1 | 1 | | |
---|
2 | 2 | | |
---|
3 | 3 | | |
---|
4 | 4 | | |
---|
5 | 5 | | 2025 -- H 6062 |
---|
6 | 6 | | ======== |
---|
7 | 7 | | LC000982 |
---|
8 | 8 | | ======== |
---|
9 | 9 | | S T A T E O F R H O D E I S L A N D |
---|
10 | 10 | | IN GENERAL ASSEMBLY |
---|
11 | 11 | | JANUARY SESSION, A.D. 2025 |
---|
12 | 12 | | ____________ |
---|
13 | 13 | | |
---|
14 | 14 | | A N A C T |
---|
15 | 15 | | RELATING TO COMMERCI AL LAW--GENERAL REGULATORY PROVISION S -- |
---|
16 | 16 | | PRIVACY PROTECTIONS FOR LOCATION INFORMA TION DERIVED FROM |
---|
17 | 17 | | ELECTRONIC DEVICES |
---|
18 | 18 | | Introduced By: Representatives Tanzi, Donovan, Speakman, McGaw, Ajello, Knight, |
---|
19 | 19 | | Stewart, Kislak, Felix, and Cruz |
---|
20 | 20 | | Date Introduced: March 12, 2025 |
---|
21 | 21 | | Referred To: House Innovation, Internet, & Technology |
---|
22 | 22 | | |
---|
23 | 23 | | |
---|
24 | 24 | | It is enacted by the General Assembly as follows: |
---|
25 | 25 | | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL 1 |
---|
26 | 26 | | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: 2 |
---|
27 | 27 | | CHAPTER 61 3 |
---|
28 | 28 | | PRIVACY PROTECTIONS FOR LOCATION INFORMATION DERIVED FROM 4 |
---|
29 | 29 | | ELECTRONIC DEVICES 5 |
---|
30 | 30 | | 6-61-1. Title. 6 |
---|
31 | 31 | | This chapter shall be known and may be cited as the "Privacy Protections for Location 7 |
---|
32 | 32 | | Information Derived from Electronic Devices". 8 |
---|
33 | 33 | | 6-61-2. Definitions. 9 |
---|
34 | 34 | | As used in this chapter: 10 |
---|
35 | 35 | | (1) "Application" means a software program that runs on the operating system of a device. 11 |
---|
36 | 36 | | (2) "Collect" means to obtain, infer, generate, create, receive, or access an individual's 12 |
---|
37 | 37 | | location information. 13 |
---|
38 | 38 | | (3) "Consent" means to freely given, specific, informed, unambiguous, opt-in consent. This 14 |
---|
39 | 39 | | term does not include either of the following: 15 |
---|
40 | 40 | | (i) Agreement secured without first providing to the individual a clear and conspicuous 16 |
---|
41 | 41 | | disclosure of all information material to the provision of consent, apart from any privacy policy, 17 |
---|
42 | 42 | | terms of service, terms of use, general release, user agreement, or other similar document; or 18 |
---|
43 | 43 | | |
---|
44 | 44 | | |
---|
45 | 45 | | LC000982 - Page 2 of 9 |
---|
46 | 46 | | (ii) Agreement obtained through the use of a user interface designed or manipulated with 1 |
---|
47 | 47 | | the substantial effect of subverting or impairing user autonomy, decision making, or choice. 2 |
---|
48 | 48 | | (4) "Covered entity" means any individual, partnership, corporation, limited liability 3 |
---|
49 | 49 | | company, association, or other group, however organized. A covered entity does not include a state 4 |
---|
50 | 50 | | or local government agency, or any court of Rhode Island, a clerk of the court, or a judge or justice 5 |
---|
51 | 51 | | thereof. A covered entity does not include an individual acting in a non-commercial context. A 6 |
---|
52 | 52 | | covered entity includes all agents of the entity. 7 |
---|
53 | 53 | | (5) "Device" means a mobile telephone or any other electronic device that is or may 8 |
---|
54 | 54 | | commonly be carried by or on an individual and is capable of connecting to a cellular, Bluetooth, 9 |
---|
55 | 55 | | or other wireless network. 10 |
---|
56 | 56 | | (6) “Director” means the director of the department of business regulation established 11 |
---|
57 | 57 | | pursuant to § 42-14-1. 12 |
---|
58 | 58 | | (7) "Disclose" means to make location information available to a third party including, but 13 |
---|
59 | 59 | | not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, 14 |
---|
60 | 60 | | or otherwise communicating such location information orally, in writing, electronically, or by any 15 |
---|
61 | 61 | | other means. 16 |
---|
62 | 62 | | (8) "Individual" means a person located in the State of Rhode Island. 17 |
