;

(iii) Cell-site location information;

(iv) Time-stamped video or other surveillance information that identifies an individual as being in a certain place;

(v) Information derived from transportation cards;

(vi) Information related to an individual's visit to certain locations.

(21) "Rhode Island governmental entity" means any agency, executive office, department, board, commission, bureau, division or authority of the state, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose.

(22) "Monetize" or "monetization" means to sell, rent, release, disclose, disseminate, trade, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, an individual's personal information by a covered entity, a third party, or a data processor in exchange for monetary or other consideration, as well as to leverage or use an individual's personal information to place a targeted advertisement or to otherwise profit, regardless of whether the individual's personal information changes hands.

(23) "Person" means any natural or legal person.

(24) "Personal information" means information about an individual directly or indirectly captured in a covered interaction. Personal information includes any information so captured that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a particular individual, household, or device. Information is reasonably linkable to an individual, household, or device if used on its own or in combination with other reasonably available information to identify an individual, household, or device, regardless of whether the covered entity holds such additional information. This definition includes, but is not limited to, the following information:

(i) First names, middle names, last names, aliases, and social media and website-used usernames;

(ii) Government-issued ID and vehicle license plate numbers;

(iii) Telephone numbers, including cellphone numbers, and physical and digital addresses such as IP addresses and email addresses;

(iv) Date of birth, age, gender, race, ethnicity, national origin, and sexual orientation;

(v) Information revealing political opinions, religious, or philosophical beliefs held by identified individuals;

(vi) Technical identifiers such as a service ID number that can be tied back to an individual;

(vii) Biometric information;

(viii) Location information;

(ix) Medical and health information including an individual's medical history and search queries related to medical conditions;

(x) Financial data, including social security number, details of financial and commercial transactions, and credit scores related to the financial capacity of an individual;

(xi) Professional data, including resume, job history, and other similar records related to an individual;

(xii) Information pertaining to an individual's behavior online, such as a record of the websites they visit or the files they download;

(xiii) Browser personal information;

(xiv) Information pertaining to an individual's sex life; and

(xv) Electronic communications such as messaging, email, and voice conversations.

(25) "Processing" or "process" means any action or set of actions performed on or with personal information, including, but not limited to, collecting, accessing, using, storing, retaining, sharing, monetizing, analyzing, creating, generating, aggregating, altering, correlating, operating on, decision-making, recording, modifying, organizing, structuring, disclosing, transmitting, selling, licensing, disposing of, destroying, de-identifying, or another handling of personal information. This term includes using personal information in automated decision systems.

(26) "Reasonably understandable" means of length and complexity such that an individual with an eighth-grade reading level, as established by the department of education, can read and comprehend.

(27) "Sensitive personal information" means the following personal information related to an identified individual:

(i) Race, ethnicity, national origin, and sexual orientation;

(ii) Date of birth;

(iii) Cellphone number;

(iv) Information revealing political opinions, religious or philosophical beliefs held by identified individuals;

(v) Biometric information;

(vi) Location information;

(vii) Medical and health information including an individual's medical history and search queries related to medical conditions;

(viii) Information pertaining to an individual's sex life;

(ix) Social security number; and

(x) Credit scores related to the financial capacity of an individual.

(28) "Targeted advertisement" means an advertisement directed to an individual or a group of individuals where the advertisement is selected by an automated decision system based on processed personal information obtained or inferred over time from the individual's or the group of individuals' devices' activities, communications, or associations across websites, applications, services, or covered entities. It does not include advertisements directed to an individual solely based upon the individual's current visit to a website, application, service, covered entity, or a direct response to the individual's request for information or feedback.

(29) "Third party" means, with respect to an individual's personal information, any person or governmental entity that is not the covered entity or a data processor.

(30) "Use model" means a discrete purpose for which collected personal information is to be processed, including, but not limited to, first-party marketing, third-party marketing, first-party research and development, third-party research and development, and product improvement and development.

42-162-3. General principles and duties.

(a) The provisions of this chapter and the regulations enacted thereof shall be interpreted and administered in accordance with the following general principles:

(1) Covered entities and data processors must process personal information and use automated decision systems discreetly and honestly, and only to the extent necessary for carrying out their purpose; and

(2) Covered entities and data processors must be protective of personal information, loyal to the individuals whose personal information is processed, and honest about the risk of processing practices, including the use of automated decision systems.

(b) Duty of care. Covered entities and data processors shall:

(1) Reasonably secure individual personal information from unauthorized access; and

(2) Promptly comply with § 11-49.3-4 in case of a breach of security, as defined therein.

(c) Duty of loyalty. Covered entities and data processors shall not use personal information, or information derived from personal information, in any way that:

(1) Benefits themselves to the detriment of an individual;

(2) Results in reasonably foreseeable and material physical or financial harm to an individual; or

(3) Would be unexpected and highly offensive to a reasonable individual that provided consent in accordance with this chapter.

(d) Duty of confidentiality. Covered entities and data processors:

(1) Shall not disclose or sell personal information to, or share personal information with, any other person except as consistent with the provisions set forth in this chapter and regulations enacted to implement them;

(2) Shall not disclose or sell personal information to, or share personal information with, any third party unless that third party enters into a contract with the covered entity that imposes on the third party the same duties of care, loyalty, and confidentiality toward the applicable individual as are imposed on the covered entity under this chapter; and

(3) Shall take reasonable steps to ensure that the practices of any third party to whom the covered entity discloses or sells, or with whom the covered entity shares personal information fulfill the duties of care, loyalty, and confidentiality assumed by the third party under the contract described in the previous subsection.

(i) Covered entities shall regularly audit the data security and data information practices of any such third party, making such audit publicly available.

42-162-4. Rights of access, correction, data portability, and deletion.

(a) Access to and portability of personal information.

(1) Individuals shall have the right to:

(i) Access all their personal information that was processed by the covered entity or a data processor;

(ii) Access all the information pertaining to the collection and processing of their personal information, including, but not limited to:

(A) Where or from whom the covered entity obtained personal information, i.e., from the individual or a third party, whether online or offline;

(B) The types of third parties to which the covered entity has disclosed or will disclose captured personal information;

(C) The purposes of the processing;

(D) The categories of personal information concerned;

(E) The names of third parties to which the covered entity had disclosed the personal information and a log showing when such disclosure happened; and

(F) The period of retention of the personal information;

(iii) Obtain their personal information processed by a covered entity in a structured, readily usable, portable, and machine-readable format;

(iv) Transmit or cause the covered entity to transmit the personal information to another covered entity, where technically feasible;

(v) Request a covered entity to stop collecting and processing their personal information.

(b) Correction and deletion of personal information.

(1) Individuals shall have the right to:

(i) Correct inaccurate personal information stored by covered entities; and

(ii) Delete all their personal information stored by covered entities; provided that, a covered entity that has collected personal information from an individual is not required to delete information to the extent it is exempt under this chapter from the requirement of consent.

