2021 -- H 5959
========
LC002173
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2021
____________
A N A C T
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --
RHODE ISLAND TRANSPARENCY AND PRIVACY PROTECTION ACT

Introduced By: Representatives Shanley, Marszalkowski, Craven, Ruggiero, and Barros
Date Introduced: February 26, 2021
Referred To: House Corporations
It is enacted by the General Assembly as follows:
SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:
CHAPTER 48.2
RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT
6-48.2-1. Short title.
This chapter shall be known and may be cited as the "Rhode Island Data Transparency and Privacy Protection Act."
6-48.2-2. Legislative findings.
The general assembly hereby finds and declares that:
(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This state recognizes the importance of providing consumers with transparency about how their personally identifiable information, especially information relating to their children, is shared by businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their families from cyber-crimes and identity thieves.
(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personally identifiable information with third parties (as that term is hereinafter defined). Consumers must be better informed about what kinds of personally identifiable information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose (as that term is hereinafter defined) personally identifiable information to third parties on the basis of how protective the business is of consumers' privacy.
(3) Businesses are now collecting personally identifiable information and disclosing it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit webpages, and sending personally identifiable information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying and disclosing personally identifiable information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personally identifiable information, such as location information, unique phone identification numbers, age, gender, and other personal details with third-party companies.
(4) As such, consumers need to know the ways that their personally identifiable information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
6-48.2-3. Definitions.
As used in this chapter:
(1) "Affiliate" means any entity that, directly or indirectly, controls, is controlled by, or is under common control with, the entity that has disclosed personally identifiable information to it.
(2) "Customer" means an individual residing in this state who provides, either knowingly or unknowingly, personally identifiable information to any entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service, including advertising or any other content.
(3) "Disclose" means to sell, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic means or any other means to any individual or third party in exchange for anything of value. "Disclose" does not include the following:
(i) Disclosure to an affiliate, provided that the affiliate does not disclose the personally identifiable information to any third party;
(ii) Disclosure of personally identifiable information by any entity to a third party under a written contract authorizing the third party to utilize the personally identifiable information to perform services on behalf of such entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if:
(A) The contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service or services on behalf of such entity and from disclosing any such personally identifiable information to additional third parties; and
(B) The entity effectively enforces these prohibitions;
(iii) Disclosure of personally identifiable information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order;
(iv) Disclosure of personally identifiable information by any entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.
(4) "Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in this state who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner. "Operator" does not include businesses having ten (10) or fewer employees, or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner.
(5) "Personally identifiable information" or "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not either encrypted or utilizing a protocol that provides a higher degree of security or are in hard copy, paper format:
(i) Social security number;
(ii) Driver's license number, passport number, Rhode Island identification card number, or tribal identification number;
(iii) Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account;
(iv) Medical or health insurance information; or
(v) Email address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
(6) "Third party" means any entity that is a separate legal entity from the entity that has disclosed the personally identifiable information; provided, however, that an affiliate of the entity that has disclosed the personally identifiable information shall not be considered a third party.
6-48.2-4. Information sharing practices.
(a) An operator of a commercial website or online service that collects, stores and sells categories of personally identifiable information through the Internet about individual customers residing in this state who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted:
(1) Identify all categories of personally identifiable information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service; and
(2) Identify all categories of third-party persons or entities with whom the operator may disclose that personally identifiable information.
(b) Nothing in this chapter shall be construed to authorize the collection, storage or disclosure of information or data that is otherwise prohibited, restricted or regulated by state or federal law.
6-48.2-5. Violations.
(a) A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in title 6 and shall constitute a deceptive trade practice in violation of chapter 13.1 of title 6; provided further, that in the event that any individual or entity intentionally discloses personally identifiable information:
(1) To a shell company or any entity that has been formed or established solely, or in part, for the purposes of circumventing the intent of this chapter; or
(2) In violation of any provision of this chapter, that individual or entity shall pay a one hundred dollar ($100) fine for each such disclosure.
(b) The office of the attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter pursuant to:
(1) The provisions of this section; or
(2) General regulatory provisions of commercial law in title 6, or both.
Nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of commercial law in title 6.
6-48.2-6. Waivers; Contracts.
Any waiver of the provisions of this chapter shall be void and unenforceable.
6-48.2-7. Construction.
(a) Nothing in this chapter shall be deemed to apply in any manner to any information or data that is subject to the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that act, or to information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); provided, however, no entity or individual shall be exempt from the provisions of this chapter.
(b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.
(c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code.
(d) Nothing in this chapter shall be construed to mandate and/or require the retention or disclosure of any specific individual's personally identifiable information.
(e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product sales summaries or statistical information or aggregate customer data which may include personally identifiable information.
(f) Nothing in this chapter shall be construed to apply to any personally identifiable information or any other information collected, used, processed, or disclosed by or for a consumer reporting agency as defined by subdivision (f) of Section 1681a of Title 15 of the United States Code.
SECTION 2. This act shall take effect on January 1, 2022.
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --
RHODE ISLAND TRANSPARENCY AND PRIVACY PROTECTION ACT
***
This act would create the "Rhode Island Transparency and Privacy Protection Act" to require online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information. This act does not prohibit the collection or sale of personally identifiable information and does not require the retention or disclosure of personally identifiable information by online service providers or commercial websites.
This act would take effect on January 1, 2022.