---|
63 | 63 | | (9) "Location information" means information derived from a device or from interactions 18 |
---|
64 | 64 | | between devices, with or without the knowledge of the user and regardless of the technological 19 |
---|
65 | 65 | | method used, that pertains to or directly or indirectly reveals the present or past geographical 20 |
---|
66 | 66 | | location of an individual or device within the State of Rhode Island with sufficient precision to 21 |
---|
67 | 67 | | identify street-level location information within a range of one thousand eight hundred fifty feet 22 |
---|
68 | 68 | | (1,850') or less. Location information includes, but is not limited to: 23 |
---|
69 | 69 | | (i) An Internet protocol (IP) address capable of revealing the physical or geographical 24 |
---|
70 | 70 | | location of an individual; 25 |
---|
71 | 71 | | (ii) Global positioning system (GPS) coordinates; and 26 |
---|
72 | 72 | | (iii) Cell-site location information. This term does not include location information 27 |
---|
73 | 73 | | identifiable or derived solely from the visual content of a legally obtained image, including the 28 |
---|
74 | 74 | | location of the device that captured such image, or publicly posted words. 29 |
---|
75 | 75 | | (10) "Location privacy policy" means a description of the policies, practices, and 30 |
---|
76 | 76 | | procedures controlling a covered entity's collection, processing, management, storage, retention, 31 |
---|
77 | 77 | | and deletion of location information. 32 |
---|
78 | 78 | | (11) ''Mobile telephone'' means a handheld or portable cellular, analog, wireless, satellite 33 |
---|
79 | 79 | | or digital telephone, including a telephone with two (2)-way radio functionality, capable of sending 34 |
---|
80 | 80 | | |
---|
81 | 81 | | |
---|
82 | 82 | | LC000982 - Page 3 of 9 |
---|
83 | 83 | | or receiving telephone communications and with which a user initiates, terminates or engages in a 1 |
---|
84 | 84 | | call using at least one hand. For the purposes of this chapter, ''mobile telephone'' shall not include 2 |
---|
85 | 85 | | amateur radios operated by those licensed by the Federal Communications Commission to operate 3 |
---|
86 | 86 | | such radios, or citizen band radios. 4 |
---|
87 | 87 | | (12) "Monetize" means to collect, process, or disclose an individual's location information 5 |
---|
88 | 88 | | for profit or in exchange for monetary or other consideration. This term includes, but is not limited 6 |
---|
89 | 89 | | to, selling, renting, trading, or leasing location information. 7 |
---|
90 | 90 | | (13) "Person" means any natural person. 8 |
---|
91 | 91 | | (14) "Permissible purpose" means one of the following purposes: 9 |
---|
92 | 92 | | (i) Provision of a product, service, or service feature to the individual to whom the location 10 |
---|
93 | 93 | | information pertains when that individual requested the provision of such product, service, or 11 |
---|
94 | 94 | | service feature by subscribing to, creating an account, or otherwise contracting with a covered 12 |
---|
95 | 95 | | entity; 13 |
---|
96 | 96 | | (ii) Initiation, management, execution, or completion of a financial or commercial 14 |
---|
97 | 97 | | transaction or fulfill an order for specific products or services requested by an individual, including 15 |
---|
98 | 98 | | any associated routine administrative, operational, and account-servicing activity such as billing, 16 |
---|
99 | 99 | | shipping, delivery, storage, and accounting; 17 |
---|
100 | 100 | | (iii) Compliance with an obligation under federal or state law; or 18 |
---|
101 | 101 | | (iv) Response to an emergency service agency, an emergency alert, a 911 communication, 19 |
---|
102 | 102 | | or any other communication reporting an imminent threat to human life. 20 |
---|
103 | 103 | | (15) "Process" means to perform any action or set of actions on or with location information 21 |
---|
104 | 104 | | including, but not limited to, collecting, accessing, using, storing, retaining, analyzing, creating, 22 |