(2) A covered entity that maintains an individual's personal information in a non-public profile or account must correct or delete such personal information, and any information derived therefrom pertaining to the individual upon the individual's request.

(c) Exercise of rights.

(1) A covered entity must provide individuals with a reasonable means to exercise their rights mentioned in subsections (a) and (b) of this section in a request-form that is:

(i) Clear and conspicuous;

(ii) Made available at no additional cost and with no transactional penalty to the individual to whom the information pertains; and

(iii) In English and any other language in which the covered entity communicates with the individual to whom the information pertains.

(2) A covered entity must comply with a request to exercise the rights mentioned in subsections (a) and (b) of this section no later than thirty (30) days after receiving a verifiable request from the individual.

(i) Where the covered entity has reasonable doubts or cannot verify the identity of the individual making a request, the covered entity may request additional personal information necessary for the specific purpose of confirming the identity of the individual.

(ii) A covered entity may not de-identify an individual's personal information during the sixty (60) day period beginning on the date on which the covered entity receives a request for correction or deletion from the individual.

42-162-5. Right to know.

(a) Individuals shall have the right to know what personal information a covered entity or a data processor will collect and process about the individual, including the categories and specific pieces of personal information the covered entity processes, before giving consent for the collection and processing of their personal information.

(b) Meaningful notice. A covered entity must make both a long-form privacy policy and a short-form privacy policy available to all individuals in accordance with the following:

(1) The privacy policies shall be available and readily accessible on the covered entity's website or mobile application.

(i) In the case of in-person or non-Internet electronic engagement, the privacy policies shall be readily accessible at the primary physical place of business and any offline equivalent maintained by the covered entity.

(2) The privacy policies shall be persistently and conspicuously available at or prior to the point of sale of a product or service, subscription to a service, sign up, or creation of an account with the covered entity.

(3) Covered entities that process personal information shall ensure that individuals are presented with the short-form privacy policy only once upon the individual's first electronic covered interaction that may or will result in the processing of personal information, whether that is through the covered entity's website or use of the covered entity's mobile application.

(i) In the case of in-person or non-Internet electronic engagement, the short-form privacy policy should be read to or otherwise presented to the individual before the covered entity first collects the individual's personal information.

(4) The short-form privacy notice required under this section shall:

(i) Be clear, concise, well-organized, and complete;

(ii) Be clear and prominent in appearance;

(iii) Use clear and plain language;

(iv) Use visualizations where appropriate to make complex information understandable by the ordinary user;

(v) Be reasonably understandable;

(vi) Be distinguishable from other matters;

(vii) Not contain any unrelated, confusing, or contradictory information;

(viii) Be no more than six hundred (600) words, excluding the list of third parties with which the covered entity discloses personal information; and

(ix) Be provided free of charge.

(5) The short-form privacy notice required must include:

(i) The sensitive personal information being processed;

(ii) The use model and a brief explanation of the relationship between the individual and the covered entity;

(iii) Whether the covered entity by itself or a data processor on its behalf processes the information;

(iv) Whether the covered entity uses automated decision systems;

(v) Whether personal information is going to be processed for purposes of targeted advertisement or monetization;

(vi) One example of harm that may arise from a misuse of the personal information;

(vii) The period of retention of the personal information expressed in exact dates;

(viii) To what types of third parties the covered entity discloses personal information and for what purposes, including governmental entities; and

(ix) Whether the covered entity collects personal information through offline practices when the individual does not interact directly with the covered entity.

(6) A list of the third parties referenced in subsection (b)(5)(viii) of this section must be provided either in the short-form privacy notice or in an easily accessible online form. If the policy is delivered verbally, the person communicating the policy must offer to read the list of third parties. If provided in the short-form privacy notice, such list must be offset by at least two (2) line breaks from the rest of the short-form privacy notice.

(7) The long-form privacy policy shall contain a detailed description of the processing of the personal information, including, but not limited to, all the elements of the short-form privacy policy, and an explanation of how the covered entities and their affiliate data processors comply with the provisions of this chapter, including the following:

(i) A brief explanation of the technology that mediates the relationship between the individual and the covered entity, including automated decision systems; and

(ii) A brief explanation of the risks of harm that arise from the possible misuse of personal information processing.

(8) The commission shall:

(i) Establish a standardized short-form privacy notice that complies with this section;

(ii) Determine whether a more concise presentation of a short-form privacy notice is appropriate where the policy is being communicated verbally, and if so, shall establish a standardized short-form verbal privacy notice;

(iii) Develop a recognizable and uniform logo or button to promote individual awareness of the short-form privacy notice; and

(iv) Promulgate regulations specifying additional requirements for the format and substance of short-form privacy notices.

42-162-6. Right to consent.

(a) Individuals shall have the right to consent in accordance with this section before their personal information is collected and processed.

(b) Consent given by an individual authorizes a covered entity to collect, cause to collect, process, or cause to process personal information from such individual in accordance with the following:

(1) A covered entity must obtain consent:

(i) Before collecting or causing to collect personal information for purposes of processing an individual's personal information for the first time; and

(ii) After the acceptance of the short-form privacy policy described in § 42-162-5.

(2) For continuing covered interactions, the consent required by this section must be renewed annually, and if not so renewed, shall be deemed to have been withdrawn.

(3) A covered entity must provide new meaningful notice and obtain consent from an individual two (2) weeks before changing the nature of the processing of personal information to which the individual previously consented.

(i) The two (2) week period in the previous subsection shall not apply if the change in processing is necessary to enable a new functionality requested by the individual; provided that, such individual was given notice and provided consent when making such request.

(4) A covered entity requesting consent shall:

(i) Ensure that the option to refuse consent is presented as clearly and prominently as the option to provide consent;

(ii) Provide a mechanism for an individual to withdraw previously given consent at any time; and

(iii) Once a year, provide a notice explaining how the personal information was used, including two (2) examples of such use.

(5) A covered entity requesting consent shall not coerce consent through the use of interfaces that:

(i) Threaten or mandate an individual's compliance;

(ii) Ask questions or provide information in a way individuals cannot reasonably understand;

(iii) Attract the individual's attention away from their current task by exploiting perception, particularly pre-attentive processing;

(iv) Take advantage of individuals' errors to facilitate the interface designer's goals;

(v) Deliberately increase work for the individual;

(vi) Interrupt the individual's task flow;

(vii) Use information architectures and navigation mechanisms that guide the individual toward not having a real option to consent;

(viii) Hide desired content or interface elements;

(ix) Limit or omit controls that would facilitate task accomplishment by the individual;

(x) Present disturbing content to the individual; or

(xi) Generally mislead or deceive the individual.

(6) Once an individual refuses to provide consent in accordance with this section, and if the individual keeps interacting with the covered entity in any way, the covered entity shall not try to obtain consent unless a period of at least six (6) months has passed.

