2024 -- S 2500 | |
======== | |
LC005228 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2024 | |
____________ | |
A N A C T | |
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- | |
RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT | |
| |
Introduced By: Senators DiPalma, Euer, and DiMario | |
Date Introduced: March 01, 2024 | |
Referred To: Senate Commerce | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Legislative findings. |
2 | The general assembly hereby finds and declares that: |
3 | (1) The right to privacy is a personal and fundamental right protected by the United States |
4 | Constitution. As such, all individuals have a right to privacy in information pertaining to them. This |
5 | state recognizes the importance of providing customers with transparency about how their |
6 | personally identifiable information, especially information relating to their children, is shared by |
7 | businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their |
8 | families from cyber-crimes and identity thieves. |
9 | (2) Furthermore, for free market forces to have a role in shaping the privacy practices and |
10 | for "opt-in" and "opt-out" remedies to be effective, customers must be more than vaguely informed |
11 | that a business might share personal data with third parties (as that term is hereinafter defined). |
12 | Customers must be better informed about what kinds of personally identifiable information is |
13 | shared with other businesses. With these specifics, customers can knowledgeably choose to opt in, |
14 | opt out, or choose among businesses that disclose personal data to third parties on the basis of how |
15 | protective the business is of customers' privacy. |
16 | (3) Businesses are now collecting personal data and disclosing it in ways not contemplated |
17 | or properly covered by the current law. Some websites are installing tracking tools that record when |
18 | customers visit webpages, and sending personal data, such as age, gender, race, income, health |
| |
1 | concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data |
2 | broker companies are buying and disclosing personal data obtained from mobile phones, financial |
3 | institutions, social media sites, and other online and brick and mortar companies. Some mobile |
4 | applications are sharing personal data, such as location information, unique phone identification |
5 | numbers, age, gender, and other personal details with third-party companies. |
6 | (4) As such, customers need to know the ways that their personal data are being collected |
7 | by companies and then shared or sold to third parties in order to properly protect their privacy, |
8 | personal safety, and financial security. |
9 | SECTION 2. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL |
10 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
11 | CHAPTER 48.1 |
12 | RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT |
13 | 6-48.1-1. Short title. |
14 | This chapter shall be known and may be cited as the "Rhode Island Data Transparency and |
15 | Privacy Protection Act". |
16 | 6-48.1-2. Definitions. |
17 | As used in this chapter: |
18 | (1) "Affiliate" means any entity that shares common branding with another legal entity |
19 | directly or indirectly, controls, is controlled by, or is under common control with another legal |
20 | entity. For this purpose, "control" or "controlled" means ownership of, or the power to vote, more |
21 | than fifty percent (50%) of the outstanding shares of any class of voting security of a company, |
22 | control in any manner over the election of a majority of the directors or of individuals exercising |
23 | similar functions, or the power to exercise controlling influence over the management of a |
24 | company. |
25 | (2) "Authenticate" means to use reasonable means to determine that a request to exercise |
26 | any of the rights afforded under this chapter is being made by, or on behalf of, the customer who is |
27 | entitled to exercise such customer rights with respect to the personal data at issue. |
28 | (3) "Biometric data" means data generated by automatic measurements of an individual's |
29 | biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique |
30 | biological patterns or characteristics that are used to identify a specific individual. "Biometric data" |
31 | does not include a digital or physical photograph, an audio or video recording, or any data generated |
32 | from a digital or physical photograph, or an audio or video recording, unless such data is generated |
33 | to identify a specific individual. |
34 | (4) "Business associate" has the same meaning as provided in 45 C.F.R. § 160.103. |
| LC005228 - Page 2 of 17 |
1 | (5) "Child" has the same meaning as provided in 15 U.S.C. § 6501. |
2 | (6) "Consent" means a clear, affirmative act signifying a customer has freely given, |
3 | specific, informed and unambiguous agreement to allow the processing of personal data relating to |
4 | the customer. "Consent" may include a written statement, including by electronic means, or any |
5 | other unambiguous affirmative action. "Consent" does not include acceptance of a general or broad |
6 | term of use or similar document that contains descriptions of personal data processing along with |
7 | other, unrelated information, hovering over, muting, pausing or closing a given piece of content, or |
8 | agreement obtained through the use of dark patterns. |
9 | (7) "Controller" means an individual who, or legal entity that, alone or jointly with others |
10 | determines the purpose and means of processing personal data. |
11 | (8) "COPPA" means the Children's Online Privacy Protection Act of 1998, 15 USC § 6501 |
