2023 -- H 5745 | |
======== | |
LC000015 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2023 | |
____________ | |
A N A C T | |
RELATING TO COMMERCIAL LAW -- RHODE ISLAND PERSONAL DATA AND | |
ONLINE PRIVACY PROTECTION ACT | |
| |
Introduced By: Representative Joseph M. McNamara | |
Date Introduced: February 21, 2023 | |
Referred To: House Innovation, Internet, & Technology | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 59 |
4 | RHODE ISLAND PERSONAL DATA AND ONLINE PRIVACY PROTECTION ACT |
5 | 6-59-1. Short title. |
6 | This act shall be known and may be cited as the "Rhode Island personal data and online |
7 | privacy protection act." |
8 | 6-59-2. Definitions. |
9 | As used in this chapter, the following words and phrases shall have the following meanings, |
10 | unless the context clearly indicates otherwise: |
11 | (1) "Affiliate" means a legal entity that shares common branding with another legal entity |
12 | or controls, is controlled by, or is under common control with, another legal entity. For the purposes |
13 | of this definition, "control" or "controlled" means: |
14 | (i) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding |
15 | shares of any class of voting security of a company; |
16 | (ii) Control in any manner over the election of a majority of the directors or of individuals |
17 | exercising similar functions; or |
18 | (iii) The power to exercise controlling influence over the management of a company. |
| |
1 | (2) "Authenticate" means to use reasonable means to determine that a request to exercise |
2 | any of the rights afforded under this chapter being made by, or on behalf of, the consumer who is |
3 | entitled to exercise such consumer rights with respect to the personal data at issue. |
4 | (3) "Biometric data" means data generated by automatic measurements of an individual's |
5 | biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique |
6 | biological patterns or characteristics that are used to identify a specific individual. "Biometric data" |
7 | does not include: |
8 | (i) A digital or physical photograph; |
9 | (ii) An audio or video recording; or |
10 | (iii) Any data generated from a digital or physical photograph, or an audio or video |
11 | recording, unless such data is generated to identify a specific individual. |
12 | (4) "Business associate" has the same meaning as provided in HIPAA. |
13 | (5) "Child" has the same meaning as provided in COPPA. |
14 | (6) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, |
15 | informed and unambiguous agreement to allow the processing of personal data relating to the |
16 | consumer. "Consent" may include a written statement, including by electronic means, or any other |
17 | unambiguous affirmative action. "Consent" does not include: |
18 | (i) Acceptance of a general or broad terms of use or similar document that contains |
19 | descriptions of personal data processing along with other, unrelated information; |
20 | (ii) Hovering over, muting, pausing or closing a given piece of content; or |
21 | (iii) Agreement obtained through the use of dark patterns. |
22 | (7) "Consumer" means an individual who is a resident of the State of Rhode Island. |
23 | "Consumer" does not include an individual acting in a commercial or employment context or as an |
24 | employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, |
25 | nonprofit or government agency whose communications or transactions with the controller occur |
26 | solely within the context of that individual's role with the company, partnership, sole proprietorship, |
27 | nonprofit, or government agency. |
28 | (8) "Controller" means an individual who, or legal entity that, alone or jointly with others |
29 | determines the purpose and means of processing personal data. |
30 | (9) "COPPA" means the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ |
31 | 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as |
32 | said act and such regulations, rules, guidance and exemptions may be amended from time to time. |
33 | (10) "Covered entity" has the same meaning as provided in HIPAA. |
34 | (11) "Dark pattern" means a user interface designed or manipulated with the substantial |
| LC000015 - Page 2 of 21 |
1 | effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is |
2 | not limited to, any practice the Federal Trade Commission refers to as a "dark pattern". |
3 | (12) "Decisions that produce legal or similarly significant effects concerning the consumer" |
4 | means decisions made by the controller that result in the provision or denial by the controller of |
5 | financial or lending services, housing, insurance, education enrollment or opportunity, criminal |
6 | justice, employment opportunities, health care services or access to essential goods or services. |
7 | (13) "De-identified data" means data that cannot reasonably be used to infer information |
8 | about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such |
9 | individual, if the controller that possesses such data takes reasonable measures to ensure that such |
10 | data cannot be associated with an individual, publicly commits to process such data only in a de- |
11 | identified fashion and not attempt to re-identify such data, and contractually obligates any |
12 | recipients of such data to satisfy the criteria set forth in this subsection. |
13 | (14) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 |
14 | U.S.C. § 1320d, as amended from time to time. |
15 | (15) "Identified or identifiable individual" means an individual who can be readily |
16 | identified, directly or indirectly. |
17 | (16) "Institution of higher education" means any individual who, or school, board, |
18 | association, limited liability company or corporation that, is licensed or accredited to offer one or |
19 | more programs of higher learning leading to one or more degrees. |
20 | (17) "Nonprofit organization" means any organization that is exempt from taxation under |
21 | 26 U.S.C. §§ 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, |
22 | or any subsequent corresponding internal revenue code of the United States, as amended from time |
23 | to time. |
24 | (18) "Personal data" means any information that is linked or reasonably linkable to an |
25 | identified or identifiable individual. "Personal data" does not include de-identified data or publicly |
26 | available information. |
27 | (19) "Precise geolocation data" means information derived from technology, including, but |
28 | not limited to, global positioning system level latitude and longitude coordinates or other |
29 | mechanisms, that directly identifies the specific location of an individual with precision and |
30 | accuracy within a radius of one thousand seven hundred fifty feet (1750'). "Precise geolocation |
