| 1 | 1 | | |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | 2025 -- H 5830 |
|---|
| 6 | 6 | | ======== |
|---|
| 7 | 7 | | LC001708 |
|---|
| 8 | 8 | | ======== |
|---|
| 9 | 9 | | S T A T E O F R H O D E I S L A N D |
|---|
| 10 | 10 | | IN GENERAL ASSEMBLY |
|---|
| 11 | 11 | | JANUARY SESSION, A.D. 2025 |
|---|
| 12 | 12 | | ____________ |
|---|
| 13 | 13 | | |
|---|
| 14 | 14 | | A N A C T |
|---|
| 15 | 15 | | RELATING TO COMMERCI AL LAW -- GENERAL REGULATORY PROVISION S -- AGE- |
|---|
| 16 | 16 | | APPROPRIATE DESIGN CODE |
|---|
| 17 | 17 | | Introduced By: Representatives Cotter, Spears, McGaw, Carson, Chippendale, Tanzi, |
|---|
| 18 | 18 | | Caldwell, Kislak, McNamara, and Hopkins |
|---|
| 19 | 19 | | Date Introduced: February 28, 2025 |
|---|
| 20 | 20 | | Referred To: House Corporations |
|---|
| 21 | 21 | | |
|---|
| 22 | 22 | | |
|---|
| 23 | 23 | | It is enacted by the General Assembly as follows: |
|---|
| 24 | 24 | | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL 1 |
|---|
| 25 | 25 | | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: 2 |
|---|
| 26 | 26 | | CHAPTER 48.2 3 |
|---|
| 27 | 27 | | AGE-APPROPRIATE DESIGN CODE 4 |
|---|
| 28 | 28 | | 6-48.2-1. Definitions. 5 |
|---|
| 29 | 29 | | As used in this chapter the following words have the following meanings: 6 |
|---|
| 30 | 30 | | (1) "Actual knowledge" or "known" means a covered entity knows that a consumer is a 7 |
|---|
| 31 | 31 | | child based upon: 8 |
|---|
| 32 | 32 | | (i) The self-identified age provided by the minor, an age provided by a third party, or an 9 |
|---|
| 33 | 33 | | age or closely related proxy that the covered entity knows or has associated with, attributed to or 10 |
|---|
| 34 | 34 | | derived or inferred for the consumer, including for the purposes of advertising, marketing or 11 |
|---|
| 35 | 35 | | product development; or 12 |
|---|
| 36 | 36 | | (ii) The consumer's use of an online feature, product or service or a portion of such an 13 |
|---|
| 37 | 37 | | online feature, product or service that is directed to children. 14 |
|---|
| 38 | 38 | | (2) "Affiliate" has the same meaning as provided in § 6-48.1-2. 15 |
|---|
| 39 | 39 | | (3) "Child" means an individual who is under eighteen (18) years of age. 16 |
|---|
| 40 | 40 | | (4) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any 17 |
|---|
| 41 | 41 | | personal data pertaining to a consumer by any means, including receiving data from the consumer, 18 |
|---|
| 42 | 42 | | |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | LC001708 - Page 2 of 11 |
|---|
| 45 | 45 | | either actively or passively, or by observing the consumer’s behavior. 1 |
|---|
| 46 | 46 | | (5) "Common branding" means a shared name, service mark, or trademark that the average 2 |
|---|
| 47 | 47 | | consumer would understand that two (2) or more entities are commonly owned. For purposes of 3 |
|---|
| 48 | 48 | | this chapter, for a joint venture or partnership composed of covered entities in which each covered 4 |
|---|
| 49 | 49 | | entity has at least a forty percent (40%) interest, the joint venture or partnership and each covered 5 |
|---|
| 50 | 50 | | entity that composes the joint venture or partnership shall separately be considered a single covered 6 |
|---|
| 51 | 51 | | entity, except that personal data in the possession of each covered entity and disclosed to the joint 7 |
|---|
| 52 | 52 | | venture or partnership shall not be shared with the other covered entity. 8 |
|---|
| 53 | 53 | | (6) "Consumer" means a natural person who is a Rhode Island resident, however identified, 9 |
|---|
| 54 | 54 | | including by any unique identifier. 10 |
|---|
| 55 | 55 | | (7) "Covered entity" means: 11 |
|---|
| 56 | 56 | | (i) A sole proprietorship, partnership, limited liability company, corporation, association, 12 |
|---|
| 57 | 57 | | or other legal entity that is organized or operated for the profit or financial benefit of its shareholders 13 |
|---|
| 58 | 58 | | or other owners engaged in an activity pursuant to the provisions of § 6-48.2-2; 14 |
|---|
| 59 | 59 | | (ii) An affiliate of a covered entity that shares common branding with the covered entity. 15 |
