AN ACT RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS -- RHODE ISLAND DELETE ACT (Requires any entity that knowingly collects, shares or sells to third parties the personal data of a consumer to register with the department of business regulations and permits for the consumer to request deletion of the personal data.)

S2766

2026 -- S 2766
========
LC005693
========

STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2026
____________
A N A C T
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --
RHODE ISLAND DELETE ACT

Introduced By:
Senators Gu, DiPalma, Urso, Vargas, Zurier, Paolino, and Burke

Date Introduced:
March 04, 2026

Referred To:
Senate Commerce
It is enacted by the General Assembly as follows:
1
SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL
2
REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:
3
CHAPTER 48.2
4
RHODE ISLAND DELETE ACT
5

6-48.2-1. Short title.

6

This chapter shall be known and may be cited as the "Rhode Island Delete Act".
7

6-48.2-2. Definitions.

8

As used in this chapter, the following terms shall have the following meanings:
9

(1) The definitions of § 6-48.1-2 shall apply unless otherwise specified in this chapter.
10

(2) "Authorized agent" means a natural person or a business entity that a consumer has
11
authorized to act on their behalf.
12

(3) "Dark pattern" means a user interface designed or manipulated with the substantial
13
effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is
14
not limited to, any practice the federal trade commission refers to as a "dark pattern".
15

(4) "Data broker" means a business that knowingly collects, shares or sells to third parties
16
the personal data of a consumer with whom the business does not have a direct relationship. This
17
chapter shall not apply to any of the following:
18

(i) An entity to the extent that is covered by the federal Fair Credit Reporting Act, U.S.C §

1
1681 et seq.;
2

(ii) Personal data collected or processed subject to Title V of Gramm-Leach-Bliley Act, 15
3
U.S.C. § 6801 et seq., and implementing regulations;
4

(iii) Personal data collected or processed subject to the privacy, security, and breach
5
notification rules under the Health Insurance Portability and Accountability Act.
6

(5) "Department" means the Rhode Island department of business regulation.
7

(6) "Direct relationship" means that a consumer has intentionally interacted with a business
8
for the purpose of accessing, purchasing, using, requesting, or obtaining information about the
9
business’s products or services. A consumer does not have a "direct relationship" with a business
10
if the purpose of their engagement is to exercise any right described under § 6-48.1-6, or for the
11
business to verify the consumer’s identity. A business does not have a "direct relationship" with a
12
consumer simply because it collects personal data directly from the consumer. The consumer must
13
intend to interact with the business. A business is still a data broker and does not have a direct
14
relationship with a consumer as to personal data it sells about the consumer that it collected outside
15
of a first-party interaction with the consumer.
16

(7) "Personal data" means any information that is linked or reasonably linkable to an
17
identified or identifiable individual and does not include publicly available information.
18

(8) "Reproductive or sexual health care" means any health care-related services or products
19
rendered or provided concerning a consumer's reproductive system or sexual well-being including,
20
but not limited to, any such service or product rendered or provided concerning:
21

(i) An individual health condition, status, disease, diagnosis, diagnostic test or treatment;
22

(ii) A social, psychological, behavioral or medical intervention;
23

(iii) A surgery or procedure including, but not limited to, an abortion;
24

(iv) A use or purchase of a medication including, but not limited to, a medication used or
25
purchased for the purposes of an abortion;
26

(v) A bodily function, vital sign or symptom;
27

(vi) A measurement of a bodily function, vital sign or symptom; or
28

(vii) An abortion including, but not limited to, medical or nonmedical services, products,
29
diagnostics, counseling or follow-up services for an abortion.
30

(9) "Reproductive or sexual health data" means any personal data concerning an effort
31
made by a consumer to seek, or a consumer's receipt of, reproductive or sexual health care.
32

6-48.2-3. Data brokers’ registry fund.

33

There is created the "data brokers’ registry fund" ("the fund") into which shall be deposited
34
with the general treasurer of the state. The fund shall be administered by the department. All monies

LC005693 - Page 2 of 10
1
collected or received by the department pursuant to this chapter shall be deposited into the fund, to
2
be available for expenditure by the department, upon appropriation by the general assembly, to
3
offset all of the following costs:
4

(1) The reasonable costs of establishing and maintaining the informational internet website
5
described in § 6-48.2-5.
6

(2) The costs incurred by the judiciary and the department in connection with enforcing
7
this chapter, as specified in § 6-48.2-4.
8

(3) The reasonable costs of establishing, maintaining, and providing access to the
9
accessible deletion mechanism described in § 6-48.2-7.
10

6-48.2-4. Registration.

