2019 -- S 0234

========

LC000789

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2019

____________

A N   A C T

RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS --

CONSUMER PRIVACY PROTECTION

     

     Introduced By: Senators Conley, DiPalma, Lawson, Satchell, and Cano

     Date Introduced: January 31, 2019

     Referred To: Senate Judiciary

     It is enacted by the General Assembly as follows:

1

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL

2

REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

3

CHAPTER 48.1

4

CONSUMER PRIVACY PROTECTION ACT

5

     6-48.1-1. Short title.

6

     This chapter shall be known and may be cited as the "Consumer Privacy Protection Act."

7

     6-48.1-2. Definitions.

8

     As used in this chapter, unless the context requires otherwise:

9

     (1) "Aggregate consumer information" means information that relates to a group or

10

category of consumers, from which individual consumer identities have been removed, that is not

11

linked or reasonably linkable to any consumer or household, including via a device. "Aggregate

12

consumer information" does not mean one or more individual consumer records that have been

13

deidentified.

14

     (2) "Biometric information" means an individual's physiological, biological or behavioral

15

characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or

16

in combination with each other or with other identifying data, to establish individual identity.

17

Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face,

18

hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a

 

1

faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or

2

rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying

3

information.

4

     (3) "Business" means:

5

     (i) A sole proprietorship, partnership, limited liability company, corporation, association,

6

or other legal entity that is organized or operated for the profit or financial benefit of its

7

shareholders or other owners, that collects consumers' personal information, or on the behalf of

8

which such information is collected and that alone, or jointly with others, determines the purposes

9

and means of the processing of consumers' personal information, that does business in the state of

10

Rhode Island, and that satisfies one or more of the following thresholds:

11

     (A) Has annual gross revenues in excess of five million dollars ($5,000,000);

12

     (B) Alone or in combination, annually buys, receives for the business' commercial

13

purposes, sells, or shares for commercial purposes, alone or in combination, the personal

14

information of fifty thousand (50,000) or more consumers, households, or devices; or

15

     (C) Derives fifty percent (50%) or more of its annual revenues from selling consumers'

16

personal information.

17

     (ii) Any entity that controls or is controlled by a business, as defined in this subsection

18

and that shares common branding with the business. "Control" or "controlled" means ownership

19

of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of

20

voting security of a business; control in any manner over the election of a majority of the

21

directors, or of individuals exercising similar functions; or the power to exercise a controlling

22

influence over the management of a company. "Common branding" means a shared name,

23

servicemark, or trademark.

24

     (4) "Business purpose" means the use of personal information for the business' or a

25

service provider's operational purposes, or other notified purposes, provided that the use of

26

personal information shall be reasonably necessary and proportionate to achieve the operational

27

purpose for which the personal information was collected or processed or for another operational

28

purpose that is compatible with the context in which the personal information was collected.

29

Business purposes are:

30

     (i) Auditing related to a current interaction with the consumer and concurrent

31

transactions, including, but not limited to, counting ad impressions to unique visitors, verifying

32

positioning and quality of ad impressions, and auditing compliance with this specification and

33

other standards.

34

     (ii) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or

 

LC000789 - Page 2 of 16

1

illegal activity, and prosecuting those responsible for that activity.

2

     (iii) Debugging to identify and repair errors that impair existing intended functionality.

3

     (iv) Short-term, transient use, provided the personal information that is not disclosed to

4

another third party and is not used to build a profile about a consumer or otherwise alter an

5

individual consumer's experience outside the current interaction, including, but not limited to, the

6

contextual customization of ads shown as part of the same interaction.

7

     (v) Performing services on behalf of the business or service provider, including

8

maintaining or servicing accounts, providing customer service, processing or fulfilling orders and

9

transactions, verifying customer information, processing payments, providing financing,

10

providing advertising or marketing services, providing analytic services, or providing similar

11

services on behalf of the business or service provider.

12

     (vi) Undertaking internal research for technological development and demonstration.

13

     (vii) Undertaking activities to verify or maintain the quality or safety of a service or

14

device that is owned, manufactured, manufactured for, or controlled by the business, and to

15

improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured

16

for, or controlled by the business.