(7) Under no circumstances shall the mere covered interaction of an individual with a covered entity's product or service be deemed as consent.

(8) A covered entity may collect browser personal information; provided that, the covered entity:

(i) Processes only the personal information necessary to request consent;

(ii) Processes such information solely to request consent; and

(iii) Immediately deletes all the personal information if consent is refused.

(9) A covered entity shall not:

(i) Refuse to serve an individual who does not approve the processing of the individual's personal information under this section unless the processing is necessary for the primary purpose of the transaction that the individual has requested;

(ii) Offer a program that relates the price or quality of a product or service to the degree of acceptance of personal information processing. This includes the provision of discounts or other incentives in exchange for the consent;

(A) Notwithstanding the above, a covered entity may, with the individual's consent given in compliance with this section, operate a program in which information, products, or services sold to the individual are discounted based on that individual's prior purchases from the covered entity; provided that, the personal information shall be processed solely to operate such program.

(iii) State or imply that the quality of a product or service will be diminished and shall not actually diminish the quality of a product or service if the individual declines to give consent.

15

     42-162-7. Right to control disclosure of personal information.

     (a) Individuals shall have the right to know the names of third parties to which the covered entities or data processors will disclose their personal information, and refuse consent for such disclosure.

     (b) Disclosure of personal information and relationships with third parties.

     (1) No covered entity or data processor in possession of personal information may disclose, cause to disclose, or otherwise disseminate to third parties, including government agencies, personal information unless such disclosure is included in the meaningful notice pursuant to this chapter, and consent from the individual is obtained in the manners and ways prescribed in this chapter.

     (2) A covered entity shall not process or cause to process an individual's personal information acquired from a third party, unless it has first obtained the individual's consent.

     (i) Notwithstanding § 42-162-7(b)(2)(i), if the processing is necessary to obtain consent, the covered entity shall:

     (A) Process only the personal information required to request consent;

     (B) Process the personal information solely to request consent; and

     (C) Immediately delete the personal information if consent is not given.

     (3) A covered entity shall not disclose personal information to a data processor or another third party without a contractual agreement that:

     (i) Requires the data processor or third party to meet the same privacy and security obligations as the covered entity;

     (ii) Prohibits the data processor or third party from processing the personal information for any purpose other than the purposes for which the individual provided consent; and

     (iii) Prohibits the data processor or third party from further disclosing or processing the personal information except as explicitly authorized by the contract and consistent with this chapter.

     (4) If a covered entity learns that a data processor or third party to whom it has provided access to personal information is using such personal information in violation of this chapter, the covered entity shall immediately:

     (i) Limit the violator's access to personal information;

     (ii) Seek proof of destruction of personal information previously accessed by the violating data processor or third party; and

     (iii) Notify the commission about the violation.

     42-162-8. Prohibition of surreptitious surveillance.

     A covered entity shall not activate the microphone, camera, or any other sensor on a device in the lawful possession of an individual that is capable of collecting or transmitting audio, video, or image data or data that can be used to measure biological or biometric information, human movement, location, chemicals, light, radiation, air pressure, speed, weight or mass, positional or physical orientation, magnetic fields, temperature, or sound without providing notice and obtaining consent pursuant to this chapter for the specific type of measurement to be activated; provided that, such consent shall be effective for not more than one hundred eighty (180) days, after which it shall expire unless renewed.

     42-162-9. Age of responsibility.

     (a) For the purposes of this chapter, individuals age thirteen (13) and older are deemed competent to exercise all rights granted to individuals under this chapter.

     (b) Rights and obligations relating to individuals under the age of thirteen (13) shall be governed by the children's online privacy protection act (15 U.S.C. Sec. 6501 et seq.) and its regulations.

     42-162-10. Protection of biometric and location information.

     (a) In addition to all provisions of this chapter generally applicable to personal information, the following provisions shall apply to the processing and collection of biometric and location information, regardless of how such biometric and location information is processed or collected:

     (1) Processing. No covered entity or data processor may collect or process an individual's biometric or location information unless it first:

     (i) Informs the individual in writing that biometric or location information is being processed and the specific purpose or purposes and length of time for which the information is being processed; and

     (ii) Obtains consent from the individual for the specific purpose of collecting and processing biometric or location information before any such information is collected or processed:

     (A) For biometric information, the consent shall be handwritten and executed by the individual, explicitly authorize such processing, and be sent to the covered entity by postal mail, facsimile, or electronic scan;

     (B) Consent shall be for a period specified in the written consent of not more than one year and shall automatically expire at the end of such period unless renewed pursuant to the same procedures. Upon expiration of consent, any biometric or location information possessed by a covered entity must be destroyed;

     (2) Retention and destruction. A covered entity in possession of biometric or location information must develop a specific written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric or location information when the initial purpose for processing such information has been satisfied or within one year of the individual's consent, unless renewed, whichever occurs first:

     (i) Absent a valid warrant issued by a court of competent jurisdiction, a covered entity in possession of biometric or location information must comply with its established retention schedule and destruction guidelines;

     (3) Disclosure. No covered entity or data processor in possession of biometric or location information may disclose, cause to disclose, sell, or otherwise disseminate or cause to disseminate to third parties, including government agencies, an individual's biometric or location information unless:

     (i) The individual gives consent in writing to the disclosure; or

     (ii) The disclosure completes a financial transaction requested or authorized by the subject of the biometric or location information; or

     (iii) The disclosure is required by state or federal law, in which case the individual must be given adequate notice on the occasion of obtaining the consent; or

     (iv) The disclosure is required pursuant to a valid warrant issued by a court of competent jurisdiction, in which case the individual must be given adequate notice in accordance with § 42-162-17;

     (4) Monetizing. No covered entity in possession of biometric or location information may monetize or otherwise profit from an individual's biometric or location information;

     (i) A covered entity may process an individual's biometric or location information to recommend actions, services, goods, or products provided that:

     (A) There is full disclosure to the individual about the biometric or location information processed;

     (B) Consent was given in a manner consistent with this section; and

     (C) There is full disclosure that such recommendation is based on the biometric or location information processed.

     42-162-11. Prohibition of discrimination.

     (a) Individuals shall have the right not to be subject to processing of their personal information that results in unlawful discriminatory actions.

     (b) Covered entities that process personal information shall not engage in unlawful discriminatory practices connected with the use of personal information and the provision of services, products, or goods.

     (c) Unlawful discriminatory practices are acts or practices that:

     (1) Process personal information in the course of advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for employment, finance, health care, credit, insurance, housing, or education opportunities in a manner that directly results in discrimination against or otherwise makes an opportunity unavailable on the basis of an individual's or group of individuals' actual or perceived belonging to a protected class;

     (2) Process personal information in a manner that discriminates in, or otherwise makes unavailable, whether in a commercial transaction or otherwise, any place of public accommodation, resort, or amusement, on the basis of an individual's or group of individuals' actual or perceived belonging to a protected class; or

     (3) Enable the use of covered entities' services or products to place targeted advertisements for employment, finance, health care, credit, insurance, housing, or education opportunities in such a way that enables the advertiser to determine whether to serve an advertisement to an individual or group of individuals on the basis of actual or perceived belonging to a protected class.

