2025 -- H 5830

========

LC001708

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2025

____________

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- AGE-APPROPRIATE DESIGN CODE

     Introduced By: Representatives Cotter, Spears, McGaw, Carson, Chippendale, Tanzi,
Caldwell, Kislak, McNamara, and Hopkins

     Date Introduced: February 28, 2025

     Referred To: House Corporations

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.2

AGE-APPROPRIATE DESIGN CODE

     6-48.2-1. Definitions.

     As used in this chapter the following words have the following meanings:

     (1) "Actual knowledge" or "known" means a covered entity knows that a consumer is a child based upon:

     (i) The self-identified age provided by the minor, an age provided by a third party, or an age or closely related proxy that the covered entity knows or has associated with, attributed to or derived or inferred for the consumer, including for the purposes of advertising, marketing or product development; or

     (ii) The consumer's use of an online feature, product or service or a portion of such an online feature, product or service that is directed to children.

     (2) "Affiliate" has the same meaning as provided in § 6-48.1-2.

     (3) "Child" means an individual who is under eighteen (18) years of age.

     (4) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any personal data pertaining to a consumer by any means, including receiving data from the consumer, either actively or passively, or by observing the consumer’s behavior.

     (5) "Common branding" means a shared name, service mark, or trademark that the average consumer would understand that two (2) or more entities are commonly owned. For purposes of this chapter, for a joint venture or partnership composed of covered entities in which each covered entity has at least a forty percent (40%) interest, the joint venture or partnership and each covered entity that composes the joint venture or partnership shall separately be considered a single covered entity, except that personal data in the possession of each covered entity and disclosed to the joint venture or partnership shall not be shared with the other covered entity.

     (6) "Consumer" means a natural person who is a Rhode Island resident, however identified, including by any unique identifier.

     (7) "Covered entity" means:

     (i) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners engaged in an activity pursuant to the provisions of § 6-48.2-2;

     (ii) An affiliate of a covered entity that shares common branding with the covered entity.

     (8) "Dark pattern" means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making, or choice.

     (9) "Default" means a preselected option adopted by the covered entity for the online service, product, or feature.

     (10) "Deidentified" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer; provided that, the covered entity that possesses the data:

     (i) Takes reasonable measures to ensure that the data cannot be associated with a consumer;

     (ii) Publicly commits to maintain and use the data only in a deidentified fashion and not attempt to re-identify the data; and

     (iii) Contractually obligates any recipients of the data to comply with all provisions of this chapter.

     (11) "Derived data" means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about a known child or a child’s device.

     (12) "Online service, product, or feature" means access to various types of data on the Internet, including banking, education, entertainment, news, shopping and commercial services. "Online service, product, or feature" does not mean any of the following:

     (i) "Telecommunications service," as defined in 47 U.S.C. § 153;

     (ii) A broadband Internet access service; or

     (iii) The sale, delivery, or use of a physical product.

     (13) "Personal data" means any information, including derived data, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable consumer. Personal data does not include deidentified data or publicly available information.

     (14) "Publicly available information" means information that either:

     (i) Is made available from federal, state, or local government records or widely distributed media; or

     (ii) A covered entity has a reasonable basis to believe a consumer has lawfully made available to the public such that the consumer no longer has a reasonable expectation of privacy in the information.

     (15) "Precise geolocation" means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand eight hundred fifty feet (1,850').

     (16) "Process" or "processing" means to conduct or direct any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise handling of personal data.

     (17) "Product experimentation results" means the data that companies collect to understand the experimental impact of their products.

     (18) "Profile" or "profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. "Profiling" does not include the processing of information that does not result in an assessment or judgment about a consumer.

     (19) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other valuable consideration by a covered entity to a third party. It does not include the following:

     (i) The disclosure of personal data to a third party who processes the personal data on behalf of the covered entity;

     (ii) The disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer;

     (iii) The disclosure or transfer of personal data to an affiliate of the covered entity;

     (iv) The disclosure of data that the consumer intentionally made available to the general public such that the consumer no longer maintains a reasonable expectation of privacy in the data; or

     (v) The disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the covered entity’s assets, provided the consumer has the opportunity to opt out of the transfer.

     (20) "Share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer’s personal data by the covered entity to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a covered entity and a third party for cross-context behavioral advertising for the benefit of a covered entity in which no money is exchanged.

     (21) "Third party" means a natural or legal person, public authority, agency, or body, other than the consumer or the covered entity.

     6-48.2-2. Scope - Exclusions.