17

     (5) "Collects," "collected," or "collection" means buying, renting, gathering, obtaining,

18

receiving, or accessing any personal information pertaining to a consumer by any means. This

19

includes receiving information from the consumer, either actively or passively, or by observing

20

the consumer's behavior.

21

     (6) "Commercial purposes" means to advance a person's commercial or economic

22

interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or

23

exchange products, goods, property, information, or services, or enabling or effecting, directly or

24

indirectly, a commercial transaction. "Commercial purposes" do not include for the purpose of

25

engaging in speech that state or federal courts have recognized as noncommercial speech,

26

including political speech and journalism.

27

     (7) "Consumer" means a natural person who is a Rhode Island resident.

28

     (8) "Deidentified" means information that cannot reasonably identify, relate to, describe,

29

be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,

30

provided that a business that uses deidentified information:

31

     (i) Has implemented technical safeguards that prohibit reidentification of the consumer to

32

whom the information may pertain.

33

     (ii) Has implemented business processes that specifically prohibit reidentification of the

34

information.

 

LC000789 - Page 3 of 16

1

     (iii) Has implemented business processes to prevent inadvertent release of deidentified

2

information.

3

     (iv) Makes no attempt to reidentify the information.

4

     (9) "Designated methods for submitting requests" means a mailing address, email

5

address, Internet webpage, Internet web portal, toll-free telephone number, or other applicable

6

contact information, whereby consumers may submit a request or direction under this chapter.

7

     (10) "Device" means any physical object that is capable of connecting to the Internet,

8

directly or indirectly, or to another device.

9

     (11) "Health insurance information" means a consumer's insurance policy number or

10

subscriber identification number, any unique identifier used by a health insurer to identify the

11

consumer, or any information in the consumer's application and claims history, including any

12

appeals records, if the information is linked or reasonably linkable to a consumer or household,

13

including via a device, by a business or service provider.

14

     (12) "Homepage" means the introductory page of an Internet website and any Internet

15

webpage where personal information is collected. In the case of an online service, such as a

16

mobile application, "homepage" means the application's platform page or download page, a link

17

within the application, such as from the application configuration, "About," "Information," or

18

settings page, and any other location that allows consumers to review the notice, including, but

19

not limited to, before downloading the application.

20

     (13) "Infer" or "inference" means the derivation of information, data, assumptions, or

21

conclusions from facts, evidence, or another source of information or data.

22

     (14) "Person" means an individual, proprietorship, firm, partnership, joint venture,

23

syndicate, business trust, company, corporation, limited liability company, association,

24

committee, and any other organization or group of persons acting in concert.

25

     (15)(i) "Personal information" means information that identifies, relates to, describes, is

26

capable of being associated with, or could reasonably be linked, directly or indirectly, with a

27

particular consumer or household. Personal information includes, but is not limited to, the

28

following:

29

     (A) Identifiers such as a real name, alias, postal address, unique personal identifier,

30

online identifier Internet Protocol address, email address, account name, social security number,

31

driver's license number, passport number, or other similar identifiers;

32

     (B) Commercial information, including records of personal property, products or services

33

purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

34

     (C) Biometric information;

 

LC000789 - Page 4 of 16

1

     (D) Internet or other electronic network activity information, including, but not limited

2

to, browsing history, search history, and information regarding a consumer's interaction with an

3

Internet website, application, or advertisement;

4

     (E) Geolocation data;

5

     (F) Audio, electronic, visual, thermal, olfactory, or similar information;

6

     (G) Professional or employment-related information;

7

     (H) Education information, defined as information that is not publicly available

8

personally identifiable information;

9

     (I) Inferences drawn from any of the information identified in this subsection to create a

10

profile about a consumer reflecting the consumer's preferences, characteristics, psychological

11

trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes;

12

     (ii) "Personal information" does not include publicly available information. For these

13

purposes, "publicly available" means information that is lawfully made available from federal,

14

state, or local government records, if any conditions associated with such information. "Publicly

15

available" does not mean biometric information collected by a business about a consumer without

16

the consumer's knowledge. Information is not "publicly available" if that data is used for a

17

purpose that is not compatible with the purpose for which the data is maintained and made

18

available in the government records or for which it is publicly maintained. "Publicly available"

19

does not include consumer information that is deidentified or aggregate consumer information.