31 | data" does not include the content of communications or any data generated by or connected to |
32 | advanced utility metering infrastructure systems or equipment for use by a utility. |
33 | (20) "Process" or "processing" means any operation or set of operations performed, |
34 | whether by manual or automated means, on personal data or on sets of personal data, such as the |
| LC000015 - Page 3 of 21 |
1 | collection, use, storage, disclosure, analysis, deletion or modification of personal data. |
2 | (21) "Processor" means an individual who, or legal entity that, processes personal data on |
3 | behalf of a controller. |
4 | (22) "Profiling" means any form of automated processing performed on personal data to |
5 | evaluate, analyze or predict personal aspects related to an identified or identifiable individual's |
6 | economic situation, health, personal preferences, interests, reliability, behavior, location or |
7 | movements. |
8 | (23) "Protected health information" has the same meaning as provided in HIPAA. |
9 | (24) "Pseudonymous data" means personal data that cannot be attributed to a specific |
10 | individual without the use of additional information, provided such additional information is kept |
11 | separately and is subject to appropriate technical and organizational measures to ensure that the |
12 | personal data is not attributed to an identified or identifiable individual. |
13 | (25) "Publicly available information" means information that: |
14 | (i) Is lawfully made available through federal, state or municipal government records or |
15 | widely distributed media; and |
16 | (ii) A controller has a reasonable basis to believe a consumer has lawfully made available |
17 | to the general public. |
18 | (26) "Sale of personal data" means the exchange of personal data for monetary or other |
19 | valuable consideration by the controller to a third party. "Sale of personal data" does not include: |
20 | (i) The disclosure of personal data to a processor that processes the personal data on behalf |
21 | of the controller; |
22 | (ii) The disclosure of personal data to a third party for purposes of providing a product or |
23 | service requested by the consumer; |
24 | (iii) The disclosure or transfer of personal data to an affiliate of the controller; |
25 | (iv) The disclosure of personal data where the consumer directs the controller to disclose |
26 | the personal data or intentionally uses the controller to interact with a third party; |
27 | (v) The disclosure of personal data that the consumer intentionally made available to the |
28 | general public via a channel of mass media, and did not restrict to a specific audience; and |
29 | (vi) The disclosure or transfer of personal data to a third party as an asset that is part of a |
30 | merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy |
31 | or other transaction, in which the third party assumes control of all or part of the controller's assets. |
32 | (27) "Sensitive data" means personal data that includes: |
33 | (i) Data revealing racial or ethnic origin, religious beliefs, mental or physical health |
34 | condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; |
| LC000015 - Page 4 of 21 |
1 | (ii) The processing of genetic or biometric data for the purpose of uniquely identifying an |
2 | individual; |
3 | (iii) Personal data collected from a known child; or |
4 | (iv) Precise geolocation data. |
5 | (28) "Targeted advertising" means displaying advertisements to a consumer where the |
6 | advertisement is selected based on personal data obtained or inferred from that consumer's activities |
7 | over time and across nonaffiliated Internet websites or online applications to predict such |
8 | consumer's preferences or interests. "Targeted advertising" does not include: |
9 | (i) Advertisements based on activities within a controller's own Internet websites or online |
10 | applications; |
11 | (ii) Advertisements based on the context of a consumer's current search query, visit to an |
12 | Internet website or online application; |
13 | (iii) Advertisements directed to a consumer in response to the consumer's request for |
14 | information or feedback; or |
15 | (iv) Processing personal data solely to measure or report advertising frequency, |
16 | performance or reach. |
17 | (29) "Third-party" means an individual or legal entity, such as a public authority, agency |
18 | or body, other than the consumer, controller or processor or an affiliate of the processor or the |
19 | controller. |
20 | (30) "Trade secret" has the same meaning as provided in § 6-41-1. |
21 | 6-59-3. Application of chapter. |
22 | (a) The provisions of this chapter apply to persons that conduct business in this state or |
23 | persons that produce products or services that are targeted to residents of this state and that during |
24 | the preceding calendar year: |
25 | (1) Controlled or processed the personal data of not less than one hundred thousand |
26 | (100,000) consumers, excluding personal data controlled or processed solely for the purpose of |
27 | completing a payment transaction; or |
28 | (2) Controlled or processed the personal data of not less than twenty-five thousand (25,000) |
29 | consumers and derived more than twenty-five percent (25%) of their gross revenue from the sale |
30 | of personal data. |
31 | 6-59-4. Limitations of chapter. |
32 | (a) The provisions of this chapter do not apply to any: |
33 | (1) Body, authority, board, bureau, commission, district or agency of this state or of any |
34 | political subdivision of this state; |
| LC000015 - Page 5 of 21 |
1 | (2) Nonprofit organization; |
2 | (3) Institution of higher education; |
3 | (4) National securities association that is registered under 15 U.S.C. § 78o-3 of the |
4 | Securities Exchange Act of 1934, as amended from time to time; |
5 | (5) Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 |
6 | U.S.C. §§ 6801 et seq.; or |
7 | (6) Covered entity or business associate, as defined in 45 C.F.R. 160.103. |
8 | (b) The following information and data is exempt from the provisions of this chapter: |
9 | (1) Protected health information under HIPAA; |
10 | (2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2; |
11 | (3) Identifiable private information for purposes of the federal policy for the protection of |
12 | human subjects under 45 C.F.R. 46; |
13 | (4) Identifiable private information that is otherwise information collected as part of human |
14 | subjects research pursuant to the good clinical practice guidelines issued by the International |
15 | Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; |
16 | (5) The protection of human subjects under 21 C.F.R. Parts 6, 50 and 56, or personal data |
17 | used or shared in research, as defined in 45 C.F.R. 164.501, that is conducted in accordance with |
