2026 -- S 2766

========

LC005693

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2026

____________

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --

RHODE ISLAND DELETE ACT

     Introduced By: Senators Gu, DiPalma, Urso, Vargas, Zurier, Paolino, and Burke

     Date Introduced: March 04, 2026

     Referred To: Senate Commerce

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL

REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.2

RHODE ISLAND DELETE ACT

     6-48.2-1. Short title.

     This chapter shall be known and may be cited as the "Rhode Island Delete Act".

     6-48.2-2. Definitions.

     As used in this chapter, the following terms shall have the following meanings:

     (1) The definitions of § 6-48.1-2 shall apply unless otherwise specified in this chapter.

     (2) "Authorized agent" means a natural person or a business entity that a consumer has

authorized to act on their behalf.

     (3) "Dark pattern" means a user interface designed or manipulated with the substantial

effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is

not limited to, any practice the federal trade commission refers to as a "dark pattern".

     (4) "Data broker" means a business that knowingly collects, shares or sells to third parties

the personal data of a consumer with whom the business does not have a direct relationship. This

chapter shall not apply to any of the following:

     (i) An entity to the extent that is covered by the federal Fair Credit Reporting Act, U.S.C §

1681 et seq.;

     (ii) Personal data collected or processed subject to Title V of Gramm-Leach-Bliley Act, 15

U.S.C. § 6801 et seq., and implementing regulations;

     (iii) Personal data collected or processed subject to the privacy, security, and breach

notification rules under the Health Insurance Portability and Accountability Act.

     (5) "Department" means the Rhode Island department of business regulation.

     (6) "Direct relationship" means that a consumer has intentionally interacted with a business

for the purpose of accessing, purchasing, using, requesting, or obtaining information about the

business’s products or services. A consumer does not have a "direct relationship" with a business

if the purpose of their engagement is to exercise any right described under § 6-48.1-6, or for the

business to verify the consumer’s identity. A business does not have a "direct relationship" with a

consumer simply because it collects personal data directly from the consumer. The consumer must

intend to interact with the business. A business is still a data broker and does not have a direct

relationship with a consumer as to personal data it sells about the consumer that it collected outside

of a first-party interaction with the consumer.

     (7) "Personal data" means any information that is linked or reasonably linkable to an

identified or identifiable individual and does not include publicly available information.

     (8) "Reproductive or sexual health care" means any health care-related services or products

rendered or provided concerning a consumer's reproductive system or sexual well-being including,

but not limited to, any such service or product rendered or provided concerning:

     (i) An individual health condition, status, disease, diagnosis, diagnostic test or treatment;

     (ii) A social, psychological, behavioral or medical intervention;

     (iii) A surgery or procedure including, but not limited to, an abortion;

     (iv) A use or purchase of a medication including, but not limited to, a medication used or

purchased for the purposes of an abortion;

     (v) A bodily function, vital sign or symptom;

     (vi) A measurement of a bodily function, vital sign or symptom; or

     (vii) An abortion including, but not limited to, medical or nonmedical services, products,

diagnostics, counseling or follow-up services for an abortion.

     (9) "Reproductive or sexual health data" means any personal data concerning an effort

made by a consumer to seek, or a consumer's receipt of, reproductive or sexual health care.

     6-48.2-3. Data brokers’ registry fund.

     There is created the "data brokers’ registry fund" ("the fund") into which shall be deposited

with the general treasurer of the state. The fund shall be administered by the department. All monies

LC005693 - Page 2 of 10

collected or received by the department pursuant to this chapter shall be deposited into the fund, to

be available for expenditure by the department, upon appropriation by the general assembly, to

offset all of the following costs:

     (1) The reasonable costs of establishing and maintaining the informational internet website

described in § 6-48.2-5.

     (2) The costs incurred by the judiciary and the department in connection with enforcing

this chapter, as specified in § 6-48.2-4.

     (3) The reasonable costs of establishing, maintaining, and providing access to the

accessible deletion mechanism described in § 6-48.2-7.

     6-48.2-4. Registration.

     (a) On or before January 31 following each year in which a business meets the definition

of data broker as defined in § 6-48.2-2, the business shall register with the department pursuant to

the requirements of this section.