|---|
| 60 | 60 | | (8) "Dark pattern" means a user interface designed or manipulated with the purpose of 16 |
|---|
| 61 | 61 | | subverting or impairing user autonomy, decision making, or choice. 17 |
|---|
| 62 | 62 | | (9) "Default" means a preselected option adopted by the covered entity for the online 18 |
|---|
| 63 | 63 | | service, product, or feature. 19 |
|---|
| 64 | 64 | | (10) "Deidentified" means data that cannot reasonably be used to infer information about, 20 |
|---|
| 65 | 65 | | or otherwise be linked to, an identified or identifiable consumer, or a device linked to such 21 |
|---|
| 66 | 66 | | consumer; provided that, the covered entity that possesses the data: 22 |
|---|
| 67 | 67 | | (i) Takes reasonable measures to ensure that the data cannot be associated with a consumer; 23 |
|---|
| 68 | 68 | | (ii) Publicly commits to maintain and use the data only in a deidentified fashion and not 24 |
|---|
| 69 | 69 | | attempt to re-identify the data; and 25 |
|---|
| 70 | 70 | | (iii) Contractually obligates any recipients of the data to comply with all provisions of this 26 |
|---|
| 71 | 71 | | chapter. 27 |
|---|
| 72 | 72 | | (11) "Derived data" means data that is created by the derivation of information, data, 28 |
|---|
| 73 | 73 | | assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another 29 |
|---|
| 74 | 74 | | source of information or data about a known child or a child’s device. 30 |
|---|
| 75 | 75 | | (12) "Online service, product, or feature" means access to various types of data on the 31 |
|---|
| 76 | 76 | | Internet, including banking, education, entertainment, news, shopping and commercial services. 32 |
|---|
| 77 | 77 | | "Online service, product, or feature" does not mean any of the following: 33 |
|---|
| 78 | 78 | | (i) "Telecommunications service," as defined in 47 U.S.C. § 153; 34 |
|---|
| 79 | 79 | | |
|---|
| 80 | 80 | | |
|---|
| 81 | 81 | | LC001708 - Page 3 of 11 |
|---|
| 82 | 82 | | (ii) A broadband Internet access service; or 1 |
|---|
| 83 | 83 | | (iii) The sale, delivery, or use of a physical product. 2 |
|---|
| 84 | 84 | | (13) "Personal data" means any information, including derived data, that is linked or 3 |
|---|
| 85 | 85 | | reasonably linkable, alone or in combination with other information, to an identified or identifiable 4 |
|---|
| 86 | 86 | | consumer. Personal data does not include deidentified data or publicly available information. 5 |
|---|
| 87 | 87 | | (14) "Publicly available information" means information that either: 6 |
|---|
| 88 | 88 | | (i) Is made available from federal, state, or local government records or widely distributed 7 |
|---|
| 89 | 89 | | media; or 8 |
|---|
| 90 | 90 | | (ii) A covered entity has a reasonable basis to believe a consumer has lawfully made 9 |
|---|
| 91 | 91 | | available to the public such that the consumer no longer has a reasonable expectation of privacy in 10 |
|---|
| 92 | 92 | | the information. 11 |
|---|
| 93 | 93 | | (15) "Precise geolocation" means any data that is derived from a device and that is used or 12 |
|---|
| 94 | 94 | | intended to be used to locate a consumer within a geographic area that is equal to or less than the 13 |
|---|
| 95 | 95 | | area of a circle with a radius of one thousand eight hundred fifty feet (1,850'). 14 |
|---|
| 96 | 96 | | (16) "Process" or "processing" means to conduct or direct any operation or set of operations 15 |
|---|
| 97 | 97 | | performed, whether by manual or automated means, on personal data or on sets of personal data, 16 |
|---|
| 98 | 98 | | such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise 17 |
|---|
| 99 | 99 | | handling of personal data. 18 |
|---|
| 100 | 100 | | (17) "Product experimentation results" means the data that companies collect to understand 19 |
|---|
| 101 | 101 | | the experimental impact of their products. 20 |
|---|
| 102 | 102 | | (18) "Profile" or "profiling" means any form of automated processing of personal data to 21 |
|---|
| 103 | 103 | | evaluate, analyze, or predict personal aspects concerning an identified or identifiable consumer’s 22 |
