2022 -- H 7400 | |
======== | |
LC003955 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2022 | |
____________ | |
A N A C T | |
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- | |
RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT | |
| |
Introduced By: Representatives Shanley, Carson, Edwards, Ruggiero, Cortvriend, and | |
Date Introduced: February 09, 2022 | |
Referred To: House Innovation, Internet, & Technology | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 48.1 |
4 | RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT |
5 | 6-48.1-1. Short title. |
6 | This chapter shall be known and may be cited as the "Rhode Island Data Transparency and |
7 | Privacy Protection Act." |
8 | 6-48.1-2. Legislative findings. |
9 | The general assembly hereby finds and declares that: |
10 | (1) The right to privacy is a personal and fundamental right protected by the United States |
11 | Constitution. As such, all individuals have a right to privacy in information pertaining to them. This |
12 | state recognizes the importance of providing consumers with transparency about how their |
13 | personally identifiable information, especially information relating to their children, is shared by |
14 | businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their |
15 | families from cyber-crimes and identity thieves. |
16 | (2) Furthermore, for free market forces to have a role in shaping the privacy practices and |
17 | for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed |
18 | that a business might share personally identifiable information with third parties (as that term is |
| |
1 | hereinafter defined). Consumers must be better informed about what kinds of personally |
2 | identifiable information is shared with other businesses. With these specifics, consumers can |
3 | knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose (as that term is |
4 | hereinafter defined) personally identifiable information to third parties on the basis of how |
5 | protective the business is of consumers' privacy. |
6 | (3) Businesses are now collecting personally identifiable information and disclosing it in |
7 | ways not contemplated or properly covered by the current law. Some websites are installing |
8 | tracking tools that record when consumers visit webpages, and sending personally identifiable |
9 | information, such as age, gender, race, income, health concerns, religion, and recent purchases to |
10 | third-party marketers and data brokers. Third-party data broker companies are buying and |
11 | disclosing personally identifiable information obtained from mobile phones, financial institutions, |
12 | social media sites, and other online and brick and mortar companies. Some mobile applications are |
13 | sharing personally identifiable information, such as location information, unique phone |
14 | identification numbers, age, gender, and other personal details with third-party companies. |
15 | (4) As such, consumers need to know the ways that their personally identifiable |
16 | information is being collected by companies and then shared or sold to third parties in order to |
17 | properly protect their privacy, personal safety, and financial security. |
18 | 6-48.1-3. Definitions. |
19 | As used in this chapter: |
20 | (1) "Affiliate" means any entity that, directly or indirectly, controls, is controlled by, or is |
21 | under common control with, the entity that has disclosed personally identifiable information to it. |
22 | (2) "Customer" means an individual residing in this state who provides, either knowingly |
23 | or unknowingly, personally identifiable information to any entity, with or without an exchange of |
24 | consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using |
25 | real or personal property, or any interest therein, or obtaining a product or service, including |
26 | advertising or any other content. |
27 | (3) "Disclose" means to sell, release, transfer, share, disseminate, make available, or |
28 | otherwise communicate orally, in writing, or by electronic means or any other means to any |
29 | individual or third party in exchange for anything of value. "Disclose" does not include the |
30 | following: |
31 | (i) Disclosure to an affiliate, provided that the affiliate does not disclose the personally |
32 | identifiable information to any third party; |
33 | (ii) Disclosure of personally identifiable information by any entity to a third party under a |
34 | written contract authorizing the third party to utilize the personally identifiable information to |
| LC003955 - Page 2 of 6 |
1 | perform services on behalf of such entity, including maintaining or servicing accounts, providing |
2 | customer service, processing or fulfilling orders and transactions, verifying customer information, |
3 | processing payments, providing financing, or similar services, but only if: |
4 | (A) The contract prohibits the third party from using the personally identifiable information |
5 | for any reason other than performing the specified service or services on behalf of such entity and |
6 | from disclosing any such personally identifiable information to additional third parties; and |
7 | (B) The entity effectively enforces these prohibitions; |
8 | (iii) Disclosure of personally identifiable information by a business to a third party based |
9 | on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal |
10 | process, or court order; or |
11 | (iv) Disclosure of personally identifiable information by any entity to a third party that is |
12 | reasonably necessary to address fraud, security, or technical issues; to protect the disclosing entity's |
13 | rights or property; or to protect customers or the public from illegal activities as required or |
14 | permitted by law. |
15 | (4) "Operator" means any person or entity that owns a website located on the Internet or an |
16 | online service that collects and maintains personally identifiable information from a customer |
17 | residing in this state who uses or visits the website or online service if the website or online service |
18 | is operated for commercial purposes. It does not include any third party that operates, hosts, or |
19 | manages, but does not own, a website or online service on the owner's behalf or by processing |
20 | information on behalf of the owner. "Operator" does not include businesses having ten (10) or fewer |
21 | employees, or any third party that operates, hosts, or manages, but does not own, a website or online |
22 | service on the owner’s behalf or by processing information on behalf of the owner. |
23 | (5) "Personally identifiable information" or "personal information" means an individual's |
24 | first name or first initial and last name in combination with any one or more of the following data |