---|
105 | 105 | | generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, 23 |
---|
106 | 106 | | structuring, disposing of, destroying, de-identifying, or otherwise manipulating location 24 |
---|
107 | 107 | | information. This term does not include disclosing location information. 25 |
---|
108 | 108 | | (16) "Reasonably understandable" means of length and complexity such that an individual 26 |
---|
109 | 109 | | with an eighth-grade reading level, as established by the department of elementary and secondary 27 |
---|
110 | 110 | | education, can read and comprehend. 28 |
---|
111 | 111 | | (17) "Service feature" means a discrete aspect of a service provided by a covered entity 29 |
---|
112 | 112 | | including, but not limited to, real-time directions, real-time weather, and identity authentication. 30 |
---|
113 | 113 | | (18) "Service provider" means an individual, partnership, corporation, limited liability 31 |
---|
114 | 114 | | company, association, or other group, however organized, that collects, processes, or transfers 32 |
---|
115 | 115 | | location information for the sole purpose of, and only to the extent that such service provider is, 33 |
---|
116 | 116 | | conducting business activities on behalf of, for the benefit of, at the direction of, and under 34 |
---|
117 | 117 | | |
---|
118 | 118 | | |
---|
119 | 119 | | LC000982 - Page 4 of 9 |
---|
120 | 120 | | contractual agreement with a covered entity. 1 |
---|
121 | 121 | | (19) "Third party" means any covered entity or person other than: 2 |
---|
122 | 122 | | (i) A covered entity that collected or processed location information in accordance with 3 |
---|
123 | 123 | | this chapter or its service providers; or 4 |
---|
124 | 124 | | (ii) The individual to whom the location information pertains. This term does not include 5 |
---|
125 | 125 | | government entities. 6 |
---|
126 | 126 | | 6-61-3. Protection of location information. 7 |
---|
127 | 127 | | (a) No covered entity shall collect or process an individual's location information except 8 |
---|
128 | 128 | | for a permissible purpose. Prior to collecting or processing an individual's location information for 9 |
---|
129 | 129 | | one of those permissible purposes, a covered entity shall provide the individual with a copy of the 10 |
---|
130 | 130 | | location privacy policy and obtain consent from that individual; provided, however, that this shall 11 |
---|
131 | 131 | | not be required when the collection and processing is done in: 12 |
---|
132 | 132 | | (1) Compliance with an obligation under federal or state law; or 13 |
---|
133 | 133 | | (2) In response to an emergency service agency, an emergency alert, a 911 communication, 14 |
---|
134 | 134 | | or any other communication reporting an imminent threat to human life. 15 |
---|
135 | 135 | | (b) If a covered entity collects location information for the provision of multiple 16 |
---|
136 | 136 | | permissible purposes, it should be mentioned in the location privacy policy and individuals shall 17 |
---|
137 | 137 | | provide informed consent for each purpose; provided, however, that this shall not be required for 18 |
---|
138 | 138 | | the purpose of collecting and processing location information to comply with an obligation under 19 |
---|
139 | 139 | | federal or state law or to respond to an emergency service agency, an emergency alert, a 911 20 |
---|
140 | 140 | | communication, or any other communication reporting an imminent threat to human life. 21 |
---|
141 | 141 | | (c) A covered entity that directly delivers targeted advertisements as part of its product or 22 |
---|
142 | 142 | | services shall provide individuals with a clear, conspicuous, and simple means to opt out of the 23 |
---|
143 | 143 | | processing of their location information for purposes of selecting and delivering targeted 24 |
---|
144 | 144 | | advertisements. 25 |
---|
145 | 145 | | (d) Consent provided under this section shall expire: 26 |
---|
146 | 146 | | (1) After one year; 27 |
---|