12 | et seq., and the regulations, rules, guidance and exemptions adopted, pursuant to said act, as said |
13 | act and such regulations, rules, guidance and exemptions may be amended from time to time. |
14 | (9) "Covered entity" has the same meaning as provided in 45 C.F.R. § 160.103. |
15 | (10) "Customer" means an individual residing in this state acting in an individual or |
16 | household context. "Customer" does not include an individual acting in a commercial or |
17 | employment context or as an employee, owner, director, officer or contractor of a company, |
18 | partnership, sole proprietorship, nonprofit or government agency whose communications or |
19 | transactions with the controller occur solely within the context of that individual's role with the |
20 | company, partnership, sole proprietorship, nonprofit or government agency. |
21 | (11) "Dark pattern" means a user interface designed or manipulated with the substantial |
22 | effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is |
23 | not limited to, any practice the Federal Trade Commission refers to as a "dark pattern". |
24 | (12) "Decisions that produce legal or similarly significant effects concerning the customer" |
25 | means decisions made by the controller that result in the provision or denial by the controller of |
26 | financial or lending services, housing, insurance, education enrollment or opportunity, criminal |
27 | justice, employment opportunities, health care services or access to essential goods or services. |
28 | (13) "De-identified data" means data that cannot reasonably be used to infer information |
29 | about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such |
30 | individual. |
31 | (14) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 |
32 | USC § 1320d et seq., as amended from time to time. |
33 | (15) "Identified or identifiable individual" means an individual who can be readily |
34 | identified, directly or indirectly. |
| LC005228 - Page 3 of 17 |
1 | (16) "Institution of higher education" means any individual who, or school, board, |
2 | association, limited liability company or corporation that, is licensed or accredited to offer one or |
3 | more programs of higher learning leading to one or more degrees. |
4 | (17) "Nonprofit organization" means any organization that is exempt from taxation under |
5 | Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any |
6 | subsequent corresponding Internal Revenue Code of the United States, as amended from time to |
7 | time. |
8 | (18) "Personal data" means any information that is linked or reasonably linkable to an |
9 | identified or identifiable individual and does not include de-identified data or publicly available |
10 | information. |
11 | (19) "Precise geolocation data" means information derived from technology, including, |
12 | but not limited to, global positioning system level latitude and longitude coordinates or other |
13 | mechanisms, that directly identifies the specific location of an individual with precision and |
14 | accuracy within a radius of one thousand seven hundred fifty feet (1,750'). "Precise geolocation |
15 | data" does not include the content of communications or any data generated by or connected to |
16 | advanced utility metering infrastructure systems or equipment for use by a utility. |
17 | (20) "Process" or "processing" means any operation or set of operations performed, |
18 | whether by manual or automated means, on personal data or on sets of personal data, such as the |
19 | collection, use, storage, disclosure, analysis, deletion or modification of personal data. "Processor" |
20 | means an individual who, or legal entity that, processes personal data on behalf of a controller. |
21 | (21) "Profiling" means any form of automated processing performed on personal data to |
22 | evaluate, analyze or predict personal aspects related to an identified or identifiable individual's |
23 | economic situation, health, personal preferences, interests, reliability, behavior, location or |
24 | movements. |
25 | (22) "Protected health information" has the same meaning as provided in 42 USC § 1320d. |
26 | (23) "Pseudonymous data" means personal data that cannot be attributed to a specific |
27 | individual without the use of additional information; provided such additional information is kept |
28 | separately and is subject to appropriate technical and organizational measures to ensure that the |
29 | personal data is not attributed to an identified or identifiable individual. |
30 | (24) "Publicly available information" means information that is lawfully made available |
31 | through federal, state or municipal government records or widely distributed media, or a controller |
32 | has a reasonable basis to believe a customer has lawfully made available to the general public. |
33 | (25) "Sale of personal data" means the exchange of personal data for monetary or other |
34 | valuable consideration by the controller to a third party. "Sale of personal data" does not include |
| LC005228 - Page 4 of 17 |
1 | the disclosure of personal data to a processor that processes the personal data on behalf of the |
2 | controller, the disclosure of personal data to a third party for purposes of providing a product or |
3 | service requested by the customer, the disclosure or transfer of personal data to an affiliate of the |
4 | controller, the disclosure of personal data where the customer directs the controller to disclose the |
5 | personal data or intentionally uses the controller to interact with a third party, the disclosure of |
6 | personal data that the customer: |
7 | (i) Intentionally made available to the general public via a channel of mass media; and |
8 | (ii) Did not restrict to a specific audience, or the disclosure or transfer of personal data to |