     (b) In registering with the department, as set forth in subsection (a) of this section, a data

broker shall do all of the following:

     (1) Pay a registration fee in an amount determined by the department not to exceed the

reasonable costs of establishing and maintaining the informational internet website described in §

6-48.2-5 and the reasonable costs of establishing, maintaining, and providing access to the

accessible deletion mechanism described in § 6-48.2-7. Registration fees shall be deposited in the

data brokers’ registry fund pursuant to § 6-48.2-3, and used for the purposes specified in this

section.

     (2) Provide the following information:

     (i) The name of the data broker and its primary physical, email, and internet website

addresses;

     (ii) The metrics compiled pursuant to § 6-48.2-6(a)(1) and (a)(2);

     (iii) Whether the data broker collects the personal data of minors;

     (iv) Whether the data broker collects consumers’ names, dates of birth, ZIP codes, email

addresses, or phone numbers;

     (v) Whether the data broker collects consumers’ account login or account number in

combination with any required security code, access code, or password that would permit access to

a consumer’s account with a third party;

     (vi) Whether the data broker collects consumers’ drivers’ license number, Rhode Island

identification card number, tax identification number, social security number, passport number,

military identification number, or other unique identification number issued on a government

LC005693 - Page 3 of 10

document commonly used to verify the identity of a specific individual;

     (vii) Whether the data broker collects consumers’ mobile advertising identification

numbers, connected television identification numbers, or vehicle identification numbers (VIN);

     (viii) Whether the data broker collects consumers’ citizenship data, including immigration

status;

     (ix) Whether the data broker collects consumers’ union membership status;

     (x) Whether the data broker collects consumers’ sexual orientation data;

     (xi) Whether the data broker collects consumers’ gender identity and gender expression

data;

     (xii) Whether the data broker collects consumers’ biometric data;

     (xiii) Whether the data broker collects consumers’ precise geolocation;

     (xiv) Whether the data broker collects consumers’ reproductive or sexual health care data;

     (xv) Whether the data broker has shared or sold consumers’ data to a foreign actor in the

past year;

     (xvi) Whether the data broker has shared or sold consumers’ data to the federal government

in the past year;

     (xvii) Whether the data broker has shared or sold consumers’ data to other state

governments in the past year;

     (xviii) Whether the data broker has shared or sold consumers’ data to law enforcement in

the past year, unless that data was shared pursuant to a subpoena or court order;

     (xix) Whether the data broker has shared or sold consumers’ data to a developer of a GenAI

system or model in the past year;

     (xx) Up to three (3), but no fewer than one, of the most common types of personal

information that the data broker collects, if the data broker does not collect the information

described in subsections (b)(2)(iv) and (b)(2)(vii) of this section;

     (xxi) Beginning January 1, 2029, whether the data broker has undergone an audit as

described in § 6-48.2-7(e), and, if so, the most recent year that the data broker has submitted a

report resulting from the audit and any related materials to the department;

     (xxii) A link to a page on the data broker’s internet website that does both of the following:

     (A) Details how consumers may exercise their privacy rights to:

     (I) Delete personal data, as described in § 6-48.1-5(e)(2);

     (II) Correct inaccurate personal data, as described in § 6-48.1-5(e)(2);

     (III) Learn what personal data is being processed, as described in § 6-48.1-5;

     (IV) Learn how to access that personal data, as described in § 6-48.1-5;

LC005693 - Page 4 of 10

     (V) Learn how to opt out of the sale or sharing of personal data, as described in § 6-48.1-

5; and

     (B) Does not make use of any dark patterns.

     (xxiii) Whether and to what extent the data broker or any of its subsidiaries is regulated by

any of the following:

     (A) The federal Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.;

     (B) The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and implementing regulations;

     (C) The Health Insurance Portability and Accountability Act of 1996 (HIPAA).

     (xxiv) Any additional information or explanation the data broker chooses to provide

concerning its data collection practices.

     (c) A data broker that fails to register as required by this section is liable for administrative

fines and costs in an administrative action brought by the department as follows:

     (1) An administrative fine of two hundred dollars ($200) for each day the data broker fails

to register as required by this section.

     (2) An amount equal to the fees that were due during the period it failed to register.