11

(a) On or before January 31 following each year in which a business meets the definition
12
of data broker as defined in § 6-48.2-2, the business shall register with the department pursuant to
13
the requirements of this section.
14

(b) In registering with the department, as set forth in subsection (a) of this section, a data
15
broker shall do all of the following:
16

(1) Pay a registration fee in an amount determined by the department not to exceed the
17
reasonable costs of establishing and maintaining the informational internet website described in §
18
6-48.2-5 and the reasonable costs of establishing, maintaining, and providing access to the
19
accessible deletion mechanism described in § 6-48.2-7. Registration fees shall be deposited in the
20
data brokers’ registry fund pursuant to § 6-48.2-3, and used for the purposes specified in this
21
section.
22

(2) Provide the following information:
23

(i) The name of the data broker and its primary physical, email, and internet website
24
addresses;
25

(ii) The metrics compiled pursuant to § 6-48.2-6(a)(1) and (a)(2);
26

(iii) Whether the data broker collects the personal data of minors;
27

(iv) Whether the data broker collects consumers’ names, dates of birth, ZIP codes, email
28
addresses, or phone numbers;
29

(v) Whether the data broker collects consumers’ account login or account number in
30
combination with any required security code, access code, or password that would permit access to
31
a consumer’s account with a third party;
32

(vi) Whether the data broker collects consumers’ drivers’ license number, Rhode Island
33
identification card number, tax identification number, social security number, passport number,
34
military identification number, or other unique identification number issued on a government

LC005693 - Page 3 of 10
1
document commonly used to verify the identity of a specific individual;
2

(vii) Whether the data broker collects consumers’ mobile advertising identification
3
numbers, connected television identification numbers, or vehicle identification numbers (VIN);
4

(viii) Whether the data broker collects consumers’ citizenship data, including immigration
5
status;
6

(ix) Whether the data broker collects consumers’ union membership status;
7

(x) Whether the data broker collects consumers’ sexual orientation data;
8

(xi) Whether the data broker collects consumers’ gender identity and gender expression
9
data;
10

(xii) Whether the data broker collects consumers’ biometric data;
11

(xiii) Whether the data broker collects consumers’ precise geolocation;
12

(xiv) Whether the data broker collects consumers’ reproductive or sexual health care data;
13

(xv) Whether the data broker has shared or sold consumers’ data to a foreign actor in the
14
past year;
15

(xvi) Whether the data broker has shared or sold consumers’ data to the federal government
16
in the past year;
17

(xvii) Whether the data broker has shared or sold consumers’ data to other state
18
governments in the past year;
19

(xviii) Whether the data broker has shared or sold consumers’ data to law enforcement in
20
the past year, unless that data was shared pursuant to a subpoena or court order;
21

(xix) Whether the data broker has shared or sold consumers’ data to a developer of a GenAI
22
system or model in the past year;
23

(xx) Up to three (3), but no fewer than one, of the most common types of personal
24
information that the data broker collects, if the data broker does not collect the information
25
described in subsections (b)(2)(iv) and (b)(2)(vii) of this section;
26

(xxi) Beginning January 1, 2029, whether the data broker has undergone an audit as
27
described in § 6-48.2-7(e), and, if so, the most recent year that the data broker has submitted a
28
report resulting from the audit and any related materials to the department;
29

(xxii) A link to a page on the data broker’s internet website that does both of the following:
30

(A) Details how consumers may exercise their privacy rights to:
31

(I) Delete personal data, as described in § 6-48.1-5(e)(2);
32

(II) Correct inaccurate personal data, as described in § 6-48.1-5(e)(2);
33

(III) Learn what personal data is being processed, as described in § 6-48.1-5;
34

(IV) Learn how to access that personal data, as described in § 6-48.1-5;

LC005693 - Page 4 of 10
1

(V) Learn how to opt out of the sale or sharing of personal data, as described in § 6-48.1-
2
5; and
3

(B) Does not make use of any dark patterns.
4

(xxiii) Whether and to what extent the data broker or any of its subsidiaries is regulated by
5
any of the following:
6

(A) The federal Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.;
7

(B) The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and implementing regulations;
8

(C) The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
9

(xxiv) Any additional information or explanation the data broker chooses to provide
10
concerning its data collection practices.
11

(c) A data broker that fails to register as required by this section is liable for administrative
12
fines and costs in an administrative action brought by the department as follows:
13

