Rhode Island Joins Group of Northeast States with Data Privacy Laws

On June 28, 2024, the Rhode Island Data Transparency and Privacy Protection Act (the “Act”) was enacted into law, despite not obtaining the Rhode Island Governor’s signature. The Act will take effect on January 1, 2026, making Rhode Island the nineteenth state to enact a comprehensive privacy law.

Applicability

The Act generally applies to for-profit entities that conduct business in Rhode Island or that produce products or services that are targeted to residents of Rhode Island, and during the preceding calendar year either:

  1. controlled or processed the personal data of at least 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. controlled or processed the personal data of at least 10,000 customers and derived more than 20% of gross revenue from the sale of personal data.

Aside from the above applicability thresholds, the Act's privacy policy disclosure requirements apply to any operator of a commercial website or internet service provider conducting business in Rhode Island or with Rhode Island customers or otherwise subject to Rhode Island jurisdiction, regardless of the size of the business or the amount of personal data it processes.

Unlike some other recently enacted state comprehensive privacy laws, the Act contains no carve-out exempting small businesses. Notably, the Act does not apply to non-profit organizations or institutions of higher education. Currently, state comprehensive privacy laws are split on whether they apply to non-profit organizations, with states recently trending toward including them. This split may create unique challenges for non-profit organizations, especially if they decide to bifurcate compliance efforts on a state-by-state basis.

In addition, the Act does not apply to certain other entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, national securities associations registered under the Securities Exchange Act of 1934, and HIPAA-covered entities and business associates. It also includes exemptions similar to those found in other state comprehensive privacy laws for certain types of information, such as protected health information under HIPAA, personal data processed by a consumer reporting agency under the Fair Credit Reporting Act, personal data processed under the Driver’s Privacy Protection Act, and personal data regulated by the Family Educational Rights and Privacy Act. 

Key Definitions

Although the Act uses the term “customer” where other state comprehensive privacy laws use the term “consumer,” its definition tracks the vast majority of those laws’ definitions of “consumer”: the Act narrowly defines “customer” to mean an individual who is a Rhode Island resident acting only in an individual or household context, excluding individuals acting in a commercial or employment context. As a result, employee personal data and business-to-business data are not within the scope of the Act.

Also, like other state comprehensive privacy laws, the Act governs customers’ “personal data” in addition to a special category of personal data known as “sensitive data.” “Sensitive data” is defined as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. Businesses that are controllers under the Act should take note of the scope of “sensitive data” because the Act requires controllers to obtain consent from customers prior to processing sensitive data or, in the case of processing of sensitive data of a known child, to process such data in accordance with the federal Children’s Online Privacy Protection Act (COPPA).

Under the Act, the “sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party, which aligns with a majority of other state comprehensive privacy laws. The Act also includes broad exceptions to the definition of “sale of personal data” that are similar to exceptions in other state comprehensive privacy laws. These exclude from the Act’s requirements many ordinary business activities such as disclosure of personal data to a processor who processes the personal data on behalf of a controller; transfers of personal data to an affiliate of a controller; and disclosure of personal data to a third party for the purpose of providing a product or service requested by the customer.

Compliance

The Act requires any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction to designate a data controller. Further, any such commercial website or internet service provider who collects, stores, and sells customers’ personal data must identify all categories of personal data that the controller collects about customers online, all third parties to whom the controller has sold or may sell customers’ personal data, and an active email address or other online mechanism that the customer may use to contact the controller. Such identification must be made in a “conspicuous location on its website or online service platform,” such as its privacy policy. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing. The requirement for disclosure of “all third parties” to whom information may be sold is a unique aspect of the Act in comparison to other state comprehensive privacy laws, especially given its broad application to businesses of any size that operate a website in Rhode Island and are subject to Rhode Island jurisdiction.

The Act also requires that controllers enter into contracts with processors that process personal data on their behalf. The Act requires such controllers to conduct and document data protection assessments of any processing activities that present a “heightened risk of harm” to customers. These activities include the processing of personal data for the purpose of targeted advertising, the sale of personal data, the processing of sensitive data, or the processing of personal data for the purpose of profiling (in certain instances).

Consumer Rights and Requests

The Act grants customers the right to request a controller to (1) confirm whether the controller is processing the customer’s personal data and to access such personal data, unless it would require the controller to reveal a trade secret; (2) correct inaccuracies in their personal data (taking into account the nature of the personal data and the purpose of processing such data); (3) delete their personal data (taking into account the nature of the personal data and the purpose of processing such data); (4) provide a copy of their personal data; and (5) opt out of the processing of the customer’s personal data for targeted advertising, the sale of personal data, or certain types of profiling. These rights are consistent with the rights granted to customers under other state comprehensive privacy laws. In addition, a customer may designate an authorized agent to exercise the right to opt out on their behalf.

The Act grants a controller 45 days to respond to customer requests. The response time may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the customer’s requests, provided that the controller informs the customer of any extension within the initial 45-day response period, together with the reason for the extension. Additionally, a controller must provide a customer with an appeals process if it denies a customer’s request, and a controller has 60 days to respond to an appeal. Such an appeal process is now common, although not uniform.

Additionally, the Act requires controllers to provide customers with a mechanism to grant and revoke consent where consent is required, such as for the processing of sensitive data. Upon receipt of revocation, the controller must suspend the processing of data as soon as practicable, but not later than 15 days from receipt of revocation.

Enforcement

Like most other state comprehensive privacy laws, the Act has no private right of action. Rather, the Rhode Island Attorney General has exclusive authority to enforce violations of the Act. Violating the Act constitutes a deceptive trade practice in violation of Rhode Island’s Commercial Law, which allows for up to $10,000 in civil penalties per violation. Additionally, the Act provides that any individual or entity that intentionally discloses personal data in violation of the Act may be fined up to $500, but no less than $100, for each such disclosure. Unlike other state comprehensive privacy laws, the Act provides no opportunity to cure.

Conclusion

The number of state comprehensive privacy laws continues to increase, and businesses’ compliance efforts will need to continue to evolve, including reviewing applicability and updating internal policies and procedures as needed to maintain compliance as new laws come on board. Although these laws contain many similarities, businesses should be mindful of their differences. Developing and maintaining compliance efforts with the state comprehensive privacy laws is important for all covered businesses. 

If you would like assistance with, or have any questions about, complying with the Act or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.

Special thanks to Sarah Olsen for her contributions to this article.