On June 25, 2024, the governor of Rhode Island transmitted without signature a comprehensive privacy bill, the Rhode Island Data Transparency and Privacy Protection Act (DTPPA), back to the state legislature, which is still in session. This means that the DTPPA will take effect January 1, 2026. For many companies, the DTPPA will look familiar, but for smaller companies, there is a twist: The DTPPA has privacy policy requirements that apply to any commercial website conducting business or offering products and services to Rhode Island residents.

IN DEPTH

WHO DOES THE DTPPA APPLY TO?

Unlike other consumer privacy laws, Rhode Island’s DTPPA has a two-tier applicability threshold:

First, any operator of a commercial website or internet service provider conducting business in Rhode Island or with Rhode Island customers or otherwise subject to Rhode Island jurisdiction is subject to the privacy policy disclosure requirements of the DTPPA. This applies regardless of the size of the company.

Second, all other requirements of the DTPPA apply to any for-profit entities that conduct business in Rhode Island or provide products or services that are targeted to Rhode Island residents and, during the immediately preceding calendar year, either:

1. Controlled or processed the personal data of at least 35,000 Rhode Island customers (excluding that personal data controlled or processed solely for the purpose of completing a payment transaction); or
2. Controlled or processed the personal data of at least 10,000 Rhode Island customers and derive more than 20% of their gross revenue from the sale of personal data.

WHO IS A “CUSTOMER”?

The DTPPA follows the majority of other states and defines a customer to be an individual who is a resident of Rhode Island acting only in the individual context (i.e., excluding employment or commercial actors).

WHAT IS “PERSONAL DATA”?

The definition of “personal data” should look familiar as well. The term applies to information that is linked or reasonably linkable to an identified or identifiable individual but excludes de-identified data or publicly available information. In other words, the DTPPA tracks the majority of state consumer privacy laws.

WHO CAN ENFORCE?

Rhode Island’s attorney general has exclusive enforcement power. Penalties can be up to $10,000 per violation under Rhode Island’s unfair and deceptive trade practices statute.

WHO IS EXEMPT?

The DTPPA includes what has now become a standard list of entity-level exemptions, including for government entities, nonprofit organizations, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), national securities associations, and covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA).

The DTPPA also includes a standard list of data-level exemptions, including exemptions for data subject to HIPAA, the Fair Credit Reporting Act, the GLBA, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act, among others.

WHAT OBLIGATIONS ARE IMPOSED?

All companies that are subject to the DTPPA and subject to jurisdiction in Rhode Island (i.e., because they operate a commercial website that offers products and/or services to Rhode Island residents) must provide a website privacy policy in a “conspicuous location on its website or online service platform” that includes (1) all categories of personal information that are collected; (2) all third parties to whom personal information has or may be sold; (3) an active email address or other mechanism for a consumer to contact the company; and (4) if the company engages in targeted advertising, disclosures about that processing. The requirement to disclose “all third parties” to whom information may be sold is a unique aspect of the DTPPA, especially given that it applies to companies of any size that operate a website in Rhode Island (and that are subject to jurisdiction in Rhode Island).

In addition to these privacy policy requirements, for entities that meet the size threshold of the DTPPA, there is what has become a standard set of additional obligations, including but not limited to:

1. Limiting the collection of personal data to what is reasonably necessary in relation to the purposes for which the data is processed and disclosed to the customer;
2. Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices (to protect the confidentiality, integrity and accessibility of personal data);
3. Not processing sensitive data without prior customer consent; and
4. Not discriminating against customers.

WHAT CUSTOMER RIGHTS ARE CREATED BY THE DTPPA?

The DTPPA provides Rhode Island customers with customer rights that should look familiar:

1. The right to confirm whether or not the controller is processing the customer’s personal data and to access that data, if being processed, unless that would reveal a trade secret;
2. The right to correct and delete personal data, taking into account the nature of the data and the purposes of the processing of that data;
3. The right to data portability when data processing is done through automated means, again provided it does not reveal a trade secret;
4. The right to opt out of the processing of personal information for targeted advertising, the sale of personal data and profiling, where profiling is being performed by automated means that produce legal or similarly significant effects concerning a customer; and
5. The right to appeal rights requests that have not been fulfilled.

SENSITIVE DATA

The DTPPA has a list of sensitive data that generally tracks with other state customer privacy laws:

1. Racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
2. The processing of biometric or genetic information for the purpose of unique identification;
3. Personal data of a known child (under 13); or
4. Precise geolocation data (excluding communications generated by or connected to utility metering infrastructure).

RESPONSE TO CUSTOMER REQUESTS

Following the same framework as most states, under the DTPPA, controllers must respond to a data subject request within 45 days after receipt, with a 45-day extension available as reasonably necessary. If denied, the controller must provide a method to appeal the denial of a request and make the process conspicuously available. A decision on the appeal must be provided within 60 days of receipt of the customer’s appeal. If an appeal is denied, the customer may submit a complaint to the Rhode Island attorney general.

DATA PROTECTION ASSESSMENTS

The DTPPA also requires controllers to conduct a data protection assessment for each of the following activities:

1. Processing personal data for targeted advertising;
2. Selling personal data;
3. Processing sensitive data; and
4. Processing personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of (1) unfair or deceptive treatment; (2) unlawful disparate impact; (3) financial, physical or reputational injury; (4) a physical or other intrusion on the private affairs of a customer where such intrusion would be offensive to a reasonable person; or (5) other substantial injury to a customer.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

WHEN DOES THE DTPPA TAKE EFFECT?

The DTPPA will go into effect on January 1, 2026.

***

The plethora of unique state privacy laws is becoming more challenging as each new version is introduced. In addition to implementing comprehensive privacy programs, organizations need to ensure they are reviewing applicability and updating internal policies and procedures as needed to maintain compliance.