(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails
14
to register as required by this section.
15

(2) An amount equal to the fees that were due during the period it failed to register.
16

(3) Expenses incurred by the department in the investigation and administration of the
17
action as the court deems appropriate.
18

(d) A data broker required to register under this chapter that fails to comply with the
19
requirements of § 6-48.2-7 is liable for administrative fines and costs in an administrative action
20
brought by the department as follows:
21

(1) An administrative fine of two hundred dollars ($200) for each deletion request for each
22
day the data broker fails to delete information as required by § 6-48.2-7; and
23

(2) Reasonable expenses incurred by the department in the investigation and administration
24
of the action.
25

(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under
26
subsections (c) or (d) of this section, shall be deposited in the data brokers’ registry fund, created
27
pursuant to § 6-48.2-3, with the intent that they be used to fully offset costs incurred by the judiciary
28
and the department in connection with this chapter.
29

6-48.2-5. Public access to information.

30

The department shall create a page on its internet website where the registration
31
information provided by data brokers described in § 6-48.2-4(b)(2) and the accessible deletion
32
mechanism described in § 6-48.2-7 shall be accessible to the public.
33

6-48.2-6. Disclosure.

34

(a) On or before July 1 following each calendar year in which a business meets the

LC005693 - Page 5 of 10
1
definition of a data broker as defined in § 6-48.2-2, the business shall do all of the following:
2

(1) Compile the number of requests pursuant to §§ 6-48.1-5 and 6-48.2-7(c) that the data
3
broker received, complied with in whole or in part, and denied during the previous calendar year;
4

(2) Compile the median and the mean number of days within which the data broker
5
substantively responded to requests pursuant to §§ 6-48.1-5 and 6-48.2-7(c) that the data broker
6
received during the previous calendar year; and
7

(3) Disclose the metrics compiled within the data broker’s privacy policy posted on their
8
internet website and accessible from a link included in the data broker’s privacy policy.
9

(b) In its disclosure pursuant to subsection (a)(3) of this section, regarding requests made
10
pursuant to § 6-48.2-7(c) a data broker shall disclose the number of requests that the data broker
11
denied in whole or in part because of any of the following:
12

(1) The request was not verifiable;
13

(2) The request was not made by a consumer or a consumer's authorized agent;
14

(3) The request called for information exempt from deletion.
15

(4) The request was denied on other grounds.
16

(c) In its disclosure pursuant to subsection (a)(3) of this section, a data broker shall specify
17
the number of requests in which deletion was not required in whole, or in part, due to an exemption
18
under this chapter, §§ 6-48.1-3(d) or (e), or 6-48.1-7(o) or (p).
19

6-48.2-7. Deletion.

20

(a) By January 1, 2027, the department shall establish an accessible deletion mechanism
21
that does all of the following:
22

(1) Implements and maintains reasonable security procedures and practices including, but
23
not limited to, administrative, physical, and technical safeguards appropriate to the nature of the
24
information and the purposes for which the personal data will be used and to protect consumers’
25
personal data from unauthorized use, disclosure, access, destruction, or modification;
26

(2) Allows a consumer, through a single verifiable consumer request, to request that every
27
data broker that maintains any personal data delete any personal data related to that consumer held
28
by the data broker or associated service provider or contractor;
29

(3) Allows a consumer to selectively exclude specific data brokers from a request made
30
under subsection (a)(2) of this section; and
31

(4) Allows a consumer to make a request to alter a previous request made under this section
32
within forty-five (45) days since the consumer last made a request under this section.
33

(b) The accessible deletion mechanism established pursuant to subsection (a) of this
34
section, shall meet all of the following requirements:

LC005693 - Page 6 of 10
1

(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all
2
personal data related to that consumer through a single deletion request;
3

(2) The accessible deletion mechanism shall permit a consumer to securely submit
4
information in one or more privacy-protecting ways determined by the department to aid in the
5
deletion request;
6

(3) The accessible deletion mechanism shall allow data brokers registered with the
7
department to determine whether an individual has submitted a verifiable consumer request to
8
delete the personal data related to that consumer as described in subsection (b)(1) of this section,
9
and shall not allow the disclosure of any additional personal data when the data broker accesses the
10
accessible deletion mechanism unless otherwise specified in this chapter;
11

(4) The accessible deletion mechanism shall allow a consumer to make a request described
12
in subsection (b)(1) of this section, using an internet service operated by the department;
13

