2023 -- H 5354
======== LC000589 ========

STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2023
____________

AN ACT
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

Introduced By: Representatives Shanley, Carson, Edwards, Craven, Bennett, Cotter, Spears, Dawson, Vella-Wilkinson, and O'Brien
Date Introduced: February 03, 2023
Referred To: House Innovation, Internet, & Technology

It is enacted by the General Assembly as follows:

SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.1
RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

6-48.1-1. Short title.

This chapter shall be known and may be cited as the "Rhode Island Data Transparency and Privacy Protection Act."

6-48.1-2. Legislative findings.

The general assembly hereby finds and declares that:

(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This state recognizes the importance of providing consumers with transparency about how their personally identifiable information, especially information relating to their children, is shared by businesses. This transparency is crucial for Rhode Island citizens to protect themselves and their families from cyber-crimes and identity thieves.

(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personally identifiable information with third parties (as that term is hereinafter defined). Consumers must be better informed about what kinds of personally identifiable information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose (as that term is hereinafter defined) personally identifiable information to third parties on the basis of how protective the business is of consumers' privacy.

(3) Businesses are now collecting personally identifiable information and disclosing it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit webpages, and sending personally identifiable information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying and disclosing personally identifiable information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personally identifiable information, such as location information, unique phone identification numbers, age, gender, and other personal details with third-party companies.

(4) As such, consumers need to know the ways that their personally identifiable information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

6-48.1-3. Definitions.

As used in this chapter:

(1) "Affiliate" means any entity that, directly or indirectly, controls, is controlled by, or is under common control with, the entity that has disclosed personally identifiable information to it.
(2) "Customer" means an individual residing in this state who provides, either knowingly or unknowingly, personally identifiable information to any entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service, including advertising or any other content.

(3) "Disclose" means to sell, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic means or any other means to any individual or third party in exchange for anything of value. "Disclose" does not include the following:

(i) Disclosure to an affiliate, provided that the affiliate does not disclose the personally identifiable information to any third party;

(ii) Disclosure of personally identifiable information by any entity to a third party under a written contract authorizing the third party to utilize the personally identifiable information to perform services on behalf of such entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if:

(A) The contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service or services on behalf of such entity and from disclosing any such personally identifiable information to additional third parties; and

(B) The entity effectively enforces these prohibitions;

(iii) Disclosure of personally identifiable information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

(iv) Disclosure of personally identifiable information by any entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

(4) "Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in this state who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner. "Operator" does not include businesses having ten (10) or fewer employees, or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
(5) "Personally identifiable information" or "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not either encrypted or utilizing a protocol that provides a higher degree of security or are in hard copy, paper format:

(i) Social security number;

(ii) Driver's license number, passport number, Rhode Island identification card number, or tribal identification number;

(iii) Account number, credit or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account;

(iv) Medical or health insurance information;

(v) Email address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account; or

(vi) Biometric data.

(6) "Third party" means any entity that is a separate legal entity from the entity that has disclosed the personally identifiable information; provided, however, that an affiliate of the entity that has disclosed the personally identifiable information shall not be considered a third party.

6-48.1-4. Information sharing practices.
(a) An operator of a commercial website or online service that collects, stores and sells categories of personally identifiable information through the Internet about individual customers residing in this state who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted:

(1) Identify all categories of personally identifiable information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service; and

(2) Identify all third-party persons or entities with whom the operator may disclose that personally identifiable information.

(b) Nothing in this chapter shall be construed to authorize the collection, storage or disclosure of information or data that is otherwise prohibited, restricted or regulated by state or federal law.

6-48.1-5. Violations.

(a) A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in title 6 and shall constitute a deceptive trade practice in violation of chapter 13.1 of title 6; provided further, that in the event that any individual or entity intentionally discloses personally identifiable information:

(1) To a shell company or any entity that has been formed or established solely, or in part, for the purposes of circumventing the intent of this chapter;

(2) To any third party that is not exempt pursuant to § 6-48.1-3; or

(3) In violation of any provision of this chapter, that individual or entity shall pay a fine of not less than one hundred dollars ($100) and no more than five hundred dollars ($500) for each such disclosure.
(b) The office of the attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter pursuant to:

(1) The provisions of this section; or

(2) General regulatory provisions of commercial law in title 6, or both.

(c) Nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of commercial law in title 6.

6-48.1-6. Waivers -- Severability.

Any waiver of the provisions of this chapter shall be void and unenforceable. If any provision of this chapter or its application to any person or circumstance is held invalid by a court of competent jurisdiction, the invalidity shall not affect other provisions of applications of the chapter that can be given effect without the invalid provision or application, and to this end the provisions of the chapter are severable.

6-48.1-7. Construction.

(a) Nothing in this chapter shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution subject to Title V of the Federal Gramm-Leach-Bliley Act 15 U.S.C. § 6801 et seq. and its implementing regulations, or to information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. 104-191; provided, however, no entity or individual shall be exempt from the provisions of this chapter.

(b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

(c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code.
(d) Nothing in this chapter shall be construed to mandate and/or require the retention or disclosure of any specific individual's personally identifiable information.

(e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product sales summaries or statistical information or aggregate customer data which may include personally identifiable information.

(f) Nothing in this chapter shall be construed to apply to any personally identifiable information or any other information collected, used, processed, or disclosed by or for a consumer reporting agency as defined by 15 U.S.C. § 1681a(f).

SECTION 2. This act shall take effect on January 1, 2024.

EXPLANATION BY THE LEGISLATIVE COUNCIL OF

AN ACT
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT

***

This act would require online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information. This act would not prohibit the collection or sale of personally identifiable information and would not require the retention or disclosure of personally identifiable information by online service providers or commercial websites. Any intentional disclosure of personal information in violation of the provisions of this act would be punishable by a fine of not less than one hundred dollars ($100) nor more than five hundred dollars ($500) per disclosure with sole enforcement of its provisions vested in the department of the attorney general.

This act would take effect on January 1, 2024.