147 | 147 | | (2) When the initial purpose for processing the information has been satisfied; or 28 |
---|
148 | 148 | | (3) When the individual revokes consent, whichever occurs first; provided that, consent 29 |
---|
149 | 149 | | may be renewed pursuant to the same procedures. Upon expiration of consent, any location 30 |
---|
150 | 150 | | information possessed by a covered entity must be permanently destroyed. 31 |
---|
151 | 151 | | (e) No covered entity or service provider that lawfully collects and processes location 32 |
---|
152 | 152 | | information shall: 33 |
---|
153 | 153 | | (1) Collect more precise location information than necessary to carry out the permissible 34 |
---|
154 | 154 | | |
---|
155 | 155 | | |
---|
156 | 156 | | LC000982 - Page 5 of 9 |
---|
157 | 157 | | purpose; 1 |
---|
158 | 158 | | (2) Retain location information longer than necessary to carry out the permissible purpose; 2 |
---|
159 | 159 | | (3) Sell, rent, trade, or lease location information to third parties; 3 |
---|
160 | 160 | | (4) Derive or infer from location information any data that is not necessary to carry out a 4 |
---|
161 | 161 | | permissible purpose; or 5 |
---|
162 | 162 | | (5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individual's 6 |
---|
163 | 163 | | location information to third parties, unless such disclosure is: 7 |
---|
164 | 164 | | (i) Necessary to carry out the permissible purpose for which the information was collected; 8 |
---|
165 | 165 | | or 9 |
---|
166 | 166 | | (ii) Requested by the individual to whom the location data pertains. 10 |
---|
167 | 167 | | (f) No covered entity or service providers shall disclose location information to any federal, 11 |
---|
168 | 168 | | state, or local government agency or official unless: 12 |
---|
169 | 169 | | (1) The agency or official serves the covered entity or service provider with a valid warrant 13 |
---|
170 | 170 | | or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant; 14 |
---|
171 | 171 | | (2) Disclosure is mandated under federal or state law; or 15 |
---|
172 | 172 | | (3) The data subject requests such disclosure. 16 |
---|
173 | 173 | | (g) A covered entity shall maintain and make available to the data subject a location privacy 17 |
---|
174 | 174 | | policy, which shall include, at a minimum, the following: 18 |
---|
175 | 175 | | (1) The permissible purpose for which the covered entity is collecting, processing, or 19 |
---|
176 | 176 | | disclosing any location information; 20 |
---|
177 | 177 | | (2) The type of location information collected, including the precision of the data; 21 |
---|
178 | 178 | | (3) The identities of service providers with which the covered entity contracts with respect 22 |
---|
179 | 179 | | to location data; 23 |
---|
180 | 180 | | (4) Any disclosures of location data necessary to carry out a permissible purpose and the 24 |
---|
181 | 181 | | identities of the third parties to whom the location information could be disclosed; 25 |
---|
182 | 182 | | (5) Whether the covered entity's practices include the internal use of location information 26 |
---|
183 | 183 | | for purposes of targeted advertisement; 27 |
---|
184 | 184 | | (6) The data management and data security policies governing location information; 28 |
---|
185 | 185 | | (7) The retention schedule and guidelines for permanently deleting location information. 29 |
---|
186 | 186 | | (h) A covered entity in lawful possession of location information shall provide notice to 30 |
---|
187 | 187 | | individuals to whom that information pertains of any change to its location privacy policy at least 31 |
---|
188 | 188 | | twenty (20) business days before the change goes into effect, and shall request and obtain consent 32 |
---|
189 | 189 | | before collecting or processing location information in accordance with the new location privacy 33 |
---|
190 | 190 | | policy. 34 |
---|
191 | 191 | | |
---|
192 | 192 | | |
---|
193 | 193 | | LC000982 - Page 6 of 9 |
---|
194 | 194 | | (i) No government entity shall monetize location information. 1 |
