Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I store personal information about my customers in Rhode Island? What are the requirements?

Storing Personal Information of Customers in Rhode Island

Rhode Island has specific requirements for storing personal information of customers. According to the Rhode Island Code of Regulations, a licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship [1.1].

Annual Privacy Notice to Customers Required

A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve (12) consecutive months during which that relationship exists. A licensee may define the twelve (12) consecutive-month period, but the licensee shall apply it to the customer on a consistent basis [1.1].

Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in §§ 7.16 or 7.17 of this Part, the licensee’s disclosure and use of that information is limited [1.3].

Information To Be Included In Privacy Notices

The initial, annual and revised privacy notices that a licensee provides under §§ 7.5, 7.6 and 7.9 of this Part shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice [1.4]:

  1. The categories of nonpublic personal financial information that the licensee collects;
  2. The categories of nonpublic personal financial information that the licensee discloses;
  3. The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 7.16 and 7.17 of this Part;
  4. The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under §§ 7.16 and 7.17 of this Part;
  5. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 7.15 of this Part (and no other exception in §§ 7.16 and 7.17 of this Part applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
  6. An explanation of the consumer’s right under § 7.12(A) of this Part to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
  7. Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
  8. The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and
  9. Any disclosure that the licensee makes under § 7.7(B) of this Part.

Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information

Rhode Island has exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information. The requirements for initial notice to consumers, opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction. The requirements also do not apply when a licensee discloses nonpublic personal financial information to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction, or to protect against or prevent actual or potential fraud or unauthorized transactions. Other exceptions include providing information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants, and auditors. Additionally, the requirements do not apply when a licensee discloses nonpublic personal financial information for purposes related to the replacement of a group benefit plan, a group health plan, or a group welfare plan [1.2][1.5].

Conclusion

Based on the above information, it is clear that Rhode Island has specific requirements for storing personal information of customers. A licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Additionally, the licensee’s disclosure and use of nonpublic personal financial information is limited. The licensee must also include specific information in its privacy notices. However, there are exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information.

Source(s):
Jurisdiction

Rhode Island