2019 -- S 0234
========
LC000789
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2019
____________
AN ACT
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS --
CONSUMER PRIVACY PROTECTION

Introduced By: Senators Conley, DiPalma, Lawson, Satchell, and Cano
Date Introduced: January 31, 2019
Referred To: Senate Judiciary
It is enacted by the General Assembly as follows:
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 48.1 |
4 | CONSUMER PRIVACY PROTECTION ACT |
5 | 6-48.1-1. Short title. |
6 | This chapter shall be known and may be cited as the "Consumer Privacy Protection Act." |
7 | 6-48.1-2. Definitions. |
8 | As used in this chapter, unless the context requires otherwise: |
9 | (1) "Aggregate consumer information" means information that relates to a group or |
10 | category of consumers, from which individual consumer identities have been removed, that is not |
11 | linked or reasonably linkable to any consumer or household, including via a device. "Aggregate |
12 | consumer information" does not mean one or more individual consumer records that have been |
13 | deidentified. |
14 | (2) "Biometric information" means an individual's physiological, biological or behavioral |
15 | characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or |
16 | in combination with each other or with other identifying data, to establish individual identity. |
17 | Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, |
18 | hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a |
1 | faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or |
2 | rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying |
3 | information. |
4 | (3) "Business" means: |
5 | (i) A sole proprietorship, partnership, limited liability company, corporation, association, |
6 | or other legal entity that is organized or operated for the profit or financial benefit of its |
7 | shareholders or other owners, that collects consumers' personal information, or on the behalf of |
8 | which such information is collected and that alone, or jointly with others, determines the purposes |
9 | and means of the processing of consumers' personal information, that does business in the state of |
10 | Rhode Island, and that satisfies one or more of the following thresholds: |
11 | (A) Has annual gross revenues in excess of five million dollars ($5,000,000); |
12 | (B) Alone or in combination, annually buys, receives for the business' commercial |
13 | purposes, sells, or shares for commercial purposes, alone or in combination, the personal |
14 | information of fifty thousand (50,000) or more consumers, households, or devices; or |
15 | (C) Derives fifty percent (50%) or more of its annual revenues from selling consumers' |
16 | personal information. |
17 | (ii) Any entity that controls or is controlled by a business, as defined in this subsection |
18 | and that shares common branding with the business. "Control" or "controlled" means ownership |
19 | of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of |
20 | voting security of a business; control in any manner over the election of a majority of the |
21 | directors, or of individuals exercising similar functions; or the power to exercise a controlling |
22 | influence over the management of a company. "Common branding" means a shared name, |
23 | servicemark, or trademark. |
24 | (4) "Business purpose" means the use of personal information for the business' or a |
25 | service provider's operational purposes, or other notified purposes, provided that the use of |
26 | personal information shall be reasonably necessary and proportionate to achieve the operational |
27 | purpose for which the personal information was collected or processed or for another operational |
28 | purpose that is compatible with the context in which the personal information was collected. |
29 | Business purposes are: |
30 | (i) Auditing related to a current interaction with the consumer and concurrent |
31 | transactions, including, but not limited to, counting ad impressions to unique visitors, verifying |
32 | positioning and quality of ad impressions, and auditing compliance with this specification and |
33 | other standards. |
34 | (ii) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or |
1 | illegal activity, and prosecuting those responsible for that activity. |
2 | (iii) Debugging to identify and repair errors that impair existing intended functionality. |
3 | (iv) Short-term, transient use, provided the personal information that is not disclosed to |
4 | another third party and is not used to build a profile about a consumer or otherwise alter an |
5 | individual consumer's experience outside the current interaction, including, but not limited to, the |
6 | contextual customization of ads shown as part of the same interaction. |
7 | (v) Performing services on behalf of the business or service provider, including |
8 | maintaining or servicing accounts, providing customer service, processing or fulfilling orders and |
9 | transactions, verifying customer information, processing payments, providing financing, |
10 | providing advertising or marketing services, providing analytic services, or providing similar |
11 | services on behalf of the business or service provider. |
12 | (vi) Undertaking internal research for technological development and demonstration. |
13 | (vii) Undertaking activities to verify or maintain the quality or safety of a service or |
14 | device that is owned, manufactured, manufactured for, or controlled by the business, and to |
15 | improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured |
16 | for, or controlled by the business. |
17 | (5) "Collects," "collected," or "collection" means buying, renting, gathering, obtaining, |
