| 1 | 1 | | |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | 2023 -- H 5354 |
|---|
| 6 | 6 | | ======== |
|---|
| 7 | 7 | | LC000589 |
|---|
| 8 | 8 | | ======== |
|---|
| 9 | 9 | | S TATE OF RHODE IS LAND |
|---|
| 10 | 10 | | IN GENERAL ASSEMBLY |
|---|
| 11 | 11 | | JANUARY SESSION, A.D. 2023 |
|---|
| 12 | 12 | | ____________ |
|---|
| 13 | 13 | | |
|---|
| 14 | 14 | | A N A C T |
|---|
| 15 | 15 | | RELATING TO COMMERCI AL LAW--GENERAL REGULATORY PROVISION S -- RHODE |
|---|
| 16 | 16 | | ISLAND DATA TRANSPAR ENCY AND PRIVACY PRO TECTION ACT |
|---|
| 17 | 17 | | Introduced By: Representatives Shanley, Carson, Edwards, Craven, Bennett, Cotter, |
|---|
| 18 | 18 | | Spears, Dawson, Vella-Wilkinson, and O'Brien |
|---|
| 19 | 19 | | Date Introduced: February 03, 2023 |
|---|
| 20 | 20 | | Referred To: House Innovation, Internet, & Technology |
|---|
| 21 | 21 | | |
|---|
| 22 | 22 | | |
|---|
| 23 | 23 | | It is enacted by the General Assembly as follows: |
|---|
| 24 | 24 | | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL 1 |
|---|
| 25 | 25 | | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: 2 |
|---|
| 26 | 26 | | CHAPTER 48.1 3 |
|---|
| 27 | 27 | | RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT 4 |
|---|
| 28 | 28 | | 6-48.1-1. Short title. 5 |
|---|
| 29 | 29 | | This chapter shall be known and may be cited as the "Rhode Island Data Transparency and 6 |
|---|
| 30 | 30 | | Privacy Protection Act." 7 |
|---|
| 31 | 31 | | 6-48.1-2. Legislative findings. 8 |
|---|
| 32 | 32 | | The general assembly hereby finds and declares that: 9 |
|---|
| 33 | 33 | | (1) The right to privacy is a personal and fundamental right protected by the United States 10 |
|---|
| 34 | 34 | | Constitution. As such, all individuals have a right to privacy in information pertaining to them. This 11 |
|---|
| 35 | 35 | | state recognizes the importance of providing consumers with transparency about how their 12 |
|---|
| 36 | 36 | | personally identifiable information, especially information relating to their children, is shared by 13 |
|---|
| 37 | 37 | | businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their 14 |
|---|
| 38 | 38 | | families from cyber-crimes and identity thieves. 15 |
|---|
| 39 | 39 | | (2) Furthermore, for free market forces to have a role in shaping the privacy practices and 16 |
|---|
| 40 | 40 | | for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed 17 |
|---|
| 41 | 41 | | that a business might share personally identifiable information with third parties (as that term is 18 |
|---|
| 42 | 42 | | |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | LC000589 - Page 2 of 6 |
|---|
| 45 | 45 | | hereinafter defined). Consumers must be better informed about what kinds of personally 1 |
|---|
| 46 | 46 | | identifiable information is shared with other businesses. With these specifics, consumers can 2 |
|---|
| 47 | 47 | | knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose (as that term is 3 |
|---|
| 48 | 48 | | hereinafter defined) personally identifiable information to third parties on the basis of how 4 |
|---|
| 49 | 49 | | protective the business is of consumers' privacy. 5 |
|---|
| 50 | 50 | | (3) Businesses are now collecting personally identifiable information and disclosing it in 6 |
|---|
| 51 | 51 | | ways not contemplated or properly covered by the current law. Some websites are installing 7 |
|---|
| 52 | 52 | | tracking tools that record when consumers visit webpages, and sending personally identifiable 8 |
|---|
| 53 | 53 | | information, such as age, gender, race, income, health concerns, religion, and recent purchases to 9 |
|---|
| 54 | 54 | | third-party marketers and data brokers. Third-party data broker companies are buying and 10 |
|---|
| 55 | 55 | | disclosing personally identifiable information obtained from mobile phones, financial institutions, 11 |
|---|
| 56 | 56 | | social media sites, and other online and brick and mortar companies. Some mobile applications are 12 |
|---|
| 57 | 57 | | sharing personally identifiable information, such as location information, unique phone 13 |
|---|
| 58 | 58 | | identification numbers, age, gender, and other personal details with third-party companies. 14 |
|---|
| 59 | 59 | | (4) As such, consumers need to know the ways that their personally identifiable 15 |
|---|
| 60 | 60 | | information is being collected by companies and then shared or sold to third parties in order to 16 |
|---|
| 61 | 61 | | properly protect their privacy, personal safety, and financial security. 17 |
