2018 -- H 7111 SUBSTITUTE A
========
LC003294/SUB A
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2018
____________
A N A C T
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE
ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

Introduced By: Representatives Shanley, Carson, Regunberg, Marszalkowski, and
Date Introduced: January 11, 2018
Referred To: House Judiciary
It is enacted by the General Assembly as follows:
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 48.1 |
4 | RHODE ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY |
5 | PROTECTION ACT |
6 | 6-48.1-1. Short title. |
7 | This chapter shall be known and may be cited as the "Rhode Island Right-to-Know Data |
8 | Transparency and Privacy Protection Act." |
9 | 6-48.1-2. Legislative findings. |
10 | The general assembly hereby finds and declares that: |
11 | (1) The right to privacy is a personal and fundamental right protected by the United |
12 | States Constitution. As such, all individuals have a right to privacy in information pertaining to |
13 | them. This state recognizes the importance of providing consumers with transparency about how |
14 | their personal information, especially information relating to their children, is shared by |
15 | businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their |
16 | families from cyber-crimes and identity thieves. |
17 | (2) Furthermore, for free market forces to have a role in shaping the privacy practices and |
18 | for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely |
1 | informed that a business might share personal information with third parties. Consumers must be |
2 | better informed about what kinds of personal information is shared with other businesses. With |
3 | these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among |
4 | businesses that disclose information to third parties on the basis of how protective the business is |
5 | of consumers' privacy. |
6 | (3) Businesses are now collecting personal information and sharing and selling it in ways |
7 | not contemplated or properly covered by the current law. Some websites are installing tracking |
8 | tools that record when consumers visit web pages, and sending very personal information, such as |
9 | age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers |
10 | and data brokers. Third-party data broker companies are buying, selling, and trading personal |
11 | information obtained from mobile phones, financial institutions, social media sites, and other |
12 | online and brick and mortar companies. Some mobile applications are sharing personal |
13 | information, such as location information, unique phone identification numbers, and age, gender, |
14 | and other personal details with third-party companies. |
15 | (4) As such, consumers need to know the ways that their personal information is being |
16 | collected by companies and then shared or sold to third parties in order to properly protect their |
17 | privacy, personal safety, and financial security. |
18 | 6-48.1-3. Definitions. |
19 | As used in this chapter: |
20 | (1) "Categories of personal information" means and includes, but is not limited to, the |
21 | following: |
22 | (i) Identity information including, but not limited to, real name, alias, nickname, and user |
23 | name; |
24 | (ii) Address information, including, but not limited to, postal or email address; |
25 | (iii) Telephone number; |
26 | (iv) Account name; |
27 | (v) Social security number or other government-issued identification number, including, |
28 | but not limited to, social security number, driver's license number, identification card number, |
29 | and passport number; |
30 | (vi) Birthdate or age; |
31 | (vii) Physical characteristic information, including, but not limited to, height and weight; |
32 | (viii) Sexual information, including, but not limited to, sexual orientation, sex, gender |
33 | status, gender identity, and gender expression; |
34 | (ix) Race or ethnicity; |
| LC003294/SUB A - Page 2 of 7 |
1 | (x) Religious affiliation or activity; |
2 | (xi) Political affiliation or activity; |
3 | (xii) Professional or employment-related information; |
4 | (xiii) Educational information; |
5 | (xiv) Medical information, including, but not limited to, medical conditions or drugs, |
6 | therapies, mental health, or medical products or equipment used; |
7 | (xv) Financial information, including, but not limited to, credit, debit, or account |
8 | numbers, account balances, payment history, or information related to assets, liabilities, or |
9 | general creditworthiness; |
10 | (xvi) Commercial information, including, but not limited to, records of property, products |
11 | or services provided, obtained, or considered, or other purchasing or consumer histories or |
12 | tendencies; |
13 | (xvii) Location information; |
14 | (xviii) Internet or mobile activity information, including, but not limited to, Internet |
15 | protocol addresses or information concerning the access or use of any Internet or mobile-based |
16 | site or service; |
