Rhode Island 2025 Regular Session

Rhode Island House Bill H6062 Compare Versions

Only one version of the bill is available at this time.
2025 -- H 6062
========
LC000982
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2025
____________
AN ACT
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- PRIVACY PROTECTIONS FOR LOCATION INFORMATION DERIVED FROM ELECTRONIC DEVICES
Introduced By: Representatives Tanzi, Donovan, Speakman, McGaw, Ajello, Knight, Stewart, Kislak, Felix, and Cruz
Date Introduced: March 12, 2025
Referred To: House Innovation, Internet, & Technology
It is enacted by the General Assembly as follows:
SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:
CHAPTER 61
PRIVACY PROTECTIONS FOR LOCATION INFORMATION DERIVED FROM ELECTRONIC DEVICES
6-61-1. Title.
This chapter shall be known and may be cited as the "Privacy Protections for Location Information Derived from Electronic Devices".
6-61-2. Definitions.
As used in this chapter:
(1) "Application" means a software program that runs on the operating system of a device.
(2) "Collect" means to obtain, infer, generate, create, receive, or access an individual's location information.
(3) "Consent" means to freely given, specific, informed, unambiguous, opt-in consent. This term does not include either of the following:
(i) Agreement secured without first providing to the individual a clear and conspicuous disclosure of all information material to the provision of consent, apart from any privacy policy, terms of service, terms of use, general release, user agreement, or other similar document; or
(ii) Agreement obtained through the use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
(4) "Covered entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity does not include a state or local government agency, or any court of Rhode Island, a clerk of the court, or a judge or justice thereof. A covered entity does not include an individual acting in a non-commercial context. A covered entity includes all agents of the entity.
(5) "Device" means a mobile telephone or any other electronic device that is or may commonly be carried by or on an individual and is capable of connecting to a cellular, Bluetooth, or other wireless network.
(6) "Director" means the director of the department of business regulation established pursuant to § 42-14-1.
(7) "Disclose" means to make location information available to a third party including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating such location information orally, in writing, electronically, or by any other means.
(8) "Individual" means a person located in the State of Rhode Island.
(9) "Location information" means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of Rhode Island with sufficient precision to identify street-level location information within a range of one thousand eight hundred fifty feet (1,850') or less. Location information includes, but is not limited to:
(i) An Internet protocol (IP) address capable of revealing the physical or geographical location of an individual;
(ii) Global positioning system (GPS) coordinates; and
(iii) Cell-site location information. This term does not include location information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image, or publicly posted words.
(10) "Location privacy policy" means a description of the policies, practices, and procedures controlling a covered entity's collection, processing, management, storage, retention, and deletion of location information.
(11) "Mobile telephone" means a handheld or portable cellular, analog, wireless, satellite or digital telephone, including a telephone with two (2)-way radio functionality, capable of sending or receiving telephone communications and with which a user initiates, terminates or engages in a call using at least one hand. For the purposes of this chapter, "mobile telephone" shall not include amateur radios operated by those licensed by the Federal Communications Commission to operate such radios, or citizen band radios.
(12) "Monetize" means to collect, process, or disclose an individual's location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information.
(13) "Person" means any natural person.
(14) "Permissible purpose" means one of the following purposes:
(i) Provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity;
(ii) Initiation, management, execution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting;
(iii) Compliance with an obligation under federal or state law; or
(iv) Response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(15) "Process" means to perform any action or set of actions on or with location information including, but not limited to, collecting, accessing, using, storing, retaining, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disposing of, destroying, de-identifying, or otherwise manipulating location information. This term does not include disclosing location information.
(16) "Reasonably understandable" means of length and complexity such that an individual with an eighth-grade reading level, as established by the department of elementary and secondary education, can read and comprehend.
(17) "Service feature" means a discrete aspect of a service provided by a covered entity including, but not limited to, real-time directions, real-time weather, and identity authentication.
(18) "Service provider" means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that such service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.
(19) "Third party" means any covered entity or person other than:
(i) A covered entity that collected or processed location information in accordance with this chapter or its service providers; or
(ii) The individual to whom the location information pertains. This term does not include government entities.
6-61-3. Protection of location information.
(a) No covered entity shall collect or process an individual's location information except for a permissible purpose. Prior to collecting or processing an individual's location information for one of those permissible purposes, a covered entity shall provide the individual with a copy of the location privacy policy and obtain consent from that individual; provided, however, that this shall not be required when the collection and processing is done in:
(1) Compliance with an obligation under federal or state law; or
(2) In response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(b) If a covered entity collects location information for the provision of multiple permissible purposes, it should be mentioned in the location privacy policy and individuals shall provide informed consent for each purpose; provided, however, that this shall not be required for the purpose of collecting and processing location information to comply with an obligation under federal or state law or to respond to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(c) A covered entity that directly delivers targeted advertisements as part of its product or services shall provide individuals with a clear, conspicuous, and simple means to opt out of the processing of their location information for purposes of selecting and delivering targeted advertisements.
(d) Consent provided under this section shall expire:
(1) After one year;
(2) When the initial purpose for processing the information has been satisfied; or
(3) When the individual revokes consent, whichever occurs first; provided that, consent may be renewed pursuant to the same procedures. Upon expiration of consent, any location information possessed by a covered entity must be permanently destroyed.
