Rhode Island 2025 Regular Session

Rhode Island Senate Bill S0903 Latest Draft

Bill / Introduced Version Filed 03/27/2025

                             
 
 
 
2025 -- S 0903 
======== 
LC002362 
======== 
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2025
____________

AN ACT
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- AGE-APPROPRIATE DESIGN CODE
Introduced By: Senators Lawson, Lauria, Kallman, Tikoian, DiPalma, LaMountain, 
Murray, Sosnowski, and Gallo 
Date Introduced: March 27, 2025 
Referred To: Senate Judiciary 
 
 
It is enacted by the General Assembly as follows: 
SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL
REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.2
AGE-APPROPRIATE DESIGN CODE

6-48.2-1. Definitions.
As used in this chapter the following words have the following meanings:
(1) "Actual knowledge" or "known" means a covered entity knows that a consumer is a
child based upon:
(i) The self-identified age provided by the minor, an age provided by a third party, or an
age or closely related proxy that the covered entity knows or has associated with, attributed to or
derived or inferred for the consumer, including for the purposes of advertising, marketing or
product development; or
(ii) The consumer's use of an online feature, product or service or a portion of such an
online feature, product or service that is directed to children.
(2) "Affiliate" has the same meaning as provided in § 6-48.1-2.
(3) "Child" means an individual who is under eighteen (18) years of age.
(4) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any
personal data pertaining to a consumer by any means, including receiving data from the consumer,
either actively or passively, or by observing the consumer’s behavior.
(5) "Common branding" means a shared name, service mark, or trademark that the average
consumer would understand that two (2) or more entities are commonly owned. For purposes of
this chapter, for a joint venture or partnership composed of covered entities in which each covered
entity has at least a forty percent (40%) interest, the joint venture or partnership and each covered
entity that composes the joint venture or partnership shall separately be considered a single covered
entity, except that personal data in the possession of each covered entity and disclosed to the joint
venture or partnership shall not be shared with the other covered entity.
(6) "Consumer" means a natural person who is a Rhode Island resident, however identified,
including by any unique identifier.
(7) "Covered entity" means:
(i) A sole proprietorship, partnership, limited liability company, corporation, association,
or other legal entity that is organized or operated for the profit or financial benefit of its shareholders
or other owners engaged in an activity pursuant to the provisions of § 6-48.2-2;
(ii) An affiliate of a covered entity that shares common branding with the covered entity.
(8) "Dark pattern" means a user interface designed or manipulated with the purpose of
subverting or impairing user autonomy, decision making, or choice.
(9) "Default" means a preselected option adopted by the covered entity for the online
service, product, or feature.
(10) "Deidentified" means data that cannot reasonably be used to infer information about,
or otherwise be linked to, an identified or identifiable consumer, or a device linked to such
consumer; provided that, the covered entity that possesses the data:
(i) Takes reasonable measures to ensure that the data cannot be associated with a consumer;
(ii) Publicly commits to maintain and use the data only in a deidentified fashion and not
attempt to re-identify the data; and
(iii) Contractually obligates any recipients of the data to comply with all provisions of this
chapter.
(11) "Derived data" means data that is created by the derivation of information, data,
assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another
source of information or data about a known child or a child’s device.
(12) "Online service, product, or feature" means access to various types of data on the
Internet, including banking, education, entertainment, news, shopping and commercial services.
"Online service, product, or feature" does not mean any of the following:
(i) "Telecommunications service," as defined in 47 U.S.C. § 153;
(ii) A broadband Internet access service; or
(iii) The sale, delivery, or use of a physical product.
(13) "Personal data" means any information, including derived data, that is linked or
reasonably linkable, alone or in combination with other information, to an identified or identifiable
consumer. Personal data does not include deidentified data or publicly available information.
(14) "Publicly available information" means information that either:
(i) Is made available from federal, state, or local government records or widely distributed
media; or
(ii) A covered entity has a reasonable basis to believe a consumer has lawfully made
available to the public such that the consumer no longer has a reasonable expectation of privacy in
the information.
(15) "Precise geolocation" means any data that is derived from a device and that is used or
intended to be used to locate a consumer within a geographic area that is equal to or less than the
area of a circle with a radius of one thousand eight hundred fifty feet (1,850').
(16) "Process" or "processing" means to conduct or direct any operation or set of operations
performed, whether by manual or automated means, on personal data or on sets of personal data,
such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise
handling of personal data.
(17) "Product experimentation results" means the data that companies collect to understand
the experimental impact of their products.
(18) "Profile" or "profiling" means any form of automated processing of personal data to
evaluate, analyze, or predict personal aspects concerning an identified or identifiable consumer’s
economic situation, health, personal preferences, interests, reliability, behavior, location, or
movements. "Profiling" does not include the processing of information that does not result in an
assessment or judgment about a consumer.
(19) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other
valuable consideration by a covered entity to a third party. It does not include the following:
(i) The disclosure of personal data to a third party who processes the personal data on behalf
of the covered entity;
(ii) The disclosure of personal data to a third party with whom the consumer has a direct
relationship for purposes of providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal data to an affiliate of the covered entity;
(iv) The disclosure of data that the consumer intentionally made available to the general
public such that the consumer no longer maintains a reasonable expectation of privacy in the data;
or
(v) The disclosure or transfer of personal data to a third party as an asset that is part of a
completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party
assumes control of all or part of the covered entity’s assets, provided the consumer has the
opportunity to opt out of the transfer.
(20) "Share" means sharing, renting, releasing, disclosing, disseminating, making
available, transferring, or otherwise communicating orally, in writing, or by electronic or other
means a consumer’s personal data by the covered entity to a third party for cross-context behavioral
advertising, whether or not for monetary or other valuable consideration, including transactions
between a covered entity and a third party for cross-context behavioral advertising for the benefit
of a covered entity in which no money is exchanged.
(21) "Third party" means a natural or legal person, public authority, agency, or body, other
than the consumer or the covered entity.

