/>iRhode Island Governor Daniel McKee allowed the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”) to pass on June 25, 2024 when he transmitted the bill back to the legislature without signature, making Rhode Island the 20th U.S. state to enact a comprehensive privacy law.
The RIDTPPA sailed through the Ocean State largely under the radar and was passed without much fanfare, political commentary, or local news coverage.
Several notable privacy advocate organizations including Consumer Reports, the Electronic Privacy Information Center (EPIC), and Restore the Fourth, opposed the RIDTPPA, claiming that it was not sufficient to protect Rhode Island residents’ personal information. While the RIDTPPA provides privacy rights to Rhode Islanders and imposes obligations on covered entities largely in line with several other U.S. state privacy laws, the RIDTPPA leans business-friendly.
TO WHOM DOES THE RIDTPPA APPLY?
The RIDTPPA takes a unique two-tiered applicability approach.
Tier One: Any commercial website or internet service provider that sells “personally identifiable information” is required to comply with certain transparency requirements under the RIDTPPA. However, the law does not define “personally identifiable information,” which differs from the term “Personal Data” that is more widely used in and defined under the law. Further legislative clarification is needed to resolve this discrepancy.
Tier Two: The remainder of requirements of the law apply to for-profit entities that produce products or services that are targeted toward Rhode Island residents and that during the preceding calendar year:
(1) controlled or processed personal data of at least 35,000 Rhode Island residents (excluding personal data processed solely for purposes of completing a payment transaction); or
(2) controlled or processed personal data of at least 10,000 Rhode Island residents and derive greater than 20% of their gross revenue from the sale of personal data.
WHAT CONSTITUTES “PERSONAL DATA?”
The RIDTPPA applies to “Personal Data,” which is defined broadly to include “any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified or publicly available information.”
WHAT ARE THE EXEMPTIONS?
Similar to other U.S. state privacy laws (other than California), the RIDTPPA does not apply to business-to-business personal data, or to personal data collected in an employment context.
The law also contains familiar entity-level exemptions, including for state agencies, nonprofit organizations, institutions of higher education, registered national securities organizations regulated by the Securities and Exchange Commission, financial institutions regulated by the Gramm-Leach-Bliley Act, and covered entities or business associates regulated by The Health Insurance Portability and Accountability Act (HIPAA).
Finally, the law contains data-level exemptions common to other U.S. state privacy laws, including with respect to protected health information subject to HIPAA, personal data regulated by the Fair Credit Reporting Act (FCRA), the Farm Credit Act, the Family Educational Rights and Privacy Act (FERPA), and others.
WHICH PRIVACY RIGHTS DO INDIVIDUALS HAVE?
The slate of privacy rights provided to individuals under the RIDTPPA does not chart new ground and follows other U.S. state privacy laws. Under the law, individuals have the following rights with respect to their personal data:
- Confirm whether or not a controller is processing their personal data.
- Access their personal data.
- Correct their personal data.
- Delete their personal data.
- Obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
- Opt-out of the processing of their personal data for purposes of targeted advertising, sale, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Individuals also have the right to revoke any consent that they gave to a controller to process their sensitive data.
Individuals may designate authorized agents to exercise opt-out rights on their behalf, and parents and legal guardians may exercise rights on behalf of their children.
Requests may be made once during any twelve (12) month period.
HOW ARE PRIVACY RIGHTS REQUESTS HANDLED?
Privacy rights requests made pursuant to the RIDTPPA must be responded to within forty-five (45) days, but may be extended by an additional forty-five (45) day period where reasonably necessary under the law, provided that the individual is informed of such extension. No fees may be charged unless requests are manifestly unfounded, excessive, or repetitive.
If an entity declines to act on a request, it shall inform the individual, provide a justification for such refusal, and provide instructions for how to appeal the decision.
The law requires that requests (except opt-out requests) be authenticated by the business prior to acting on such requests.
ARE THERE TRANSPARENCY OBLIGATIONS?
Controllers that collect, store, and sell “personally identifiable information” are required to, in their customer agreements or in another conspicuous location on their websites or online service platforms where similar notices are customarily posted, provide the following information:
- All categories of personal data collected through the website or online service;
- All third parties to whom the controller has sold or may sell personally identifiable information; and
- Identification of an active email address or other online mechanism that may be used to contact the controller.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing in a privacy notice.
Additionally, controller privacy notices must describe the means through which individuals can exercise their privacy rights under the law.
WHAT ARE THE OTHER COMPLIANCE REQUIREMENTS?
Consent: Consent must be obtained before processing “sensitive data” (personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data), and if the sensitive data relates to a child, consent must be obtained, and the information must be processed, in accordance with the Children’s Online Privacy Protection Act (COPPA). Individuals must be provided with a mechanism to revoke consent.
Appeals Process: Controllers must establish a process for individuals to appeal the controller’s refusal to comply with privacy rights requests.
Information Security: Controllers are required to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Vendor Contracts: Contracts with third-party vendors and service providers that process personal data on behalf of controllers must be binding and clearly set forth instructions for processing the data, the nature and purpose of the processing, the type of data processed, duration of the processing, and the rights and obligations of each party. Contracts must also contain content specifically stated in the law, such as an obligation to return personal data, a right to object to subprocessors, regulation of subprocessors, and audit requirements.
Data Protection Assessments: The law requires controllers to conduct and document a data protection assessment for processing activities that present a “heightened risk of harm to a consumer” – which include: (i) processing of personal data for targeted advertising; (ii) sale of personal data; (iii) processing of personal data for the purposes of profiling where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on the consumer in certain circumstances; or (iv) processing of sensitive data.
De-Identified Data: The law specifically regulates de-identified data, including disclosure requirements, requirements to ensure that such data remains de-identified, and requirements to enter into specific contracts with recipients of de-identified data.
HOW IS THE LAW ENFORCED?
There is no private right of action under the RIDTPPA, and the Attorney General is the sole enforcement mechanism. Violations of the law constitute a deceptive trade practice under Rhode Island law. In addition, any entity that intentionally discloses personal data to a shell company or any entity that has been formed or established solely, or in part, for the purposes of circumventing the law, may be subject to fines between $100 and $500 per violation.
WHAT DOESN’T THE LAW INCLUDE?
Below are several common elements of other U.S. state privacy laws that are not included in the RIDTPPA:
- Data minimization requirements;
- Data retention limitations;
- Requirements to recognize user-selected universal opt-out mechanisms;
- Specific privacy notice requirements as broadly applicable as other similar laws; and
- Cure period for violations of the law.
WHEN DOES THE LAW TAKE EFFECT?
The RIDTPPA takes effect on January 1, 2026.