|---|
| 62 | 62 | | 6-48.1-3. Definitions. 18 |
|---|
| 63 | 63 | | As used in this chapter: 19 |
|---|
| 64 | 64 | | (1) "Affiliate" means any entity that, directly or indirectly, controls, is controlled by, or is 20 |
|---|
| 65 | 65 | | under common control with, the entity that has disclosed personally identifiable information to it. 21 |
|---|
| 66 | 66 | | (2) "Customer" means an individual residing in this state who provides, either knowingly 22 |
|---|
| 67 | 67 | | or unknowingly, personally identifiable information to any entity, with or without an exchange of 23 |
|---|
| 68 | 68 | | consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using 24 |
|---|
| 69 | 69 | | real or personal property, or any interest therein, or obtaining a product or service, including 25 |
|---|
| 70 | 70 | | advertising or any other content. 26 |
|---|
| 71 | 71 | | (3) "Disclose" means to sell, release, transfer, share, disseminate, make available, or 27 |
|---|
| 72 | 72 | | otherwise communicate orally, in writing, or by electronic means or any other means to any 28 |
|---|
| 73 | 73 | | individual or third party in exchange for anything of value. "Disclose" does not include the 29 |
|---|
| 74 | 74 | | following: 30 |
|---|
| 75 | 75 | | (i) Disclosure to an affiliate, provided that the affiliate does not disclose the personally 31 |
|---|
| 76 | 76 | | identifiable information to any third party; 32 |
|---|
| 77 | 77 | | (ii) Disclosure of personally identifiable information by any entity to a third party under a 33 |
|---|
| 78 | 78 | | written contract authorizing the third party to utilize the personally identifiable information to 34 |
|---|
| 79 | 79 | | |
|---|
| 80 | 80 | | |
|---|
| 81 | 81 | | LC000589 - Page 3 of 6 |
|---|
| 82 | 82 | | perform services on behalf of such entity, including maintaining or servicing accounts, providing 1 |
|---|
| 83 | 83 | | customer service, processing or fulfilling orders and transactions, verifying customer information, 2 |
|---|
| 84 | 84 | | processing payments, providing financing, or similar services, but only if: 3 |
|---|
| 85 | 85 | | (A) The contract prohibits the third party from using the personally identifiable information 4 |
|---|
| 86 | 86 | | for any reason other than performing the specified service or services on behalf of such entity and 5 |
|---|
| 87 | 87 | | from disclosing any such personally identifiable information to additional third parties; and 6 |
|---|
| 88 | 88 | | (B) The entity effectively enforces these prohibitions; 7 |
|---|
| 89 | 89 | | (iii) Disclosure of personally identifiable information by a business to a third party based 8 |
|---|
| 90 | 90 | | on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal 9 |
|---|
| 91 | 91 | | process, or court order; or 10 |
|---|
| 92 | 92 | | (iv) Disclosure of personally identifiable information by any entity to a third party that is 11 |
|---|
| 93 | 93 | | reasonably necessary to address fraud, security, or technical issues; to protect the disclosing entity's 12 |
|---|
| 94 | 94 | | rights or property; or to protect customers or the public from illegal activities as required or 13 |
|---|
| 95 | 95 | | permitted by law. 14 |
|---|
| 96 | 96 | | (4) "Operator" means any person or entity that owns a website located on the Internet or an 15 |
|---|
| 97 | 97 | | online service that collects and maintains personally identifiable information from a customer 16 |
|---|
| 98 | 98 | | residing in this state who uses or visits the website or online service if the website or online service 17 |
|---|
| 99 | 99 | | is operated for commercial purposes. It does not include any third party that operates, hosts, or 18 |
|---|
| 100 | 100 | | manages, but does not own, a website or online service on the owner's behalf or by processing 19 |
|---|
| 101 | 101 | | information on behalf of the owner. "Operator" does not include businesses having ten (10) or fewer 20 |
|---|
| 102 | 102 | | employees, or any third party that operates, hosts, or manages, but does not own, a website or online 21 |
|---|
| 103 | 103 | | service on the owner’s behalf or by processing information on behalf of the owner. 22 |
|---|
| 104 | 104 | | (5) "Personally identifiable information" or "personal information" means an individua l's 23 |
|---|
| 105 | 105 | | first name or first initial and last name in combination with any one or more of the following data 24 |
|---|
| 106 | 106 | | elements, when the name and the data elements are not either encrypted or utilizing a protocol that 25 |