|---|
| 104 | 104 | | economic situation, health, personal preferences, interests, reliability, behavior, location, or 23 |
|---|
| 105 | 105 | | movements. "Profiling" does not include the processing of information that does not result in an 24 |
|---|
| 106 | 106 | | assessment or judgment about a consumer. 25 |
|---|
| 107 | 107 | | (19) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other 26 |
|---|
| 108 | 108 | | valuable consideration by a covered entity to a third party. It does not include the following: 27 |
|---|
| 109 | 109 | | (i) The disclosure of personal data to a third party who processes the personal data on behalf 28 |
|---|
| 110 | 110 | | of the covered entity; 29 |
|---|
| 111 | 111 | | (ii) The disclosure of personal data to a third party with whom the consumer has a direct 30 |
|---|
| 112 | 112 | | relationship for purposes of providing a product or service requested by the consumer; 31 |
|---|
| 113 | 113 | | (iii) The disclosure or transfer of personal data to an affiliate of the covered entity; 32 |
|---|
| 114 | 114 | | (iv) The disclosure of data that the consumer intentionally made available to the general 33 |
|---|
| 115 | 115 | | public such that the consumer no longer maintains a reasonable expectation of privacy in the data; 34 |
|---|
| 116 | 116 | | |
|---|
| 117 | 117 | | |
|---|
| 118 | 118 | | LC001708 - Page 4 of 11 |
|---|
| 119 | 119 | | or 1 |
|---|
| 120 | 120 | | (v) The disclosure or transfer of personal data to a third party as an asset that is part of a 2 |
|---|
| 121 | 121 | | completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party 3 |
|---|
| 122 | 122 | | assumes control of all or part of the covered entity’s assets, provided the consumer has the 4 |
|---|
| 123 | 123 | | opportunity to opt out of the transfer. 5 |
|---|
| 124 | 124 | | (20) "Share" means sharing, renting, releasing, disclosing, disseminating, making 6 |
|---|
| 125 | 125 | | available, transferring, or otherwise communicating orally, in writing, or by electronic or other 7 |
|---|
| 126 | 126 | | means a consumer’s personal data by the covered entity to a third party for cross-context behavioral 8 |
|---|
| 127 | 127 | | advertising, whether or not for monetary or other valuable consideration, including transactions 9 |
|---|
| 128 | 128 | | between a covered entity and a third party for cross-context behavioral advertising for the benefit 10 |
|---|
| 129 | 129 | | of a covered entity in which no money is exchanged. 11 |
|---|
| 130 | 130 | | (21) "Third party" means a natural or legal person, public authority, agency, or body, other 12 |
|---|
| 131 | 131 | | than the consumer or the covered entity. 13 |
|---|
| 132 | 132 | | 6-48.2-2. Scope - Exclusions. 14 |
|---|
| 133 | 133 | | (a) An entity is considered a covered entity for the purposes of this chapter if the entity: 15 |
|---|
| 134 | 134 | | (1) Collects consumers’ personal data or has individuals’ personal data collected on the 16 |
|---|
| 135 | 135 | | entity's behalf by a third party; 17 |
|---|
| 136 | 136 | | (2) Alone or jointly with others, determines the purposes and means of the processing of 18 |
|---|
| 137 | 137 | | individuals’ personal data; 19 |
|---|
| 138 | 138 | | (3) Operates in Rhode Island; and 20 |
|---|
| 139 | 139 | | (4) Satisfies one or more of the following thresholds: 21 |
|---|
| 140 | 140 | | (i) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as 22 |
|---|
| 141 | 141 | | adjusted every odd-numbered year to reflect the Consumer Price Index; 23 |
|---|
| 142 | 142 | | (ii) Alone or in combination, annually buys, receives for the covered entity’s commercial 24 |
|---|
| 143 | 143 | | purposes, sells, or shares for commercial purposes, alone or in combination, the personal data of 25 |
|---|
| 144 | 144 | | fifty thousand (50,000) or more individuals, households, or devices; or 26 |
|---|
| 145 | 145 | | (iii) Derives fifty percent (50%) or more of its annual revenues from selling individuals’ 27 |
|---|
| 146 | 146 | | personal data. 28 |
|---|
| 147 | 147 | | (b) This chapter shall not apply to: 29 |
|---|