     (d) Nothing in this section shall limit covered entities from processing personal information for:

     (1) Legitimate testing to prevent unlawful discrimination or otherwise determine the extent or effectiveness of the covered entity's compliance with this section; and

     (2) The purpose of advertising, marketing, soliciting, or offering education or employment opportunities to members of a protected class so long as such opportunities are within an affirmative action, diversity program, or similar initiative that intends to provide opportunities to the protected classes.

     42-162-12. Prohibition of unfair and deceptive trade practices.

     (a) Unfair and deceptive trade practices relating to information privacy are hereby declared unlawful.

     (b) Unfair and deceptive trade practices are acts or practices that:

     (1) Materially interfere with the ability of an individual to understand the way the covered entity processes personal information; or

     (2) Take unreasonable advantage of:

     (i) A lack of understanding on the part of the individual of the material risks, costs, or conditions of the processing of personal information; or

     (ii) The inability of the individual to protect the interests of the individual in selecting or using a product, good, or service provided by the covered entity; or

     (iii) The reasonable reliance by the individual on a covered entity to act in the interests of the consumer.

     42-162-13. The Rhode Island information privacy commission.

     (a) The commission shall have all the powers necessary or convenient to carry out and effectuate its purposes including, but not limited to, the power to:

     (1) Appoint officers and hire employees;

     (2) Establish and amend a plan of organization that it considers expedient;

     (3) Execute all instruments necessary or convenient for accomplishing the purposes of this chapter and its regulation;

     (4) Adopt, amend, or repeal regulations for the implementation, administration, and enforcement of this chapter;

     (5) Enter into agreements or other transactions with a person, including, but not limited to, a governmental entity or other governmental instrumentality or authority in connection with its powers and duties under this chapter;

     (6) Appear on its own behalf before boards, commissions, departments, or other agencies of municipal, state, or federal government;

     (7) Apply for and accept subventions, grants, loans, advances, and contributions of money, property, labor, or other things of value from any source, to be held, used, and applied for its purposes;

     (8) Provide and pay for advisory services and technical assistance as may be necessary in its judgment to carry out this chapter and fix the compensation of persons providing such services or assistance;

     (9) Prepare, publish and distribute, with or without charge as the commission may determine, such studies, reports, bulletins, and other materials as the commission considers appropriate;

     (10) Gather facts and information applicable to the commission's obligation to enforce this chapter and ensure its compliance;

     (11) Conduct investigations for possible violations of this chapter;

     (12) Conduct administrative proceedings and promulgate regulations;

     (13) Refer cases for criminal prosecution to the appropriate federal, state, or local authorities;

     (14) Maintain an official Internet website for the commission;

     (15) Conduct a study to determine the most effective way for covered entities to obtain individuals' consent. The commission may request data and information from covered entities conducting business in Rhode Island, Rhode Island government entities administering notice and consent regimes, consumer protection experts, privacy advocates, and researchers, Internet standards-setting bodies such as the Internet Engineering Task Force and Institute of Electrical and Electronics Engineers, and other relevant sources to meet the purpose of the study;

     (16) Assess and impose civil administrative penalties on covered entities, data processors, and third parties who fail to comply with or violate any provision of this chapter or regulation enacted pursuant to this chapter, and create an administrative procedure for such purpose; and

     (17) Create and disseminate information to the public about their rights in relation to personal information privacy and what to do if they believe their rights have been violated.

     42-162-14. Enforcement -- Civil administrative penalties.

     (a) Any individual or group of individuals alleging a violation of this chapter or a regulation promulgated under this chapter may bring an administrative complaint before the commission.

     (1) The commission shall promulgate a form of complaint for use under this section, which shall be in such form and language as to permit an individual to prepare and file such complaint pro se.

     (2) An individual shall not be required to accept mandatory arbitration of a claim under this chapter as a condition of bringing an administrative complaint.

     (3) The administrative complaint shall be directed against the covered entity, data processor, and the third parties alleged to have committed the violation.

     (4) The commission shall investigate the allegations and decide whether they warrant the imposition of a civil administrative penalty.

     (b) The commission shall also open investigations without any particular alleged violation to assess the compliance of covered entities, data processors, and third parties with this chapter and shall impose civil administrative penalties if necessary.

     (c) Whenever the commission seeks to assess a civil administrative penalty on any covered entities, data processors, and third parties, the commission shall cause to be served upon such person, either by service, in hand, or by certified mail, return receipt requested, a written notice of its intent to assess a civil administrative penalty which shall include: a concise statement of the alleged act or omission for which such civil administrative penalty is sought to be assessed; each law, regulation, or order violated as a result of such alleged act or omission; the amount which the commission seeks to assess as a civil administrative penalty for each such alleged act or omission; a statement of such person's right to an administrative hearing on the proposed assessment; the requirements such person must comply with to avoid being deemed to have waived the right to an administrative hearing; and the manner of payment thereof if such person elects to pay the penalty and waive an administrative hearing. After such notice of intent to assess a civil administrative penalty has been given, each such day thereafter during which such noncompliance or violation occurs or continues shall constitute a separate offense and shall be subject to a separate civil administrative penalty if reasonable efforts have not been made to promptly come into compliance.

     (d) Whenever the commission seeks to assess a civil administrative penalty on any person, such person shall have the right to an administrative hearing under the provisions of chapter 35 of title 42. Such person shall be deemed to have waived such right to an administrative hearing unless, within twenty-one (21) days of the date of the commission's notice of intent to assess a civil administrative penalty, such person files with the commission a written statement denying the occurrence of any of the acts or omissions alleged by the commission in such notice, or asserting that the money amount of the proposed civil administrative penalty is excessive. In any administrative hearing authorized pursuant to chapter 35 of title 42, the commission shall, by a preponderance of the evidence, prove the occurrence of each act or omission alleged by the commission.

     (e) If a person waives his/her right to an administrative hearing, the proposed civil administrative penalty shall be final immediately upon such waiver.

     (f) If a civil administrative penalty is assessed at the conclusion of an administrative hearing, said civil administrative penalty shall be final upon the expiration of thirty (30) days if no action for judicial review of such decision is commenced pursuant to chapter 35 of title 42.