(5) The accessible deletion mechanism shall not charge a consumer to make a request
14
described in subsection (b)(1) of this section;
15

(6) The accessible deletion mechanism shall allow a consumer to make a request described
16
in subsection (b)(1) of this section in any language spoken by any consumer for whom personal
17
data has been collected by data brokers;
18

(7) The accessible deletion mechanism shall be readily accessible and usable by consumers
19
with disabilities;
20

(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized
21
agents to aid in the deletion request;
22

(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent,
23
to verify the status of the consumer’s deletion request; and
24

(10) The accessible deletion mechanism shall provide a description of all of the following:
25

(i) The deletion permitted by this section including, but not limited to, the actions required
26
by subsections (c) and (d) of this section;
27

(ii) The process for submitting a deletion request pursuant to this section; and
28

(iii) Examples of the types of information that may be deleted.
29

(c)(1) Beginning August 1, 2027, a data broker shall access the accessible deletion
30
mechanism established pursuant to subsection (a) of this section, at least once every forty-five (45)
31
days and do all of the following:
32

(i) Within forty-five (45) days after receiving a request made pursuant to this section,
33
process all deletion requests made pursuant to this section and delete all personal data related to the
34
consumers making the requests consistent with the requirements of this section;

LC005693 - Page 7 of 10
1

(ii) In cases where a data broker denies a consumer request to delete under this chapter
2
because the request cannot be verified, process the request as an opt-out of the sale or sharing of
3
the consumer’s personal data, as provided for under § 6-48.1-5(e)(4);
4

(iii) Direct all processors associated with the data broker to delete all personal data in their
5
possession related to the consumers making the requests described in subsection (c)(1)(i) of this
6
section;
7

(iv) Direct all processors associated with the data broker to process a request described by
8
subsection (c)(1)(ii) of this section, as an opt-out of the sale or sharing of the consumer’s personal
9
data, as provided for under § 6-48.1-5(e)(4);
10

(2) Notwithstanding subsection (c)(1) of this section, a data broker shall not be required to
11
delete a consumer’s personal data if it is reasonably necessary for the data broker to maintain the
12
personal data to fulfill a purpose described in § 6-48.1-7(o) or (p);
13

(3) Personal data described in subsection (c)(2) of this section, shall only be used for the
14
purposes described in subsection (c)(2) of this section, and shall not be used or disclosed for any
15
other purpose including, but not limited to, marketing purposes.
16

(d)(1) Beginning August 1, 2027, after a consumer has submitted a deletion request and a
17
data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all
18
personal data of the consumer at least once every forty-five (45) days pursuant to this section unless
19
the consumer requests otherwise or the deletion is not required pursuant to subsection (c)(2) of this
20
section;
21

(2) Beginning August 1, 2027, after a consumer has submitted a deletion request and a data
22
broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or
23
share new personal data of the consumer unless the consumer requests otherwise.
24

(e)(1) Beginning January 1, 2028, and every three (3) years thereafter, a data broker shall
25
undergo an audit by an independent third party to determine compliance with this chapter;
26

(2) For an audit completed pursuant to subsection (e)(1) of this section, the data broker
27
shall submit a report resulting from the audit and any related materials to the department within
28
five (5) business days of a written request from the department;
29

(3) A data broker shall maintain the report and materials described in subsection (c)(2) of
30
this section, for at least six (6) years.
31

(f)(1) The department may charge an access fee to a data broker when the data broker
32
accesses the accessible deletion mechanism pursuant to subsection (d) of this section, that does not
33
exceed the reasonable costs of providing that access;
34

(2) A fee collected by the department pursuant to subsection (f)(1) of this section, shall be

LC005693 - Page 8 of 10
1
deposited in the data brokers’ registry fund pursuant to § 6-48.2-3.
2

6-48.2-8. Rules and regulations.

3

The department may promulgate rules and regulations to implement and administer this
4
chapter.
5
SECTION 2. This act shall take effect upon passage.
========
LC005693
========

LC005693 - Page 9 of 10
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --
RHODE ISLAND DELETE ACT
***
1
This act would create the Rhode Island Delete Act, requiring any entity that knowingly
2
collects, shares or sells to third parties the personal data of a consumer with whom the business
3
does not have a direct relationship, to register with the department of business regulation.
4
Consumers may request that their personal information be deleted through an appropriate deletion
5
mechanism as established by the department of business regulation.
6
This act would take effect upon passage.
========
LC005693
========

LC005693 - Page 10 of 10