20

     (16) "Probabilistic identifier" means the identification of a consumer or a device to a

21

degree of certainty of more probable than not based on any categories of personal information

22

included in, or similar to, the categories enumerated in the definition of personal information.

23

     (17) "Processing" means any operation or set of operations that are performed on

24

personal data or on sets of personal data, whether or not by automated means.

25

     (18) "Pseudonymize" or "Pseudonymization" means the processing of personal

26

information in a manner that renders the personal information no longer attributable to a specific

27

consumer without the use of additional information, provided that the additional information is

28

kept separately and is subject to technical and organizational measures to ensure that the personal

29

information is not attributed to an identified or identifiable consumer.

30

     (19) "Research" means scientific, systematic study and observation, including basic

31

research or applied research that is in the public interest and that adheres to all other applicable

32

ethics and privacy laws or studies conducted in the public interest in the area of public health.

33

Research with personal information that may have been collected from a consumer in the course

34

of the consumer's interactions with a business' service or device for other purposes shall be:

 

LC000789 - Page 5 of 16

1

     (i) Compatible with the business purpose for which the personal information was

2

collected;

3

     (ii) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate,

4

such that the information cannot reasonably identify, relate to, describe, be capable of being

5

associated with, or be linked, directly or indirectly, to a particular consumer;

6

     (iii) Made subject to technical safeguards that prohibit reidentification of the consumer to

7

whom the information may pertain;

8

     (iv) Subject to business processes that specifically prohibit reidentification of the

9

information;

10

     (v) Made subject to business processes to prevent inadvertent release of deidentified

11

information;

12

     (vi) Protected from any reidentification attempts;

13

     (vii) Used solely for research purposes that are compatible with the context in which the

14

personal information was collected;

15

     (viii) Not be used for any commercial purpose;

16

     (ix) Subjected by the business conducting the research to additional security controls

17

limit access to the research data to only those individuals in a business as are necessary to carry

18

out the research purpose.

19

     (20)(i) "Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing,

20

disseminating, making available, transferring, or otherwise communicating orally, in writing, or

21

by electronic or other means, a consumer's personal information by the business to another

22

business or a third party for monetary or other valuable consideration;

23

     (ii) For purposes of this chapter, a business does not sell personal information when:

24

     (A) A consumer uses or directs the business to intentionally disclose personal information

25

or uses the business to intentionally interact with a third party, provided the third party does not

26

also sell the personal information, unless that disclosure would be consistent with the provisions

27

of this title. An intentional interaction occurs when the consumer intends to interact with the third

28

party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given

29

piece of content does not constitute a consumer's intent to interact with a third party;

30

     (B) The business uses or shares an identifier for a consumer who has opted out of the sale

31

of the consumer's personal information for the purposes of alerting third parties that the consumer

32

has opted out of the sale of the consumer's personal information;

33

     (C) The business uses or shares with a service provider personal information of a

34

consumer that is necessary to perform a business purpose if both of the following conditions are

 

LC000789 - Page 6 of 16

1

met: services that the service provider performs on the business' behalf, provided that the service

2

provider also does not sell the personal information.

3

     (I) The business has provided notice that information being used or shared in its terms

4

and conditions;

5

     (II) The service provider does not further collect, sell, or use the personal information of

6

the consumer except as necessary to perform the business purpose;

7

     (D) The business transfers to a third party the personal information of a consumer as an

8

asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party

9

assumes control of all or part of the business, provided that information is used consistently with

10

this chapter. If a third party materially alters how it uses or shares the personal information of a

11

consumer in a manner that is materially inconsistent with the promises made at the time of

12

collection, it shall provide prior notice of the new or changed practice to the consumer.

13

     (21) "Service" or "services" means work, labor, and services, including services furnished

14

in connection with the sale or repair of goods.

15

     (22) "Service provider" means a sole proprietorship, partnership, limited liability

16

company, corporation, association, or other legal entity that is organized or operated for the profit

17

or financial benefit of its shareholders or other owners, that processes information on behalf of a

18

business and to which the business discloses a consumer's personal information for a business

19

purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the

20

information from retaining, using, or disclosing the personal information for any purpose other

21

than for the specific purpose of performing the services specified in the contract for the business,

22

or as otherwise permitted by this title, including retaining, using, or disclosing the personal

23

information for a commercial purpose other than providing the services specified in the contract

24

with the business.