18 | the standards set forth in subsection (b)(5) of this section and subsections (b)(3) and (4) of this |
19 | section, or other research conducted in accordance with applicable law; |
20 | (6) Information and documents created for purposes of the Health Care Quality |
21 | Improvement Act of 1986, 42 U.S.C. §§ 11101 et seq.; |
22 | (7) Patient safety work product for purposes of the Patient Safety and Quality Improvement |
23 | Act, 42 U.S.C. §§ 299b-21 et seq., as amended from time to time; |
24 | (8) Information derived from any of the health care related information listed in this |
25 | subsection that is de-identified in accordance with the requirements for de-identification pursuant |
26 | to HIPAA; |
27 | (9) Information originating from and intermingled to be indistinguishable with, or |
28 | information treated in the same manner as, information exempt under this subsection that is |
29 | maintained by a covered entity or business associate, program or qualified service organization, as |
30 | specified in 42 U.S.C. § 290dd-2, as amended from time to time; |
31 | (10) Information used for public health activities and purposes as authorized by HIPAA, |
32 | community health activities and population health activities; |
33 | (11) The collection, maintenance, disclosure, sale, communication or use of any personal |
34 | information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, |
| LC000015 - Page 6 of 21 |
1 | general reputation, personal characteristics or mode of living by a consumer reporting agency, |
2 | furnisher or user that provides information for use in a consumer report, and by a user of a consumer |
3 | report, but only to the extent that such activity is regulated by and authorized under the Fair Credit |
4 | Reporting Act, 15 U.S.C. §§ 1681 et seq., as amended from time to time; |
5 | (12) Personal data collected, processed, sold or disclosed in compliance with the Driver's |
6 | Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., as amended from time to time; |
7 | (13) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. |
8 | §§ 1232g et seq., as amended from time to time; |
9 | (14) Personal data collected, processed, sold or disclosed in compliance with the Farm |
10 | Credit Act, 12 U.S.C. §§ 2001 et seq., as amended from time to time; |
11 | (15) Data processed or maintained: |
12 | (i) In the course of an individual applying to, employed by or acting as an agent or |
13 | independent contractor of a controller, processor or third-party, to the extent that the data is |
14 | collected and used within the context of that role; |
15 | (ii) As the emergency contact information of an individual under this section used for |
16 | emergency contact purposes; or |
17 | (iii) That is necessary to retain to administer benefits for another individual relating to the |
18 | individual who is the subject of the information, and is used for the purposes of administering such |
19 | benefits; and |
20 | (16) Personal data collected, processed, sold or disclosed in relation to price, route or |
21 | service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. §§ 40101 et seq., as |
22 | amended from time to time, by an air carrier subject to said act, to the extent the provisions of this |
23 | act are preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended from time to |
24 | time. |
25 | (c) Controllers and processors that comply with the verifiable parental consent |
26 | requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent |
27 | pursuant to subsections (a) and (b) of this section, inclusive, of this chapter. |
28 | 6-59-5. Consumer rights. |
29 | (a) A consumer shall have the right to: |
30 | (1) Confirm whether or not a controller is processing the consumer's personal data and |
31 | access to such personal data, unless such confirmation or access would require the controller to |
32 | reveal a trade secret; |
33 | (2) Correct inaccuracies in the consumer's personal data, taking into account the nature of |
34 | the personal data and the purposes of the processing of the consumer's personal data; |
| LC000015 - Page 7 of 21 |
1 | (3) Delete personal data provided by, or obtained about, the consumer; |
2 | (4) Obtain a copy of the consumer's personal data processed by the controller, in a portable |
3 | and, to the extent technically feasible, readily usable format that allows the consumer to transmit |
4 | the data to another controller without hindrance, where the processing is carried out by automated |
5 | means, provided such controller shall not be required to reveal any trade secret; and |
6 | (5) Opt out of the processing of the personal data for purposes of: |
7 | (i) Targeted advertising; |
8 | (ii) The sale of personal data, except as provided otherwise in this chapter; or |
9 | (iii) Profiling in furtherance of solely automated decisions that produce legal or similarly |
10 | significant effects concerning the consumer. |
11 | (b) A consumer may exercise rights under this section by a secure and reliable means |
12 | established by the controller and described to the consumer in the controller's privacy notice. A |
13 | consumer may designate an authorized agent in accordance with this chapter to exercise the rights |
14 | of such consumer to opt out of the processing of such consumer's personal data for purposes of this |
15 | section on behalf of the consumer. In the case of processing personal data of a known child, the |
16 | parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of |
17 | processing personal data concerning a consumer subject to a guardianship, conservatorship or other |
18 | protective arrangement, the guardian or the conservator of the consumer may exercise such rights |
19 | on the consumer's behalf. |
20 | (c) Except as expressly otherwise provided in this chapter, a controller shall comply with |
21 | a request by a consumer to exercise the consumer rights authorized by this chapter as follows: |
22 | (1) A controller shall respond to the consumer without undue delay, but not later than forty- |
23 | five (45) days after receipt of the request. The controller may extend the response period by forty- |
24 | five (45) additional days when reasonably necessary, considering the complexity and number of |
25 | the consumer's requests, provided the controller informs the consumer of any such extension within |
26 | the initial forty-five (45) day response period and of the reason for the extension. |
27 | (2) If a controller declines to take action regarding the consumer's request, the controller |
28 | shall inform the consumer without undue delay, but not later than forty-five (45) days after receipt |
29 | of the request, of the justification for declining to take action and instructions for how to appeal the |
30 | decision. |