---|
195 | 195 | | 6-61-4. Transparency. 2 |
---|
196 | 196 | | (a) A covered entity shall, on an annual basis, report to the director aggregate information 3 |
---|
197 | 197 | | pertaining to any warrants seeking location information collected and processed by that covered 4 |
---|
198 | 198 | | entity that were received during the preceding calendar year by the entity and, if known, by any 5 |
---|
199 | 199 | | service providers and third parties. The report shall disaggregate orders by requesting agency, 6 |
---|
200 | 200 | | statutory offense under investigation, and source of authority. 7 |
---|
201 | 201 | | (b) Covered entities that are required to regularly disclose location information as a matter 8 |
---|
202 | 202 | | of law shall, on an annual basis, report to the director aggregate information related to such 9 |
---|
203 | 203 | | disclosures. 10 |
---|
204 | 204 | | (c) The director shall develop standardized reporting forms to comply with this section and 11 |
---|
205 | 205 | | make the reports available to the general public online. 12 |
---|
206 | 206 | | 6-61-5. Prohibition against retaliation. 13 |
---|
207 | 207 | | A covered entity shall not take adverse action against an individual because the individual 14 |
---|
208 | 208 | | exercised or refused to waive any of such individual's rights under this chapter, unless location data 15 |
---|
209 | 209 | | is essential to the provision of the good, service, or service feature that the individual requests, and 16 |
---|
210 | 210 | | then only to the extent that such data is essential. This prohibition includes, but is not limited to: 17 |
---|
211 | 211 | | (1) Refusing to provide a good or service to the individual; 18 |
---|
212 | 212 | | (2) Charging different prices or rates for goods or services, including through the use of 19 |
---|
213 | 213 | | discounts or other benefits or imposing penalties; or 20 |
---|
214 | 214 | | (3) Providing a different level or quality of goods or services to the individual. 21 |
---|
215 | 215 | | 6-61-6. Enforcement. 22 |
---|
216 | 216 | | (a) A violation of this chapter or a regulation promulgated under this chapter regarding an 23 |
---|
217 | 217 | | individual's location information constitutes an injury to that individual. 24 |
---|
218 | 218 | | (b) Any individual alleging a violation of this chapter by a covered entity or service 25 |
---|
219 | 219 | | provider may bring a civil action in the superior court or any court of competent jurisdiction; 26 |
---|
220 | 220 | | provided that, venue in the superior court shall be proper in the county in which the plaintiff resides 27 |
---|
221 | 221 | | or was located at the time of any violation. 28 |
---|
222 | 222 | | (c) An individual protected by this chapter shall not be required, as a condition of service 29 |
---|
223 | 223 | | or otherwise, to file an administrative complaint with the director or to accept mandatory arbitration 30 |
---|
224 | 224 | | of a claim arising under this chapter. 31 |
---|
225 | 225 | | (d) In a civil action in which the plaintiff prevails, the court may award: 32 |
---|
226 | 226 | | (1) Actual damages, including damages for emotional distress, or five thousand dollars 33 |
---|
227 | 227 | | ($5,000) per violation, whichever is greater; 34 |
---|
228 | 228 | | |
---|
229 | 229 | | |
---|
230 | 230 | | LC000982 - Page 7 of 9 |
---|
231 | 231 | | (2) Punitive damages; and 1 |
---|
232 | 232 | | (3) Any other relief including, but not limited to, an injunction or declaratory judgment, 2 |
---|
233 | 233 | | that the court deems to be appropriate. 3 |
---|
234 | 234 | | (e) The court shall consider each instance in which a covered entity or service provider 4 |
---|
235 | 235 | | collects, processes, or discloses location information in a manner prohibited by this chapter or a 5 |
---|
236 | 236 | | regulation promulgated under this chapter as constituting a separate violation of this chapter or 6 |
---|
237 | 237 | | regulation promulgated under this chapter. In addition to any relief awarded, the court shall award 7 |