25

     (23) "Third party" means a person who is not any of the following:

26

     (i) The business that collects personal information from consumers under this title;

27

     (ii) A person to whom the business discloses a consumer's personal information for a

28

business purpose pursuant to a written contract, provided that the contract:

29

     (A) Prohibits the person receiving the personal information from:

30

     (I) Selling the personal information;

31

     (II) Retaining, using, or disclosing the personal information for any purpose other than

32

for the specific purpose of performing the services specified in the contract, including retaining,

33

using, or disclosing the personal information for a commercial purpose other than providing the

34

services specified in the contract;

 

LC000789 - Page 7 of 16

1

     (III) Retaining, using, or disclosing the information outside of the direct business

2

relationship between the person and the business;

3

     (B) Includes a certification made by the person receiving the personal information that

4

the person understands the restrictions in this chapter and will comply with them.

5

     Any person who violates any of the restrictions set forth in this chapter shall be liable for

6

the violations. A business that discloses personal information to a person in compliance with this

7

chapter shall not be liable under this title if the person receiving the personal information uses it

8

in violation of the restrictions set forth in this chapter; provided that, at the time of disclosing the

9

personal information, the business does not have actual knowledge, or reason to believe, that the

10

person intends to commit such a violation.

11

     (24) "Unique identifier" or "unique personal identifier" means a persistent identifier that

12

can be used to recognize a consumer, a family, or a device that is linked to a consumer or family,

13

over time and across different services, including, but not limited to, a device identifier; an

14

Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar

15

technology; customer number, unique pseudonym, or user alias; telephone numbers, or other

16

forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or

17

device. For purposes of this subsection, "family" means a custodial parent or guardian and any

18

minor children over which the parent or guardian has custody.

19

     (25) "Verifiable consumer request" means a request that is made by a consumer, by a

20

consumer on behalf of the consumer's minor child, or by a natural person that the business can

21

reasonably verify, to be the consumer about whom the business has collected personal

22

information. A business is not obligated to provide information to the consumer if the business

23

cannot verify, that the consumer making the request is the consumer about whom the business has

24

collected information.

25

     6-48.1-3. Businesses that collect information.

26

     (a) A consumer shall have the right to request that a business that collects a consumer's

27

personal information disclose to that consumer the categories and specific pieces of personal

28

information the business has collected.

29

     (b) A business that collects a consumer's personal information shall, at or before the point

30

of collection, inform consumers as to the categories of personal information to be collected and

31

the purposes for which the categories of personal information shall be used. A business shall not

32

collect additional categories of personal information or use personal information collected for

33

additional purposes without providing the consumer with notice consistent with this section.

34

     (c) A business shall provide the information specified in subsection (a) of this section to a

 

LC000789 - Page 8 of 16

1

consumer only upon receipt of a verifiable consumer request.

2

     (d) A business that receives a verifiable consumer request from a consumer to access

3

personal information shall promptly take steps to disclose and deliver, free of charge to the

4

consumer, the personal information required by this section. The information may be delivered by

5

mail or electronically, and if provided electronically, the information shall be in a portable and, to

6

the extent technically feasible, in a readily useable format that allows the consumer to transmit

7

this information to another entity without hindrance. A business may provide personal

8

information to a consumer at any time, but shall not be required to provide personal information

9

to a consumer more than twice in a twelve (12) month period.

10

     (e) This section shall not require a business to retain any personal information collected

11

for a single, one-time transaction, if such information is not sold or retained by the business or to

12

reidentify or otherwise link information that is not maintained in a manner that would be

13

considered personal information.

14

     6-48.1-4. Request to delete information.

15

     (a) A consumer shall have the right to request that a business delete any personal

16

information about the consumer which the business has collected from the consumer.

17

     (b) A business that collects personal information about consumers shall disclose, at or

18

before the point of collection the consumer's rights to request the deletion of the consumer's

19

personal information.

20

     (c) A business that receives a verifiable request from a consumer to delete the consumer's

21

personal information shall delete the consumer's personal information from its records and direct

22

any service providers to delete the consumer's personal information from their records, except as

23

provided in subsection (d) of this section.