31 | (3) Information provided in response to a consumer request shall be provided by a |
32 | controller, free of charge, once per consumer during any twelve (12) month period. If requests from |
33 | a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the |
34 | consumer a reasonable fee to cover the administrative costs of complying with the request or |
| LC000015 - Page 8 of 21 |
1 | decline to act on the request. The controller bears the burden of demonstrating the manifestly |
2 | unfounded, excessive or repetitive nature of the request. |
3 | (4) If a controller is unable to authenticate a request to exercise any of the rights afforded |
4 | under subsection (a) of this section using commercially reasonable efforts, the controller shall not |
5 | be required to comply with a request to initiate an action pursuant to this section and shall provide |
6 | notice to the consumer that the controller is unable to authenticate the request to exercise such right |
7 | or rights until such consumer provides additional information reasonably necessary to authenticate |
8 | such consumer and such consumer's request to exercise such right or rights. A controller shall not |
9 | be required to authenticate an opt-out request, but a controller may deny an opt-out request if the |
10 | controller has a good faith, reasonable and documented belief that such request is fraudulent. If a |
11 | controller denies an opt-out request because the controller believes such request is fraudulent, the |
12 | controller shall send a notice to the person who made such request disclosing that such controller |
13 | believes such request is fraudulent, why such controller believes such request is fraudulent and that |
14 | such controller shall not comply with such request. |
15 | (5) A controller that has obtained personal data about a consumer from a source other than |
16 | the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant |
17 | to this section by: |
18 | (i) Retaining a record of the deletion request and the minimum data necessary for the |
19 | purpose of ensuring the consumer's personal data remains deleted from the controller's records and |
20 | not using such retained data for any other purpose pursuant to the provisions of this chapter; or |
21 | (ii) Opting the consumer out of the processing of such personal data for any purpose except |
22 | for those exempted pursuant to the provisions of this chapter. |
23 | (d) A controller shall establish a process for a consumer to appeal the controller's refusal |
24 | to take action on a request within a reasonable period of time after the consumer's receipt of the |
25 | decision. The appeal process shall be conspicuously available and similar to the process for |
26 | submitting requests to initiate action pursuant to this section. Not later than sixty (60) days after |
27 | receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not |
28 | taken in response to the appeal, including a written explanation of the reasons for the decisions. If |
29 | the appeal is denied, the controller shall also provide the consumer with an online mechanism, if |
30 | available, or other method through which the consumer may contact the attorney general to submit |
31 | a complaint. |
32 | 6-59-6. Designation of agent. |
33 | A consumer may designate another person to serve as the consumer's authorized agent, and |
34 | act on such consumer's behalf, to opt-out of the processing of such consumer's personal data for |
| LC000015 - Page 9 of 21 |
1 | one or more of the purposes specified in this chapter. The consumer may designate such authorized |
2 | agent by way of, among other things, a technology, including, but not limited to, an Internet link |
3 | or a browser setting, browser extension or global device setting, indicating such consumer's intent |
4 | to opt-out of such processing. A controller shall comply with an opt-out request received from an |
5 | authorized agent if the controller is able to verify, with commercially reasonable effort, the identity |
6 | of the consumer and the authorized agent's authority to act on such consumer’s behalf. |
7 | 6-59-7. Actions of controller. |
8 | (a) A controller shall: |
9 | (1) Limit the collection of personal data to what is adequate, relevant and reasonably |
10 | necessary in relation to the purposes for which such data is processed, as disclosed to the consumer; |
11 | (2) Except as otherwise provided in this chapter, not process personal data for purposes |
12 | that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such |
13 | personal data is processed, as disclosed to the consumer, unless the controller obtains the |
14 | consumer's consent; |
15 | (3) Establish, implement and maintain reasonable administrative, technical and physical |
16 | data security practices to protect the confidentiality, integrity and accessibility of personal data |
17 | appropriate to the volume and nature of the personal data at issue; |
18 | (4) Not process sensitive data concerning a consumer without obtaining the consumer's |
19 | consent, or, in the case of the processing of sensitive data concerning a known child, without |
20 | processing such data in accordance with COPPA; |
21 | (5) Not process personal data in violation of the laws of this state and federal laws that |
22 | prohibit unlawful discrimination against consumers; |
23 | (6) Provide an effective mechanism for a consumer to revoke the consumer's consent under |
24 | this section that is at least as easy as the mechanism by which the consumer provided the consumer's |
25 | consent and, upon revocation of such consent, cease to process the data as soon as practicable, but |
26 | not later than fifteen (15) days after the receipt of such request; and |
27 | (7) Not process the personal data of a consumer for purposes of targeted advertising, or sell |
28 | the consumer's personal data without the consumer's consent, under circumstances where a |
29 | controller has actual knowledge, and wilfully disregards, that the consumer is at least thirteen (13) |
30 | years of age, but younger than sixteen (16) years of age. A controller shall not discriminate against |
31 | a consumer for exercising any of the consumer rights contained in this chapter, including denying |
32 | goods or services, charging different prices or rates for goods or services or providing a different |
33 | level of quality of goods or services to the consumer. |
34 | (b) Nothing in subsection (a) of this section shall be construed to require a controller to |
| LC000015 - Page 10 of 21 |
1 | provide a product or service that requires the personal data of a consumer which the controller does |
2 | not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality |
3 | or selection of goods or services to a consumer, including offering goods or services for no fee, if |