9 | a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a |
10 | proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes |
11 | control of all or part of the controller's assets. |
12 | (26) "Sensitive data" means personal data that includes data revealing racial or ethnic |
13 | origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation |
14 | or citizenship or immigration status, the processing of genetic or biometric data for the purpose of |
15 | uniquely identifying an individual, personal data collected from a known child, or precise |
16 | geolocation data. |
17 | (27) "Targeted advertising" means displaying advertisements to a customer where the |
18 | advertisement is selected based on personal data obtained or inferred from that customer's activities |
19 | over time and across nonaffiliated Internet websites or online applications to predict such |
20 | customer's preferences or interests. "Targeted advertising" does not include advertisements based |
21 | on activities within a controller's own Internet websites or online applications, advertisements |
22 | based on the context of a customer's current search query, or current visit to an Internet website or |
23 | online application, advertisements directed to a customer in response to the customer's request for |
24 | information or feedback, or processing personal data solely to measure or report advertising |
25 | frequency, performance or reach. |
26 | (28) "Third party" means an individual or legal entity, such as a public authority, agency |
27 | or body, other than the customer, controller or processor or an affiliate of the processor or of the |
28 | controller. |
29 | (29) "Trade secret" has the same meaning as § 6-41-1. |
30 | 6-48.1-3. Information sharing practices. |
31 | (a) A controller shall, in its customer agreement or incorporated addendum or in another |
32 | conspicuous location on its website or online service platform where similar notices are customarily |
33 | posted: |
34 | (1) Identify all categories of personal data that the controller collects through the website |
| LC005228 - Page 5 of 17 |
1 | or online service about customers; |
2 | (2) Identify all categories of third parties to whom the controller may disclose that |
3 | personally identifiable information; |
4 | (3) Identify how customers may exercise their consumer rights, including how a customer |
5 | may appeal a controller’s decision with regard to the customer’s request; |
6 | (4) Identify the purposes for processing the personal data; |
7 | (5) Identify the categories of personal data that the controller shares with third parties, if |
8 | any; and |
9 | (6) Identify an active electronic mail address or other online mechanism that the customer |
10 | may use to contact the controller. |
11 | (b) If a controller sells personal data to third parties or processes personal data for targeted |
12 | advertising, the controller shall clearly and conspicuously disclose such processing, as well as the |
13 | manner in which a customer may exercise the right to opt out of such processing. |
14 | (c) Nothing in this chapter shall be construed to authorize the collection, storage or |
15 | disclosure of information or data that is otherwise prohibited, restricted or regulated by state or |
16 | federal law. |
17 | (d) A controller shall limit the collection of personal data to what is adequate, relevant and |
18 | reasonably necessary in relation to the purposes for which data is processed, as disclosed to the |
19 | customer. The controller shall not process personal data for purposes that are not reasonably |
20 | necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, |
21 | as disclosed to the customer, unless the controller obtains the customer’s consent. |
22 | (e) This chapter does not apply to any body, authority, board, bureau, commission, district |
23 | or agency of this state or any political subdivision of this state; nonprofit organization; institution |
24 | of higher education; national securities association that is registered under 15 U.S.C. § 78o-3 of the |
25 | Securities Exchange Act of 1934, as amended from time to time; financial institution or data subject |
26 | to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; or covered entity or business |
27 | associate, as defined in 45 C.F.R. § 160.103. |
28 | (f) The following information and data are exempt from the provisions of this chapter: |
29 | (1) Protected health information under HIPAA; |
30 | (2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2; |
31 | (3) Identifiable private information for purposes of the federal policy for the protection of |
32 | human research subjects under 45 C.F.R. §§ 46.101 through 46.124; |
33 | (4) Identifiable private information that is otherwise information collected as part of human |
34 | subjects research pursuant to the good clinical practice guidelines issued by the International |
| LC005228 - Page 6 of 17 |
1 | Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; |
2 | (5) The protection of human subjects under 21 C.F.R. Parts 50 and 56, or personal data |
3 | used or shared in research, as defined in 45 C.F.R. § 164.501 or other research conducted in |
4 | accordance with applicable law; |
5 | (6) Information and documents created for purposes of the Health Care Quality |
6 | Improvement Act of 1986, 42 U.S.C. § 11101 et seq.; |
7 | (7) Patient safety work product for purposes of the Patient Safety and Quality Improvement |
8 | Act, 42 U.S.C. § 299b-21 et seq., as amended from time to time; |
9 | (8) Information derived from any of the health care related information listed in this |
10 | subsection that is de-identified in accordance with the requirements for de-identification pursuant |