18 | receiving, or accessing any personal information pertaining to a consumer by any means. This |
19 | includes receiving information from the consumer, either actively or passively, or by observing |
20 | the consumer's behavior. |
21 | (6) "Commercial purposes" means to advance a person's commercial or economic |
22 | interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or |
23 | exchange products, goods, property, information, or services, or enabling or effecting, directly or |
24 | indirectly, a commercial transaction. "Commercial purposes" do not include for the purpose of |
25 | engaging in speech that state or federal courts have recognized as noncommercial speech, |
26 | including political speech and journalism. |
27 | (7) "Consumer" means a natural person who is a Rhode Island resident. |
28 | (8) "Deidentified" means information that cannot reasonably identify, relate to, describe, |
29 | be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, |
30 | provided that a business that uses deidentified information: |
31 | (i) Has implemented technical safeguards that prohibit reidentification of the consumer to |
32 | whom the information may pertain. |
33 | (ii) Has implemented business processes that specifically prohibit reidentification of the |
34 | information. |
1 | (iii) Has implemented business processes to prevent inadvertent release of deidentified |
2 | information. |
3 | (iv) Makes no attempt to reidentify the information. |
4 | (9) "Designated methods for submitting requests" means a mailing address, email |
5 | address, Internet webpage, Internet web portal, toll-free telephone number, or other applicable |
6 | contact information, whereby consumers may submit a request or direction under this chapter. |
7 | (10) "Device" means any physical object that is capable of connecting to the Internet, |
8 | directly or indirectly, or to another device. |
9 | (11) "Health insurance information" means a consumer's insurance policy number or |
10 | subscriber identification number, any unique identifier used by a health insurer to identify the |
11 | consumer, or any information in the consumer's application and claims history, including any |
12 | appeals records, if the information is linked or reasonably linkable to a consumer or household, |
13 | including via a device, by a business or service provider. |
14 | (12) "Homepage" means the introductory page of an Internet website and any Internet |
15 | webpage where personal information is collected. In the case of an online service, such as a |
16 | mobile application, "homepage" means the application's platform page or download page, a link |
17 | within the application, such as from the application configuration, "About," "Information," or |
18 | settings page, and any other location that allows consumers to review the notice, including, but |
19 | not limited to, before downloading the application. |
20 | (13) "Infer" or "inference" means the derivation of information, data, assumptions, or |
21 | conclusions from facts, evidence, or another source of information or data. |
22 | (14) "Person" means an individual, proprietorship, firm, partnership, joint venture, |
23 | syndicate, business trust, company, corporation, limited liability company, association, |
24 | committee, and any other organization or group of persons acting in concert. |
25 | (15)(i) "Personal information" means information that identifies, relates to, describes, is |
26 | capable of being associated with, or could reasonably be linked, directly or indirectly, with a |
27 | particular consumer or household. Personal information includes, but is not limited to, the |
28 | following: |
29 | (A) Identifiers such as a real name, alias, postal address, unique personal identifier, |
30 | online identifier Internet Protocol address, email address, account name, social security number, |
31 | driver's license number, passport number, or other similar identifiers; |
32 | (B) Commercial information, including records of personal property, products or services |
33 | purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; |
34 | (C) Biometric information; |
1 | (D) Internet or other electronic network activity information, including, but not limited |
2 | to, browsing history, search history, and information regarding a consumer's interaction with an |
3 | Internet website, application, or advertisement; |
4 | (E) Geolocation data; |
5 | (F) Audio, electronic, visual, thermal, olfactory, or similar information; |
6 | (G) Professional or employment-related information; |
7 | (H) Education information, defined as information that is not publicly available |
8 | personally identifiable information; |
9 | (I) Inferences drawn from any of the information identified in this subsection to create a |
10 | profile about a consumer reflecting the consumer's preferences, characteristics, psychological |
11 | trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; |
12 | (ii) "Personal information" does not include publicly available information. For these |
13 | purposes, "publicly available" means information that is lawfully made available from federal, |
14 | state, or local government records, if any conditions associated with such information. "Publicly |
15 | available" does not mean biometric information collected by a business about a consumer without |
16 | the consumer's knowledge. Information is not "publicly available" if that data is used for a |
17 | purpose that is not compatible with the purpose for which the data is maintained and made |
18 | available in the government records or for which it is publicly maintained. "Publicly available" |