     (3) Expenses incurred by the department in the investigation and administration of the

action as the court deems appropriate.

     (d) A data broker required to register under this chapter that fails to comply with the

requirements of § 6-48.2-7 is liable for administrative fines and costs in an administrative action

brought by the department as follows:

     (1) An administrative fine of two hundred dollars ($200) for each deletion request for each

day the data broker fails to delete information as required by § 6-48.2-7; and

     (2) Reasonable expenses incurred by the department in the investigation and administration

of the action.

     (e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under

subsections (c) or (d) of this section, shall be deposited in the data brokers’ registry fund, created

pursuant to § 6-48.2-3, with the intent that they be used to fully offset costs incurred by the judiciary

and the department in connection with this chapter.

     6-48.2-5. Public access to information.

     The department shall create a page on its internet website where the registration

information provided by data brokers described in § 6-48.2-4(b)(2) and the accessible deletion

mechanism described in § 6-48.2-7 shall be accessible to the public.

     6-48.2-6. Disclosure.

     (a) On or before July 1 following each calendar year in which a business meets the

LC005693 - Page 5 of 10

definition of a data broker as defined in § 6-48.2-2, the business shall do all of the following:

     (1) Compile the number of requests pursuant to §§ 6-48.1-5 and 6-48.2-7(c) that the data

broker received, complied with in whole or in part, and denied during the previous calendar year;

     (2) Compile the median and the mean number of days within which the data broker

substantively responded to requests pursuant to §§ 6-48.1-5 and 6-48.2-7(c) that the data broker

received during the previous calendar year; and

     (3) Disclose the metrics compiled within the data broker’s privacy policy posted on their

internet website and accessible from a link included in the data broker’s privacy policy.

     (b) In its disclosure pursuant to subsection (a)(3) of this section, regarding requests made

pursuant to § 6-48.2-7(c) a data broker shall disclose the number of requests that the data broker

denied in whole or in part because of any of the following:

     (1) The request was not verifiable;

     (2) The request was not made by a consumer or a consumer's authorized agent;

     (3) The request called for information exempt from deletion.

     (4) The request was denied on other grounds.

     (c) In its disclosure pursuant to subsection (a)(3) of this section, a data broker shall specify

the number of requests in which deletion was not required in whole, or in part, due to an exemption

under this chapter, §§ 6-48.1-3(d) or (e), or 6-48.1-7(o) or (p).

     6-48.2-7. Deletion.

     (a) By January 1, 2027, the department shall establish an accessible deletion mechanism

that does all of the following:

     (1) Implements and maintains reasonable security procedures and practices including, but

not limited to, administrative, physical, and technical safeguards appropriate to the nature of the

information and the purposes for which the personal data will be used and to protect consumers’

personal data from unauthorized use, disclosure, access, destruction, or modification;

     (2) Allows a consumer, through a single verifiable consumer request, to request that every

data broker that maintains any personal data delete any personal data related to that consumer held

by the data broker or associated service provider or contractor;

     (3) Allows a consumer to selectively exclude specific data brokers from a request made

under subsection (a)(2) of this section; and

     (4) Allows a consumer to make a request to alter a previous request made under this section

within forty-five (45) days since the consumer last made a request under this section.

     (b) The accessible deletion mechanism established pursuant to subsection (a) of this

section, shall meet all of the following requirements:

LC005693 - Page 6 of 10

     (1) The accessible deletion mechanism shall allow a consumer to request the deletion of all

personal data related to that consumer through a single deletion request;

     (2) The accessible deletion mechanism shall permit a consumer to securely submit

information in one or more privacy-protecting ways determined by the department to aid in the

deletion request;

     (3) The accessible deletion mechanism shall allow data brokers registered with the

department to determine whether an individual has submitted a verifiable consumer request to

delete the personal data related to that consumer as described in subsection (b)(1) of this section,

and shall not allow the disclosure of any additional personal data when the data broker accesses the

accessible deletion mechanism unless otherwise specified in this chapter;

     (4) The accessible deletion mechanism shall allow a consumer to make a request described

in subsection (b)(1) of this section, using an internet service operated by the department;

     (5) The accessible deletion mechanism shall not charge a consumer to make a request

described in subsection (b)(1) of this section;