11 | to HIPAA; |
12 | (9) Information originating from and intermingled to be indistinguishable with, or |
13 | information treated in the same manner as, information exempt under this subsection that is |
14 | maintained by a covered entity or business associate, program or qualified service organization, as |
15 | specified in 42 U.S.C. § 290dd-2, as amended from time to time; |
16 | (10) Information used for public health activities and purposes as authorized by HIPAA, |
17 | community health activities and population health activities; |
18 | (11) The collection, maintenance, disclosure, sale, communication or use of any personal |
19 | information bearing on a customer's credit worthiness, credit standing, credit capacity, character, |
20 | general reputation, personal characteristics or mode of living by a customer reporting agency, |
21 | furnisher or user that provides information for use in a customer report, and by a user of a customer |
22 | report, but only to the extent that such activity is regulated by and authorized under the Fair Credit |
23 | Reporting Act, 15 U.S.C. § 1681 et seq., as amended from time to time; |
24 | (12) Personal data collected, processed, sold or disclosed in compliance with the Driver's |
25 | Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq., as amended from time to time; |
26 | (13) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. |
27 | § 1232g et seq., as amended from time to time; |
28 | (14) Personal data collected, processed, sold or disclosed in compliance with the Farm |
29 | Credit Act, 12 U.S.C. § 2001 et seq., as amended from time to time; |
30 | (15) Data processed or maintained in the course of an individual applying to, employed by |
31 | or acting as an agent or independent contractor of a controller, processor or third party, to the extent |
32 | that the data is collected and used within the context of that role, as the emergency contact |
33 | information of an individual or that is necessary to retain to administer benefits for another |
34 | individual relating to the individual who is the subject of the information under this subsection and |
| LC005228 - Page 7 of 17 |
1 | used for the purposes of administering such benefits; and |
2 | (16) Personal data collected, processed, sold or disclosed in relation to price, route or |
3 | service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101 et seq., as |
4 | amended from time to time, by an air carrier subject to said act, to the extent subsections 1 to 11, |
5 | inclusive, of this section are preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as |
6 | amended from time to time. |
7 | 6-48.1-4. Processing of information. |
8 | (a) The controller shall establish, implement, and maintain reasonable administrative, |
9 | technical and physical data security practices to protect the confidentiality, integrity and |
10 | accessibility of personal data. |
11 | (b) The controller shall not process sensitive data concerning a customer without obtaining |
12 | customer consent and shall not process sensitive data of a child unless consent is obtained and the |
13 | information is processed in accordance with COPPA. |
14 | (c) The controller shall not process personal data in violation of the laws of this state and |
15 | federal laws that prohibit unlawful discrimination against customers. |
16 | (d) The controller shall provide the customer with a mechanism to grant and revoke consent |
17 | where consent is required. Upon receipt of revocation, the controller shall suspend the processing |
18 | of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from |
19 | receipt to effectuate the revocation. |
20 | 6-48.1-5. Customer rights. |
21 | (a) No controller shall discriminate against a customer for exercising their customer rights. |
22 | (b) No controller shall deny goods or services, charge different prices or rates for goods or |
23 | services or provide a different level of quality of goods or services to the customer if the customer |
24 | does not consent to use of their data. |
25 | (c) Controllers may provide different prices and levels for goods and services if it is for a |
26 | bona fide loyalty, rewards, premium features, discount or club card programs that customers |
27 | voluntarily participate. |
28 | (d) A customer shall have the right to: |
29 | (1) Confirm whether or not a controller is processing the customer's personal data and |
30 | access such personal data, unless such confirmation or access would require the controller to reveal |
31 | a trade secret; |
32 | (2) Correct inaccuracies in the customer's personal data and delete personal data provided |
33 | by, or obtained about, the customer, taking into account the nature of the personal data and the |
34 | purposes of the processing of the consumer's personal data; |
| LC005228 - Page 8 of 17 |
1 | (3) Obtain a copy of the customer's personal data processed by the controller, in a portable |
2 | and, to the extent technically feasible, readily usable format that allows the customer to transmit |
3 | the data to another controller without undue delay, where the processing is carried out by automated |
4 | means; provided such controller shall not be required to reveal any trade secret; and |
5 | (4) Opt out of the processing of the personal data for purposes of targeted advertising, the |
6 | sale of personal data, or profiling in furtherance of solely automated decisions that produce legal |
7 | or similarly significant effects concerning the customer. |
8 | (e) A customer may exercise rights under this section by secure and reliable means |
9 | established by the controller and described to the customer in the controller's privacy notice. A |
10 | customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the |
