2018 -- H 7111

========

LC003294

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2018

____________

A N   A C T

RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE

ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

     Introduced By: Representatives Shanley, Carson, Regunberg, Marszalkowski, and
Edwards

     Date Introduced: January 11, 2018

     Referred To: House Judiciary

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL

REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.1

RHODE ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY

PROTECTION ACT

     6-48.1-1. Short title.

     This chapter shall be known and may be cited as the "Rhode Island Right-to-Know Data

Transparency and Privacy Protection Act."

     6-48.1-2. Legislative findings.

     The general assembly hereby finds and declares that:

     (1) The right to privacy is a personal and fundamental right protected by the United

States Constitution. As such, all individuals have a right to privacy in information pertaining to

them. This state recognizes the importance of providing consumers with transparency about how

their personal information, especially information relating to their children, is shared by

businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their

families from cyber-crimes and identity thieves.

     (2) Furthermore, for free market forces to have a role in shaping the privacy practices and

for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely

informed that a business might share personal information with third parties. Consumers must be

better informed about what kinds of personal information is shared with other businesses. With

these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among

businesses that disclose information to third parties on the basis of how protective the business is

of consumers' privacy.

     (3) Businesses are now collecting personal information and sharing and selling it in ways

not contemplated or properly covered by the current law. Some websites are installing tracking

tools that record when consumers visit web pages, and sending very personal information, such as

age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers

and data brokers. Third-party data broker companies are buying, selling, and trading personal

information obtained from mobile phones, financial institutions, social media sites, and other

online and brick and mortar companies. Some mobile applications are sharing personal

information, such as location information, unique phone identification numbers, and age, gender,

and other personal details with third-party companies.

     (4) As such, consumers need to know the ways that their personal information is being

collected by companies and then shared or sold to third parties in order to properly protect their

privacy, personal safety, and financial security.

     6-48.1-3. Definitions.

     As used in this chapter:

     (1) "Categories of personal information" means and includes, but is not limited to, the

following:

     (i) Identity information including, but not limited to, real name, alias, nickname, and user

name;

     (ii) Address information, including, but not limited to, postal or email address;

     (iii) Telephone number;

     (iv) Account name;

     (v) Social security number or other government-issued identification number, including,

but not limited to, social security number, driver's license number, identification card number,

and passport number;

     (vi) Birthdate or age;

     (vii) Physical characteristic information, including, but not limited to, height and weight;

     (viii) Sexual information, including, but not limited to, sexual orientation, sex, gender

status, gender identity, and gender expression;

     (ix) Race or ethnicity;

LC003294 - Page 2 of 8

     (x) Religious affiliation or activity;

     (xi) Political affiliation or activity;

     (xii) Professional or employment-related information;

     (xiii) Educational information;

     (xiv) Medical information, including, but not limited to, medical conditions or drugs,

therapies, mental health, or medical products or equipment used;

     (xv) Financial information, including, but not limited to, credit, debit, or account

numbers, account balances, payment history, or information related to assets, liabilities, or

general creditworthiness;

     (xvi) Commercial information, including, but not limited to, records of property, products

or services provided, obtained, or considered, or other purchasing or consumer histories or

tendencies;

     (xvii) Location information;

     (xviii) Internet or mobile activity information, including, but not limited to, Internet

protocol addresses or information concerning the access or use of any Internet or mobile-based

site or service;

     (xix) Content, including text, photographs, audio or video recordings, or other material

generated by or provided by the customer; and

     (xx) Any of the above categories of information as they pertain to the children of the

customer.

     (2) "Customer" means an individual residing in this state who provides, either knowingly

or unknowingly, personal information to a private entity, with or without an exchange of

consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise

using real or personal property, or any interest therein, or obtaining a product or service from the

private entity, including advertising or any other content.

     (3) "Designated request address" means an email address, toll-free telephone number, or

webform whereby customers may request or obtain the information required to be provided under

§ 6-48.1- 4.

     (4) "Disclose" means to disclose, release, transfer, share, disseminate, make available, or

otherwise communicate orally, in writing, or by electronic or any other means to any third party.

"Disclose" does not include the following:

     (i) Disclosure of personal information by a private entity to a third party under a written

contract authorizing the third party to utilize the personal information to perform services on

behalf of the private entity, including maintaining or servicing accounts, providing customer

LC003294 - Page 3 of 8

service, processing or fulfilling orders and transactions, verifying customer information,

processing payments, providing financing, or similar services, but only if:

     (A) The contract prohibits the third party from using the personal information for any

reason other than performing the specified service or services on behalf of the private entity and

from disclosing any such personal information to additional third parties; and

     (B) The private entity effectively enforces these prohibitions.

     (ii) Disclosure of personal information by a business to a third party based on a good-

faith belief that disclosure is required to comply with applicable law, regulation, legal process, or

court order.

     (iii) Disclosure of personal information by a private entity to a third party that is

reasonably necessary to address fraud, security, or technical issues; to protect the disclosing

private entity's rights or property; or to protect customers or the public from illegal activities as

required or permitted by law.

     (5) "Operator" means any person or entity that owns a website located on the Internet or

an online service that collects and maintains personally identifiable information from a customer

residing in this state who uses or visits the website or online service if the website or online

service is operated for commercial purposes. It does not include any third party that operates,

hosts, or manages, but does not own, a website or online service on the owner's behalf or by

processing information on behalf of the owner. "Operator" does not include businesses having ten

(10) or fewer employees, or any third party that operates, hosts, or manages, but does not own, a

website or online service on the owner’s behalf or by processing information on behalf of the

owner.