     (6) The accessible deletion mechanism shall allow a consumer to make a request described

in subsection (b)(1) of this section in any language spoken by any consumer for whom personal

data has been collected by data brokers;

     (7) The accessible deletion mechanism shall be readily accessible and usable by consumers

with disabilities;

     (8) The accessible deletion mechanism shall support the ability of a consumer’s authorized

agents to aid in the deletion request;

     (9) The accessible deletion mechanism shall allow the consumer, or their authorized agent,

to verify the status of the consumer’s deletion request; and

     (10) The accessible deletion mechanism shall provide a description of all of the following:

     (i) The deletion permitted by this section including, but not limited to, the actions required

by subsections (c) and (d) of this section;

     (ii) The process for submitting a deletion request pursuant to this section; and

     (iii) Examples of the types of information that may be deleted.

     (c)(1) Beginning August 1, 2027, a data broker shall access the accessible deletion

mechanism established pursuant to subsection (a) of this section, at least once every forty-five (45)

days and do all of the following:

     (i) Within forty-five (45) days after receiving a request made pursuant to this section,

process all deletion requests made pursuant to this section and delete all personal data related to the

consumers making the requests consistent with the requirements of this section;

LC005693 - Page 7 of 10

     (ii) In cases where a data broker denies a consumer request to delete under this chapter

because the request cannot be verified, process the request as an opt-out of the sale or sharing of

the consumer’s personal data, as provided for under § 6-48.1-5(e)(4);

     (iii) Direct all processors associated with the data broker to delete all personal data in their

possession related to the consumers making the requests described in subsection (c)(1)(i) of this

section;

     (iv) Direct all processors associated with the data broker to process a request described by

subsection (c)(1)(ii) of this section, as an opt-out of the sale or sharing of the consumer’s personal

data, as provided for under § 6-48.1-5(e)(4);

     (2) Notwithstanding subsection (c)(1) of this section, a data broker shall not be required to

delete a consumer’s personal data if it is reasonably necessary for the data broker to maintain the

personal data to fulfill a purpose described in § 6-48.1-7(o) or (p);

     (3) Personal data described in subsection (c)(2) of this section, shall only be used for the

purposes described in subsection (c)(2) of this section, and shall not be used or disclosed for any

other purpose including, but not limited to, marketing purposes.

     (d)(1) Beginning August 1, 2027, after a consumer has submitted a deletion request and a

data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all

personal data of the consumer at least once every forty-five (45) days pursuant to this section unless

the consumer requests otherwise or the deletion is not required pursuant to subsection (c)(2) of this

section;

     (2) Beginning August 1, 2027, after a consumer has submitted a deletion request and a data

broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or

share new personal data of the consumer unless the consumer requests otherwise.

     (e)(1) Beginning January 1, 2028, and every three (3) years thereafter, a data broker shall

undergo an audit by an independent third party to determine compliance with this chapter;

     (2) For an audit completed pursuant to subsection (e)(1) of this section, the data broker

shall submit a report resulting from the audit and any related materials to the department within

five (5) business days of a written request from the department;

     (3) A data broker shall maintain the report and materials described in subsection (c)(2) of

this section, for at least six (6) years.

     (f)(1) The department may charge an access fee to a data broker when the data broker

accesses the accessible deletion mechanism pursuant to subsection (d) of this section, that does not

exceed the reasonable costs of providing that access;

     (2) A fee collected by the department pursuant to subsection (f)(1) of this section, shall be

LC005693 - Page 8 of 10

deposited in the data brokers’ registry fund pursuant to § 6-48.2-3.

     6-48.2-8. Rules and regulations.

     The department may promulgate rules and regulations to implement and administer this

chapter.

     SECTION 2. This act shall take effect upon passage.

========

LC005693

========

LC005693 - Page 9 of 10

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --

RHODE ISLAND DELETE ACT

***

     This act would create the Rhode Island Delete Act, requiring any entity that knowingly

collects, shares or sells to third parties the personal data of a consumer with whom the business

does not have a direct relationship, to register with the department of business regulation.

Consumers may request that their personal information be deleted through an appropriate deletion

mechanism as established by the department of business regulation.

     This act would take effect upon passage.

========

LC005693

========

LC005693 - Page 10 of 10