---|
238 | 238 | | reasonable attorneys' fees and costs to any prevailing plaintiff. 8 |
---|
239 | 239 | | (f) Any provision of a contract or agreement of any kind, including a covered entity's terms 9 |
---|
240 | 240 | | of service or policies including, but not limited to, the location privacy policy, that purports to 10 |
---|
241 | 241 | | waive or limit in any way an individual's rights under this chapter including, but not limited to, any 11 |
---|
242 | 242 | | right to a remedy or means of enforcement, shall be deemed contrary to state law and shall be void 12 |
---|
243 | 243 | | and unenforceable. 13 |
---|
244 | 244 | | (g) No private or government action brought pursuant to this chapter shall preclude any 14 |
---|
245 | 245 | | other action under this chapter. 15 |
---|
246 | 246 | | 6-61-7. Non-applicability. 16 |
---|
247 | 247 | | This chapter shall not apply to location information collected from a patient by a healthcare 17 |
---|
248 | 248 | | provider or healthcare facility, or collected, processed, used, or stored exclusively for medical 18 |
---|
249 | 249 | | education or research, public health or epidemiological purposes, healthcare treatment, health 19 |
---|
250 | 250 | | insurance, payment, or operations, if the information is protected from disclosure under the federal 20 |
---|
251 | 251 | | Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), as amended, 21 |
---|
252 | 252 | | or other applicable federal and state laws and regulations. 22 |
---|
253 | 253 | | 6-61-8. Regulations. 23 |
---|
254 | 254 | | (a) The department of the business regulator shall: 24 |
---|
255 | 255 | | (1) Promulgate rules and regulations for the implementation, administration, and 25 |
---|
256 | 256 | | enforcement of this chapter; 26 |
---|
257 | 257 | | (2) Gather facts and information applicable to the attorney general's obligation to enforce 27 |
---|
258 | 258 | | this chapter and ensure its compliance; 28 |
---|
259 | 259 | | (3) Conduct investigations for possible violations of this chapter; 29 |
---|
260 | 260 | | (4) Refer cases for criminal prosecution to the appropriate federal, state, or local 30 |
---|
261 | 261 | | authorities; and 31 |
---|
262 | 262 | | (5) Maintain an official Internet website outlining the provisions of this chapter. 32 |
---|
263 | 263 | | 6-61-9. Location information collected before effective date. 33 |
---|
264 | 264 | | Within six (6) months after the effective date of this chapter, covered entities shall obtain 34 |
---|
265 | 265 | | |
---|
266 | 266 | | |
---|
267 | 267 | | LC000982 - Page 8 of 9 |
---|
268 | 268 | | consent in accordance with the provisions of § 6-61-3 for any location information collected, 1 |
---|
269 | 269 | | processed, and stored before such effective date, and shall permanently destroy any location 2 |
---|
270 | 270 | | information for which they have not obtained consent. 3 |
---|
271 | 271 | | SECTION 2. This act shall take effect upon passage. 4 |
---|
272 | 272 | | ======== |
---|
273 | 273 | | LC000982 |
---|
274 | 274 | | ======== |
---|
275 | 275 | | |
---|
276 | 276 | | |
---|
277 | 277 | | LC000982 - Page 9 of 9 |
---|
278 | 278 | | EXPLANATION |
---|
279 | 279 | | BY THE LEGISLATIVE COUNCIL |
---|
280 | 280 | | OF |
---|
281 | 281 | | A N A C T |
---|
282 | 282 | | RELATING TO COMMERCI AL LAW--GENERAL REGULAT ORY PROVISIONS -- |
---|
283 | 283 | | PRIVACY PROTECTIONS FOR LOCATION INFORMA TION DERIVED FROM |
---|
284 | 284 | | ELECTRONIC DEVICES |
---|
285 | 285 | | *** |
---|
286 | 286 | | This act would establish a new chapter for privacy protections for location information 1 |
---|
287 | 287 | | derived from electronic devices. The department of the business regulation would be responsible 2 |
---|
288 | 288 | | for promulgating rules and regulations to implement, administer, and enforce this chapter. 3 |
---|
289 | 289 | | This act would take effect upon passage. 4 |
---|
290 | 290 | | ======== |
---|
291 | 291 | | LC000982 |
---|
292 | 292 | | ======== |
---|