(e) No covered entity or service provider that lawfully collects and processes location information shall:
(1) Collect more precise location information than necessary to carry out the permissible purpose;
(2) Retain location information longer than necessary to carry out the permissible purpose;
(3) Sell, rent, trade, or lease location information to third parties;
(4) Derive or infer from location information any data that is not necessary to carry out a permissible purpose; or
(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individual's location information to third parties, unless such disclosure is:
(i) Necessary to carry out the permissible purpose for which the information was collected; or
(ii) Requested by the individual to whom the location data pertains.
(f) No covered entity or service providers shall disclose location information to any federal, state, or local government agency or official unless:
(1) The agency or official serves the covered entity or service provider with a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant;
(2) Disclosure is mandated under federal or state law; or
(3) The data subject requests such disclosure.
(g) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, the following:
(1) The permissible purpose for which the covered entity is collecting, processing, or disclosing any location information;
(2) The type of location information collected, including the precision of the data;
(3) The identities of service providers with which the covered entity contracts with respect to location data;
(4) Any disclosures of location data necessary to carry out a permissible purpose and the identities of the third parties to whom the location information could be disclosed;
(5) Whether the covered entity's practices include the internal use of location information for purposes of targeted advertisement;
(6) The data management and data security policies governing location information;
(7) The retention schedule and guidelines for permanently deleting location information.
(h) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least twenty (20) business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.
(i) No government entity shall monetize location information.
6-61-4. Transparency.
(a) A covered entity shall, on an annual basis, report to the director aggregate information pertaining to any warrants seeking location information collected and processed by that covered entity that were received during the preceding calendar year by the entity and, if known, by any service providers and third parties. The report shall disaggregate orders by requesting agency, statutory offense under investigation, and source of authority.
(b) Covered entities that are required to regularly disclose location information as a matter of law shall, on an annual basis, report to the director aggregate information related to such disclosures.
(c) The director shall develop standardized reporting forms to comply with this section and make the reports available to the general public online.
6-61-5. Prohibition against retaliation.
A covered entity shall not take adverse action against an individual because the individual exercised or refused to waive any of such individual's rights under this chapter, unless location data is essential to the provision of the good, service, or service feature that the individual requests, and then only to the extent that such data is essential. This prohibition includes, but is not limited to:
(1) Refusing to provide a good or service to the individual;
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or
(3) Providing a different level or quality of goods or services to the individual.
6-61-6. Enforcement.
(a) A violation of this chapter or a regulation promulgated under this chapter regarding an individual's location information constitutes an injury to that individual.
(b) Any individual alleging a violation of this chapter by a covered entity or service provider may bring a civil action in the superior court or any court of competent jurisdiction; provided that, venue in the superior court shall be proper in the county in which the plaintiff resides or was located at the time of any violation.
(c) An individual protected by this chapter shall not be required, as a condition of service or otherwise, to file an administrative complaint with the director or to accept mandatory arbitration of a claim arising under this chapter.
(d) In a civil action in which the plaintiff prevails, the court may award:
(1) Actual damages, including damages for emotional distress, or five thousand dollars ($5,000) per violation, whichever is greater;
(2) Punitive damages; and
(3) Any other relief including, but not limited to, an injunction or declaratory judgment, that the court deems to be appropriate.
(e) The court shall consider each instance in which a covered entity or service provider collects, processes, or discloses location information in a manner prohibited by this chapter or a regulation promulgated under this chapter as constituting a separate violation of this chapter or regulation promulgated under this chapter. In addition to any relief awarded, the court shall award reasonable attorneys' fees and costs to any prevailing plaintiff.
(f) Any provision of a contract or agreement of any kind, including a covered entity's terms of service or policies including, but not limited to, the location privacy policy, that purports to waive or limit in any way an individual's rights under this chapter including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to state law and shall be void and unenforceable.
(g) No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.
6-61-7. Non-applicability.
This chapter shall not apply to location information collected from a patient by a healthcare provider or healthcare facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, healthcare treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), as amended, or other applicable federal and state laws and regulations.
6-61-8. Regulations.
(a) The department of the business regulator shall:
(1) Promulgate rules and regulations for the implementation, administration, and enforcement of this chapter;
(2) Gather facts and information applicable to the attorney general's obligation to enforce this chapter and ensure its compliance;
(3) Conduct investigations for possible violations of this chapter;
(4) Refer cases for criminal prosecution to the appropriate federal, state, or local authorities; and
(5) Maintain an official Internet website outlining the provisions of this chapter.
6-61-9. Location information collected before effective date.
Within six (6) months after the effective date of this chapter, covered entities shall obtain consent in accordance with the provisions of § 6-61-3 for any location information collected, processed, and stored before such effective date, and shall permanently destroy any location information for which they have not obtained consent.
SECTION 2. This act shall take effect upon passage.
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
AN ACT
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- PRIVACY PROTECTIONS FOR LOCATION INFORMATION DERIVED FROM ELECTRONIC DEVICES
***
This act would establish a new chapter for privacy protections for location information derived from electronic devices. The department of the business regulation would be responsible for promulgating rules and regulations to implement, administer, and enforce this chapter.
This act would take effect upon passage.