11 | case of processing personal data of a known child, the parent or legal guardian may exercise such |
12 | customer rights on the child's behalf. In the case of processing personal data concerning a customer |
13 | subject to a guardianship, conservatorship or other protective arrangement, the guardian or the |
14 | conservator of the customer may exercise such rights on the customer's behalf. |
15 | 6-48.1-6. Exercising customer rights. |
16 | A controller shall comply with a request by a customer to exercise the customer rights |
17 | authorized as follows: |
18 | (1) A controller shall respond to the customer without undue delay, but not later than forty- |
19 | five (45) days after receipt of the request. The controller may extend the response period by forty- |
20 | five (45) additional days when reasonably necessary, considering the complexity and number of |
21 | the customer's requests; provided the controller informs the customer of any such extension within |
22 | the initial forty-five (45) day response period and of the reason for the extension. |
23 | (2) If a controller declines to act regarding the customer's request, the controller shall |
24 | inform the customer without undue delay, but not later than forty-five (45) days after receipt of the |
25 | request, of the justification for declining to act and instructions for how to appeal the decision. |
26 | (3) Information provided in response to a customer request shall be provided by a |
27 | controller, free of charge, once per customer during any twelve (12) month period. If requests from |
28 | a customer are manifestly unfounded, excessive or repetitive, the controller may charge the |
29 | customer a reasonable fee to cover the administrative costs of complying with the request or decline |
30 | to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, |
31 | excessive or repetitive nature of the request. |
32 | (4) If a controller is unable to authenticate a request to exercise any of the rights afforded, |
33 | the controller shall not be required to comply with a request to initiate an action pursuant to this |
34 | section and shall provide notice to the customer that the controller is unable to authenticate the |
| LC005228 - Page 9 of 17 |
1 | request to exercise such right or rights until such customer provides additional information |
2 | reasonably necessary to authenticate such customer and such customer's request to exercise such |
3 | right or rights. A controller shall not be required to authenticate an opt-out request, but may deny |
4 | an opt-out request if the controller has reasonable and documented belief that such request is |
5 | fraudulent. If a controller denies an opt-out request because the controller believes such request is |
6 | fraudulent, the controller shall send a notice to the person who made such request disclosing that |
7 | such controller believes such request is fraudulent, why such controller believes such request is |
8 | fraudulent and that such controller shall not comply with such request. |
9 | (5) A controller that has obtained personal data about a customer from a source other than |
10 | the customer shall be deemed in compliance with a customer's request to delete such data by doing |
11 | the following: |
12 | (i) Retaining a record of the deletion request and the minimum data necessary for the |
13 | purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and |
14 | not using such retained data for any other purpose pursuant to the provisions of this chapter; or |
15 | (ii) Opting the consumer out of the processing of such personal data for any purpose except |
16 | for those exempted pursuant to the provisions of this chapter. |
17 | (6) A controller shall establish a process for a customer to appeal the controller's refusal to |
18 | take action on a request within a reasonable period of time after the customer's receipt of the |
19 | decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) |
20 | days after receipt of an appeal, a controller shall inform the customer in writing of any action taken |
21 | or not taken in response to the appeal, including a written explanation of the reasons for the |
22 | decision. If the appeal is denied, the customer may submit a complaint to the attorney general. |
23 | (7) A customer may designate another person to serve as the customer's authorized agent |
24 | and act on such customer's behalf, to opt out of the processing of such customer's personal data. A |
25 | controller shall comply with an opt-out request received from an authorized agent if the controller |
26 | is able to verify the identity of the customer and the authorized agent's authority to act on the |
27 | customer’s behalf. |
28 | 6-48.1-7. Controller and processor responsibilities. |
29 | (a) A processor shall adhere to the instructions of a controller and shall assist the controller |
30 | in meeting the controller's obligations of this chapter. |
31 | (b) A contract between a controller and a processor shall govern the processor's data |
32 | processing procedures with respect to processing performed on behalf of the controller. The |
33 | contract shall be binding and clearly set forth instructions for processing data, the nature and |
34 | purpose of processing, the type of data subject to processing, the duration of processing and the |
| LC005228 - Page 10 of 17 |
1 | rights and obligations of both parties. The contract shall also require that the processor: |
2 | (1) Ensure that each person processing personal data is subject to a duty of confidentiality |
3 | with respect to the data; |
4 | (2) At the controller's direction, delete or return all personal data to the controller as |
5 | requested at the end of the provision of services, unless retention of the personal data is required |