     (a) An entity is considered a covered entity for the purposes of this chapter if the entity:

     (1) Collects consumers’ personal data or has individuals’ personal data collected on the entity's behalf by a third party;

     (2) Alone or jointly with others, determines the purposes and means of the processing of individuals’ personal data;

     (3) Operates in Rhode Island; and

     (4) Satisfies one or more of the following thresholds:

     (i) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted every odd-numbered year to reflect the Consumer Price Index;

     (ii) Alone or in combination, annually buys, receives for the covered entity’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal data of fifty thousand (50,000) or more individuals, households, or devices; or

     (iii) Derives fifty percent (50%) or more of its annual revenues from selling individuals’ personal data.

     (b) This chapter shall not apply to:

     (1) Protected health information that is collected by a covered entity or covered entity associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164;

     (2) A covered entity governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subsection (b)(1) of this section; and

     (3) Information collected as part of a clinical trial subject to the federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or pursuant to human subject protection requirements of the U.S. Food and Drug Administration.

     (c) Nothing in this chapter shall be interpreted to interfere with any obligation or requirement under chapter 48.1 of title 6. The covered entity authorized pursuant to § 6-48.1-4 regarding sensitive data concerning known children shall have no additional obligation pursuant to this chapter.

     6-48.2-3. Heightened risk of harm to children -- Presumption -- Definitions.

     (a) Each covered entity that offers any online service, product or feature to a consumer whom such covered entity has actual knowledge, or willfully disregards is a child shall use reasonable care to avoid any heightened risk of harm to children caused by such online service, product or feature. In any enforcement action brought by the attorney general pursuant to § 6-48.2-7, there shall be a rebuttable presumption that a covered entity used reasonable care as required under this section if the covered entity complied with the provisions of § 6-48.2-4 concerning data protection assessments.

     (b) As used in this chapter, “heightened risk of harm to children” means processing known children’s personal data in a manner that presents any reasonably foreseeable risk of:

     (1) Any unfair or deceptive treatment of, or any unlawful disparate impact on, children;

     (2) Any financial or reputational injury to children;

     (3) Any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of children if such intrusion would be highly offensive to a reasonable person; or

     (4) Discrimination against the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or expression.

     6-48.2-4. Covered entity obligations.

     (a) A covered entity subject to this chapter shall:

     (1) Complete a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children and maintain documentation of the data protection impact assessment for as long as the online service, product, or feature is reasonably known to be used by children. The data protection impact assessment shall consist of a systematic survey to assess compliance with the duty to use reasonable care to avoid any heightened risk of harm to known children and shall include a plan to ensure that all online products, services, or features provided by the covered entity and known to be used by children are designed and offered in a manner consistent with the duty to use reasonable care to avoid any heightened risk of harm to known children. The plan shall include a description of steps the covered entity has taken and shall take to comply with the duty to use reasonable care to avoid any heightened risk of harm to known children.

     (2) Review and modify all data protection impact assessments as necessary to account for material changes to processing pertaining to the online service, product, or feature within ninety (90) days after any material changes.

     (3) Within five (5) days after receipt of a written request by the attorney general, provide to the attorney general a list of all data protection impact assessments the covered entity has completed.

     (4) Within seven (7) days after receipt of a written request by the attorney general, provide the attorney general with a copy of a data protection impact assessment; provided that, the attorney general may, in the attorney general’s discretion, extend beyond seven (7) days the amount of time allowed for a covered entity to produce a data protection impact assessment.

     (5) Configure all default privacy settings provided to known children by the online service, product, or feature to settings that offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is consistent with the duty to use reasonable care to avoid any heightened risk of harm to children, as defined pursuant to the provisions of § 6-48.2-3(b).

     (6) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children known to access that online service, product, or feature.

     (7) Provide prominent, accessible, and responsive tools to assist known children in a form or manner required by the general attorney, or, if applicable, their parents or guardians, in the exercise of their privacy rights and to report concerns.

     (b) A data protection impact assessment required by this section shall:

     (1) Identify the purpose of the online service, product, or feature;

     (2) Disclose how it uses children’s personal data; and

     (3) Determine whether the online service, product, or feature is designed and offered in a manner consistent with the duty to use reasonable care to avoid any heightened risk of harm to children and:

     (i) Whether the design of the online service, product, or feature is reasonably expected to allow known children to be party to or exploited by a contract on the online service, product, or feature that would result in reasonably foreseeable and material financial harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or expression;

     (ii) Whether targeted advertising systems used by the online service, product, or feature would result in reasonably foreseeable and material financial harm to the known child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or expression;

     (iii) Whether the online service, product, or feature uses system design features to increase, sustain, or extend use of the online service, product, or feature by known children, including the automatic playing of media, rewards for time spent, and notifications, that would result in reasonably foreseeable and material financial harm to the child or a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or expression;

     (iv) Whether, how, and for what purpose the online product, service, or feature collects or processes personal data of known children and whether those practices would result in reasonably foreseeable and material financial harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or expression; and

     (v) Whether and how product experimentation results for the online product, service, or feature reveal data management or design practices that would result in reasonably foreseeable and material financial harm to the known child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or expression.