6-48.2-2. Scope - Exclusions.
(a) An entity is considered a covered entity for the purposes of this chapter if the entity:
(1) Collects consumers’ personal data or has individuals’ personal data collected on the
entity's behalf by a third party;
(2) Alone or jointly with others, determines the purposes and means of the processing of
individuals’ personal data;
(3) Operates in Rhode Island; and
(4) Satisfies one or more of the following thresholds:
(i) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as
adjusted every odd-numbered year to reflect the Consumer Price Index;
(ii) Alone or in combination, annually buys, receives for the covered entity’s commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal data of
fifty thousand (50,000) or more individuals, households, or devices; or
(iii) Derives fifty percent (50%) or more of its annual revenues from selling individuals’
personal data.
(b) This chapter shall not apply to:
(1) Protected health information that is collected by a covered entity or covered entity
associate governed by the privacy, security, and breach notification rules issued by the U.S.
Department of Health and Human Services, 45 C.F.R. Parts 160 and 164;
(2) A covered entity governed by the privacy, security, and breach notification rules issued
by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, to the extent
the provider or covered entity maintains patient information in the same manner as medical
information or protected health information as described in subsection (b)(1) of this section; and
(3) Information collected as part of a clinical trial subject to the federal Policy for the
Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice
guidelines issued by the International Council for Harmonisation of Technical Requirements for
Pharmaceuticals for Human Use or pursuant to human subject protection requirements of the U.S.
Food and Drug Administration.
(c) Nothing in this chapter shall be interpreted to interfere with any obligation or
requirement under chapter 48.1 of title 6. The covered entity authorized pursuant to § 6-48.1-4
regarding sensitive data concerning known children shall have no additional obligation pursuant to
this chapter.

6-48.2-3. Heightened risk of harm to children -- Presumption -- Definitions.
(a) Each covered entity that offers any online service, product or feature to a consumer
whom such covered entity has actual knowledge, or willfully disregards is a child shall use
reasonable care to avoid any heightened risk of harm to children caused by such online service,
product or feature. In any enforcement action brought by the attorney general pursuant to § 6-48.2-7,
there shall be a rebuttable presumption that a covered entity used reasonable care as required
under this section if the covered entity complied with the provisions of § 6-48.2-4 concerning data
protection assessments.
(b) As used in this chapter, “heightened risk of harm to children” means processing known
children’s personal data in a manner that presents any reasonably foreseeable risk of:
(1) Any unfair or deceptive treatment of, or any unlawful disparate impact on, children;
(2) Any financial or reputational injury to children;
(3) Any physical or other intrusion upon the solitude or seclusion, or the private affairs or
concerns, of children if such intrusion would be highly offensive to a reasonable person; or
(4) Discrimination against the child based upon race, color, religion, national origin,
disability, sex, sexual orientation, or gender identity or expression.