6 | by law; |
7 | (3) Upon the reasonable request of the controller, make available to the controller all |
8 | information in its possession necessary to demonstrate the processor's compliance with the |
9 | obligations of this chapter; |
10 | (4) After providing the controller an opportunity to object, engage any subcontractor |
11 | pursuant to a written contract that requires the subcontractor to meet the obligations of the processor |
12 | with respect to the personal data; and |
13 | (5) Allow, and cooperate with, reasonable assessments by the controller or the controller's |
14 | designated assessor, or the processor may arrange for a qualified and independent assessor to assess |
15 | the processor's policies and technical and organizational measures in support of the obligations of |
16 | this chapter, using an appropriate and accepted control standard of framework and assessment |
17 | procedure for such assessments. The processor shall provide a report of such assessment to the |
18 | controller upon request. |
19 | (c) Nothing in this section shall be construed to relieve a controller or processor from the |
20 | liabilities imposed on the controller or processor by virtue of such controller's or processor's role |
21 | in the processing relationship. If a processor begins, alone or jointly with others, determining the |
22 | purposes and means of the processing of personal data, the processor is a controller with respect to |
23 | such processing and may be subject to an enforcement action under § 6-48.1-8. |
24 | (d) A controller shall conduct and document a data protection assessment for each of the |
25 | controller's processing activities that presents a heightened risk of harm to a customer. For the |
26 | purposes of this section, processing that presents a heightened risk of harm to a customer includes: |
27 | (1) The processing of personal data for the purposes of targeted advertising; |
28 | (2) The sale of personal data; |
29 | (3) The processing of personal data for the purposes of profiling, where such profiling |
30 | presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate |
31 | impact on, customers, financial, physical or reputational injury to customers, a physical or other |
32 | intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such |
33 | intrusion would be offensive to a reasonable person, or other substantial injury to customers; and |
34 | (4) The processing of sensitive data. |
| LC005228 - Page 11 of 17 |
1 | (e) The attorney general may require a controller to disclose any data protection assessment |
2 | that is relevant to an investigation conducted by the attorney general, and the controller shall make |
3 | the data protection assessment available. The attorney general may evaluate the data protection |
4 | assessment for compliance with responsibilities of this chapter. Data protection assessments shall |
5 | be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to |
6 | public records"). To the extent any information contained in a data protection assessment disclosed |
7 | to the attorney general includes information subject to attorney-client privilege or work product |
8 | protection, such disclosure shall not constitute a waiver of such privilege or protection. |
9 | (f) A single data protection assessment may address a comparable set of processing |
10 | operations that include similar activities. |
11 | (g) If a controller conducts a data protection assessment for the purpose of complying with |
12 | another applicable law or regulation, the data protection assessment shall be deemed to satisfy the |
13 | requirements established in this section if such data protection assessment is reasonably similar in |
14 | scope and effect to the data protection assessment that would otherwise be conducted pursuant to |
15 | this section. |
16 | (h) Data protection assessment requirements shall apply to processing activities created or |
17 | generated after January 1, 2025 and are not retroactive. |
18 | (i) Any controller in possession of de-identified data shall: |
19 | (1) Take reasonable measures to ensure that the data cannot be associated with an |
20 | individual; |
21 | (2) Publicly commit to maintaining and using de-identified data without attempting to re- |
22 | identify the data; and |
23 | (3) Contractually obligate any recipients of the de-identified data to comply with all |
24 | provisions of this chapter. |
25 | (j) Nothing in this chapter shall be construed to: |
26 | (1) Require a controller or processor to re-identify de-identified data or pseudonymous |
27 | data; or |
28 | (2) Maintain data in identifiable form, or collect, obtain, retain or access any data or |
29 | technology, in order to be capable of associating an authenticated consumer request with personal |
30 | data. |
31 | (k) Nothing in this chapter shall be construed to require a controller or processor to comply |
32 | with an authenticated consumer rights request if the controller: |
33 | (1) Is not reasonably capable of associating the request with the personal data or it would |
34 | be unreasonably burdensome for the controller to associate the request with the personal data; |
| LC005228 - Page 12 of 17 |
1 | (2) Does not use the personal data to recognize or respond to the specific consumer who is |
2 | the subject of the personal data, or associate the personal data with the other personal data about |
3 | the same specific consumer; and |
4 | (3) Does not sell the personal data to any third party or otherwise voluntarily disclose the |
5 | personal data to any third party other than a processor, except as otherwise permitted in this section. |
6 | (l) The rights afforded under this section, and inclusive of § 6-48.1-5(e) shall not apply to |
