2017 -- H 6087 | |
======== | |
LC002358 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2017 | |
____________ | |
A N A C T | |
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RIGHT- | |
TO-KNOW ACT | |
| |
Introduced By: Representatives Shanley, Carson, Regunberg, Bennett, and | |
Date Introduced: April 06, 2017 | |
Referred To: House Corporations | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 48.1 |
4 | RIGHT-TO-KNOW ACT |
5 | 6-48.1-1. Short title. |
6 | This chapter shall be known and may be cited as the "Right-to-Know Act." |
7 | 6-48.1-2. Legislative findings. |
8 | The General Assembly hereby finds and declares that: |
9 | (1) The right to privacy is a personal and fundamental right protected by the United |
10 | States Constitution. As such, all individuals have a right to privacy in information pertaining to |
11 | them. This state recognizes the importance of providing consumers with transparency about how |
12 | their personal information, especially information relating to their children, is shared by |
13 | businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their |
14 | families from cyber-crimes and identity thieves. |
15 | (2) Furthermore, for free market forces to have a role in shaping the privacy practices and |
16 | for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely |
17 | informed that a business might share personal information with third parties. Consumers must be |
18 | better informed about what kinds of personal information is shared with other businesses. With |
1 | these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among |
2 | businesses that disclose information to third parties on the basis of how protective the business is |
3 | of consumers' privacy. |
4 | (3) Businesses are now collecting personal information and sharing and selling it in ways |
5 | not contemplated or properly covered by the current law. Some websites are installing tracking |
6 | tools that record when consumers visit web pages, and sending very personal information, such as |
7 | age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers |
8 | and data brokers. Third-party data broker companies are buying, selling, and trading personal |
9 | information obtained from mobile phones, financial institutions, social media sites, and other |
10 | online and brick and mortar companies. Some mobile applications are sharing personal |
11 | information, such as location information, unique phone identification numbers, and age, gender, |
12 | and other personal details with third-party companies. |
13 | (4) As such, consumers need to know the ways that their personal information is being |
14 | collected by companies and then shared or sold to third parties in order to properly protect their |
15 | privacy, personal safety, and financial security. |
16 | 6-48.1-3. Definitions. |
17 | As used in this chapter: |
18 | (1) "Categories of personal information" includes, but is not limited to, the following: |
19 | (i) Identity information including, but not limited to, real name, alias, nickname, and user |
20 | name; |
21 | (ii) Address information, including, but not limited to, postal or e-mail; |
22 | (iii) Telephone number; |
23 | (iv) Account name; |
24 | (v) Social security number or other government-issued identification number, including, |
25 | but not limited to, social security number, driver's license number, identification card number, |
26 | and passport number; |
27 | (vi) Birthdate or age; |
28 | (vii) Physical characteristic information, including, but not limited to, height and weight; |
29 | (viii) Sexual information, including, but not limited to, sexual orientation, sex, gender |
30 | status, gender identity, and gender expression; |
31 | (ix) Race or ethnicity; |
32 | (x) Religious affiliation or activity; |
33 | (xi) Political affiliation or activity; |
34 | (xii) Professional or employment-related information; |
1 | (xiii) Educational information; |
2 | (xiv) Medical information, including, but not limited to, medical conditions or drugs, |
3 | therapies, mental health, or medical products or equipment used; |
4 | (xv) Financial information, including, but not limited to, credit, debit, or account |
5 | numbers, account balances, payment history, or information related to assets, liabilities, or |
6 | general creditworthiness; |
7 | (xvi) Commercial information, including, but not limited to, records of property, products |
8 | or services provided, obtained, or considered, or other purchasing or consumer histories or |
9 | tendencies; |
10 | (xvii) Location information; |
11 | (xviii) Internet or mobile activity information, including, but not limited to, Internet |
12 | protocol addresses or information concerning the access or use of any Internet or mobile-based |
13 | site or service; |
14 | (xix) Content, including text, photographs, audio or video recordings, or other material |
15 | generated by or provided by the customer; and |
16 | (xx) Any of the above categories of information as they pertain to the children of the |
17 | customer. |
18 | (2) "Customer" means an individual residing in this state who provides, either knowingly |
19 | or unknowingly, personal information to a private entity, with or without an exchange of |
20 | consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise |
21 | using real or personal property, or any interest therein, or obtaining a product or service from the |
22 | private entity, including advertising or any other content. |
23 | (3) "Designated request address" means an email address or toll-free telephone number |
24 | whereby customers may request or obtain the information required to be provided under §6-48.1- |
25 | 4. |
26 | (4) "Disclose" means to disclose, release, transfer, share, disseminate, make available, or |
27 | otherwise communicate orally, in writing, or by electronic or any other means to any third party. |
28 | "Disclose" does not include the following: |
29 | (i) Disclosure of personal information by a private entity to a third party under a written |
30 | contract authorizing the third party to utilize the personal information to perform services on |
31 | behalf of the private entity, including maintaining or servicing accounts, providing customer |
32 | service, processing or fulfilling orders and transactions, verifying customer information, |
33 | processing payments, providing financing, or similar services, but only if: |
34 | (A) The contract prohibits the third party from using the personal information for any |
1 | reason other than performing the specified service or services on behalf of the private entity and |
2 | from disclosing any such personal information to additional third parties; and |