24

     (d) A business or a service provider shall not be required to comply with a consumer's

25

request to delete the consumer's personal information if it is necessary for the business or service

26

provider to maintain the consumer's personal information in order to:

27

     (1) Complete the transaction for which the personal information was collected, provide a

28

good or service requested by the consumer, or reasonably anticipated within the context of a

29

business's ongoing business relationship with the consumer, or otherwise perform a contract

30

between the business and the consumer;

31

     (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal

32

activity; or prosecute those responsible for that activity;

33

     (3) Debug to identify and repair errors that impair existing intended functionality;

34

     (4) Exercise free speech, ensure the right of another consumer to exercise his or her right

 

LC000789 - Page 9 of 16

1

of free speech, or exercise another right provided for by law;

2

     (5) Engage in public or peer-reviewed scientific, historical, or statistical research in the

3

public interest that adheres to all other applicable ethics and privacy laws, when the businesses'

4

deletion of the information is likely to render impossible or seriously impair the achievement of

5

such research, if the consumer has provided informed consent;

6

     (6) To enable solely internal uses that are reasonably aligned with the expectations of the

7

consumer based on the consumer's relationship with the business;

8

     (7) Comply with a legal obligation;

9

     (8) Otherwise use the consumer's personal information, internally, in a lawful manner

10

that is compatible with the context in which the consumer provided the information.

11

     6-48.1-5. Information disclosed upon request.

12

     (a) A consumer shall have the right to request that a business that collects, maintains or

13

sells personal information about the consumer disclose to the consumer the following:

14

     (1) The categories of personal information it has collected about that consumer;

15

     (2) The categories of sources from which the personal information is collected;

16

     (3) The business or commercial purpose for collecting or selling personal information;

17

     (4) The categories of third parties with whom the business shares personal information;

18

     (5) The specific pieces of personal information it has collected about that consumer.

19

     (b) A business that collects personal information about a consumer shall disclose to the

20

consumer the information specified in subsection (a) of this section upon receipt of a verifiable

21

request from the consumer.

22

     (c) This section does not require a business to do the following:

23

     (1) Retain any personal information about a consumer collected for a single one-time

24

transaction if, in the ordinary course of business, that information about the consumer is not

25

retained;

26

     (2) Reidentify or otherwise link any data that, in the ordinary course of business, is not

27

maintained in a manner that would be considered personal information.

28

     6-48.1-6. Businesses that sell information.

29

     (a) A consumer shall have the right to request that a business that sells the consumer's

30

personal information, or that discloses it for a business purpose, disclose to that consumer:

31

     (1) The categories of personal information that the business collected about the

32

consumer;

33

     (2) The categories of personal information that the business sold about the consumer and

34

the categories of third parties to whom the personal information was sold, by category or

 

LC000789 - Page 10 of 16

1

categories of personal information for each third party to whom the personal information was

2

sold;

3

     (3) The categories of personal information that the business disclosed about the consumer

4

for a business purpose.

5

     (b) A business that sells personal information about a consumer, or that discloses a

6

consumer's personal information for a business purpose, shall disclose, the information specified

7

in subsection (a) of this section to the consumer upon receipt of a verifiable request from the

8

consumer.

9

     (c) A third party shall not sell personal information about a consumer that has been sold

10

to the third party by a business unless the consumer has received explicit notice and is provided

11

an opportunity to exercise the right to opt out pursuant to this chapter.

12

     6-48.1-7. Opt-out.

13

     (a) A consumer shall have the right, at any time, to direct a business that sells personal

14

information about the consumer to third parties not to sell the consumer's personal information.

15

This right may be referred to as the right to opt out.

16

     (b) A business that sells consumers' personal information to third parties shall provide

17

notice to consumers, that this information may be sold and that consumers have the right to opt

18

out of the sale of their personal information.

19

     (c) A business that has received direction from a consumer not to sell the consumer's

20

personal information or, in the case of a minor consumer's personal information has not received

21

consent to sell the minor consumer's personal information shall be prohibited from selling the

22

consumer's personal information after its receipt of the consumer's direction, unless the consumer

23

subsequently provides express authorization for the sale of the consumer's personal information.