| 148 | 148 | | (1) Protected health information that is collected by a covered entity or covered entity 30 |
|---|
| 149 | 149 | | associate governed by the privacy, security, and breach notification rules issued by the U.S. 31 |
|---|
| 150 | 150 | | Department of Health and Human Services, 45 C.F.R. Parts 160 and 164; 32 |
|---|
| 151 | 151 | | (2) A covered entity governed by the privacy, security, and breach notification rules issued 33 |
|---|
| 152 | 152 | | by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, to the extent 34 |
|---|
| 153 | 153 | | |
|---|
| 154 | 154 | | |
|---|
| 155 | 155 | | LC001708 - Page 5 of 11 |
|---|
| 156 | 156 | | the provider or covered entity maintains patient information in the same manner as medical 1 |
|---|
| 157 | 157 | | information or protected health information as described in subsection (b)(1) of this section; and 2 |
|---|
| 158 | 158 | | (3) Information collected as part of a clinical trial subject to the federal Policy for the 3 |
|---|
| 159 | 159 | | Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice 4 |
|---|
| 160 | 160 | | guidelines issued by the International Council for Harmonisation of Technical Requirements for 5 |
|---|
| 161 | 161 | | Pharmaceuticals for Human Use or pursuant to human subject protection requirements of the U.S. 6 |
|---|
| 162 | 162 | | Food and Drug Administration. 7 |
|---|
| 163 | 163 | | (c) Nothing in this chapter shall be interpreted to interfere with any obligation or 8 |
|---|
| 164 | 164 | | requirement under chapter 48.1 of title 6. The covered entity authorized pursuant to § 6-48.1-4 9 |
|---|
| 165 | 165 | | regarding sensitive data concerning known children shall have no additional obligation pursuant to 10 |
|---|
| 166 | 166 | | this chapter. 11 |
|---|
| 167 | 167 | | 6-48.2-3. Heightened risk of harm to children -- Presumption -- Definitions. 12 |
|---|
| 168 | 168 | | (a) Each covered entity that offers any online service, product or feature to a consumer 13 |
|---|
| 169 | 169 | | whom such covered entity has actual knowledge, or willfully disregards is a child shall use 14 |
|---|
| 170 | 170 | | reasonable care to avoid any heightened risk of harm to children caused by such online service, 15 |
|---|
| 171 | 171 | | product or feature. In any enforcement action brought by the attorney general pursuant to § 6-48.2-16 |
|---|
| 172 | 172 | | 7, there shall be a rebuttable presumption that a covered entity used reasonable care as required 17 |
|---|
| 173 | 173 | | under this section if the covered entity complied with the provisions of § 6-48.2-4 concerning data 18 |
|---|
| 174 | 174 | | protection assessments. 19 |
|---|
| 175 | 175 | | (b) As used in this chapter, “heightened risk of harm to children” means processing known 20 |
|---|
| 176 | 176 | | children’s personal data in a manner that presents any reasonably foreseeable risk of: 21 |
|---|
| 177 | 177 | | (1) Any unfair or deceptive treatment of, or any unlawful disparate impact on, children; 22 |
|---|
| 178 | 178 | | (2) Any financial or reputational injury to children; 23 |
|---|
| 179 | 179 | | (3) Any physical or other intrusion upon the solitude or seclusion, or the private affairs or 24 |
|---|
| 180 | 180 | | concerns, of children if such intrusion would be highly offensive to a reasonable person; or 25 |
|---|
| 181 | 181 | | (4) Discrimination against the child based upon race, color, religion, national origin, 26 |
|---|
| 182 | 182 | | disability, sex, sexual orientation, or gender identity or expression. 27 |
|---|
| 183 | 183 | | 6-48.2-4. Covered entity obligations. 28 |
|---|
| 184 | 184 | | (a) A covered entity subject to this chapter shall: 29 |
|---|
| 185 | 185 | | (1) Complete a data protection impact assessment for an online service, product, or feature 30 |
|---|
| 186 | 186 | | that is reasonably likely to be accessed by children and maintain documentation of the data 31 |
|---|
| 187 | 187 | | protection impact assessment for as long as the online service, product, or feature is reasonably 32 |
|---|
| 188 | 188 | | known to be used by children. The data protection impact assessment shall consist of a systematic 33 |
|---|
