§ 6-48.1-6. Exercising customer rights. [Effective January 1, 2026.]
(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
(b) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows:
(1) A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer’s requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension.
(2) If a controller declines to act regarding the customer’s request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision.
(3) Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve-month (12) period. If requests from a customer are manifestly unfounded, excessive, or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(4) If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer’s request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent, and that such controller shall not comply with such request.
(5) A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer’s request to delete such data by doing the following:
(i) Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer’s personal data remains deleted from the controller’s records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or
(ii) Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter.
(6) A controller shall establish a process for a customer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the customer’s receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general.
(7) A customer may designate another person to serve as the customer’s authorized agent and act on such customer’s behalf, to opt out of the processing of such customer’s personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent’s authority to act on the customer’s behalf.
History of Section.
P.L. 2024, ch. 430, § 2, effective January 1, 2026; P.L. 2024, ch. 453, § 2, effective
January 1, 2026.