|---|
| 107 | 107 | | provides a higher degree of security or are in hard copy, paper format: 26 |
|---|
| 108 | 108 | | (i) Social security number; 27 |
|---|
| 109 | 109 | | (ii) Driver's license number, passport number, Rhode Island identification card number, or 28 |
|---|
| 110 | 110 | | tribal identification number; 29 |
|---|
| 111 | 111 | | (iii) Account number, credit or debit card number, in combination with any required 30 |
|---|
| 112 | 112 | | security code, access code, password, or personal identification number, that would permit access 31 |
|---|
| 113 | 113 | | to an individual's financial account; 32 |
|---|
| 114 | 114 | | (iv) Medical or health insurance information; 33 |
|---|
| 115 | 115 | | (v) Email address with any required security code, access code, or password that would 34 |
|---|
| 116 | 116 | | |
|---|
| 117 | 117 | | |
|---|
| 118 | 118 | | LC000589 - Page 4 of 6 |
|---|
| 119 | 119 | | permit access to an individual's personal, medical, insurance, or financial account; or 1 |
|---|
| 120 | 120 | | (vi) Biometric data. 2 |
|---|
| 121 | 121 | | (6) "Third party" means any entity that is a separate legal entity from the entity that has 3 |
|---|
| 122 | 122 | | disclosed the personally identifiable information; provided, however, that an affiliate of the entity 4 |
|---|
| 123 | 123 | | that has disclosed the personally identifiable information shall not be considered a third party. 5 |
|---|
| 124 | 124 | | 6-48.1-4. Information sharing practices. 6 |
|---|
| 125 | 125 | | (a) An operator of a commercial website or online service that collects, stores and sells 7 |
|---|
| 126 | 126 | | categories of personally identifiable information through the Internet about individual customers 8 |
|---|
| 127 | 127 | | residing in this state who use or visit its commercial website or online service shall, in its customer 9 |
|---|
| 128 | 128 | | agreement or incorporated addendum or in another conspicuous location on its website or online 10 |
|---|
| 129 | 129 | | service platform where similar notices are customarily posted: 11 |
|---|
| 130 | 130 | | (1) Identify all categories of personally identifiable information that the operator collects 12 |
|---|
| 131 | 131 | | through the website or online service about individual customers who use or visit its commercial 13 |
|---|
| 132 | 132 | | website or online service; and 14 |
|---|
| 133 | 133 | | (2) Identify all third-party persons or entities with whom the operator may disclose that 15 |
|---|
| 134 | 134 | | personally identifiable information. 16 |
|---|
| 135 | 135 | | (b) Nothing in this chapter shall be construed to authorize the collection, storage or 17 |
|---|
| 136 | 136 | | disclosure of information or data that is otherwise prohibited, restricted or regulated by state or 18 |
|---|
| 137 | 137 | | federal law. 19 |
|---|
| 138 | 138 | | 6-48.1-5. Violations. 20 |
|---|
| 139 | 139 | | (a) A violation of this chapter constitutes a violation of the general regulatory provisions 21 |
|---|
| 140 | 140 | | of commercial law in title 6 and shall constitute a deceptive trade practice in violation of chapter 22 |
|---|
| 141 | 141 | | 13.1 of title 6; provided further, that in the event that any individual or entity intentionally discloses 23 |
|---|
| 142 | 142 | | personally identifiable information: 24 |
|---|
| 143 | 143 | | (1) To a shell company or any entity that has been formed or established solely, or in part, 25 |
|---|
| 144 | 144 | | for the purposes of circumventing the intent of this chapter; 26 |
|---|
| 145 | 145 | | (2) To any third party that is not exempt pursuant to § 6-48.1-3; or 27 |
|---|
| 146 | 146 | | (3) In violation of any provision of this chapter, that individual or entity shall pay a fine of 28 |
|---|
| 147 | 147 | | not less than one hundred dollars ($100) and no more than five hundred dollars ($500) for each 29 |
|---|
| 148 | 148 | | such disclosure. 30 |
|---|
| 149 | 149 | | (b) The office of the attorney general shall have sole enforcement authority of the 31 |
|---|
| 150 | 150 | | provisions of this chapter and may enforce a violation of this chapter pursuant to: 32 |
|---|
| 151 | 151 | | (1) The provisions of this section; or 33 |
|---|
| 152 | 152 | | (2) General regulatory provisions of commercial law in title 6, or both. 34 |
|---|
| 153 | 153 | | |
|---|
| 154 | 154 | | |
|---|
| 155 | 155 | | LC000589 - Page 5 of 6 |
|---|
| 156 | 156 | | (c) Nothing in this section shall be construed to authorize any private right of action to 1 |
