§ 6-48.1-3. Information sharing practices. [Effective January 1, 2026.]
(a) Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or internet service provider collects, stores, and sells customers’ personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted:
(1) Identify all categories of personal data that the controller collects through the website or online service about customers;
(2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and
(3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.
(b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing.
(c) Nothing in this chapter shall be construed to authorize the collection, storage, or disclosure of information or data that is otherwise prohibited or restricted by state or federal law.
(d) This chapter does not apply to any body, authority, board, bureau, commission, district, or agency of this state, or any political subdivision of this state; nonprofit organization; institution of higher education; national securities association that is registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934, as amended from time to time; financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; or covered entity or business associate, as defined in 45 C.F.R. § 160.103.
(e) The following information and data are exempt from the provisions of this chapter:
(1) Protected health information under HIPAA;
(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2;
(3) Identifiable private information for purposes of the federal policy for the protection of human research subjects under 45 C.F.R. §§ 46.101 through 46.124;
(4) Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use;
(5) The protection of human subjects under 21 C.F.R. Parts 50 and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501 or other research conducted in accordance with applicable law;
(6) Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq.;
(7) Patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 U.S.C. § 299b-21 et seq., as amended from time to time;
(8) Information derived from any of the healthcare-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(9) Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as amended from time to time;
(10) Information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities;
(11) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a customer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a customer reporting agency, furnisher, or user that provides information for use in a customer report, and by a user of a customer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., as amended from time to time;
(12) Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq., as amended from time to time;
(13) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g et seq., as amended from time to time;
(14) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. § 2001 et seq., as amended from time to time;
(15) Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role, as the emergency contact information of an individual or that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under this subsection and used for the purposes of administering such benefits; and
(16) Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101 et seq., as amended from time to time, by an air carrier subject to said act, to the extent subsections (e)(1) to (e)(11), inclusive, of this section are preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended from time to time.
History of Section.
P.L. 2024, ch. 430, § 2, effective January 1, 2026; P.L. 2024, ch. 453, § 2, effective January 1, 2026.