| 189 | 189 | | survey to assess compliance with the duty to use reasonable care to avoid any heightened risk of 34 |
|---|
| 190 | 190 | | |
|---|
| 191 | 191 | | |
|---|
| 192 | 192 | | LC001708 - Page 6 of 11 |
|---|
| 193 | 193 | | harm to known children and shall include a plan to ensure that all online products, services, or 1 |
|---|
| 194 | 194 | | features provided by the covered entity and known to be used by children are designed and offered 2 |
|---|
| 195 | 195 | | in a manner consistent with the duty to use reasonable care to avoid any heightened risk of harm to 3 |
|---|
| 196 | 196 | | known children. The plan shall include a description of steps the covered entity has taken and shall 4 |
|---|
| 197 | 197 | | take to comply with the duty to use reasonable care to avoid any heightened risk of harm to known 5 |
|---|
| 198 | 198 | | children. 6 |
|---|
| 199 | 199 | | (2) Review and modify all data protection impact assessments as necessary to account for 7 |
|---|
| 200 | 200 | | material changes to processing pertaining to the online service, product, or feature within ninety 8 |
|---|
| 201 | 201 | | (90) days after any material changes. 9 |
|---|
| 202 | 202 | | (3) Within five (5) days after receipt of a written request by the attorney general, provide 10 |
|---|
| 203 | 203 | | to the attorney general a list of all data protection impact assessments the covered entity has 11 |
|---|
| 204 | 204 | | completed. 12 |
|---|
| 205 | 205 | | (4) Within seven (7) days after receipt of a written request by the attorney general, provide 13 |
|---|
| 206 | 206 | | the attorney general with a copy of a data protection impact assessment; provided that, the attorney 14 |
|---|
| 207 | 207 | | general may, in the attorney general’s discretion, extend beyond seven (7) days the amount of time 15 |
|---|
| 208 | 208 | | allowed for a covered entity to produce a data protection impact assessment. 16 |
|---|
| 209 | 209 | | (5) Configure all default privacy settings provided to known children by the online service, 17 |
|---|
| 210 | 210 | | product, or feature to settings that offer a high level of privacy, unless the covered entity can 18 |
|---|
| 211 | 211 | | demonstrate a compelling reason that a different setting is consistent with the duty to use reasonable 19 |
|---|
| 212 | 212 | | care to avoid any heightened risk of harm to children, as defined pursuant to the provisions of § 6-20 |
|---|
| 213 | 213 | | 48.2-3(b). 21 |
|---|
| 214 | 214 | | (6) Provide any privacy information, terms of service, policies, and community standards 22 |
|---|
| 215 | 215 | | concisely, prominently, and using clear language suited to the age of children known to access that 23 |
|---|
| 216 | 216 | | online service, product, or feature. 24 |
|---|
| 217 | 217 | | (7) Provide prominent, accessible, and responsive tools to assist known children in a form 25 |
|---|
| 218 | 218 | | or manner required by the general attorney, or, if applicable, their parents or guardians, in the 26 |
|---|
| 219 | 219 | | exercise of their privacy rights and to report concerns. 27 |
|---|
| 220 | 220 | | (b) A data protection impact assessment required by this section shall: 28 |
|---|
| 221 | 221 | | (1) Identify the purpose of the online service, product, or feature; 29 |
|---|
| 222 | 222 | | (2) Disclose how it uses children’s personal data; and 30 |
|---|
| 223 | 223 | | (3) Determine whether the online service, product, or feature is designed and offered in a 31 |
|---|
| 224 | 224 | | manner consistent with the duty to use reasonable care to avoid any heightened risk of harm to 32 |
|---|
| 225 | 225 | | children and: 33 |
|---|
| 226 | 226 | | (i) Whether the design of the online service, product, or feature is reasonably expected to 34 |
|---|
| 227 | 227 | | |
|---|
| 228 | 228 | | |
|---|
| 229 | 229 | | LC001708 - Page 7 of 11 |
|---|
| 230 | 230 | | allow known children to be party to or exploited by a contract on the online service, product, or 1 |
|---|
| 231 | 231 | | feature that would result in reasonably foreseeable and material financial harm to the child; a highly 2 |
|---|