     (c) A data protection impact assessment conducted by a covered entity for the purpose of compliance with any other law may be utilized to comply with the provisions of this chapter if the data protection impact assessment meets the requirements of this chapter.

     (d) A single data protection impact assessment may contain multiple similar processing operations that present similar risk only if each relevant online service, product, or feature is addressed separately.

     (e) A covered entity may process only the personal data reasonably necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged to estimate age.

     (f) A data protection impact assessment created pursuant to this section is exempt from public disclosure and to the extent required to be disclosed to public officials shall not constitute a public record pursuant to the provisions of chapter 2 of title 38 (“access to public records”).

     6-48.2-5. Covered entity prohibitions.

     A covered entity that provides an online service, product, or feature to known children shall not:

     (1) Process the personal data of any known child in a way that is inconsistent with the duty to use reasonable care to avoid any heightened risk of harm to children, as defined pursuant to the provisions of § 6-48.2-3(b);

     (2) Profile a known child by default unless both of the following criteria are met:

     (i) The covered entity can demonstrate it has appropriate safeguards in place to ensure that profiling is consistent with the duty to use reasonable care to avoid any heightened risk of harm to known children; and

     (ii) Profiling is necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which a known child is actively and knowingly engaged;

     (3) Process any personal data that is not reasonably necessary to provide an online service, product, or feature with which a known child is actively and knowingly engaged;

     (4) If the end user is a known child, process personal data for any reason other than a reason for which that personal data was collected;

     (5) Process any precise geolocation information of known children by default, unless the collection of that precise geolocation information is strictly necessary for the covered entity to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature;

     (6) Process any precise geolocation information of a known child without providing a conspicuous sign to the child for the duration of that collection that precise geolocation information is being collected;

     (7) Use dark patterns to cause known children to provide personal data beyond what is reasonably expected to provide that online service, product, or feature to forego privacy protections, or to take any action that the covered entity knows, or has reason to know, is not consistent with the duty to use reasonable care to avoid any heightened risk of harm to children; or

     (8) Allow a known child’s parent or any other consumer to monitor the child’s online activity or track the child’s location, without providing a conspicuous signal to the child when the child is being monitored or tracked.

     6-48.2-6. Impact assessments non-public information.

     (a) A data protection impact assessment collected or maintained by the attorney general pursuant to this chapter shall not be deemed public for purposes of chapter 2 of title 38 ("access to public records").

     (b) To the extent any information contained in a data protection impact assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, disclosure pursuant to this chapter does not constitute a waiver of that privilege or protection.

     6-48.2-7. Enforcement.

     (a) The attorney general may seek the imposition of an injunction and a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation of this chapter, or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation of this chapter, plus costs and reasonable attorneys’ fees for each violation.

     (b) Any penalties, fees, and expenses recovered in an action brought under this chapter shall be deposited in a restricted receipt account and are to be appropriated to the attorney general and utilized pursuant to the provisions of subsection (c) of this section.

     (c) All fees collected by the office of the attorney general in accordance with subsection (b) of this section shall be placed into a restricted receipt account to support the personnel costs, operating costs and capital expenditure necessary to carry out the enforcement provisions of this section; provided, however, that any fees charged shall be in addition to and not substituted for funds appropriated for the office by the state or federal government.

     (d) If a covered entity is in substantial compliance with the requirements of this chapter, the attorney general shall, before initiating a civil action pursuant to the provisions of this chapter, provide written notice to the covered entity identifying the specific provisions of this chapter that the attorney general alleges have been or are being violated. If a covered entity satisfies the provisions of § 6-48.2-4 before offering any new online product, service, or feature reasonably likely to be accessed by children to the public, the covered entity shall have ninety (90) days to fully comply with all provisions specified in the notice from the attorney general. If the covered entity cures all noticed violations and provides the attorney general a written statement that the alleged violations have been cured, and sufficient measures have been taken to prevent future violations, the covered entity shall not be liable for a civil penalty for any violation cured within the ninety (90) day period.

     (e) No individual entitlement or private right of action is created by this section.

     SECTION 2. This act shall take effect on January 1, 2026.


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- AGE-APPROPRIATE DESIGN CODE

***

     This act would require that any covered entity that develops and provides online services, products, or features that children are reasonably likely to access shall consider the best interest of children when designing and developing such online service, product, or feature. The provisions of this chapter may be enforced by the attorney general and violators are subject to civil penalties.

     This act would take effect on January 1, 2026.