3 | (B) The private entity effectively enforces these prohibitions. |
4 | (ii) Disclosure of personal information by a business to a third party based on a good- |
5 | faith belief that disclosure is required to comply with applicable law, regulation, legal process, or |
6 | court order. |
7 | (iii) Disclosure of personal information by a private entity to a third party that is |
8 | reasonably necessary to address fraud, security, or technical issues; to protect the disclosing |
9 | private entity's rights or property; or to protect customers or the public from illegal activities as |
10 | required or permitted by law. |
11 | (5) "Operator" means any person or entity that owns an Internet website located or an |
12 | online service that collects and maintains personally identifiable information from a customer |
13 | residing in this state who uses or visits the website or online service if the website or online |
14 | service is operated for commercial purposes. It does not include any third party that operates, |
15 | hosts, or manages, but does not own, a website or online service on the owner's behalf or by |
16 | processing information on behalf of the owner. |
17 | (6)(i) "Personal information" means any information that identifies, relates to, describes, |
18 | or is capable of being associated with, a particular individual, including, but not limited to, their |
19 | name, signature, physical characteristics or description, address, telephone number, passport |
20 | number, driver's license or state identification card number, insurance policy number, education, |
21 | employment, employment history, bank account number, credit card number, debit card number, |
22 | or any other financial information. |
23 | (ii) "Personal information" also means any data or information pertaining to an |
24 | individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real |
25 | property, if that information is disclosed, or is intended to be disclosed, with any identifying |
26 | information, such as the individual's name, address, telephone number, or social security number. |
27 | (7) "Third party" or "third parties" means: |
28 | (i) A private entity that is a separate legal entity from the private entity that has disclosed |
29 | personal information; |
30 | (ii) A private entity that does not share common ownership or common corporate control |
31 | with the private entity that has disclosed personal information; or |
32 | (iii) A private entity that does not share a brand name or common branding with the |
33 | private entity that has disclosed personal information such that the affiliate relationship is clear to |
34 | the customer. |
1 | 6-48.1-4. Notification of information sharing practices. |
2 | An operator of a commercial website or online service that collects personally |
3 | identifiable information through the Internet about individual customers residing in this state who |
4 | use or visit its commercial website or online service shall, in its customer agreement or |
5 | incorporated addendum: |
6 | (1) Identify all categories of personal information that the operator collects through the |
7 | website or online service about individual customers who use or visit its commercial website or |
8 | online service; |
9 | (2) Identify all categories of third-party persons or entities with whom the operator may |
10 | disclose that personally identifiable information; and |
11 | (3) Provide a description of a customer's rights, as required under §6-48.1-6, |
12 | accompanied by one or more designated request addresses. |
13 | 6-48.1-5. Disclosure of a customer's personal information to a third party. |
14 | (a) An operator that discloses a customer's personal information to a third party shall |
15 | make the following information available to the customer free of charge: |
16 | (1) All categories of personal information that were disclosed; and |
17 | (2) The names of all third parties that received the customer's personal information. |
18 | (b) This section applies only to personal information disclosed after the effective date of |
19 | this chapter. |
20 | 6-48.1-6. Information availability service. |
21 | (a) An operator required to comply with §6-48.1-5 shall make the required information |
22 | available by providing a designated request address in its customer agreement or incorporated |
23 | addendum, and, upon receipt of a request under this section, shall provide the customer with the |
24 | information required under §6-48.1-5 for all disclosures occurring in the prior twelve (12) |
25 | months. |
26 | (b) An operator that receives a request from a customer under this section at one of the |
27 | designated addresses shall provide a response to the customer within thirty (30) days. |
28 | 6-48.1-7. Right of action. |
29 | Any person whose rights under this chapter are violated shall have a right of action |
30 | against an offending party, and shall recover: |
31 | (i) Liquidated damages of ten dollars ($10.00) or actual damages, whichever is greater; |
32 | (ii) Injunctive relief, if appropriate; and |
33 | (iii) Reasonable attorneys' fees, costs, and expenses. |
34 | 6-48.1-8. Waivers; Contracts. |
1 | Any waiver of the provisions of this chapter shall be void and unenforceable. Any |
2 | agreement that does not comply with the applicable provisions of this chapter shall be void and |
3 | unenforceable. |
4 | 6-48.1-9. Construction. |
5 | (a) Nothing in this chapter shall be construed to conflict with the Federal Health |
6 | Insurance Portability and Accountability Act of 1996 and the rules promulgated under that act. |
7 | (b) Nothing in this chapter shall be deemed to apply in any manner to a financial |
8 | institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm- |
9 | Leach-Bliley Act of 1999 and the rules promulgated under that act. |
10 | (c) Nothing in this chapter shall be deemed to apply to the activities of an individual or |
11 | entity to the extent that those activities are subject to Section 222 or 631 of the Federal |
12 | Communications Act of 1934. |
13 | (d) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or |
14 | agent of a state agency or local unit of government when working for that state agency or local |
15 | unit of government. |
16 | SECTION 2. This act shall take effect on July 1, 2017. |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RIGHT- | |
TO-KNOW ACT | |
*** | |
1 | This act would protect individuals of this state from disclosure of personally identifiable |
2 | information through the Internet by operators of commercial websites or online services and |
3 | would create a right of action for any operator violations. |
4 | This act would take effect on July 1, 2017. |