§ 6-48.1-5. Customer rights. [Effective January 1, 2026.]
(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
(b) No controller shall discriminate against a customer for exercising their customer rights.
(c) No controller shall deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection.
(d) Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount, or club card programs in which customers voluntarily participate.
(e) A customer shall have the right to:
(1) Confirm whether or not a controller is processing the customer’s personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
(2) Correct inaccuracies in the customer’s personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer’s personal data;
(3) Obtain a copy of the customer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and
(4) Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
(f) A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller’s privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child’s behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer’s behalf.
History of Section.
P.L. 2024, ch. 430, § 2, effective January 1, 2026; P.L. 2024, ch. 453, § 2, effective
January 1, 2026.