25 | elements, when the name and the data elements are not either encrypted or utilizing a protocol that |
26 | provides a higher degree of security or are in hard copy, paper format: |
27 | (i) Social security number; |
28 | (ii) Driver's license number, passport number, Rhode Island identification card number, or |
29 | tribal identification number; |
30 | (iii) Account number, credit, or debit card number, in combination with any required |
31 | security code, access code, password, or personal identification number, that would permit access |
32 | to an individual's financial account; |
33 | (iv) Medical or health insurance information; or |
34 | (v) Email address with any required security code, access code, or password that would |
| LC003955 - Page 3 of 6 |
1 | permit access to an individual's personal, medical, insurance, or financial account. |
2 | (6) "Third party" means any entity that is a separate legal entity from the entity that has |
3 | disclosed the personally identifiable information; provided, however, that an affiliate of the entity |
4 | that has disclosed the personally identifiable information shall not be considered a third party. |
5 | 6-48.1-4. Information sharing practices. |
6 | (a) An operator of a commercial website or online service that collects, stores and sells |
7 | categories of personally identifiable information through the Internet about individual customers |
8 | residing in this state who use or visit its commercial website or online service shall, in its customer |
9 | agreement or incorporated addendum or in another conspicuous location on its website or online |
10 | service platform where similar notices are customarily posted: |
11 | (1) Identify all categories of personally identifiable information that the operator collects |
12 | through the website or online service about individual customers who use or visit its commercial |
13 | website or online service; and |
14 | (2) Identify all categories of third-party persons or entities with whom the operator may |
15 | disclose that personally identifiable information. |
16 | (b) Nothing in this chapter shall be construed to authorize the collection, storage or |
17 | disclosure of information or data that is otherwise prohibited, restricted or regulated by state or |
18 | federal law. |
19 | 6-48.1-5. Violations. |
20 | (a) A violation of this chapter constitutes a violation of the general regulatory provisions |
21 | of commercial law in title 6 and shall constitute a deceptive trade practice in violation of chapter |
22 | 13.1 of title 6; provided further, that in the event that any individual or entity intentionally discloses |
23 | personally identifiable information: |
24 | (1) To a shell company or any entity that has been formed or established solely, or in part, |
25 | for the purposes of circumventing the intent of this chapter; |
26 | (2) To any third party that is not exempt pursuant to § 6-48.2-3; or |
27 | (3) In violation of any provision of this chapter, that individual or entity shall pay a fine of |
28 | not less than one hundred dollars ($100) and no more than five hundred dollars ($500) for each |
29 | such disclosure. |
30 | (b) The office of the attorney general shall have sole enforcement authority of the |
31 | provisions of this chapter and may enforce a violation of this chapter pursuant to: |
32 | (1) The provisions of this section; or |
33 | (2) General regulatory provisions of commercial law in title 6, or both. |
34 | (c) Nothing in this section shall be construed to authorize any private right of action to |
| LC003955 - Page 4 of 6 |
1 | enforce any provision of this chapter, any regulation hereunder, or any other provisions of |
2 | commercial law in title 6. |
3 | 6-48.1-6. Waivers -- Severability. |
4 | Any waiver of the provisions of this chapter shall be void and unenforceable. If any |
5 | provision of this chapter or its application to any person or circumstance is held invalid by a court |
6 | of competent jurisdiction, the invalidity shall not affect other provisions of applications of the |
7 | chapter that can be given effect without the invalid provision or application, and to this end the |
8 | provisions of the chapter are severable. |
9 | 6-48.1-7. Construction. |
10 | (a) Nothing in this chapter shall be deemed to apply in any manner to any information or |
11 | data that is subject to the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated |
12 | under that act, or to information or data subject to the Health Insurance Portability and |
13 | Accountability Act of 1996 (HIPAA); provided, however, no entity or individual shall be exempt |
14 | from the provisions of this chapter. |
15 | (b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or |
16 | agent of a state agency or local unit of government when working for that state agency or local unit |
17 | of government. |
18 | (c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax- |
19 | exempt organization under the Internal Revenue Code. |
20 | (d) Nothing in this chapter shall be construed to mandate and/or require the retention or |
21 | disclosure of any specific individual's personally identifiable information. |
22 | (e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product |
23 | sales summaries or statistical information or aggregate customer data which may include personally |
24 | identifiable information. |
25 | (f) Nothing in this chapter shall be construed to apply to any personally identifiable |
26 | information or any other information collected, used, processed, or disclosed by or for a consumer |
27 | reporting agency as defined by 15 USC § 1681a(f). |
28 | SECTION 2. This act shall take effect on January 1, 2023. |
======== | |
LC003955 | |
======== | |
| LC003955 - Page 5 of 6 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- | |
RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT | |
*** | |
1 | This act would require online service providers and commercial websites that collect, store |
2 | and sell personally identifiable information to disclose what categories of personally identifiable |
3 | information they collect and to what third parties they sell the information. This act does not |
4 | prohibit the collection or sale of personally identifiable information and does not require the |
5 | retention or disclosure of personally identifiable information by online service providers or |
6 | commercial websites. Any intentional disclosure of personal information in violation of the |
7 | provisions of this act would be punishable by a fine of not less than one hundred dollars ($100) nor |
8 | more than five hundred dollars ($500) per disclosure with sole enforcement vested in the |
9 | department of the attorney general. |
10 | This act would take effect on January 1, 2023. |
======== | |
LC003955 | |
======== | |
| LC003955 - Page 6 of 6 |