19 | does not include consumer information that is deidentified or aggregate consumer information. |
20 | (16) "Probabilistic identifier" means the identification of a consumer or a device to a |
21 | degree of certainty of more probable than not based on any categories of personal information |
22 | included in, or similar to, the categories enumerated in the definition of personal information. |
23 | (17) "Processing" means any operation or set of operations that are performed on |
24 | personal data or on sets of personal data, whether or not by automated means. |
25 | (18) "Pseudonymize" or "Pseudonymization" means the processing of personal |
26 | information in a manner that renders the personal information no longer attributable to a specific |
27 | consumer without the use of additional information, provided that the additional information is |
28 | kept separately and is subject to technical and organizational measures to ensure that the personal |
29 | information is not attributed to an identified or identifiable consumer. |
30 | (19) "Research" means scientific, systematic study and observation, including basic |
31 | research or applied research that is in the public interest and that adheres to all other applicable |
32 | ethics and privacy laws or studies conducted in the public interest in the area of public health. |
33 | Research with personal information that may have been collected from a consumer in the course |
34 | of the consumer's interactions with a business' service or device for other purposes shall be: |
1 | (i) Compatible with the business purpose for which the personal information was |
2 | collected; |
3 | (ii) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, |
4 | such that the information cannot reasonably identify, relate to, describe, be capable of being |
5 | associated with, or be linked, directly or indirectly, to a particular consumer; |
6 | (iii) Made subject to technical safeguards that prohibit reidentification of the consumer to |
7 | whom the information may pertain; |
8 | (iv) Subject to business processes that specifically prohibit reidentification of the |
9 | information; |
10 | (v) Made subject to business processes to prevent inadvertent release of deidentified |
11 | information; |
12 | (vi) Protected from any reidentification attempts; |
13 | (vii) Used solely for research purposes that are compatible with the context in which the |
14 | personal information was collected; |
15 | (viii) Not be used for any commercial purpose; |
16 | (ix) Subjected by the business conducting the research to additional security controls |
17 | limit access to the research data to only those individuals in a business as are necessary to carry |
18 | out the research purpose. |
19 | (20)(i) "Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, |
20 | disseminating, making available, transferring, or otherwise communicating orally, in writing, or |
21 | by electronic or other means, a consumer's personal information by the business to another |
22 | business or a third party for monetary or other valuable consideration; |
23 | (ii) For purposes of this chapter, a business does not sell personal information when: |
24 | (A) A consumer uses or directs the business to intentionally disclose personal information |
25 | or uses the business to intentionally interact with a third party, provided the third party does not |
26 | also sell the personal information, unless that disclosure would be consistent with the provisions |
27 | of this title. An intentional interaction occurs when the consumer intends to interact with the third |
28 | party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given |
29 | piece of content does not constitute a consumer's intent to interact with a third party; |
30 | (B) The business uses or shares an identifier for a consumer who has opted out of the sale |
31 | of the consumer's personal information for the purposes of alerting third parties that the consumer |
32 | has opted out of the sale of the consumer's personal information; |
33 | (C) The business uses or shares with a service provider personal information of a |
34 | consumer that is necessary to perform a business purpose if both of the following conditions are |
1 | met: services that the service provider performs on the business' behalf, provided that the service |
2 | provider also does not sell the personal information. |
3 | (I) The business has provided notice that information being used or shared in its terms |
4 | and conditions; |
5 | (II) The service provider does not further collect, sell, or use the personal information of |
6 | the consumer except as necessary to perform the business purpose; |
7 | (D) The business transfers to a third party the personal information of a consumer as an |
8 | asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party |
9 | assumes control of all or part of the business, provided that information is used consistently with |
10 | this chapter. If a third party materially alters how it uses or shares the personal information of a |
11 | consumer in a manner that is materially inconsistent with the promises made at the time of |
12 | collection, it shall provide prior notice of the new or changed practice to the consumer. |
13 | (21) "Service" or "services" means work, labor, and services, including services furnished |
14 | in connection with the sale or repair of goods. |
15 | (22) "Service provider" means a sole proprietorship, partnership, limited liability |
16 | company, corporation, association, or other legal entity that is organized or operated for the profit |
17 | or financial benefit of its shareholders or other owners, that processes information on behalf of a |