     (g) Any person who institutes proceedings for judicial review of the final assessment of a civil administrative penalty shall place the full amount of the final assessment in an interest-bearing escrow account in the custody of the clerk of the reviewing court. The establishment of such an interest-bearing escrow account shall be a condition precedent to the jurisdiction of the reviewing court unless the party seeking judicial review demonstrates in a preliminary hearing held within twenty (20) days of the filing of the complaint either the presence of a substantial question for review by the court or an inability to pay. Upon such a demonstration, the court may grant an extension or waiver of the interest-bearing escrow account or may require, in lieu of such interest-bearing escrow account, the posting of a bond payable directly to the state in the amount of one hundred twenty-five percent (125%) of the assessed penalty. If, after judicial review, in a case where the requirement for an escrow account has been waived, and in cases where a bond has been posted in lieu of such requirement, the court affirms, in whole or in part, the assessment of a civil administrative penalty, the commission shall be paid the amount thereof. If, after such review in a case where an interest-bearing escrow account has been established, the court affirms the assessment of such penalty, in whole or in part, the commission shall be paid the amount thereof together with the accumulated interest thereon in such interest-bearing escrow account. If the court sets aside the assessment of a civil administrative penalty in a case where the amount of such penalty has been deposited in an interest-bearing escrow account, the person on whom the civil administrative penalty was assessed shall be repaid the amount so set aside, together with the accumulated interest thereon.

     (h) Each person who fails to pay a civil administrative penalty on time, and each person who issues a bond pursuant to this section and who fails to pay to the state on time the amount required hereunder, shall be liable to the state for up to three (3) times the amount of the civil administrative penalty, together with costs, plus interest from the time the civil administrative penalty became final and attorneys' fees, including all costs and attorneys' fees incurred directly in the collection thereof.

     (i) No civil administrative penalty assessed hereunder shall be:

     (1) Less than fifteen hundredths percent (0.15%) of the annual global revenue of the covered entity, data processor, or third party or fifteen thousand dollars ($15,000), whichever is greater, per individual violation; or

     (2) More than four percent (4%) of the annual global revenue of the covered entity, data processor, or third party or twenty million dollars ($20,000,000), whichever is greater, if the commission assesses a civil administrative penalty for multiple violations that affect multiple individuals.

     (j) In determining the amount of each civil administrative penalty, the commission shall include, but not be limited to, the following in its consideration:

     (1) The number of affected individuals;

     (2) The severity of the violation or noncompliance;

     (3) The risks caused by the violation or noncompliance;

     (4) Whether the violation or noncompliance was part of a pattern of noncompliance and violations and not an isolated instance;

     (5) Whether the violation or noncompliance was willful and not the result of error;

     (6) The precautions taken by the defendant to prevent a violation;

     (7) The number of administrative actions, lawsuits, settlements, and consent decrees under this chapter involving the defendant;

     (8) The number of administrative actions, lawsuits, settlements, and consent decrees involving the defendant in other states and at the federal level in issues involving information privacy; and

     (9) The international record of the defendant when it comes to information privacy issues.

     (k) Notwithstanding any general or special law to the contrary, including the limitations and considerations set forth in this section, the commission may require that the amount of a civil administrative penalty imposed pursuant to this section exceeds the economic benefit realized by a person for noncompliance.

     (l) When imposing civil administrative penalties, the commission shall consider the following:

     (1) Each individual whose personal information was unlawfully processed and each instance of processing counts as a separate violation;

     (2) Each subsection of this chapter that was violated counts as a separate violation;

     (3) If a series of steps or transactions were component parts of a single transaction to avoid the reach of this chapter, the commission shall disregard the intermediate steps or transactions and consider everything one transaction.

     (m) All civil administrative penalties assessed shall be paid to the state. Once the payment is received, the state shall:

     (1) Earmark ten percent (10%) of the civil administrative penalties collected to fund the commission's budget; and

     (2) Identify the individuals affected by the violation and use the remaining proceeds collected to redress and mitigate harms caused by the violation.

     42-162-15. Enforcement -- Judicial remedies.

     (a) Private right of action. Any individual alleging a violation of this chapter or a regulation promulgated under this chapter may bring a civil action in any court of competent jurisdiction.

     (1) An individual protected by this chapter may not be required, as a condition of service or otherwise, to file an administrative complaint with the commission or to accept mandatory arbitration of a claim under this chapter.

     (2) The civil action shall be directed to the covered entity, data processor, and the third parties alleged to have committed the violation.

     (3) A violation of this chapter or a regulation promulgated under this chapter regarding an individual's personal information constitutes a rebuttable presumption of harm to that individual.

     (4) In a civil action in which the plaintiff prevails, the court may award:

     (i) Liquidated damages of not less than fifteen hundredths percent (0.15%) of the annual global revenue of the covered entity or fifteen thousand dollars ($15,000) per violation, whichever is greater;

     (ii) Punitive damages; and

     (iii) Any other relief, including, but not limited to, an injunction that the court deems to be appropriate.

     (5) In addition to any relief awarded pursuant to the previous subsection, the court shall award reasonable attorneys' fees and costs to any prevailing plaintiff.

     (6) The court may request the opinion of the commission on the matters discussed.

     (b) The attorney general may bring an action pursuant to chapter 13.1 of title 6 against a covered entity, data processor, or third party to remedy violations of this chapter and for other relief that may be appropriate.

     (1) If the court finds that the defendant has employed any method, act, or practice which they knew or should have known to be in violation of this chapter, the court may require such person to pay to the state a civil penalty of:

     (i) Not less than fifteen hundredths percent (0.15%) of the annual global revenue or fifteen thousand dollars ($15,000), whichever is greater, per violation; and

     (ii) Not more than four percent (4%) of the annual global revenue of the covered entity, data processor, or third party or twenty million dollars ($20,000,000), whichever is greater, per action if such action includes multiple violations to multiple individuals;

     (2) During the proceedings, the court may also request the opinion of the commission on the matters discussed.

     (3) All money awards shall be paid to the state. The state shall identify the individuals affected by the violation and earmark such money awards, penalties, or assessments collected for purposes of paying for the damages they suffered as a consequence of the violation.

     (c) When calculating awards and civil penalties in all the actions in this section, a court shall consider the factors mentioned in § 42-162-14(j).

     (d) When assessing the defendant's behavior in judicial proceedings, the court shall consider the factors mentioned in § 42-162-14(l).

     (e) It is a violation of this chapter for a covered entity or anyone else acting on behalf of a covered entity to retaliate against an individual who makes a good-faith complaint that there has been a failure to comply with any part of this chapter.

     (1) An individual injured by a violation of the previous subsection may bring a civil action for monetary damages and injunctive relief in any court of competent jurisdiction.

     42-162-16. Enforcement -- Miscellaneous.

     (a) Non-waivable rights. Any provision of a contract or agreement of any kind, including a covered entity's terms of service or a privacy policy, including the short-form privacy notice required under § 42-162-5, that purports to waive or limit in any way an individual's rights under this chapter, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

     (b) No covered entity that is a provider of an interactive computer service, as defined in 47 U.S.C. § 230, shall be treated as the publisher or speaker of any personal information provided by another information content provider, as defined in 47 U.S.C. § 230, and allowing posting of information by a user without other action by the interactive computer service shall not be deemed processing of the personal information by the interactive computer service.

