HB Ad Slot
HB Mobile Ad Slot
Rhode Island’s New Data Privacy Law
Thursday, July 11, 2024

Some writers (not from my great state of Rhode Island) act like Rhode Island has been behind the times when it comes to data privacy and security when discussing the state’s new privacy law. I feel a need to explain that this is just not so. Rhode Island is not a laggard when it comes to data privacy.

Rhode Island has had a data privacy law on its books for a long time, though it was not called a privacy law. It was the Rhode Island Identity Theft Protection Act, which was enacted in 2015. It was designed to protect consumers’ privacy and provide data breach notification. It was amended to include data security requirements in the footsteps of the then-novel Massachusetts data security regulations. It was a one-stop shop for data privacy, security, and breach notification, but it did not provide individuals the right to access or delete data and was not as robust as new data privacy laws. Rhode Island was an early state to include health information in its definition of personal information that requires breach notification in the event of unauthorized access, use, or disclosure of health information. Many states still do not include health information in the definition of breach notification.

But just so the record is clear, consumer protection has been in the DNA of Rhode Island’s laws for many years, and the new privacy law was an expansion of previous efforts to protect consumers.

The new privacy law in Rhode Island expands the privacy protections for consumers and is the latest in a wave of privacy laws being enacted in the U.S. As of this writing, 19 states have new privacy laws on the books, and Rhode Island makes 20.

All of the privacy laws are fairly similar, except for California, which is the only state to date that provides for a private right of action in the event of a data breach (with requirements prior to the filing of a lawsuit).

That said, for those readers who will fall under the Rhode Island law and are in my home state, here are the details of the law (the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)) of which you should be aware:

  • The law goes into effect on January 1, 2026
  • It does not apply to nonprofit organizations, institutions of higher education, registered national securities organizations regulated by the SEC, financial institutions regulated by Gramm-Leach-Bliley, covered entities or business associates regulated by HIPAA, or the state or state agencies.
    • This is consistent with other state data privacy laws (but some of the exceptions are questionable in this writer’s opinion).
  • It applies to any commercial website or internet service provider conducting business in RI, or which has customers in RI, or is subject to RI’s jurisdiction, as well as for-profit entities conducting business in RI, or which provide products or services targeted to RI residents (with minimum requirements).
  • It requires businesses to be transparent with customers on information sharing practices in its agreement with customers or conspicuously in its website privacy policy, including what data is being collected, how it is being collected, third parties to which the data is transferred, information on how customers can exercise their privacy rights, the purpose for the collection, whether the data is being sold, and how the customer can opt-out of the selling of data.
  • It requires businesses to only collect the data that is necessary to provide products and services to customers (data minimization) and prohibits businesses from processing personal data in a manner not reasonably necessary or compatible with what is disclosed to the customer.
  • It provides “customers” certain rights regarding their data. Customers do not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency” if the communication is in a business context.
    • This provision differs from the California privacy law that includes business contacts as consumers and is consistent with other state data privacy laws.
  • The definition of “personal data” that the statute applies to is very broad—much broader than other state laws’ definition of personal information—”any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.”
  • “Sensitive data” includes specific data elements, including “data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.”
    • This definition is consistent with other state laws.
  • Businesses are required to establish data security measures to protect personal data
  • Businesses are prohibited from processing sensitive data without consent, including consent of the parent if the individual is a child in accordance with COPPA.
  • It requires businesses to provide customers with the ability to grant and revoke consent for processing personal data.
  • Data controllers are prohibited from discriminating against customers or denying them products and services for exercising their rights.
  • Customers can request access to, correct inconsistencies in, request deletion of, and obtain a copy of the personal data in the controllers’ possession.
  • Controllers must respond to an authenticated customer’s request to exercise rights within forty-five (45) days of the request free of charge once a year, but controllers can charge for unreasonable requests.
  • There are some reasons why a controller can deny a request, but the controller must have an appeal process in place.
  • A controller must have contractual measures in place with processors with specific requirements and are required to “conduct and document” a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a customer after January 1, 2025, and the Attorney General has the authority to request the data assessment in any relevant investigation.
    • This is a specific provision in Rhode Island’s law that is different from other state laws and should be considered carefully. 
  • Controllers in possession of de-identified data shall “publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
    • Note there is no guidance on what “publicly commit” means.
  • A violation of the law will be deemed a deceptive trade practice with fines between $100 and $500 per violation, and the sole power of enforcement will be with the Attorney General.
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins