Rhode Island: Bill on transparency and data protection introduced to House

House Bill No. 5354 for an Act relating to commercial law - general regulatory provisions - Rhode Island data transparency and privacy protection act was introduced, on 3 February 2023, to the Rhode Island House Legislature, and thereafter referred, on the same date, to the House Innovation, Internet, and Technology Committee. Subsequently, the Committee recommended, on 2 March 2023, that the bill be held for further study. In particular, the bill defines terms including 'personally identifiable information', 'precise geolocation data', 'processing', 'sale of personal data', and 'targeted advertising', among others.

Further, the bill provides that operators of commercial websites or online services that collect, store, and sell categories of personal information about individual customers residing in Rhode Island must, in their customer agreement or incorporated addendum, or in another conspicuous location:

  • identify all categories of personal information collected; and
  • identify all third parties to whom personal information is disclosed.

Nonetheless, the bill also notes that controllers must establish a privacy notice, describing the categories of personal data processed, the purpose of processing, how data subjects may exercise their rights, and the categories of third parties with which data is shared, if any, among other things.

In addition, the bill provides that operators must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. On consent, the bill notes that operators must provide customers with a mechanism to grant and revoke consent, not process sensitive personal data without obtaining customer consent, and not process personal data for targeted advertising or sell data without the customers' consent. Likewise, the bill stipulates data protection principles including data minimisation and purpose limitation.

Notably, the bill provides for other controller obligations, including the requirement to conduct a data processing assessment for controllers' processing activities that present a heightened risk of harm to customers, and the need to conclude a binding contract between controllers and processors.

Further, the bill notes data subject rights including the rights to access, rectification, deletion, and portability, and the right not to be discriminated against. Equally, the bill details the right to opt out of processing for advertising, sale of personal data, or profiling in furtherance of automated decisions. More specifically, the bill provides that controllers must respond to customers' requests to exercise their rights within 45 days of receipt of the request, but may extend the response period by another 45 days where reasonably necessary.

However, the bill outlines a range of data processing operations exempt from the bill, including, among others:

  • health information under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA');
  • personal information collected as part of research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
  • personal information that has bearing on a customer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a customer reporting agency, furnisher, or user that provides information for use in a customer report; and
  • personal information processed or maintained in the course of an individual applying to, employed by, or acting as a contractor of a controller, to the extent that the data is collected and used within the context of that role.

Notably, the bill is a companion to Senate Bill No. 754.

You can read the bill here and track its progress here, using the search bar.