Can I use third-party customer service tools that collect personal information in Rhode Island? What are the requirements?
Third-Party Customer Service Tools and Personal Information in Rhode Island
If you are using third-party customer service tools that collect personal information in Rhode Island, you must comply with the state’s data protection laws. Specifically, you must implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of your organization, the nature of the information, and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information [1.1].
Additionally, if you disclose personal information about a Rhode Island resident to a nonaffiliated third party, you must require by written contract that the third party implement and maintain reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information, and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure [1.1].
If you experience a breach of the security of computerized unencrypted data that poses a significant risk of identity theft, you must send a disclosure of the breach to the Rhode Island Department of Business Regulation in the most expedient time possible and without unreasonable delay consistent with the disclosure required in the Rhode Island Identity Theft Protection Act of 2015 [6.1].
If you are unsure whether your use of third-party customer service tools complies with Rhode Island’s data protection laws, you should consult with a legal professional.
Exceptions to Notice and Opt-Out Requirements
Exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions are outlined in 230 RICR 20-60-7.16 [3.3]. However, this regulation pertains specifically to financial information and may not be applicable to personal information collected by third-party customer service tools.
Third-Party Use of Merchant Trademarks and Likeness
A third-party delivery service may not use the likeness, registered trademark, or any intellectual property belonging to the merchant to falsely suggest sponsorship or endorsement by, or affiliation with the merchant [2.1].
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in §§ 7.16 or 7.17 of this Part, the licensee’s disclosure and use of that information is limited [3.1].
Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
A licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless certain conditions are met [3.2].
If you have any further questions or concerns, it is recommended that you consult with a legal professional.
[1.1]: R.I. Gen. Laws § 11-49.3-2
[2.1]: RIGL 6-58-2
[3.1]: 230 RICR 20-60-7.13
[3.2]: 230 RICR 20-60-7.12
[3.3]: 230 RICR 20-60-7.16
Source(s):
- [1.1] Risk-based information security program.
- [2.1] Third-Party use of merchant trademarks and likeness.
- [3.1] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
- [3.2] Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
- [6.1] Notification of Breach of Security System
- [3.3] Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions
Jurisdiction
Rhode Island