17 | (xix) Content, including text, photographs, audio or video recordings, or other material |
18 | generated by or provided by the customer; and |
19 | (xx) Any of the above categories of information as they pertain to the children of the |
20 | customer. |
21 | (2) "Customer" means an individual residing in this state who provides, either knowingly |
22 | or unknowingly, personal information to a private entity, with or without an exchange of |
23 | consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise |
24 | using real or personal property, or any interest therein, or obtaining a product or service from the |
25 | private entity, including advertising or any other content. |
26 | (3) "Designated request address" means an email address, toll-free telephone number, or |
27 | webform whereby customers may request or obtain the information required to be provided under |
28 | § 6-48.1-4. |
29 | (4) "Disclose" means to disclose, release, transfer, share, disseminate, make available, or |
30 | otherwise communicate orally, in writing, or by electronic or any other means to any third party. |
31 | "Disclose" does not include the following: |
32 | (i) Disclosure of personal information by a private entity to a third party under a written |
33 | contract authorizing the third party to utilize the personal information to perform services on |
34 | behalf of the private entity, including maintaining or servicing accounts, providing customer |
1 | service, processing or fulfilling orders and transactions, verifying customer information, |
2 | processing payments, providing financing, or similar services, but only if: |
3 | (A) The contract prohibits the third party from using the personal information for any |
4 | reason other than performing the specified service or services on behalf of the private entity and |
5 | from disclosing any such personal information to additional third parties; and |
6 | (B) The private entity effectively enforces these prohibitions. |
7 | (ii) Disclosure of personal information by a business to a third party based on a good- |
8 | faith belief that disclosure is required to comply with applicable law, regulation, legal process, or |
9 | court order. |
10 | (iii) Disclosure of personal information by a private entity to a third party that is |
11 | reasonably necessary to address fraud, security, or technical issues; to protect the disclosing |
12 | private entity's rights or property; or to protect customers or the public from illegal activities as |
13 | required or permitted by law. |
14 | (5) "Operator" means any person or entity that owns a website located on the Internet or |
15 | an online service that collects and maintains personally identifiable information from a customer |
16 | residing in this state who uses or visits the website or online service if the website or online |
17 | service is operated for commercial purposes. It does not include any third party that operates, |
18 | hosts, or manages, but does not own, a website or online service on the owner's behalf or by |
19 | processing information on behalf of the owner. "Operator" does not include businesses having ten |
20 | (10) or fewer employees, or any third party that operates, hosts, or manages, but does not own, a |
21 | website or online service on the owner’s behalf or by processing information on behalf of the |
22 | owner. |
23 | (6)(i) "Personal information" means any information that identifies, relates to, describes, |
24 | or is capable of being associated with, a particular individual, including, but not limited to, their |
25 | name, signature, physical characteristics or description, address, telephone number, passport |
26 | number, driver's license or state identification card number, insurance policy number, education, |
27 | employment, employment history, bank account number, credit card number, debit card number, |
28 | or any other financial information. |
29 | (ii) "Personal information" also means any data or information pertaining to an |
30 | individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real |
31 | property, if that information is disclosed, or is intended to be disclosed, with any identifying |
32 | information, such as the individual's name, address, telephone number, or social security number. |
33 | (7) "Third party" or "third parties" means: |
34 | (i) A private entity that is a separate legal entity from the private entity that has disclosed |
1 | personal information; |
2 | (ii) A private entity that does not share common ownership or common corporate control |
3 | with the private entity that has disclosed personal information; or |
4 | (iii) A private entity that does not share a brand name or common branding with the |
5 | private entity that has disclosed personal information such that the affiliate relationship is clear to |
6 | the customer. |
7 | 6-48.1-4. Information sharing practices. |
8 | An operator of a commercial website or online service that collects personally |
9 | identifiable information through the Internet about individual customers residing in this state who |
10 | use or visit its commercial website or online service shall, in its customer agreement or |
11 | incorporated addendum or in another conspicuous location on its website or online service |
12 | platform where similar notices are customarily posted: |
13 | (1) Identify all categories of personal information that the operator collects through the |
14 | website or online service about individual customers who use or visit its commercial website or |
15 | online service; |
16 | (2) Identify all categories of third-party persons or entities with whom the operator may |
17 | disclose that personally identifiable information; and |
18 | (3) Provide a description of a customer's rights, as required under § 6-48.1-6, |
19 | accompanied by one or more designated request addresses. |
20 | 6-48.1-5. Disclosure of a customer's personal information to a third party. |
21 | (a) An operator that discloses a customer's personal information to a third party shall |
22 | make the following information available to the customer free of charge: |
23 | (1) All categories of personal information that were disclosed; and |
24 | (2) The names of all third parties that received the customer's personal information. |
25 | (b) This section applies only to personal information disclosed after the effective date of |
26 | this chapter. |
27 | 6-48.1-6. Information availability service. |
28 | (a) An operator required to comply with § 6-48.1-5 shall make the required information |
29 | available by providing a designated request address in its customer agreement or incorporated |
30 | addendum or in another conspicuous location on its website or online service platform where |
31 | similar notices are customarily posted, and, upon receipt of a request under this section, shall |
32 | provide the customer with the information required under § 6-48.1-5 for all disclosures occurring |
33 | in the prior twelve (12) months. |
34 | (b) An operator that receives a request from a customer under this section at one of the |
1 | designated addresses shall provide a response to the customer within thirty (30) days. |
2 | (c) Notwithstanding the provisions of this section, a parent or legal guardian of a |
3 | customer under the age of eighteen (18) may submit a request under this section on behalf of that |
4 | customer. An operator shall not be required to, but may respond to a request made by the same |
5 | parent or legal guardian on behalf of a customer under the age of eighteen (18) more than once |
6 | within a given twelve (12) month period. |
7 | 6-48.1-7. Violations. |
8 | A violation of this chapter constitutes a violation of the general regulatory provisions of |
9 | commercial law in title 6. The office of the attorney general shall have sole enforcement authority |
10 | of the provisions of this chapter and may enforce a violation of this chapter as an unlawful |
11 | practice under the general regulatory provisions of commercial law in title 6. An operator in |
12 | violation of this chapter shall have thirty (30) days after being notified of a violation to rectify |
13 | that violation before the attorney general may seek an enforcement action against that operator. |
14 | Nothing in this section shall prevent a person from otherwise seeking relief under any other |
15 | similarly applicable state laws. |
16 | 6-48.1-8. Waivers; Contracts. |
17 | Any waiver of the provisions of this chapter shall be void and unenforceable. Any |
18 | agreement that does not comply with the applicable provisions of this chapter shall be void and |
19 | unenforceable. |
20 | 6-48.1-9. Construction. |
21 | (a) Nothing in this chapter shall be construed to conflict with the Federal Health |
22 | Insurance Portability and Accountability Act of 1996 and the rules promulgated under that act. |
23 | (b) Nothing in this chapter shall be deemed to apply in any manner to a financial |
24 | institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm- |
25 | Leach-Bliley Act of 1999 and the rules promulgated under that act. |
26 | (c) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or |
27 | agent of a state agency or local unit of government when working for that state agency or local |
28 | unit of government. |
29 | (d) Nothing in this chapter shall be construed to apply to any entity recognized as a tax- |
30 | exempt organization under the Internal Revenue Code of 1986. |
31 | SECTION 2. This act shall take effect on July 1, 2018. |
========
LC003294/SUB A
========
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE
ISLAND RIGHT-TO-KNOW DATA TRANSPARENCY AND PRIVACY PROTECTION ACT
***
1 | This act would create the "Rhode Island Right-to-Know Transparency and Privacy |
2 | Protection Act" to protect individuals of this state from disclosure of personally identifiable |
3 | information through the Internet by operators of commercial websites or online services, and |
4 | would empower the attorney general with enforcement authority for any operator violations. |
5 | This act would take effect on July 1, 2018. |
========
LC003294/SUB A
========