4 | the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, |
5 | rewards, premium features, discounts or club card program. |
6 | (c) A controller shall provide consumers with a reasonably accessible, clear and meaningful |
7 | privacy notice that includes: |
8 | (1) The categories of personal data processed by the controller; |
9 | (2) The purpose for processing personal data; |
10 | (3) How consumers may exercise their consumer rights, including how a consumer may |
11 | appeal a controller's decision with regard to the consumer's request; |
12 | (4) The categories of personal data that the controller shares with third parties, if any; |
13 | (5) The categories of third parties, if any, with which the controller shares personal data; |
14 | and |
15 | (6) An active electronic mail address or other online mechanism that the consumer may |
16 | use to contact the controller. |
17 | (d) If a controller sells personal data to third parties or processes personal data for targeted |
18 | advertising, the controller shall clearly and conspicuously disclose such processing, as well as the |
19 | manner in which a consumer may exercise the right to opt out of such processing. |
20 | (e) A controller shall establish, and shall describe in a privacy notice, one or more secure |
21 | and reliable means for consumers to submit a request to exercise their consumer rights pursuant to |
22 | the provisions of this chapter. Such means shall take into account the ways in which consumers |
23 | normally interact with the controller, the need for secure and reliable communication of such |
24 | requests and the ability of the controller to verify the identity of the consumer making the request. |
25 | A controller shall not require a consumer to create a new account in order to exercise consumer |
26 | rights, but may require a consumer to use an existing account. |
27 | (f) The “secure and reliable means” referred to in subsection (e) of this section include: |
28 | (1) Providing a clear and conspicuous link on the controller's Internet website to an Internet |
29 | webpage that enables a consumer, or an agent of the consumer, to opt-out of the targeted advertising |
30 | or sale of the consumer's personal data; and |
31 | (2) Not later than January 1, 2025, allowing a consumer to opt out of any processing of the |
32 | consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, |
33 | through an opt-out preference signal sent, with such consumer's consent, by a platform, technology |
34 | or mechanism to the controller indicating such consumer's intent to opt-out of any such processing |
| LC000015 - Page 11 of 21 |
1 | or sale. Such platform, technology or mechanism shall: |
2 | (A) Not unfairly disadvantage another controller; |
3 | (B) Not make use of a default setting, but, rather, require the consumer to make an |
4 | affirmative, freely given and unambiguous choice to opt-out of any processing of such consumer's |
5 | personal data pursuant to the provisions of this chapter; |
6 | (C) Be consumer-friendly and easy to use by the average consumer; |
7 | (D) Be as consistent as possible with any other similar platform, technology or mechanism |
8 | required by any federal or state law or regulation; and |
9 | (E) Enable the controller to accurately determine whether the consumer is a resident of this |
10 | state and whether the consumer has made a legitimate request to opt-out of any sale of such |
11 | consumer's personal data or targeted advertising. |
12 | (g) If a consumer's decision to opt-out of any processing of the consumer's personal data |
13 | for the purposes of targeted advertising, or any sale of such personal data, through an opt-out |
14 | preference signal sent in accordance with the provisions of this section conflicts with the |
15 | consumer's existing controller-specific privacy setting or voluntary participation in a controller's |
16 | bona fide loyalty, rewards, premium features, discounts or club card program, the controller shall |
17 | comply with such consumer's opt-out preference signal but may notify such consumer of such |
18 | conflict and provide to such consumer the choice to confirm such controller-specific privacy setting |
19 | or participation in such program. |
20 | (h) If a controller responds to consumer opt‐out requests received pursuant to this |
21 | subsection by informing the consumer of a charge for the use of any product or service, the |
22 | controller shall present the terms of any financial incentive offered pursuant to this section for the |
23 | retention, use, sale or sharing of the consumer's personal data. |
24 | 6-59-8. Processor actions. |
25 | (a) A processor shall adhere to the instructions of a controller and shall assist the controller |
26 | in meeting the controller's obligations under the provisions of this chapter. Such assistance shall |
27 | include: |
28 | (1) Taking into account the nature of processing and the information available to the |
29 | processor, by appropriate technical and organizational measures, insofar as is reasonably |
30 | practicable, to fulfill the controller's obligation to respond to consumer rights requests; |
31 | (2) Taking into account the nature of processing and the information available to the |
32 | processor, by assisting the controller in meeting the controller's obligations in relation to the |
33 | security of processing the personal data and in relation to the notification of a breach of security of |
34 | the system of the processor, in order to meet the controller's obligations; and |
| LC000015 - Page 12 of 21 |
1 | (3) Providing necessary information to enable the controller to conduct and document data |
2 | protection assessments. |
3 | (b) A contract between a controller and a processor shall govern the processor's data |
4 | processing procedures with respect to processing performed on behalf of the controller. The |
5 | contract shall be binding and clearly set forth instructions for processing data, the nature and |
6 | purpose of processing, the type of data subject to processing, the duration of processing and the |
7 | rights and obligations of both parties. The contract shall also require that the processor: |
8 | (1) Ensure that each person processing personal data is subject to a duty of confidentiality |
9 | with respect to the data; |
10 | (2) At the controller's direction, delete or return all personal data to the controller as |
11 | requested at the end of the provision of services, unless retention of the personal data is required |
12 | by law; |
13 | (3) Upon the reasonable request of the controller, make available to the controller all |
14 | information in its possession necessary to demonstrate the processor's compliance with the |
15 | obligations in the provisions of this chapter; |
