§ 6-48.1-2. Definitions. [Effective January 1, 2026.]
As used in this chapter:
(1) “Affiliate” means any entity that shares common branding with another legal entity directly or indirectly, controls, is controlled by, or is under common control with another legal entity. For this purpose, “control” or “controlled” means ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company.
(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under this chapter is being made by, or on behalf of, the customer who is entitled to exercise such customer rights with respect to the personal data at issue.
(3) “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. “Biometric data” does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
(4) “Business associate” has the same meaning as provided in 45 C.F.R. § 160.103.
(5) “Child” has the same meaning as provided in 15 U.S.C. § 6501.
(6) “Consent” means a clear, affirmative act signifying a customer has freely given specific, informed, and unambiguous agreement to allow the processing of personal data relating to the customer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” does not include acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other, unrelated information, hovering over, muting, pausing, or closing a given piece of content, or agreement obtained through the use of dark patterns.
(7) “Controller” means an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
(8) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., and the regulations, rules, guidance, and exemptions adopted, pursuant to said act, as said act and such regulations, rules, guidance, and exemptions may be amended from time to time.
(9) “Covered entity” has the same meaning as provided in 45 C.F.R. § 160.103.
(10) “Customer” means an individual residing in this state acting in an individual or household context. “Customer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(11) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”.
(12) “Decisions that produce legal or similarly significant effects concerning the customer” means decisions made by the controller that result in the provision or denial by the controller of: financial or lending services; housing; insurance; education enrollment or opportunity; criminal justice; employment opportunities; healthcare services; or access to essential goods or services.
(13) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual.
(14) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as amended from time to time.
(15) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.
(16) “Institution of higher education” means any individual who, or school, board, association, limited liability company, or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
(17) “Nonprofit organization” means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding Internal Revenue Code of the United States, as amended from time to time.
(18) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.
(19) “Precise geolocation data” means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750′). “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(20) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. “Processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.
(21) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(22) “Protected health information” has the same meaning as provided in 42 U.S.C. § 1320d.
(23) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information; provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(24) “Publicly available information” means information that is lawfully made available through federal, state, or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public.
(25) “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include the disclosure of personal data to a processor that processes the personal data on behalf of the controller; the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer; the disclosure or transfer of personal data to an affiliate of the controller; the disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, the disclosure of personal data that the customer:
(i) Intentionally made available to the general public via a channel of mass media; and
(ii) Did not restrict to a specific audience, or the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.
(26) “Sensitive data” means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.
(27) “Targeted advertising” means displaying advertisements to a customer where the advertisement is selected based on personal data obtained or inferred from that customer’s activities over time and across nonaffiliated internet websites or online applications to predict such customer’s preferences or interests. “Targeted advertising” does not include advertisements based on activities within a controller’s own internet websites or online applications, advertisements based on the context of a customer’s current search query, or current visit to an internet website or online application, advertisements directed to a customer in response to the customer’s request for information or feedback, or processing personal data solely to measure or report advertising frequency, performance, or reach.
(28) “Third party” means an individual or legal entity, such as a public authority, agency, or body, other than the customer, controller, or processor, or an affiliate of the processor or of the controller.
(29) “Trade secret” has the same meaning as § 6-41-1.
History of Section.
P.L. 2024, ch. 430, § 2, effective January 1, 2026; P.L. 2024, ch. 453, § 2, effective
January 1, 2026.