24

     (d) Notwithstanding subsection (a) of this section, a business shall not sell the personal

25

information of consumers if the business has actual knowledge that the consumer is less than

26

sixteen (16) years of age, unless the consumer, in the case of consumers between thirteen (13) and

27

sixteen (16) years of age, or the consumer's parent or guardian, in the case of consumers who are

28

less than thirteen (13) years of age, has affirmatively authorized the sale of the consumer's

29

personal information. A business that willfully disregards the consumer's age shall be deemed to

30

have had actual knowledge of the consumer's age. This right may be referred to as the "right to

31

opt in."

32

     6-48.1-8. Prohibition on discrimination.

33

     (a)(1) A business shall not discriminate against a consumer because the consumer

34

exercised any of the consumer's rights under this chapter, including, but not limited to, by:

 

LC000789 - Page 11 of 16

1

     (i) Denying goods or services to the consumer;

2

     (ii) Charging different prices or rates for goods or services, including through the use of

3

discounts or other benefits or imposing penalties;

4

     (iii) Providing a different level or quality of goods or services to the consumer, if the

5

consumer exercises the consumer's rights under this chapter.

6

     (iv) Suggesting that the consumer will receive a different price or rate for goods or

7

services or a different level or quality of goods or services.

8

     (2) Nothing in this subsection prohibits a business from charging a consumer a different

9

price or rate, or from providing a different level or quality of goods or services to the consumer, if

10

that difference is reasonably related to the value provided to the consumer by the consumer's data.

11

     (b)(1) A business may offer financial incentives, including payments to consumers as

12

compensation, for the collection of personal information, the sale of personal information, or the

13

deletion of personal information. A business may also offer a different price, rate, level, or quality

14

of goods or services to the consumer if that price or difference is directly related to the value

15

provided to the consumer by the consumer's data.

16

     (2) A business that offers any financial incentives pursuant to subsection (a) of this

17

section, shall notify consumers of the financial incentives.

18

     (3) A business may enter a consumer into a financial incentive program only if the

19

consumer gives the business prior opt-in consent which clearly describes the material terms of the

20

financial incentive program, and which may be revoked by the consumer at any time.

21

     (4) A business shall not use financial incentive practices that are unjust, unreasonable,

22

coercive, or usurious in nature.

23

     6-48.1-9. Designated method for submission.

24

     (a) In order to comply with this chapter, in a form that is reasonably accessible to

25

consumers, a business collecting, maintaining or selling consumer personal information shall:

26

     (1) Make available to consumers two (2) or more designated methods for submitting

27

requests for information required to be disclosed pursuant to this chapter, including, at a

28

minimum, a toll-free telephone number, and if the business maintains an Internet website, a

29

website address.

30

     (2) Disclose and deliver the required information to a consumer free of charge within

31

forty-five (45) days of receiving a verifiable request from the consumer. The business shall

32

promptly take steps to determine whether the request is a verifiable request, but this shall not

33

extend the business' duty to disclose and deliver the information within forty-five (45) days of

34

receipt of the consumer's request. The time period to provide the required information may be

 

LC000789 - Page 12 of 16

1

extended once by an additional forty-five (45) days when reasonably necessary, provided the

2

consumer is provided notice of the extension within the first forty-five (45) day period. The

3

disclosure shall cover the twelve (12) month period preceding the business' receipt of the

4

verifiable request and shall be made in writing and delivered through the consumer's account with

5

the business, if the consumer maintains an account with the business, or by mail or electronically

6

at the consumer's option if the consumer does not maintain an account with the business, in a

7

readily useable format that allows the consumer to transmit this information from one entity to

8

another entity without hindrance. The business shall not require the consumer to create an

9

account with the business in order to make a verifiable request.

10

     6-48.1-10. Internet webpage.

11

     A business that is required to comply with this chapter, in a form that is reasonably

12

accessible to consumers:

13

     (1) Provide a clear and conspicuous link on the business' Internet homepage, titled "Do

14

Not Sell My Personal Information," to an Internet webpage that enables a consumer, or a person

15

authorized by the consumer, to opt out of the sale of the consumer's personal information. A

16

business shall not require a consumer to create an account in order to direct the business not to

17

sell the consumer's personal information.

18

     (2) Include a description of a consumer's rights pursuant to this chapter, along with a

19

separate link to the "Do Not Sell My Personal Information" Internet webpage in:

20

     (i) Its online privacy policy or policies if the business has an online privacy policy or

21

policies.