16 | (4) After providing the controller an opportunity to object, engage any subcontractor |
17 | pursuant to a written contract that requires the subcontractor to meet the obligations of the processor |
18 | with respect to the personal data; and |
19 | (5) Allow, and cooperate with, reasonable assessments by the controller or the controller's |
20 | designated assessor, or the processor may arrange for a qualified and independent assessor to |
21 | conduct an assessment of the processor's policies and technical and organizational measures in |
22 | support of the obligations under the provisions of this chapter, using an appropriate and accepted |
23 | control standard or framework and assessment procedure for such assessments. The processor shall |
24 | provide a report of such assessment to the controller upon request. |
25 | (c) Nothing in this section shall be construed to relieve a controller or processor from the |
26 | liabilities imposed on the controller or processor by virtue of such controller's or processor's role |
27 | in the processing relationship, as described in the provisions of this chapter. |
28 | (d) Determining whether a person is acting as a controller or processor with respect to a |
29 | specific processing of data is a fact-based determination that depends upon the context in which |
30 | personal data is to be processed. A person who is not limited in such person's processing of personal |
31 | data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller |
32 | and not a processor with respect to a specific processing of data. A processor that continues to |
33 | adhere to a controller's instructions with respect to a specific processing of personal data remains a |
34 | processor. If a processor begins, alone or jointly with others, determining the purposes and means |
| LC000015 - Page 13 of 21 |
1 | of the processing of personal data, the processor is a controller with respect to such processing and |
2 | may be subject to an enforcement action under this chapter. |
3 | 6-59-9. Further actions required of controller -- Data protection assessment. |
4 | (a) A controller shall conduct and document a data protection assessment for each of the |
5 | controller's processing activities that presents a heightened risk of harm to a consumer. For the |
6 | purposes of this section, processing that presents a heightened risk of harm to a consumer includes: |
7 | (1) The processing of personal data for the purposes of targeted advertising; |
8 | (2) The sale of personal data; |
9 | (3) The processing of personal data for the purposes of profiling, where such profiling |
10 | presents a reasonably foreseeable risk of: |
11 | (i) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers; |
12 | (ii) Financial, physical or reputational injury to consumers; |
13 | (iii) A physical or other intrusion upon the solitude or seclusion, or the private affairs or |
14 | concerns, of consumers, where such intrusion would be offensive to a reasonable person; or |
15 | (iv) Other substantial injury to consumers; and |
16 | (4) The processing of sensitive data. |
17 | (b) Data protection assessments conducted pursuant to subsection (a) of this section shall |
18 | identify and weigh the benefits that may flow, directly and indirectly, from the processing to the |
19 | controller, the consumer, other stakeholders and the public against the potential risks to the rights |
20 | of the consumer associated with such processing, as mitigated by safeguards that can be employed |
21 | by the controller to reduce such risks. The controller shall factor into any such data protection |
22 | assessment the use of de-identified data and the reasonable expectations of consumers, as well as |
23 | the context of the processing and the relationship between the controller and the consumer whose |
24 | personal data will be processed. |
25 | (c) The attorney general may require that a controller disclose any data protection |
26 | assessment that is relevant to an investigation conducted by the attorney general, and the controller |
27 | shall make the data protection assessment available to the attorney general. The attorney general |
28 | may evaluate the data protection assessment for compliance with the responsibilities set forth in |
29 | the provisions of this chapter. Data protection assessments shall be confidential and shall be exempt |
30 | from disclosure under the Freedom of Information Act and shall not be deemed to be a public record |
31 | pursuant to chapter 2 of title 38. To the extent any information contained in a data protection |
32 | assessment disclosed to the attorney general includes information subject to attorney-client |
33 | privilege or work product protection, such disclosure shall not constitute a waiver of such privilege |
34 | or protection. |
| LC000015 - Page 14 of 21 |
1 | (d) A single data protection assessment may address a comparable set of processing |
2 | operations that include similar activities. |
3 | (e) If a controller conducts a data protection assessment for the purpose of complying with |
4 | another applicable law or regulation, the data protection assessment shall be deemed to satisfy the |
5 | requirements established in this section if such data protection assessment is reasonably similar in |
6 | scope and effect to the data protection assessment that would otherwise be conducted pursuant to |
7 | this section. |
8 | (f) Data protection assessment requirements shall apply to processing activities created or |
9 | generated after July 1, 2023, and are not retroactive. |
10 | 6-59-10. Handling requirements for de-identified data. |
11 | (a) Any controller in possession of de-identified data shall: |
12 | (1) Take reasonable measures to ensure that the data cannot be associated with an |
13 | individual; |
14 | (2) Publicly commit to maintaining and using de-identified data without attempting to re- |
15 | identify the data; and |
16 | (3) Contractually obligate any recipients of the de-identified data to comply with all |
17 | provisions of the provisions of this chapter. |
18 | (b) Nothing in the provisions of this chapter shall be construed to: |
19 | (1) Require a controller or processor to re-identify de-identified data or pseudonymous |
20 | data; or |
21 | (2) Maintain data in identifiable form, or collect, obtain, retain or access any data or |
22 | technology, in order to be capable of associating an authenticated consumer request with personal |
23 | data. |
24 | (c) Nothing in the provisions of this chapter shall be construed to require a controller or |
25 | processor to comply with an authenticated consumer rights request if the controller: |
26 | (1) Is not reasonably capable of associating the request with the personal data or it would |
27 | be unreasonably burdensome for the controller to associate the request with the personal data; |
