Page 377 - GDPR and US States General Privacy Laws Deskbook
(27) “Targeted advertising” means displaying advertisements to a customer where the advertisement is selected based
on personal data obtained or inferred from that customer’s activities over time and across nonaffiliated Internet
websites or online applications to predict such customer’s preferences or interests. “Targeted advertising” does
not include advertisements based on activities within a controller’s own Internet websites or online applications,
advertisements based on the context of a customer’s current search query, or current visit to an Internet website or
online application, advertisements directed to a customer in response to the customer’s request for information or
feedback, or processing personal data solely to measure or report advertising frequency, performance or reach.
(28) “Third party” means an individual or legal entity, such as a public authority, agency or body, other than the customer,
controller or processor or an affiliate of the processor or of the controller.
(29) “Trade secret” has the same meaning as § 6-41-1.
6-48.1-3. Information sharing practices.
(a) Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island
or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service
provider collects, stores and sells customers’ personally identifiable information, then the controller shall, in its customer
agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where
similar notices are customarily posted:
(1) Identify all categories of personal data that the controller collects through the website or online service about customers;
(2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and
(3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.
(b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall
clearly and conspicuously disclose such processing.
(c) Nothing in this chapter shall be construed to authorize the collection, storage or disclosure of information or data that is
otherwise prohibited or restricted by state or federal law.
(d) This chapter does not apply to any body, authority, board, bureau, commission, district or agency of this state or any
political subdivision of this state; nonprofit organization; institution of higher education; national securities association
that is registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934, as amended from time to time; financial
institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; or covered entity or business
associate, as defined in 45 C.F.R. § 160.103.
(e) The following information and data are exempt from the provisions of this chapter:
(1) Protected health information under HIPAA;
(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2;
(3) Identifiable private information for purposes of the federal policy for the protection of human research subjects under
45 C.F.R. §§ 46.101 through 46.124;
(4) Identifiable private information that is otherwise information collected as part of human subjects research pursuant to
the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements
for Pharmaceuticals for Human Use;
377 | Rhode Island Data Transparency and Privacy Protection Act