18 | business and to which the business discloses a consumer's personal information for a business |
19 | purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the |
20 | information from retaining, using, or disclosing the personal information for any purpose other |
21 | than for the specific purpose of performing the services specified in the contract for the business, |
22 | or as otherwise permitted by this title, including retaining, using, or disclosing the personal |
23 | information for a commercial purpose other than providing the services specified in the contract |
24 | with the business. |
25 | (23) "Third party" means a person who is not any of the following: |
26 | (i) The business that collects personal information from consumers under this title; |
27 | (ii) A person to whom the business discloses a consumer's personal information for a |
28 | business purpose pursuant to a written contract, provided that the contract: |
29 | (A) Prohibits the person receiving the personal information from: |
30 | (I) Selling the personal information; |
31 | (II) Retaining, using, or disclosing the personal information for any purpose other than |
32 | for the specific purpose of performing the services specified in the contract, including retaining, |
33 | using, or disclosing the personal information for a commercial purpose other than providing the |
34 | services specified in the contract; |
1 | (III) Retaining, using, or disclosing the information outside of the direct business |
2 | relationship between the person and the business; |
3 | (B) Includes a certification made by the person receiving the personal information that |
4 | the person understands the restrictions in this chapter and will comply with them. |
5 | Any person who violates any of the restrictions set forth in this chapter shall be liable for |
6 | the violations. A business that discloses personal information to a person in compliance with this |
7 | chapter shall not be liable under this title if the person receiving the personal information uses it |
8 | in violation of the restrictions set forth in this chapter; provided that, at the time of disclosing the |
9 | personal information, the business does not have actual knowledge, or reason to believe, that the |
10 | person intends to commit such a violation. |
11 | (24) "Unique identifier" or "unique personal identifier" means a persistent identifier that |
12 | can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, |
13 | over time and across different services, including, but not limited to, a device identifier; an |
14 | Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar |
15 | technology; customer number, unique pseudonym, or user alias; telephone numbers, or other |
16 | forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or |
17 | device. For purposes of this subsection, "family" means a custodial parent or guardian and any |
18 | minor children over which the parent or guardian has custody. |
19 | (25) "Verifiable consumer request" means a request that is made by a consumer, by a |
20 | consumer on behalf of the consumer's minor child, or by a natural person that the business can |
21 | reasonably verify, to be the consumer about whom the business has collected personal |
22 | information. A business is not obligated to provide information to the consumer if the business |
23 | cannot verify, that the consumer making the request is the consumer about whom the business has |
24 | collected information. |
25 | 6-48.1-3. Businesses that collect information. |
26 | (a) A consumer shall have the right to request that a business that collects a consumer's |
27 | personal information disclose to that consumer the categories and specific pieces of personal |
28 | information the business has collected. |
29 | (b) A business that collects a consumer's personal information shall, at or before the point |
30 | of collection, inform consumers as to the categories of personal information to be collected and |
31 | the purposes for which the categories of personal information shall be used. A business shall not |
32 | collect additional categories of personal information or use personal information collected for |
33 | additional purposes without providing the consumer with notice consistent with this section. |
34 | (c) A business shall provide the information specified in subsection (a) of this section to a |
1 | consumer only upon receipt of a verifiable consumer request. |
2 | (d) A business that receives a verifiable consumer request from a consumer to access |
3 | personal information shall promptly take steps to disclose and deliver, free of charge to the |
4 | consumer, the personal information required by this section. The information may be delivered by |
5 | mail or electronically, and if provided electronically, the information shall be in a portable and, to |
6 | the extent technically feasible, in a readily useable format that allows the consumer to transmit |
7 | this information to another entity without hindrance. A business may provide personal |
8 | information to a consumer at any time, but shall not be required to provide personal information |
9 | to a consumer more than twice in a twelve (12) month period. |
10 | (e) This section shall not require a business to retain any personal information collected |
11 | for a single, one-time transaction, if such information is not sold or retained by the business or to |
12 | reidentify or otherwise link information that is not maintained in a manner that would be |
13 | considered personal information. |
14 | 6-48.1-4. Request to delete information. |
15 | (a) A consumer shall have the right to request that a business delete any personal |