28 | (2) Does not use the personal data to recognize or respond to the specific consumer who is |
29 | the subject of the personal data, or associate the personal data with other personal data about the |
30 | same specific consumer; and |
31 | (3) Does not sell the personal data to any third-party or otherwise voluntarily disclose the |
32 | personal data to any third-party other than a processor, except as otherwise permitted in this section. |
33 | (d) The rights afforded under this chapter shall not apply to pseudonymous data in cases |
34 | where the controller is able to demonstrate that any information necessary to identify the consumer |
| LC000015 - Page 15 of 21 |
1 | is kept separately and is subject to effective technical and organizational controls that prevent the |
2 | controller from accessing such information. |
3 | (e) A controller that discloses pseudonymous data or de-identified data shall exercise |
4 | reasonable oversight to monitor compliance with any contractual commitments to which the |
5 | pseudonymous data or de-identified data is subject and shall take appropriate steps to address any |
6 | breaches of those contractual commitments. |
7 | 6-59-11. Actions that are not restricted. |
8 | (a) Nothing in the provisions of this chapter shall be construed to restrict a controller's or |
9 | processor's ability to: |
10 | (1) Comply with federal, state or municipal ordinances or regulations; |
11 | (2) Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or |
12 | summons by federal, state, municipal or other governmental authorities; |
13 | (3) Cooperate with law enforcement agencies concerning conduct or activity that the |
14 | controller or processor reasonably and in good faith believes may violate federal, state or municipal |
15 | ordinances or regulations; |
16 | (4) Investigate, establish, exercise, prepare for or defend legal claims; |
17 | (5) Provide a product or service specifically requested by a consumer; |
18 | (6) Perform under a contract to which a consumer is a party, including fulfilling the terms |
19 | of a written warranty; |
20 | (7) Take steps at the request of a consumer prior to entering into a contract; |
21 | (8) Take immediate steps to protect an interest that is essential for the life or physical safety |
22 | of the consumer or another individual, and where the processing cannot be manifestly based on |
23 | another legal basis; |
24 | (9) Prevent, detect, protect against or respond to security incidents, identity theft, fraud, |
25 | harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or |
26 | security of systems or investigate, report or prosecute those responsible for any such action; |
27 | (10) Engage in public or peer-reviewed scientific or statistical research in the public interest |
28 | that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed |
29 | by an institutional review board that determines, or similar independent oversight entities that |
30 | determine whether the deletion of the information is likely to provide substantial benefits that do |
31 | not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy |
32 | risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks |
33 | associated with research, including any risks associated with re-identification; |
34 | (11) Assist another controller, processor or third party with any of the obligations under |
| LC000015 - Page 16 of 21 |
1 | the provisions of this chapter; or |
2 | (12) Process personal data for reasons of public interest in the area of public health, |
3 | community health or population health, but solely to the extent that such processing is subject to |
4 | suitable and specific measures to safeguard the rights of the consumer whose personal data is being |
5 | processed, and under the responsibility of a professional subject to confidentiality obligations under |
6 | federal, state or local law. |
7 | (b) The obligations imposed on controllers or processors under the provisions of this |
8 | chapter shall not restrict a controller's or processor's ability to collect, use or retain data for internal |
9 | use to: |
10 | (1) Conduct internal research to develop, improve or repair products, services or |
11 | technology; |
12 | (2) Effectuate a product recall; |
13 | (3) Identify and repair technical errors that impair existing or intended functionality; or |
14 | (4) Perform internal operations that are reasonably aligned with the expectations of the |
15 | consumer or reasonably anticipated based on the consumer's existing relationship with the |
16 | controller, or are otherwise compatible with processing data in furtherance of the provision of a |
17 | product or service specifically requested by a consumer or the performance of a contract to which |
18 | the consumer is a party. |
19 | (c) The obligations imposed on controllers or processors under the provisions of this |
20 | chapter shall not apply where compliance by the controller or processor with said sections would |
21 | violate an evidentiary privilege under the laws of this state. Nothing in the provisions of this chapter |
22 | shall be construed to prevent a controller or processor from providing personal data concerning a |
23 | consumer to a person covered by an evidentiary privilege under the laws of the state as part of a |
24 | privileged communication. |
25 | (d) A controller or processor that discloses personal data to a processor or third-party |
26 | controller in accordance with the provisions of this chapter shall not be deemed to have violated |
27 | said sections if the processor or third-party controller that receives and processes such personal data |
28 | violates said sections, provided, at the time the disclosing controller or processor disclosed such |
29 | personal data, the disclosing controller or processor did not have actual knowledge that the |
30 | receiving processor or third-party controller would violate said sections. A third-party controller or |
31 | processor receiving personal data from a controller or processor in compliance with the provisions |
32 | of this chapter is likewise not in violation of said sections for the transgressions of the controller or |
33 | processor from which such third-party controller or processor receives such personal data. |
34 | (e) Nothing in the provisions of this chapter shall be construed to impose any obligation on |
| LC000015 - Page 17 of 21 |
1 | a controller or processor that adversely affects the rights or freedoms of any person, including, but |
2 | not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in |
3 | the First Amendment to the United States Constitution, or apply to any person's processing of |
4 | personal data in the course of such person's purely personal or household activities. |