     (c) No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.

     42-162-17. Exceptions.

25

     (a) A covered entity shall not be required to provide meaningful notice or obtain consent

26

for processing personal information in accordance with §§ 42-162-5 and 42-162-6:

27

     (1) The processing is necessary to execute the specific transaction for which the individual

28

is providing personal information, such as the provision of financial information to complete a

29

purchase or the provision of a mailing address to deliver a package;

30

     (i) Notwithstanding the previous subsection, personal information shall not be processed

31

for any other purpose beyond that clear primary purpose without providing meaningful notice to

32

and obtaining consent from the individual to whom the personal information pertains.

33

     (2) The covered entity believes that an emergency involving immediate danger of death or

34

serious physical injury to any individual requires obtaining without delay personal information so

 

LC003582 - Page 23 of 35

1

that it can be used to respond to the emergency, and the request is narrowly tailored to address the

2

emergency, subject to the following limitations.

3

     (i) The request shall document the factual basis for believing that an emergency involving

4

immediate danger of death or serious physical injury to an individual requires obtaining without

5

delay personal information relating to the emergency; and

6

     (ii) Simultaneous with the covered entity obtaining personal information under this

7

subsection, the covered entity shall use reasonable efforts to inform the individual of the personal

8

information obtained; the details of the emergency; and the reasons why the covered entity needed

9

to obtain the personal information and shall continue such efforts to inform until receipt of

10

information is confirmed; or

     (3) The processing involves only de-identified information; provided that, a covered entity that processes de-identified information must:

     (i) Have a privacy policy that details how the de-identified information is processed;

     (ii) Implement technical safeguards that prohibit indirect re-identification of the information;

     (iii) Implement business processes that expressly prohibit indirect re-identification of the information;

     (iv) Implement business processes that prevent inadvertent release of de-identified information; and

     (v) Not attempt to re-identify the information.

     (b) A covered entity, its affiliated data processors, or the third parties they contracted with shall not be required to obtain consent for disclosing or sharing personal information in accordance with this chapter if:

     (1) Disclosure is required to respond to a legal request; provided that:

     (i) A covered entity receiving such legal request shall serve or deliver the following information to the individual to which the legal request for personal information refers by registered or first-class mail, electronic mail, or other means reasonably calculated to be effective:

     (A) A copy of the legal request and a notice that informs the individual of the nature of the inquiry with reasonable specificity;

     (B) That personal information related to the individual was supplied to, or requested by, a requesting entity and the date on which the supplying or request took place;

     (C) An inventory of the personal information requested or supplied;

     (D) Whether the information was in possession of the covered entity, an affiliate data processor, or a third party they contracted with; and

     (E) The identity of the person that sought the legal request from the court, if known.

     (ii) The covered entity shall serve or deliver such notification immediately upon receiving a legal request asking for or compelling the disclosure of personal information; provided that, a covered entity may apply to the court for an order delaying notification. The court may issue the order if notification of the existence of the legal request will result in danger to the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, or intimidation of potential witnesses, or otherwise seriously jeopardize an investigation or unduly delay a trial.

     (A) If granted, such an order shall not exceed thirty (30) days, but may be renewed up to thirty (30) days at a time while grounds for the delay persist.

     (2) The disclosure is a routine disclosure required by state or federal law; provided that, the individual received notice of such requirement in accordance with §§ 42-162-4 and 42-162-6.

     42-162-18. Transparency.

     (a) Covered entities that receive any form of a legal request for disclosure of personal information pursuant to this chapter shall:

     (1) Provide the commission and the general public a bi-monthly report containing the following aggregate information related to legal requests received by the covered entity, their affiliated data processors, and any third parties they contracted with:

     (i) The total number of legal requests, disaggregated by type of requests such as warrants, court orders, and subpoenas;

     (ii) The number of legal requests that resulted in the covered entity disclosing personal information;

     (iii) The number of legal requests that did not result in the covered entity disclosing personal information, including the reasons why the information was not disclosed;

     (iv) The type of personal information sought in the legal requests received by the covered entity;

     (v) The total number of legal requests seeking the disclosure of location or biometric information;

     (vi) The number of legal requests that resulted in the covered entity disclosing location or biometric information;

     (vii) The number of legal requests that did not result in the covered entity disclosing location or biometric information, including the reasons for such disclosure; and

     (viii) The nature of the proceedings from which the requests were ordered and whether it was a government entity or a private person seeking the legal request;

     (2) Take all reasonable measures and engage in all legal actions available to ensure that the legal request is valid under applicable laws and statutes; and

     (3) Require their affiliate data processors and third parties they contracted with to have similar practices and standards.

     (b) Covered entities that are required to disclose personal information as a matter of law pursuant to § 42-162-17(b) shall provide the commission and the general public a bi-monthly report containing the following aggregate information:

     (1) The total number of times that they share information, disaggregated by:

     (i) Applicable law or statute that mandates such disclosure;

     (ii) Government entity or private party that received the information; and

     (iii) The type of personal information disclosed.

     (2) The total number of individuals affected by such disclosures, disaggregated by race, ethnicity, gender, and age, if such demographics are known.

     (c) The commission shall:

     (1) Establish a standardized reporting form to comply with this section;

     (2) Determine whether a more concise presentation of the reporting is appropriate and, if so, shall establish a standardized version of such form;

     (3) Dedicate a section of its website to making the reports available to the general public; and

     (4) Promulgate regulations specifying additional requirements for purposes of advancing information related to the sharing of information with the government.

     42-162-19. Non-applicability.

     This chapter shall not apply to:

     (1) Personal information captured from a patient by a health care provider or health care facility or biometric information collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, insurance, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, or to X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used exclusively to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening;

     (2) Individuals sharing their personal contact information such as email addresses with other individuals in the workplace, or other social, political, or similar settings where the purpose of the information is to facilitate communication among such individuals; provided that, this chapter shall cover any processing of such contact information beyond interpersonal communication.

     (3) Covered entities' publication of entity-based member or employee contact information where such publication is intended to allow members of the public to contact such member or employee in the ordinary course of the entity's operations.

     42-162-20. Relationship with other laws.

     (a) The provisions of this chapter shall supersede local or state laws, regulations, and ordinances, except when such local or state laws, regulations, or ordinances provide stronger privacy protections for individuals.

     (b) This chapter covers businesses that are subject to federal laws concerning the processing of individuals' personal information to the extent that this chapter provides stronger privacy protections for individuals than those federal laws; and those federal laws do not explicitly preempt state laws.

     (c) Nothing in this chapter shall diminish any individual's rights or obligations under any other applicable law.

     42-162-21. The Rhode Island information privacy commission.