6-48.2-4. Covered entity obligations.
(a) A covered entity subject to this chapter shall:
(1) Complete a data protection impact assessment for an online service, product, or feature
that is reasonably likely to be accessed by children and maintain documentation of the data
protection impact assessment for as long as the online service, product, or feature is reasonably
known to be used by children. The data protection impact assessment shall consist of a systematic
survey to assess compliance with the duty to use reasonable care to avoid any heightened risk of
harm to known children and shall include a plan to ensure that all online products, services, or
features provided by the covered entity and known to be used by children are designed and offered
in a manner consistent with the duty to use reasonable care to avoid any heightened risk of harm to
known children. The plan shall include a description of steps the covered entity has taken and shall
take to comply with the duty to use reasonable care to avoid any heightened risk of harm to known
children.
(2) Review and modify all data protection impact assessments as necessary to account for
material changes to processing pertaining to the online service, product, or feature within ninety
(90) days after any material changes.
(3) Within five (5) days after receipt of a written request by the attorney general, provide
to the attorney general a list of all data protection impact assessments the covered entity has
completed.
(4) Within seven (7) days after receipt of a written request by the attorney general, provide
the attorney general with a copy of a data protection impact assessment; provided that, the attorney
general may, in the attorney general’s discretion, extend beyond seven (7) days the amount of time
allowed for a covered entity to produce a data protection impact assessment.
(5) Configure all default privacy settings provided to known children by the online service,
product, or feature to settings that offer a high level of privacy, unless the covered entity can
demonstrate a compelling reason that a different setting is consistent with the duty to use reasonable
care to avoid any heightened risk of harm to children, as defined pursuant to the provisions of § 6-48.2-3(b).
(6) Provide any privacy information, terms of service, policies, and community standards
concisely, prominently, and using clear language suited to the age of children known to access that
online service, product, or feature.
(7) Provide prominent, accessible, and responsive tools to assist known children in a form
or manner required by the general attorney, or, if applicable, their parents or guardians, in the
exercise of their privacy rights and to report concerns.
(b) A data protection impact assessment required by this section shall:
(1) Identify the purpose of the online service, product, or feature;
(2) Disclose how it uses children’s personal data; and
(3) Determine whether the online service, product, or feature is designed and offered in a
manner consistent with the duty to use reasonable care to avoid any heightened risk of harm to
children and:
(i) Whether the design of the online service, product, or feature is reasonably expected to
allow known children to be party to or exploited by a contract on the online service, product, or
feature that would result in reasonably foreseeable and material financial harm to the child; a highly
offensive intrusion on the reasonable privacy expectations of the child; or discrimination against
the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or
gender identity or expression;
(ii) Whether targeted advertising systems used by the online service, product, or feature
would result in reasonably foreseeable and material financial harm to the known child; a highly
offensive intrusion on the reasonable privacy expectations of the child; or discrimination against
the child based upon race, color, religion, national origin, disability, sex, sexual orientation, or
gender identity or expression;
(iii) Whether the online service, product, or feature uses system design features to increase,
sustain, or extend use of the online service, product, or feature by known children, including the
automatic playing of media, rewards for time spent, and notifications, that would result in
reasonably foreseeable and material financial harm to the child or a highly offensive intrusion on
the reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, sexual orientation, or gender identity or
expression;
(iv) Whether, how, and for what purpose the online product, service, or feature collects or
processes personal data of known children and whether those practices would result in reasonably
foreseeable and material financial harm to the child; a highly offensive intrusion on the reasonable
privacy expectations of the child; or discrimination against the child based upon race, color,
religion, national origin, disability, sex, sexual orientation, or gender identity or expression; and
(v) Whether and how product experimentation results for the online product, service, or
feature reveal data management or design practices that would result in reasonably foreseeable and
material financial harm to the known child; a highly offensive intrusion on the reasonable privacy
expectations of the child; or discrimination against the child based upon race, color, religion,
national origin, disability, sex, sexual orientation, or gender identity or expression.
(c) A data protection impact assessment conducted by a covered entity for the purpose of
compliance with any other law may be utilized to comply with the provisions of this chapter if the
data protection impact assessment meets the requirements of this chapter.
(d) A single data protection impact assessment may contain multiple similar processing
operations that present similar risk only if each relevant online service, product, or feature is
addressed separately.
(e) A covered entity may process only the personal data reasonably necessary to provide
an online service, product, or feature with which a child is actively and knowingly engaged to
estimate age.
(f) A data protection impact assessment created pursuant to this section is exempt from
public disclosure and to the extent required to be disclosed to public officials shall not constitute a
public record pursuant to the provisions of chapter 2 of title 38 (“access to public records”).