5 | (f) Personal data processed by a controller pursuant to this section may be processed to the |
6 | extent that such processing is: |
7 | (1) Reasonably necessary and proportionate to the purposes listed in this section; and |
8 | (2) Adequate, relevant and limited to what is necessary in relation to the specific purposes |
9 | listed in this section. Personal data collected, used or retained pursuant to this section shall, where |
10 | applicable, take into account the nature and purpose or purposes of such collection, use or retention. |
11 | Such data shall be subject to reasonable administrative, technical and physical measures to protect |
12 | the confidentiality, integrity and accessibility of the personal data and to reduce reasonably |
13 | foreseeable risks of harm to consumers relating to such collection, use or retention of personal data. |
14 | (g) If a controller processes personal data pursuant to an exemption in this section, the |
15 | controller bears the burden of demonstrating that such processing qualifies for the exemption and |
16 | complies with the requirements in subsection (f) of this section. |
17 | (h) Processing personal data for the purposes expressly identified in this section shall not |
18 | solely make a legal entity a controller with respect to such processing. |
19 | 6-59-12. Enforcement by attorney general. |
20 | (a) The attorney general shall have exclusive authority to enforce the provisions of this |
21 | chapter. |
22 | (b) During the period beginning on July 1, 2023, and ending on December 31, 2024, the |
23 | attorney general shall, prior to initiating any action for a violation of any provisions of this chapter, |
24 | issue a notice of violation to the controller if the attorney general determines that a cure is possible. |
25 | If the controller fails to cure such violation within sixty (60) days of receipt of the notice of |
26 | violation, the attorney general may bring an action pursuant to this section. |
27 | (c) Not later than February 1, 2025, the attorney general shall submit a report, to the house |
28 | and senate judiciary committees containing: |
29 | (1) The number of notices of violation the attorney general has issued; |
30 | (2) The nature of each violation; |
31 | (3) The number of violations that were cured during the sixty (60) day cure period; and |
32 | (4) Any other matter the attorney general deems relevant for the purposes of such report. |
33 | (d) Beginning on January 1, 2025, the attorney general may, in determining whether to |
34 | grant a controller or processor the opportunity to cure an alleged violation as permitted under this |
| LC000015 - Page 18 of 21 |
1 | section, consider: |
2 | (1) The number of violations; |
3 | (2) The size and complexity of the controller or processor; |
4 | (3) The nature and extent of the controller's or processor's processing activities; |
5 | (4) The substantial likelihood of injury to the public; |
6 | (5) The safety of persons or property; and |
7 | (6) Whether such alleged violation was likely caused by human or technical error. |
8 | (e) Nothing in this chapter shall be construed as providing the basis for, or be subject to, a |
9 | private right of action for violations of said sections or any other law. |
10 | (f) A violation of the requirements of the provisions of this chapter shall constitute an unfair |
11 | sales and deceptive trade practice for purposes of chapters 13 and 13.1 of title 6, and shall be |
12 | enforced solely by the attorney general. |
13 | 6-59-13. Joint study commission. |
14 | (a) Not later than September 1, 2023, the general assembly shall convene a joint study |
15 | commission to: |
16 | (1) Study information sharing among health care providers and social care providers and |
17 | make recommendations to eliminate health disparities and inequities across sectors; |
18 | (2) Study algorithmic decision-making and make recommendations concerning the proper |
19 | use of data to reduce bias in such decision-making; |
20 | (3) Make recommendations as to legislation that would require an operator, as defined in |
21 | the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq., as amended from time to |
22 | time, to, upon a parent's request, delete the account of a child and cease to collect, use or maintain, |
23 | in retrievable form, the child's personal data on the operator's Internet website or online service |
24 | directed to children, and provide parents with an accessible, reasonable and verifiable means to |
25 | make such a request; |
26 | (4) Any means available to verify the age of a child who creates a social media account; |
27 | (5) Issues concerning data colocation, including, but not limited to, the impact that the |
28 | provisions of this chapter have on third parties that provide data storage and colocation services; |
29 | (6) Recommend any legislation that would expand the provisions of this chapter to include |
30 | additional persons or groups; and |
31 | (7) Other topics concerning data privacy. |
32 | (b) The chairpersons of the house and senate judiciary committees shall serve as the |
33 | chairpersons of the study commission, and shall jointly appoint the members of the joint study |
34 | commission. Such members shall include, but need not be limited to: |
| LC000015 - Page 19 of 21 |
1 | (1) Representatives from business, academia, consumer advocacy groups, small and large |
2 | companies and the office of the attorney general; |
3 | (2) Members of the senate and the house of representatives; and |
4 | (3) Attorneys and other professionals with experience and expertise in privacy law. |
5 | (c) The speaker of the house and the president of the senate shall provide staffing and space |
6 | to the study commission as determined to be needed. |
7 | (d) Not later than January 1, 2024, the study commission shall submit a report on its |
8 | findings and recommendations to the house and senate judiciary committees. The study |
9 | commission shall terminate on the date that it submits such report or January 1, 2024 whichever is |
10 | later. |
11 | SECTION 2. This act shall take effect on July 1, 2023. |
======== | |
LC000015 | |
======== | |
| LC000015 - Page 20 of 21 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO COMMERCIAL LAW -- RHODE ISLAND PERSONAL DATA AND | |
ONLINE PRIVACY PROTECTION ACT | |
*** | |
1 | This act would establish the Rhode Island personal data and online privacy protection act. |
2 | The act would provide for the protection of personal data of individuals which is collected by |
3 | certain commercial enterprises, including persons and enterprises that conduct business in the state. |
4 | The attorney general would be charged with enforcement of this act. |
5 | This act would take effect of July 1, 2023. |
======== | |
LC000015 | |
======== | |
| LC000015 - Page 21 of 21 |