16 | information about the consumer which the business has collected from the consumer. |
17 | (b) A business that collects personal information about consumers shall disclose, at or |
18 | before the point of collection the consumer's rights to request the deletion of the consumer's |
19 | personal information. |
20 | (c) A business that receives a verifiable request from a consumer to delete the consumer's |
21 | personal information shall delete the consumer's personal information from its records and direct |
22 | any service providers to delete the consumer's personal information from their records, except as |
23 | provided in subsection (d) of this section. |
24 | (d) A business or a service provider shall not be required to comply with a consumer's |
25 | request to delete the consumer's personal information if it is necessary for the business or service |
26 | provider to maintain the consumer's personal information in order to: |
27 | (1) Complete the transaction for which the personal information was collected, provide a |
28 | good or service requested by the consumer, or reasonably anticipated within the context of a |
29 | business's ongoing business relationship with the consumer, or otherwise perform a contract |
30 | between the business and the consumer; |
31 | (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal |
32 | activity; or prosecute those responsible for that activity; |
33 | (3) Debug to identify and repair errors that impair existing intended functionality; |
34 | (4) Exercise free speech, ensure the right of another consumer to exercise his or her right |
1 | of free speech, or exercise another right provided for by law; |
2 | (5) Engage in public or peer-reviewed scientific, historical, or statistical research in the |
3 | public interest that adheres to all other applicable ethics and privacy laws, when the businesses' |
4 | deletion of the information is likely to render impossible or seriously impair the achievement of |
5 | such research, if the consumer has provided informed consent; |
6 | (6) To enable solely internal uses that are reasonably aligned with the expectations of the |
7 | consumer based on the consumer's relationship with the business; |
8 | (7) Comply with a legal obligation; |
9 | (8) Otherwise use the consumer's personal information, internally, in a lawful manner |
10 | that is compatible with the context in which the consumer provided the information. |
11 | 6-48.1-5. Information disclosed upon request. |
12 | (a) A consumer shall have the right to request that a business that collects, maintains or |
13 | sells personal information about the consumer disclose to the consumer the following: |
14 | (1) The categories of personal information it has collected about that consumer; |
15 | (2) The categories of sources from which the personal information is collected; |
16 | (3) The business or commercial purpose for collecting or selling personal information; |
17 | (4) The categories of third parties with whom the business shares personal information; |
18 | (5) The specific pieces of personal information it has collected about that consumer. |
19 | (b) A business that collects personal information about a consumer shall disclose to the |
20 | consumer the information specified in subsection (a) of this section upon receipt of a verifiable |
21 | request from the consumer. |
22 | (c) This section does not require a business to do the following: |
23 | (1) Retain any personal information about a consumer collected for a single one-time |
24 | transaction if, in the ordinary course of business, that information about the consumer is not |
25 | retained; |
26 | (2) Reidentify or otherwise link any data that, in the ordinary course of business, is not |
27 | maintained in a manner that would be considered personal information. |
28 | 6-48.1-6. Businesses that sell information. |
29 | (a) A consumer shall have the right to request that a business that sells the consumer's |
30 | personal information, or that discloses it for a business purpose, disclose to that consumer: |
31 | (1) The categories of personal information that the business collected about the |
32 | consumer; |
33 | (2) The categories of personal information that the business sold about the consumer and |
34 | the categories of third parties to whom the personal information was sold, by category or |
1 | categories of personal information for each third party to whom the personal information was |
2 | sold; |
3 | (3) The categories of personal information that the business disclosed about the consumer |
4 | for a business purpose. |
5 | (b) A business that sells personal information about a consumer, or that discloses a |
6 | consumer's personal information for a business purpose, shall disclose, the information specified |
7 | in subsection (a) of this section to the consumer upon receipt of a verifiable request from the |
8 | consumer. |
9 | (c) A third party shall not sell personal information about a consumer that has been sold |
10 | to the third party by a business unless the consumer has received explicit notice and is provided |
11 | an opportunity to exercise the right to opt out pursuant to this chapter. |
12 | 6-48.1-7. Opt-out. |
13 | (a) A consumer shall have the right, at any time, to direct a business that sells personal |
14 | information about the consumer to third parties not to sell the consumer's personal information. |
15 | This right may be referred to as the right to opt out. |
16 | (b) A business that sells consumers' personal information to third parties shall provide |
17 | notice to consumers, that this information may be sold and that consumers have the right to opt |
18 | out of the sale of their personal information. |