6-48.2-5. Covered entity prohibitions.
A covered entity that provides an online service, product, or feature to known children shall
not:
(1) Process the personal data of any known child in a way that is inconsistent with the duty
to use reasonable care to avoid any heightened risk of harm to children, as defined pursuant to the
provisions of § 6-48.2-3(b);
(2) Profile a known child by default unless both of the following criteria are met:
(i) The covered entity can demonstrate it has appropriate safeguards in place to ensure that
profiling is consistent with the duty to use reasonable care to avoid any heightened risk of harm to
known children; and
(ii) Profiling is necessary to provide the online service, product, or feature requested and
only with respect to the aspects of the online service, product, or feature with which a known child
is actively and knowingly engaged;
(3) Process any personal data that is not reasonably necessary to provide an online service,
product, or feature with which a known child is actively and knowingly engaged;
(4) If the end user is a known child, process personal data for any reason other than a reason
for which that personal data was collected;
(5) Process any precise geolocation information of known children by default, unless the
collection of that precise geolocation information is strictly necessary for the covered entity to
provide the service, product, or feature requested and then only for the limited time that the
collection of precise geolocation information is necessary to provide the service, product, or
feature;
(6) Process any precise geolocation information of a known child without providing a
conspicuous sign to the child for the duration of that collection that precise geolocation information
is being collected;
(7) Use dark patterns to cause known children to provide personal data beyond what is
reasonably expected to provide that online service, product, or feature to forego privacy protections,
or to take any action that the covered entity knows, or has reason to know, is not consistent with
the duty to use reasonable care to avoid any heightened risk of harm to children; or
(8) Allow a known child’s parent or any other consumer to monitor the child’s online
activity or track the child’s location, without providing a conspicuous signal to the child when the
child is being monitored or tracked.

6-48.2-6. Impact assessments non-public information.
(a) A data protection impact assessment collected or maintained by the attorney general
pursuant to this chapter shall not be deemed public for purposes of chapter 2 of title 38 ("access to
public records").
(b) To the extent any information contained in a data protection impact assessment
disclosed to the attorney general includes information subject to attorney-client privilege or work
product protection, disclosure pursuant to this chapter does not constitute a waiver of that privilege
or protection.

6-48.2-7. Enforcement.
(a) The attorney general may seek the imposition of an injunction and a civil penalty of not
more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation
of this chapter, or not more than seven thousand five hundred dollars ($7,500) per affected child
for each intentional violation of this chapter, plus costs and reasonable attorneys’ fees for each
violation.
(b) Any penalties, fees, and expenses recovered in an action brought under this chapter
shall be deposited in a restricted receipt account and are to be appropriated to the attorney general
and utilized pursuant to the provisions of subsection (c) of this section.
(c) All fees collected by the office of the attorney general in accordance with subsection
(b) of this section shall be placed into a restricted receipt account to support the personnel costs,
operating costs and capital expenditure necessary to carry out the enforcement provisions of this
section; provided, however, that any fees charged shall be in addition to and not substituted for
funds appropriated for the office by the state or federal government.
(d) If a covered entity is in substantial compliance with the requirements of this chapter,
the attorney general shall, before initiating a civil action pursuant to the provisions of this chapter,
provide written notice to the covered entity identifying the specific provisions of this chapter that
the attorney general alleges have been or are being violated. If a covered entity satisfies the
provisions of § 6-48.2-4 before offering any new online product, service, or feature reasonably
likely to be accessed by children to the public, the covered entity shall have ninety (90) days to
fully comply with all provisions specified in the notice from the attorney general. If the covered
entity cures all noticed violations and provides the attorney general a written statement that the
alleged violations have been cured, and sufficient measures have been taken to prevent future
violations, the covered entity shall not be liable for a civil penalty for any violation cured within
the ninety (90) day period.
(e) No individual entitlement or private right of action is created by this section.

SECTION 2. This act shall take effect on January 1, 2026.
========
LC002362
========

EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
AN ACT
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- AGE-APPROPRIATE DESIGN CODE
***
This act would require that any covered entity that develops and provides online services,
products, or features that children are reasonably likely to access shall consider the best interest of
children when designing and developing such online service, product, or feature. The provisions of
this chapter may be enforced by the attorney general and violators are subject to civil penalties.
This act would take effect on January 1, 2026.
======== 
LC002362 
========