|---|
| 157 | 157 | | enforce any provision of this chapter, any regulation hereunder, or any other provisions of 2 |
|---|
| 158 | 158 | | commercial law in title 6. 3 |
|---|
| 159 | 159 | | 6-48.1-6. Waivers -- Severability. 4 |
|---|
| 160 | 160 | | Any waiver of the provisions of this chapter shall be void and unenforceable. If any 5 |
|---|
| 161 | 161 | | provision of this chapter or its application to any person or circumstance is held invalid by a court 6 |
|---|
| 162 | 162 | | of competent jurisdiction, the invalidity shall not affect other provisions of applications of the 7 |
|---|
| 163 | 163 | | chapter that can be given effect without the invalid provision or application, and to this end the 8 |
|---|
| 164 | 164 | | provisions of the chapter are severable. 9 |
|---|
| 165 | 165 | | 6-48.1-7. Construction. 10 |
|---|
| 166 | 166 | | (a) Nothing in this chapter shall be deemed to apply in any manner to a financial institution 11 |
|---|
| 167 | 167 | | or an affiliate of a financial institution subject to Title V of the Federal Gramm-Leach-Bliley Act 12 |
|---|
| 168 | 168 | | 15 U.S.C. § 6801 et seq. and its implementing regulations, or to information or data subject to the 13 |
|---|
| 169 | 169 | | Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. 104-191; provided, 14 |
|---|
| 170 | 170 | | however, no entity or individual shall be exempt from the provisions of this chapter. 15 |
|---|
| 171 | 171 | | (b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or 16 |
|---|
| 172 | 172 | | agent of a state agency or local unit of government when working for that state agency or local unit 17 |
|---|
| 173 | 173 | | of government. 18 |
|---|
| 174 | 174 | | (c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-19 |
|---|
| 175 | 175 | | exempt organization under the Internal Revenue Code. 20 |
|---|
| 176 | 176 | | (d) Nothing in this chapter shall be construed to mandate and/or require the retention or 21 |
|---|
| 177 | 177 | | disclosure of any specific individual's personally identifiable information. 22 |
|---|
| 178 | 178 | | (e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product 23 |
|---|
| 179 | 179 | | sales summaries or statistical information or aggregate customer data which may include personally 24 |
|---|
| 180 | 180 | | identifiable information. 25 |
|---|
| 181 | 181 | | (f) Nothing in this chapter shall be construed to apply to any personally identifiable 26 |
|---|
| 182 | 182 | | information or any other information collected, used, processed, or disclosed by or for a consumer 27 |
|---|
| 183 | 183 | | reporting agency as defined by 15 U.S.C. § 1681a(f). 28 |
|---|
| 184 | 184 | | SECTION 2. This act shall take effect on January 1, 2024. 29 |
|---|
| 185 | 185 | | ======== |
|---|
| 186 | 186 | | LC000589 |
|---|
| 187 | 187 | | ======== |
|---|
| 188 | 188 | | |
|---|
| 189 | 189 | | |
|---|
| 190 | 190 | | LC000589 - Page 6 of 6 |
|---|
| 191 | 191 | | EXPLANATION |
|---|
| 192 | 192 | | BY THE LEGISLATIVE COUNCIL |
|---|
| 193 | 193 | | OF |
|---|
| 194 | 194 | | A N A C T |
|---|
| 195 | 195 | | RELATING TO COMMERCI AL LAW--GENERAL REGULATORY P ROVISIONS -- RHODE |
|---|
| 196 | 196 | | ISLAND DATA TRANSPAR ENCY AND PRIVACY PRO TECTION ACT |
|---|
| 197 | 197 | | *** |
|---|
| 198 | 198 | | This act would require online service providers and commercial websites that collect, store 1 |
|---|
| 199 | 199 | | and sell personally identifiable information to disclose what categories of personally identifiable 2 |
|---|
| 200 | 200 | | information they collect and to what third parties they sell the information. This act would not 3 |
|---|
| 201 | 201 | | prohibit the collection or sale of personally identifiable information and would not require the 4 |
|---|
| 202 | 202 | | retention or disclosure of personally identifiable information by online service providers or 5 |
|---|
| 203 | 203 | | commercial websites. Any intentional disclosure of personal information in violation of the 6 |
|---|
| 204 | 204 | | provisions of this act would be punishable by a fine of not less than one hundred dollars ($100) nor 7 |
|---|
| 205 | 205 | | more than five hundred dollars ($500) per disclosure with sole enforcement of its provisions vested 8 |
|---|
| 206 | 206 | | in the department of the attorney general. 9 |
|---|
| 207 | 207 | | This act would take effect on January 1, 2024. 10 |
|---|
| 208 | 208 | | ======== |
|---|
| 209 | 209 | | LC000589 |
|---|
| 210 | 210 | | ======== |
|---|