19 | (c) A business that has received direction from a consumer not to sell the consumer's |
20 | personal information or, in the case of a minor consumer's personal information has not received |
21 | consent to sell the minor consumer's personal information shall be prohibited from selling the |
22 | consumer's personal information after its receipt of the consumer's direction, unless the consumer |
23 | subsequently provides express authorization for the sale of the consumer's personal information. |
24 | (d) Notwithstanding subsection (a) of this section, a business shall not sell the personal |
25 | information of consumers if the business has actual knowledge that the consumer is less than |
26 | sixteen (16) years of age, unless the consumer, in the case of consumers between thirteen (13) and |
27 | sixteen (16) years of age, or the consumer's parent or guardian, in the case of consumers who are |
28 | less than thirteen (13) years of age, has affirmatively authorized the sale of the consumer's |
29 | personal information. A business that willfully disregards the consumer's age shall be deemed to |
30 | have had actual knowledge of the consumer's age. This right may be referred to as the "right to |
31 | opt in." |
32 | 6-48.1-8. Prohibition on discrimination. |
33 | (a)(1) A business shall not discriminate against a consumer because the consumer |
34 | exercised any of the consumer's rights under this chapter, including, but not limited to, by: |
1 | (i) Denying goods or services to the consumer; |
2 | (ii) Charging different prices or rates for goods or services, including through the use of |
3 | discounts or other benefits or imposing penalties; |
4 | (iii) Providing a different level or quality of goods or services to the consumer, if the |
5 | consumer exercises the consumer's rights under this chapter. |
6 | (iv) Suggesting that the consumer will receive a different price or rate for goods or |
7 | services or a different level or quality of goods or services. |
8 | (2) Nothing in this subsection prohibits a business from charging a consumer a different |
9 | price or rate, or from providing a different level or quality of goods or services to the consumer, if |
10 | that difference is reasonably related to the value provided to the consumer by the consumer's data. |
11 | (b)(1) A business may offer financial incentives, including payments to consumers as |
12 | compensation, for the collection of personal information, the sale of personal information, or the |
13 | deletion of personal information. A business may also offer a different price, rate, level, or quality |
14 | of goods or services to the consumer if that price or difference is directly related to the value |
15 | provided to the consumer by the consumer's data. |
16 | (2) A business that offers any financial incentives pursuant to subsection (a) of this |
17 | section, shall notify consumers of the financial incentives. |
18 | (3) A business may enter a consumer into a financial incentive program only if the |
19 | consumer gives the business prior opt-in consent which clearly describes the material terms of the |
20 | financial incentive program, and which may be revoked by the consumer at any time. |
21 | (4) A business shall not use financial incentive practices that are unjust, unreasonable, |
22 | coercive, or usurious in nature. |
23 | 6-48.1-9. Designated method for submission. |
24 | (a) In order to comply with this chapter, in a form that is reasonably accessible to |
25 | consumers, a business collecting, maintaining or selling consumer personal information shall: |
26 | (1) Make available to consumers two (2) or more designated methods for submitting |
27 | requests for information required to be disclosed pursuant to this chapter, including, at a |
28 | minimum, a toll-free telephone number, and if the business maintains an Internet website, a |
29 | website address. |
30 | (2) Disclose and deliver the required information to a consumer free of charge within |
31 | forty-five (45) days of receiving a verifiable request from the consumer. The business shall |
32 | promptly take steps to determine whether the request is a verifiable request, but this shall not |
33 | extend the business' duty to disclose and deliver the information within forty-five (45) days of |
34 | receipt of the consumer's request. The time period to provide the required information may be |
1 | extended once by an additional forty-five (45) days when reasonably necessary, provided the |
2 | consumer is provided notice of the extension within the first forty-five (45) day period. The |
3 | disclosure shall cover the twelve (12) month period preceding the business' receipt of the |
4 | verifiable request and shall be made in writing and delivered through the consumer's account with |
5 | the business, if the consumer maintains an account with the business, or by mail or electronically |
6 | at the consumer's option if the consumer does not maintain an account with the business, in a |
7 | readily useable format that allows the consumer to transmit this information from one entity to |
8 | another entity without hindrance. The business shall not require the consumer to create an |
9 | account with the business in order to make a verifiable request. |
10 | 6-48.1-10. Internet webpage. |
11 | A business that is required to comply with this chapter, in a form that is reasonably |
12 | accessible to consumers: |
13 | (1) Provide a clear and conspicuous link on the business' Internet homepage, titled "Do |
14 | Not Sell My Personal Information," to an Internet webpage that enables a consumer, or a person |
15 | authorized by the consumer, to opt out of the sale of the consumer's personal information. A |