7 | pseudonymous data in cases where the controller is able to demonstrate that any information |
8 | necessary to identify the consumer is kept separately and is subject to effective technical and |
9 | organizational controls that prevent the controller from accessing such information. |
10 | (m) A controller that discloses pseudonymous data or de-identified data shall exercise |
11 | reasonable oversight to monitor compliance with any contractual commitments to which the |
12 | pseudonymous data or de-identified data is subject and shall take appropriate steps to address any |
13 | breaches of those contractual commitments. |
14 | (n) This chapter shall not be construed to restrict a controller's or processor's ability to: |
15 | (1) Comply with federal, state or municipal ordinances or regulations; |
16 | (2) Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or |
17 | summons by federal, state, municipal or other governmental authorities; |
18 | (3) Cooperate with law enforcement agencies concerning conduct or activity that the |
19 | controller or processor reasonably and in good faith believes may violate federal, state or municipal |
20 | ordinances or regulations; |
21 | (4) Investigate, establish, exercise, prepare for or defend legal claims; |
22 | (5) Provide a product or service specifically requested by a customer; |
23 | (6) Perform under a contract to which a customer is a party, including fulfilling the terms |
24 | of a written warranty; |
25 | (7) Take steps at the request of a customer prior to entering into a contract; |
26 | (8) Take immediate steps to protect an interest that is essential for the life or physical safety |
27 | of the customer or another individual, and where the processing cannot be manifestly based on |
28 | another legal basis; |
29 | (9) Prevent, detect, protect against or respond to security incidents, identity theft, fraud, |
30 | harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or |
31 | security of systems or investigate, report or prosecute those responsible for any such action; |
32 | (10) Engage in public or peer-reviewed scientific or statistical research in the public interest |
33 | that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed |
34 | by an institutional review board that determines, or similar independent oversight entities that |
| LC005228 - Page 13 of 17 |
1 | determine, whether the deletion of the information is likely to provide substantial benefits that do |
2 | not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy |
3 | risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks |
4 | associated with research, including any risks associated with re-identification; |
5 | (11) Assist another controller, processor or third party with any of the obligations of this |
6 | chapter; or |
7 | (12) Process personal data for reasons of public interest in the area of public health, |
8 | community health or population health, but solely to the extent that such processing is: |
9 | (i) Subject to suitable and specific measures to safeguard the rights of the customer whose |
10 | personal data is being processed, and |
11 | (ii) Under the responsibility of a professional subject to confidentiality obligations under |
12 | federal, state or local law. |
13 | (o) The obligations imposed on controllers or processors shall not restrict a controller's or |
14 | processor's ability to collect, use or retain data for internal use to: |
15 | (1) Conduct internal research to develop, improve or repair products, services or |
16 | technology; |
17 | (2) Effectuate a product recall; |
18 | (3) Identify and repair technical errors that impair existing or intended functionality; or |
19 | (4) Perform internal operations that are reasonably aligned with the expectations of the |
20 | customer or reasonably anticipated based on the customer's existing relationship with the controller, |
21 | or are otherwise compatible with processing data in furtherance of the provision of a product or |
22 | service specifically requested by a customer or the performance of a contract to which the customer |
23 | is a party. |
24 | (p) A controller or processor that discloses personal data to a processor or third-party |
25 | controller shall not be deemed to have violated this chapter if the processor or third-party controller |
26 | that receives and processes such personal data violates said sections; provided at the time the |
27 | disclosing controller or processor disclosed such personal data, the disclosing controller or |
28 | processor did not have actual knowledge that the receiving processor or third-party controller would |
29 | violate said sections. A third-party controller or processor receiving personal data from a controller |
30 | or processor in compliance with this chapter is likewise not in violation of said sections for the |
31 | transgressions of the controller or processor from which such third-party controller or processor |
32 | receives such personal data. |
33 | (q) Nothing in this chapter shall be construed to: |
34 | (1) Impose any obligation on a controller or processor that adversely affects the rights or |
| LC005228 - Page 14 of 17 |
1 | freedoms of any person, including, but not limited to, the rights of any person to freedom of speech |
2 | or freedom of the press guaranteed in the First Amendment to the United States Constitution; or |
3 | (2) Apply to any person's processing of personal data in the course of such person's purely |
4 | personal or household activities. |
5 | (r) Personal data processed by a controller pursuant to this section may be processed to the |
6 | extent that such processing is reasonably necessary and proportionate to the purposes in this |