     (a) There shall be a Rhode Island information privacy commission to have general supervision and sole regulatory and enforcement authority over chapter 162 of title 42.

     (b) The commission shall consist of five (5) commissioners: one of whom shall be appointed by the governor; one of whom shall be appointed by the attorney general; one of whom shall be appointed by the secretary of state; and two (2) of whom shall be appointed by a majority vote of the governor, attorney general and secretary of state, with the advice and consent of the senate. The secretary of state shall designate the chair of the commission. The chair shall serve in that capacity throughout the term of appointment and until a successor shall be appointed.

     (c) All commissioners must have a background in one or more of the following:

     (1) Information privacy, technology, and the law;

     (2) Social implications of artificial intelligence and digital equity;

     (3) Data science and data surveillance; or

     (4) Digital services, digital markets, and consumer protection of digital data.

     (d) Prior to appointment to the commission, a background investigation shall be conducted into the financial stability, integrity, and responsibility of a candidate, including the candidate's reputation for good character and honesty.

     (e) Each commissioner shall be a resident of the state within ninety (90) days of appointment and, while serving on the commission, shall not:

     (1) Hold, or be a candidate for, federal, state, or local elected office;

     (2) Hold an appointed office in a federal, state or local government; or

     (3) Serve as an official in a political party. Not more than three (3) commissioners shall be from the same political party.

     (f) Each commissioner shall serve for a term of five (5) years or until a successor is appointed and shall be eligible for reappointment; provided, however, that no commissioner shall serve more than ten (10) years. A person appointed to fill a vacancy in the office of a commissioner shall be appointed in a like manner and shall serve for only the unexpired term of that commissioner.

     (g) The secretary of state, the governor or the attorney general may remove a commissioner who was appointed by that appointing authority if the commissioner:

     (1) Is guilty of malfeasance in office;

     (2) Substantially neglects the duties of a commissioner;

     (3) Is unable to discharge the powers and duties of the office;

     (4) Commits gross misconduct; or

     (5) Is convicted of a felony.

     (h) The secretary of state, the governor and the attorney general may, by majority vote, remove a commissioner who was appointed by a majority vote of the secretary of state, the governor and the attorney general if the commissioner:

     (1) Is guilty of malfeasance in office;

     (2) Substantially neglects the duties of a commissioner;

     (3) Is unable to discharge the powers and duties of the commissioner's office;

     (4) Commits gross misconduct; or

     (5) Is convicted of a felony.

     (i) Before removal, the commissioner shall be provided with a written statement of the reason for removal and an opportunity to be heard.

     (j) Three (3) commissioners shall constitute a quorum, and the affirmative vote of three (3) commissioners shall be required for an action of the commission. The chair or three (3) members of the commission may call a meeting; provided, however, that notice of all meetings shall be given to each commissioner and to other persons who request such notice. The commission shall adopt regulations establishing procedures, which may include electronic communications, by which a request to receive notice shall be made and the method by which timely notice may be given.

     (k) Commissioners shall receive reasonable salaries. Commissioners shall devote their full time and attention to the duties of their office.

     (l) The commission shall annually elect one of its members to serve as secretary and one of its members to serve as treasurer. The secretary shall keep a record of the proceedings of the commission and shall be the custodian and keeper of the records of all books, documents, and papers filed by the commission and of its minute book. The secretary shall cause copies to be made of all minutes and other records and documents of the commission and shall certify that such copies are true copies, and all persons dealing with the commission may rely upon such certification.

     (m) The chair shall have and exercise supervision and control over all the affairs of the commission. The chair shall preside at all hearings at which the chair is present and shall designate a commissioner to act as chair in the chair's absence. To promote efficiency in administration, the chair shall make such division or re-division of the work of the commission among the commissioners as the chair deems expedient.

     (n) The commissioners shall, if so directed by the chair, participate in the hearing and decision of any matter before the commission; provided, however, that at least two (2) commissioners shall participate in the hearing and decision of matters other than those of formal or administrative character coming before the commission; and provided further, that any such matter may be heard, examined and investigated by an employee of the commission designated and assigned by the chair, with the concurrence of one other commissioner. Such employee shall make a report in writing relative to the hearing, examination, and investigation of every such matter to the commission for its decision. For the purposes of hearing, examining, and investigating any such matter, such employee shall have all of the powers conferred upon a commissioner by this section. For each hearing, the concurrence of a majority of the commissioners participating in the decision shall be necessary.

     (o) The commission shall appoint an executive director. The executive director shall serve at the pleasure of the commission, shall receive such salary as may be determined by the commission, and shall devote full-time and attention to the duties of the office. The executive director shall be a person with skill and experience in management, shall be the executive and administrative head of the commission, and shall be responsible for administering and enforcing the law relative to the commission and each administrative unit thereof. The executive director shall appoint and employ a chief financial and accounting officer and may, subject to the approval of the commission, employ other employees, consultants, agents, and advisors, including legal counsel, and shall attend meetings of the commission. The chief financial and accounting officer of the commission shall be in charge of its funds, books of account, and accounting records. No funds shall be transferred by the commission without the approval of the commission and the signatures of the chief financial and accounting officer and the treasurer of the commission. In the case of an absence or vacancy in the office of the executive director or in the case of disability, as determined by the commission, the commission may designate an acting executive director to serve as executive director until the vacancy is filled or the absence or disability ceases. The acting executive director shall have all of the powers and duties of the executive director and shall have similar qualifications as the executive director.

     (p) Chapter 14 of title 36 shall apply to the commissioners and to employees of the commission; provided, however, that the commission shall establish a code of ethics for all members and employees that shall be more restrictive than chapter 14 of title 36. A copy of the code shall be filed with the state ethics commission. The code shall include provisions reasonably necessary to carry out the purposes of this section and any other laws subject to the jurisdiction of the commission including, but not limited to:

     (1) Prohibiting the receipt of gifts by commissioners and employees from any entity subject to the jurisdiction of the commission;

     (2) Prohibiting the participation by commissioners and employees in a particular matter as defined in § 36-14-5 that affects the financial interest of a relative within the third degree of consanguinity or a person with whom such commissioner or employee has a significant relationship as defined in the code; and

     (3) Providing for recusal of a commissioner in a decision due to a potential conflict of interest.

     (q) The commission shall, for the purposes of compliance with state finance law, operate as a state agency and shall be subject to the laws applicable to agencies under the control of the governor; provided, however, that the comptroller may identify any additional instructions or actions necessary for the commission to manage fiscal operations in the state accounting system and meet statewide and other governmental accounting and audit standards. The commission shall properly classify the commission's operating and capital expenditures and shall not include any salaries of employees in the commission's capital expenditures. Unless otherwise exempted by law or the applicable central service agency, the commission shall participate in any other available state central services including, but not limited to, the state payroll system pursuant to chapter 13.1 of title 6, and may purchase other goods and services provided by state agencies in accordance with comptroller provisions. The comptroller may chargeback the commission for the transition and ongoing costs for participation in the state accounting and payroll systems and may retain and expend such costs without further appropriation for the purposes of this section.