| 232 | 232 | | offensive intrusion on the reasonable privacy expectations of the child; or discrimination against 3 |
|---|
| 233 | 233 | | the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or 4 |
|---|
| 234 | 234 | | gender identity or expression; 5 |
|---|
| 235 | 235 | | (ii) Whether targeted advertising systems used by the online service, product, or feature 6 |
|---|
| 236 | 236 | | would result in reasonably foreseeable and material financial harm to the known child; a highly 7 |
|---|
| 237 | 237 | | offensive intrusion on the reasonable privacy expectations of the child; or discrimination against 8 |
|---|
| 238 | 238 | | the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or 9 |
|---|
| 239 | 239 | | gender identity or expression; 10 |
|---|
| 240 | 240 | | (iii) Whether the online service, product, or feature uses system design features to increase, 11 |
|---|
| 241 | 241 | | sustain, or extend use of the online service, product, or feature by known children, including the 12 |
|---|
| 242 | 242 | | automatic playing of media, rewards for time spent, and notifications, that would result in 13 |
|---|
| 243 | 243 | | reasonably foreseeable and material financial harm to the child or a highly offensive intrusion on 14 |
|---|
| 244 | 244 | | the reasonable privacy expectations of the child; or discrimination against the child based upon 15 |
|---|
| 245 | 245 | | race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or 16 |
|---|
| 246 | 246 | | expression; 17 |
|---|
| 247 | 247 | | (iv) Whether, how, and for what purpose the online product, service, or feature collects or 18 |
|---|
| 248 | 248 | | processes personal data of known children and whether those practices would result in reasonably 19 |
|---|
| 249 | 249 | | foreseeable and material financial harm to the child; a highly offensive intrusion on the reasonable 20 |
|---|
| 250 | 250 | | privacy expectations of the child; or discrimination against the child based upon race, color, 21 |
|---|
| 251 | 251 | | religion, national origin, disability, sex, sexual orientation, or gender identity or expression; and 22 |
|---|
| 252 | 252 | | (v) Whether and how product experimentation results for the online product, service, or 23 |
|---|
| 253 | 253 | | feature reveal data management or design practices that would result in reasonably foreseeable and 24 |
|---|
| 254 | 254 | | material financial harm to the known child; a highly offensive intrusion on the reasonable privacy 25 |
|---|
| 255 | 255 | | expectations of the child; or discrimination against the child based upon race, color, religion, 26 |
|---|
| 256 | 256 | | national origin, disability, sex, sexual orientation, or gender identity or expression. 27 |
|---|
| 257 | 257 | | (c) A data protection impact assessment conducted by a covered entity for the purpose of 28 |
|---|
| 258 | 258 | | compliance with any other law may be utilized to comply with the provisions of this chapter if the 29 |
|---|
| 259 | 259 | | data protection impact assessment meets the requirements of this chapter. 30 |
|---|
| 260 | 260 | | (d) A single data protection impact assessment may contain multiple similar processing 31 |
|---|
| 261 | 261 | | operations that present similar risk only if each relevant online service, product, or feature is 32 |
|---|
| 262 | 262 | | addressed separately. 33 |
|---|
| 263 | 263 | | (e) A covered entity may process only the personal data reasonably necessary to provide 34 |
|---|
| 264 | 264 | | |
|---|
| 265 | 265 | | |
|---|
| 266 | 266 | | LC001708 - Page 8 of 11 |
|---|
| 267 | 267 | | an online service, product, or feature with which a child is actively and knowingly engaged to 1 |
|---|
| 268 | 268 | | estimate age. 2 |
|---|
| 269 | 269 | | (f) A data protection impact assessment created pursuant to this section is exempt from 3 |
|---|
| 270 | 270 | | public disclosure and to the extent required to be disclosed to public officials shall not constitute a 4 |
|---|
| 271 | 271 | | public record pursuant to the provisions of chapter 2 of title 38 (“access to public records”). 5 |
|---|
| 272 | 272 | | 6-48.2-5. Covered entity prohibitions. 6 |
|---|