     (6)(i) "Personal information" means any information that identifies, relates to, describes,

or is capable of being associated with, a particular individual, including, but not limited to, their

name, signature, physical characteristics or description, address, telephone number, passport

number, driver's license or state identification card number, insurance policy number, education,

employment, employment history, bank account number, credit card number, debit card number,

or any other financial information.

     (ii) "Personal information" also means any data or information pertaining to an

individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real

property, if that information is disclosed, or is intended to be disclosed, with any identifying

information, such as the individual's name, address, telephone number, or social security number.

     (7) "Third party" or "third parties" means:

     (i) A private entity that is a separate legal entity from the private entity that has disclosed

LC003294 - Page 4 of 8

personal information;

     (ii) A private entity that does not share common ownership or common corporate control

with the private entity that has disclosed personal information; or

     (iii) A private entity that does not share a brand name or common branding with the

private entity that has disclosed personal information such that the affiliate relationship is clear to

the customer.

     6-48.1-4. Information sharing practices.

     (a) An operator of a commercial website or online service that collects personally

identifiable information through the Internet about individual customers residing in this state who

use or visit its commercial website or online service shall, in its customer agreement or

incorporated addendum or in another conspicuous location on its website or online service

platform where similar notices are customarily posted:

     (1) Identify all categories of personal information that the operator collects through the

website or online service about individual customers who use or visit its commercial website or

online service;

     (2) Identify all categories of third-party persons or entities with whom the operator may

disclose that personally identifiable information; and

     (3) Provide a description of a customer's rights, as required under § 6-48.1-6,

accompanied by one or more designated request addresses.

     (b) The collection and retention of personal information for a period to extend beyond

forty-eight (48) hours is prohibited unless the customer gives prior consent (opt-in) to the

retention for a specified longer period. Any operator shall destroy, delete or purge all records

containing personal information within forty-eight (48) hours of collection unless valid customer

consent to retain the information has been provided to the operator. Dissemination of personal

information by an operator to any third party is prohibited unless the customer has given prior

consent (opt-in) to the dissemination.

     6-48.1-5. Disclosure of a customer's personal information to a third party.

     (a) An operator that discloses a customer's personal information to a third party shall

make the following information available to the customer free of charge:

     (1) All categories of personal information that were disclosed; and

     (2) The names of all third parties that received the customer's personal information.

     (b) This section applies only to personal information disclosed after the effective date of

this chapter.

     6-48.1-6. Information availability service.

LC003294 - Page 5 of 8

     (a) An operator required to comply with § 6-48.1-5 shall make the required information

available by providing a designated request address in its customer agreement or incorporated

addendum or in another conspicuous location on its website or online service platform where

similar notices are customarily posted, and, upon receipt of a request under this section, shall

provide the customer with the information required under § 6-48.1-5 for all disclosures occurring

in the prior twelve (12) months.

     (b) An operator that receives a request from a customer under this section at one of the

designated addresses shall provide a response to the customer within thirty (30) days.

     (c) Notwithstanding the provisions of this section, a parent or legal guardian of a

customer under the age of eighteen (18) may submit a request under this section on behalf of that

customer. An operator shall not be required to, but may respond to a request made by the same

parent or legal guardian on behalf of a customer under the age of eighteen (18) more than once

within a given twelve (12) month period.

     6-48.1-7. Violations.

     A violation of this chapter constitutes a violation of the general regulatory provisions of

commercial law in title 6. The office of the attorney general shall have sole enforcement authority

of the provisions of this chapter and may enforce a violation of this chapter as an unlawful

practice under the general regulatory provisions of commercial law in title 6. An operator in

violation of this chapter shall have thirty (30) days after being notified of a violation to rectify

that violation before the attorney general may seek an enforcement action against that operator.

Nothing in this section shall prevent a person from otherwise seeking relief under any other

similarly applicable state laws.

     6-48.1-8. Waivers; Contracts.

     Any waiver of the provisions of this chapter shall be void and unenforceable. Any

agreement that does not comply with the applicable provisions of this chapter shall be void and

unenforceable.

     6-48.1-9. Construction.

     (a) Nothing in this chapter shall be construed to conflict with the Federal Health

Insurance Portability and Accountability Act of 1996 and the rules promulgated under that act.

     (b) Nothing in this chapter shall be deemed to apply in any manner to a financial

institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-

Leach-Bliley Act of 1999 and the rules promulgated under that act.

     (c) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or

agent of a state agency or local unit of government when working for that state agency or local

LC003294 - Page 6 of 8

unit of government.

     (d) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-

exempt organization under the Internal Revenue Code of 1986.

     SECTION 2. This act shall take effect on July 1, 2018.

========

LC003294

========

LC003294 - Page 7 of 8

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE

ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

***

     This act would create the "Rhode Island Right-to-Know Transparency and Privacy

Protection Act" to protect individuals of this state from disclosure of personally identifiable

information through the Internet by operators of commercial websites or online services, and

would empower the attorney general with enforcement authority for any operator violations.

     This act would take effect on July 1, 2018.

========

LC003294

========

LC003294 - Page 8 of 8