22

     (ii) Any Rhode Island-specific description of consumers' privacy rights.

23

     (3) Ensure that all individuals responsible for handling consumer inquiries about the

24

business' privacy practices or the business' compliance with this chapter are informed of all

25

requirements in this chapter and how to direct consumers to exercise their rights under those

26

sections.

27

     (4) For consumers who exercise their right to opt out of the sale of their personal

28

information, refrain from selling personal information collected by the business about the

29

consumer.

30

     (5) For a consumer who has opted out of the sale of the consumer's personal information,

31

respect the consumer's decision to opt out for at least twelve (12) months before requesting that

32

the consumer authorize the sale of the consumer's personal information.

33

     (6) Use any personal information collected from the consumer in connection with the

34

submission of the consumer's opt-out request solely for the purposes of complying with the opt-

 

LC000789 - Page 13 of 16

1

out request.

2

     6-48.1-11. Enforcement.

3

     (a)(1) Any consumer whose non-encrypted or non-redacted personal information is

4

subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business'

5

violation of the duty to implement and maintain reasonable security procedures and practices

6

appropriate to the nature of the information to protect the personal information may institute a

7

civil action for any of the following:

8

     (i) To recover damages in an amount not less than one hundred dollars ($100), and not

9

more than seven hundred fifty dollars ($750) per consumer, per incident, or the consumer's actual

10

damages, whichever is greater;

11

     (ii) Injunctive or declaratory relief;

12

     (iii) Any other relief the court deems proper.

13

     (2) In assessing the amount of damages under this section, the court shall consider any

14

one or more of the relevant circumstances presented by any of the parties to the case, including,

15

but not limited to:

16

     (i) The nature and seriousness of the misconduct;

17

     (ii) The number of violations;

18

     (iii) The persistence of the misconduct;

19

     (iv) The length of time over which the misconduct occurred;

20

     (v) The willfulness of the defendant's misconduct; and

21

     (vi) The defendant's assets, liabilities, and net worth.

22

     (b) Actions pursuant to this section may be brought by a consumer if, prior to initiating

23

any action against a business for statutory damages on an individual or class-wide basis, unless

24

the consumer shall provide a business thirty (30) days' written notice identifying the specific

25

provisions of this chapter the consumer alleges have been or are being violated. In the event a

26

cure is possible, if within the thirty (30) days the business actually cures the noticed violation and

27

provides the consumer an express written statement that the violations have been cured and that

28

no further violations shall occur, no action for individual damages or class-wide damages may be

29

initiated against the business. No notice shall be required prior to an individual consumer

30

initiating an action solely for actual pecuniary damages suffered as a result of the alleged

31

violations of this chapter. If a business continues to violate this chapter in breach of the express

32

written statement provided to the consumer under this section, the consumer may initiate an

33

action against the business to enforce the written statement and may pursue statutory damages for

34

each breach of the express written statement, as well as any other violation of the chapter that

 

LC000789 - Page 14 of 16

1

postdates the written statement.

2

     (c) Nothing in this chapter shall be interpreted to serve as the basis for a private right of

3

action under any other law. This shall not be construed to relieve any party from any duties or

4

obligations imposed under chapter 49.3 of title 11.

5

     6-48.1-12. Public policy.

6

     Any provision of a contract or agreement of any kind that purports to waive or limit in

7

any way a consumer's rights under this chapter, including, but not limited to, any right to a

8

remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and

9

unenforceable. This section shall not prevent a consumer from declining to request information

10

from a business, declining to opt out of a business' sale of the consumer's personal information, or

11

authorizing a business to sell the consumer's personal information after previously opting out.

12

     SECTION 2. This act shall take effect upon passage.

========

LC000789

========

 

LC000789 - Page 15 of 16

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS --

CONSUMER PRIVACY PROTECTION

***

1

     This act would create the "Consumer Privacy Protection Act." It would require

2

businesses that collect, maintain or sell personal information to notify consumers and would

3

disclose the information and the businesses' use of the information. The act would also provide

4

that consumers may opt out and have personal information deleted.

5

     This act would take effect upon passage.

========

LC000789

========

 

LC000789 - Page 16 of 16