| 273 | 273 | | A covered entity that provides an online service, product, or feature to known children shall 7 |
|---|
| 274 | 274 | | not: 8 |
|---|
| 275 | 275 | | (1) Process the personal data of any known child in a way that is inconsistent with the duty 9 |
|---|
| 276 | 276 | | to use reasonable care to avoid any heightened risk of harm to children, as defined pursuant to the 10 |
|---|
| 277 | 277 | | provisions of § 6-48.2-3(b); 11 |
|---|
| 278 | 278 | | (2) Profile a known child by default unless both of the following criteria are met: 12 |
|---|
| 279 | 279 | | (i) The covered entity can demonstrate it has appropriate safeguards in place to ensure that 13 |
|---|
| 280 | 280 | | profiling is consistent with the duty to use reasonable care to avoid any heightened risk of harm to 14 |
|---|
| 281 | 281 | | known children; and 15 |
|---|
| 282 | 282 | | (ii) Profiling is necessary to provide the online service, product, or feature requested and 16 |
|---|
| 283 | 283 | | only with respect to the aspects of the online service, product, or feature with which a known child 17 |
|---|
| 284 | 284 | | is actively and knowingly engaged; 18 |
|---|
| 285 | 285 | | (3) Process any personal data that is not reasonably necessary to provide an online service, 19 |
|---|
| 286 | 286 | | product, or feature with which a known child is actively and knowingly engaged; 20 |
|---|
| 287 | 287 | | (4) If the end user is a known child, process personal data for any reason other than a reason 21 |
|---|
| 288 | 288 | | for which that personal data was collected; 22 |
|---|
| 289 | 289 | | (5) Process any precise geolocation information of known children by default, unless the 23 |
|---|
| 290 | 290 | | collection of that precise geolocation information is strictly necessary for the covered entity to 24 |
|---|
| 291 | 291 | | provide the service, product, or feature requested and then only for the limited time that the 25 |
|---|
| 292 | 292 | | collection of precise geolocation information is necessary to provide the service, product, or 26 |
|---|
| 293 | 293 | | feature; 27 |
|---|
| 294 | 294 | | (6) Process any precise geolocation information of a known child without providing a 28 |
|---|
| 295 | 295 | | conspicuous sign to the child for the duration of that collection that precise geolocation information 29 |
|---|
| 296 | 296 | | is being collected; 30 |
|---|
| 297 | 297 | | (7) Use dark patterns to cause known children to provide personal data beyond what is 31 |
|---|
| 298 | 298 | | reasonably expected to provide that online service, product, or feature to forego privacy protections, 32 |
|---|
| 299 | 299 | | or to take any action that the covered entity knows, or has reason to know, is not consistent with 33 |
|---|
| 300 | 300 | | the duty to use reasonable care to avoid any heightened risk of harm to children; or 34 |
|---|
| 301 | 301 | | |
|---|
| 302 | 302 | | |
|---|
| 303 | 303 | | LC001708 - Page 9 of 11 |
|---|
| 304 | 304 | | (8) Allow a known child’s parent or any other consumer to monitor the child’s online 1 |
|---|
| 305 | 305 | | activity or track the child’s location, without providing a conspicuous signal to the child when the 2 |
|---|
| 306 | 306 | | child is being monitored or tracked. 3 |
|---|
| 307 | 307 | | 6-48.2-6. Impact assessments non-public information. 4 |
|---|
| 308 | 308 | | (a) A data protection impact assessment collected or maintained by the attorney general 5 |
|---|
| 309 | 309 | | pursuant to this chapter shall not be deemed public for purposes of chapter 2 of title 38 ("access to 6 |
|---|
| 310 | 310 | | public records"). 7 |
|---|
| 311 | 311 | | (b) To the extent any information contained in a data protection impact assessment 8 |
|---|
| 312 | 312 | | disclosed to the attorney general includes information subject to attorney-client privilege or work 9 |
|---|
| 313 | 313 | | product protection, disclosure pursuant to this chapter does not constitute a waiver of that privilege 10 |
|---|
| 314 | 314 | | or protection. 11 |
|---|
| 315 | 315 | | 6-48.2-7. Enforcement. 12 |
|---|
| 316 | 316 | | (a) The attorney general may seek the imposition of an injunction and a civil penalty of not 13 |