16 | business shall not require a consumer to create an account in order to direct the business not to |
17 | sell the consumer's personal information. |
18 | (2) Include a description of a consumer's rights pursuant to this chapter, along with a |
19 | separate link to the "Do Not Sell My Personal Information" Internet webpage in: |
20 | (i) Its online privacy policy or policies if the business has an online privacy policy or |
21 | policies. |
22 | (ii) Any Rhode Island-specific description of consumers' privacy rights. |
23 | (3) Ensure that all individuals responsible for handling consumer inquiries about the |
24 | business' privacy practices or the business' compliance with this chapter are informed of all |
25 | requirements in this chapter and how to direct consumers to exercise their rights under those |
26 | sections. |
27 | (4) For consumers who exercise their right to opt out of the sale of their personal |
28 | information, refrain from selling personal information collected by the business about the |
29 | consumer. |
30 | (5) For a consumer who has opted out of the sale of the consumer's personal information, |
31 | respect the consumer's decision to opt out for at least twelve (12) months before requesting that |
32 | the consumer authorize the sale of the consumer's personal information. |
33 | (6) Use any personal information collected from the consumer in connection with the |
34 | submission of the consumer's opt-out request solely for the purposes of complying with the opt- |
1 | out request. |
2 | 6-48.1-11. Enforcement. |
3 | (a)(1) Any consumer whose non-encrypted or non-redacted personal information is |
4 | subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' |
5 | violation of the duty to implement and maintain reasonable security procedures and practices |
6 | appropriate to the nature of the information to protect the personal information may institute a |
7 | civil action for any of the following: |
8 | (i) To recover damages in an amount not less than one hundred dollars ($100), and not |
9 | more than seven hundred fifty dollars ($750) per consumer, per incident, or the consumer's actual |
10 | damages, whichever is greater; |
11 | (ii) Injunctive or declaratory relief; |
12 | (iii) Any other relief the court deems proper. |
13 | (2) In assessing the amount of damages under this section, the court shall consider any |
14 | one or more of the relevant circumstances presented by any of the parties to the case, including, |
15 | but not limited to: |
16 | (i) The nature and seriousness of the misconduct; |
17 | (ii) The number of violations; |
18 | (iii) The persistence of the misconduct; |
19 | (iv) The length of time over which the misconduct occurred; |
20 | (v) The willfulness of the defendant's misconduct; and |
21 | (vi) The defendant's assets, liabilities, and net worth. |
22 | (b) Actions pursuant to this section may be brought by a consumer if, prior to initiating |
23 | any action against a business for statutory damages on an individual or class-wide basis, unless |
24 | the consumer shall provide a business thirty (30) days' written notice identifying the specific |
25 | provisions of this chapter the consumer alleges have been or are being violated. In the event a |
26 | cure is possible, if within the thirty (30) days the business actually cures the noticed violation and |
27 | provides the consumer an express written statement that the violations have been cured and that |
28 | no further violations shall occur, no action for individual damages or class-wide damages may be |
29 | initiated against the business. No notice shall be required prior to an individual consumer |
30 | initiating an action solely for actual pecuniary damages suffered as a result of the alleged |
31 | violations of this chapter. If a business continues to violate this chapter in breach of the express |
32 | written statement provided to the consumer under this section, the consumer may initiate an |
33 | action against the business to enforce the written statement and may pursue statutory damages for |
34 | each breach of the express written statement, as well as any other violation of the chapter that |
1 | postdates the written statement. |
2 | (c) Nothing in this chapter shall be interpreted to serve as the basis for a private right of |
3 | action under any other law. This shall not be construed to relieve any party from any duties or |
4 | obligations imposed under chapter 49.3 of title 11. |
5 | 6-48.1-12. Public policy. |
6 | Any provision of a contract or agreement of any kind that purports to waive or limit in |
7 | any way a consumer's rights under this chapter, including, but not limited to, any right to a |
8 | remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and |
9 | unenforceable. This section shall not prevent a consumer from declining to request information |
10 | from a business, declining to opt out of a business' sale of the consumer's personal information, or |
11 | authorizing a business to sell the consumer's personal information after previously opting out. |
12 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC000789 | |
======== | |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- | |
CONSUMER PRIVACY PROTECTION | |
*** | |
1 | This act would create the "Consumer Privacy Protection Act." It would require |
2 | businesses that collect, maintain or sell personal information to notify consumers and would |
3 | disclose the information and the businesses' use of the information. The act would also provide |
4 | that consumers may opt out and have personal information deleted. |
5 | This act would take effect upon passage. |
======== | |
LC000789 | |
======== | |