(d)  Nothing in this chapter shall be construed to mandate and/or require the retention or disclosure of any specific individual’s
personally identifiable information.
(e)  Nothing in this chapter shall prohibit or restrict the dissemination or sale of product sales summaries or statistical
information or aggregate customer data which may include personally, identifiable information.
(f)  Nothing in this chapter shall be construed to apply to any personally identifiable information or any other information
collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f). Provided,
further, nothing in this chapter shall be construed to require any entity to collect, store or sell personally identifiable
information, and furthermore, nothing in this chapter shall be construed to require a controller to provide a good or service
that requires the personal data of a customer that the controller does not collect or maintain. This chapter is intended to
apply only to covered entities that choose to collect, store, and sell or otherwise transfer or disclose personally identifiable
information. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by
the controller or processor with this chapter would violate an evidentiary privilege under the law of this state. Nothing in
this chapter shall be construed to prevent a controller or processor from providing personal data concerning a customer to
a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.
SECTION 3. This act shall take effect on January 1, 2026.
EXPLANATION BY THE LEGISLATIVE COUNCIL OF AN ACT RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY
PROVISIONS -- RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT
This act would create the Rhode Island Data Transparency and Privacy Protect Act for data privacy protections for the personal
data of the citizens of Rhode Island, requiring any person or entity that processes personal data to identify all categories of
information the controller collects, when the controller may disclose such information, how a customer may exercise their
customer rights, the purpose for processing the personal data, categories of personal data share with a third party, and
means to contact the controller. Entities that control or process personal data of not less than 35,000 customers or at least
10,000 customers and derive more than twenty percent (20%) of gross revenue from the sale of personal data are subject to
additional disclosure requirements and must allow customers the right to opt out of the collection of personally identifiable
information. Any violation of this act would constitute a violation of the general regulatory provisions of commercial law and
constitute a deceptive trade practice. A fine would be imposed for each violation of not less than one hundred dollars ($100)
and no more than five hundred dollars ($500).
This act would take effect on January 1, 2026.
386 | Rhode Island Data Transparency and Privacy Protection Act