|---|
| 317 | 317 | | more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation 14 |
|---|
| 318 | 318 | | of this chapter, or not more than seven thousand five hundred dollars ($7,500) per affected child 15 |
|---|
| 319 | 319 | | for each intentional violation of this chapter, plus costs and reasonable attorneys’ fees for each 16 |
|---|
| 320 | 320 | | violation. 17 |
|---|
| 321 | 321 | | (b) Any penalties, fees, and expenses recovered in an action brought under this chapter 18 |
|---|
| 322 | 322 | | shall be deposited in a restricted receipt account and are to be appropriated to the attorney general 19 |
|---|
| 323 | 323 | | and utilized pursuant to the provisions of subsection (c) of this section. 20 |
|---|
| 324 | 324 | | (c) All fees collected by the office of the attorney general in accordance with subsection 21 |
|---|
| 325 | 325 | | (b) of this section shall be placed into a restricted receipt account to support the personnel costs, 22 |
|---|
| 326 | 326 | | operating costs and capital expenditure necessary to carry out the enforcement provisions of this 23 |
|---|
| 327 | 327 | | section; provided, however, that any fees charged shall be in addition to and not substituted for 24 |
|---|
| 328 | 328 | | funds appropriated for the office by the state or federal government. 25 |
|---|
| 329 | 329 | | (d) If a covered entity is in substantial compliance with the requirements of this chapter, 26 |
|---|
| 330 | 330 | | the attorney general shall, before initiating a civil action pursuant to the provisions of this chapter, 27 |
|---|
| 331 | 331 | | provide written notice to the covered entity identifying the specific provisions of this chapter that 28 |
|---|
| 332 | 332 | | the attorney general alleges have been or are being violated. If a covered entity satisfies the 29 |
|---|
| 333 | 333 | | provisions of § 6-48.2-4 before offering any new online product, service, or feature reasonably 30 |
|---|
| 334 | 334 | | likely to be accessed by children to the public, the covered entity shall have ninety (90) days to 31 |
|---|
| 335 | 335 | | fully comply with all provisions specified in the notice from the attorney general. If the covered 32 |
|---|
| 336 | 336 | | entity cures all noticed violations and provides the attorney general a written statement that the 33 |
|---|
| 337 | 337 | | alleged violations have been cured, and sufficient measures have been taken to prevent future 34 |
|---|
| 338 | 338 | | |
|---|
| 339 | 339 | | |
|---|
| 340 | 340 | | LC001708 - Page 10 of 11 |
|---|
| 341 | 341 | | violations, the covered entity shall not be liable for a civil penalty for any violation cured within 1 |
|---|
| 342 | 342 | | the ninety (90) day period. 2 |
|---|
| 343 | 343 | | (e) No individual entitlement or private right of action is created by this section. 3 |
|---|
| 344 | 344 | | SECTION 2. This act shall take effect on January 1, 2026. 4 |
|---|
| 345 | 345 | | ======== |
|---|
| 346 | 346 | | LC001708 |
|---|
| 347 | 347 | | ======== |
|---|
| 348 | 348 | | |
|---|
| 349 | 349 | | |
|---|
| 350 | 350 | | LC001708 - Page 11 of 11 |
|---|
| 351 | 351 | | EXPLANATION |
|---|
| 352 | 352 | | BY THE LEGISLATIVE COUNCIL |
|---|
| 353 | 353 | | OF |
|---|
| 354 | 354 | | A N A C T |
|---|
| 355 | 355 | | RELATING TO COMMERCI AL LAW -- GENERAL REGULATORY PROVISIONS -- AGE- |
|---|
| 356 | 356 | | APPROPRIATE DESIGN CODE |
|---|
| 357 | 357 | | *** |
|---|
| 358 | 358 | | This act would require that any covered entity that develops and provides online services, 1 |
|---|
| 359 | 359 | | products, or features that children are reasonably likely to access shall consider the best interest of 2 |
|---|
| 360 | 360 | | children when designing and developing such online service, product, or feature. The provisions of 3 |
|---|
| 361 | 361 | | this chapter may be enforced by the attorney general and violators are subject to civil penalties. 4 |
|---|
| 362 | 362 | | This act would take effect on January 1, 2026. 5 |
|---|
| 363 | 363 | | ======== |
|---|
| 364 | 364 | | LC001708 |
|---|
| 365 | 365 | | ======== |
|---|