7 | section; and adequate, relevant and limited to what is necessary in relation to the specific purposes |
8 | listed in this section. Personal data collected, used or retained shall, where applicable, consider the |
9 | nature and purpose or purposes of such collection, use or retention. Such data shall be subject to |
10 | reasonable administrative, technical and physical measures to protect the confidentiality, integrity |
11 | and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to |
12 | customers relating to such collection, use or retention of personal data. |
13 | (s) If a controller processes personal data pursuant to an exemption in this section, the |
14 | controller bears the burden of demonstrating that such processing qualifies for the exemption. |
15 | (t) Processing personal data for the purposes expressly identified in this section shall not |
16 | solely make a legal entity a controller with respect to such processing. |
17 | 6-48.1-8. Violations. |
18 | (a) A violation of this chapter constitutes a violation of the general regulatory provisions |
19 | of commercial law in title 6 and shall constitute a deceptive trade practice in violation of chapter |
20 | 13.1 of title 6; provided, further, that in the event that any individual or entity intentionally discloses |
21 | personal data: |
22 | (1) To a shell company or any entity that has been formed or established solely, or in part, |
23 | for the purposes of circumventing the intent of this chapter; |
24 | (2) To any third party that is not exempt pursuant to § 6-48.1-3; or |
25 | (3) In violation of any provision of this chapter, that individual or entity shall pay a fine of |
26 | not less than one hundred dollars ($100) and no more than five hundred dollars ($500) for each |
27 | such disclosure. |
28 | (b) The attorney general shall have sole enforcement authority of the provisions of this |
29 | chapter and may enforce a violation of this chapter pursuant to: |
30 | (1) The provisions of this section; or |
31 | (2) General regulatory provisions of commercial law in title 6, or both. |
32 | (c) Nothing in this section shall be construed to authorize any private right of action to |
33 | enforce any provision of this chapter, any regulation hereunder, or any other provisions of law. |
34 | 6-48.1-9. Waivers - Severability. |
| LC005228 - Page 15 of 17 |
1 | Any waiver of the provisions of this chapter shall be void and unenforceable. If any |
2 | provision of this chapter or its application to any person or circumstance is held invalid by a court |
3 | of competent jurisdiction, the invalidity shall not affect other provisions of applications of the |
4 | chapter that can be given effect without the invalid provision or application, and to this end the |
5 | provisions of the chapter are severable. |
6 | 6-48.1-10. Construction. |
7 | (a) Nothing in this chapter shall be deemed to apply in any manner to a financial institution, |
8 | an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley |
9 | Act, 15 U.S.C. § 6801 et seq. and its implementing regulations, or to information or data subject to |
10 | the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. 104-191. |
11 | (b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or |
12 | agent of a state agency or local unit of government when working for that state agency or local unit |
13 | of government. |
14 | (c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax |
15 | exempt organization under the Internal Revenue Code. |
16 | (d) Nothing in this chapter shall be construed to mandate and/or require the retention or |
17 | disclosure of any specific individual's personally identifiable information. |
18 | (e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product |
19 | sales summaries or statistical information or aggregate customer data which may include |
20 | personally, identifiable information. |
21 | (f) Nothing in this chapter shall be construed to apply to any personally identifiable |
22 | information or any other information collected, used, processed, or disclosed by or for a customer |
23 | reporting agency as defined by 15 U.S.C. § 1681a(f). |
24 | SECTION 3. This act shall take effect on January 1, 2025. |
======== | |
LC005228 | |
======== | |
| LC005228 - Page 16 of 17 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- | |
RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT | |
*** | |
1 | This act would create the Rhode Island Data Transparency and Privacy Protect Act for data |
2 | privacy protections for the personal data of the citizens of Rhode Island, requiring any person or |
3 | entity that processes personal data to identify all categories of information the controller collects, |
4 | when the controller may disclose such information, how a customer may exercise their consumer |
5 | rights, the purpose for processing the personal data, categories of personal data share with a third |
6 | party, and means to contact the controller. This act would further limit a controller to processing |
7 | personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for |
8 | which the data is processed. A controller would be prohibited from processing sensitive data |
9 | without obtaining the customer's consent and prohibited from discriminating against a customer for |
10 | exercising their customer rights. Any violation of this act would constitute a violation of the general |
11 | regulatory provisions of commercial law and constitute a deceptive trade practice. A fine would be |
12 | imposed for each violation of not less than one hundred dollars ($100) and no more than five |
13 | hundred dollars ($500). |
14 | This act would take effect on January 1, 2025. |
======== | |
LC005228 | |
======== | |
| LC005228 - Page 17 of 17 |