     42-162-22. Funding.

     It is hereby appropriated, out of any money in the treasury not otherwise appropriated for the fiscal year 2022-2023, the sum of seven hundred fifty thousand dollars ($750,000) for the Rhode Island information privacy commission for the supervision, regulation and enforcement over chapter 162 of title 42. The state controller is hereby authorized and directed to draw his/her orders upon the general treasurer for the payment of said sum, or so much thereof as may be from time to time required, upon receipt by him/her of properly authenticated vouchers.

     42-162-23. Workplace surveillance.

     (a) For the purposes of this section, the following words shall have the following meanings unless the context clearly requires otherwise:

     (1) "Electronic monitoring" means the collection of information concerning employee activities, communications, actions, biometrics, or behaviors by electronic means.

     (2) "Employment-related decision" means any decision made by the employer that affects wages, benefits, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job content, productivity requirements, workplace health and safety, or any other terms and conditions of employment.

     (3) "Facial recognition technology" means an automated or semi-automated process that assists in identifying or verifying an individual or capturing information about an individual based on the physical characteristics of an individual's face, head or body, that uses characteristics of an individual's face, head or body to infer emotion, associations, activities or the location of an individual.

     (4) "Information," also referred to as "employee information" or "data," means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee, regardless of how the information is collected, inferred, or obtained.

     (5) "Vendor" means a business engaged in a contract with an employer to provide services, software, or technology that collects, stores, analyzes, or interprets employee information.

     (b) An employer, or vendor acting on behalf of an employer, shall not electronically monitor an employee unless:

     (1) The electronic monitoring's only purpose is to:

     (i) Enable tasks that are necessary to accomplish essential job functions;

     (ii) Monitor production processes or quality;

     (iii) Comply with employment, labor, or other relevant laws;

     (iv) Protect the safety and security of employees; or

     (v) Carry on other purposes as determined by the department of labor standards; and

     (2) The specific form of electronic monitoring is:

     (i) Necessary to accomplish the allowable purpose;

     (ii) The least invasive means that could reasonably be used to accomplish the allowable purpose;

     (iii) Limited to the smallest number of employees; and

     (iv) Collecting the least amount of information necessary to accomplish the purposes mentioned in subsection (b)(1) of this section.

     (c) Notwithstanding § 42-162-23(b), the following practices shall be prohibited:

     (1) Use of electronic monitoring that either directly or indirectly harms an employee's physical health, mental health, personal safety or wellbeing;

     (2) Monitoring of employees who are off-duty and not performing work-related tasks;

     (3) Audio-visual monitoring of bathrooms or other similarly private areas including locker rooms and changing areas;

     (4) Audio-visual monitoring of break rooms, lounges, and other social spaces, except to investigate specific illegal activity;

     (5) Use of facial recognition technology other than for the purpose of verifying the identity of an employee for security purposes; and

     (6) Any other forms of electronic monitoring such as may be prohibited by the department of labor standards.

     (d) Employers shall not require employees to install applications on personal or mobile devices that collect employee information or require employees to wear data-collecting devices, including those that are incorporated into items of clothing or personal accessories, unless the electronic monitoring is necessary to accomplish essential job functions and is narrowly limited to only the activities and times necessary to accomplish essential job functions.

     (e) Information resulting from electronic monitoring shall be accessed only by authorized agents and used only for the purpose and duration for which notice was given in accordance with subsection (f) of this section.

     (f) Employers shall provide employees with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring. The notice must, at a minimum, include a description of:

     (1) The purpose that the specific form of electronic monitoring is intended to accomplish, as specified in § 42-162-23(b);

     (2) The specific activities, locations, communications, and job roles that will be electronically monitored;

     (3) The technologies used to conduct the specific form of electronic monitoring;

     (4) The vendors or other third parties that the information collected through electronic monitoring will be disclosed or transferred to, including the name of the vendor and the purpose for the data transfer;

     (5) The organizational positions that are authorized to access the information collected through the specific form of electronic monitoring, and under what conditions; and

     (6) The dates, times, and frequency that electronic monitoring will occur.

     (g) Employers shall provide employees with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring and the notice must, at a minimum, include the names of any vendors conducting electronic monitoring on the employer's behalf.

     (h) Employers shall provide employees with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring and the notice must, at a minimum, include an explanation of:

     (1) The reasons why the specific form of electronic monitoring is necessary to accomplish the purpose; and

     (2) How the specific monitoring practice is the least invasive means available to accomplish the allowable monitoring purpose.

     (i) The notice provided for in § 42-162-23(f) shall be clear and conspicuous and provide the employee with actual notice of electronic monitoring activities.

     (1) A notice that provides electronic monitoring "may" take place or that the employer "reserves the right" to monitor shall not suffice.

     (j) An employer who engages in random or periodic electronic monitoring of employees will inform the affected employees of the specific events which are being monitored at the time the monitoring takes place with a notice that shall be clear and conspicuous.

     (1) Notwithstanding the previous subsection, notice of random or periodic electronic monitoring may be given after electronic monitoring has occurred only if necessary to preserve the integrity of an investigation of wrongdoing or protect the immediate safety of employees, customers, or the public.

     (k) An employer shall only use employee information collected through electronic monitoring to accomplish its purpose, unless the information documents illegal activity.

     (l) When making a hiring or employment-related decision using information collected through electronic monitoring, an employer shall:

     (1) Not make the decision based solely on such information;

     (2) Give the affected employee access to the data and provide an opportunity to correct or explain it;

     (3) Corroborate such information by other means, such as independent documentation by supervisors or managers, or by consultation with other employees; and

     (4) Document and communicate to affected employees the basis for the corroboration prior to the decision going into effect.

     (m) Section 42-162-23(k) shall not apply to those cases when electronic monitoring data provides evidence of illegal activity.

     42-162-24. Severability.

     Should any provision of this chapter or part hereof be held under any circumstances in any jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the validity or enforceability of any other provision of this or other parts of this chapter.

     SECTION 2. This act shall take effect on January 1, 2023, except for the appropriation contained in § 42-162-22 which shall take effect upon passage.

========

LC003582

========

 


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO STATE AFFAIRS AND GOVERNMENT – RHODE ISLAND

INFORMATION PRIVACY ACT

***

     This act would create the Rhode Island information privacy act. This act would allow an individual to access and learn what personal information about the individual has been gathered and stored by covered entities that conduct business in Rhode Island. The act would also establish the Rhode Island information privacy commission to oversee and enforce the provisions of the Rhode Island information privacy act.

     This act would take effect on January 1, 2023, except for the appropriation contained in § 42-162-22, which would take effect upon passage.

========

LC003582

========

 

LC003582 - Page 35 of 35