Rhode Island: State #19 to Enact Comprehensive Privacy Legislation

On June 29, 2024, Rhode Island’s governor signed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) into law. The RIDTPPA will go into effect January 1, 2026. The law generally aligns with other comprehensive data privacy laws, with a few notable exceptions, such as no cure period for violations, disclosure requirements for third-party data sales, and the broad applicability of its privacy notice requirements.

Applicability

The RIDTPPA applies to entities that conduct business in Rhode Island or target products or services to Rhode Island and that, in the previous calendar year, either (1) controlled or processed personal data of at least 35,000 Rhode Island residents; or (2) controlled or processed personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.

The law does not apply to nonprofits; higher education institutions; state entities; national securities associations; entities and data regulated by GLBA; HIPAA covered entities, business associates, protected health information, or other information subject to HIPAA; information governed by FCRA, the Driver’s Privacy Protection Act, the Farm Credit Act, FERPA, or the Fair Credit Reporting Act; and certain employment-related information. Additionally, personal data in the employment or business-to-business context is not covered under the law.

Key Definitions

Customer – The RIDTPPA defines “customers” (typically referred to as “consumers” in similar laws) as Rhode Island residents acting in an “individual household context” and excludes individuals acting in a “commercial or employment context.”

Biometric Data – Under the RIDTPPA, biometric data does not include digital or physical photographs or audio or video recordings.

Sale – Like the CCPA, the RIDTPPA defines “sale” of personal data broadly as the “exchange of personal data for monetary or other valuable consideration.”

Privacy Notices

One of the most unique aspects of the law is its requirements (and ambiguities) regarding privacy notices. The law provides that “[a]ny commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller.” If that “commercial website or Internet service provider collects, stores, and sells customers' personally identifiable information,” then its designated controller must provide a privacy notice with certain information.

On the one hand, this language requires entities to provide privacy notices even if those entities do not meet the applicability thresholds above. On the other hand, the law requires a privacy notice only from entities that not only collect and store personal data but also sell that personal data. What’s more, the law does not clarify what it means to “designate a controller.”

While the law may be murky on these details, it is clear that a privacy notice must include: all third parties to whom the entity has sold or may sell personal data; all categories of personal data collected; an email address or other mechanism for customers to communicate with the entity; and disclosure of whether the entity sells personal data to third parties or uses personal data for targeted advertising.

Customer Rights

The RIDTPPA provides customers with the rights to: confirm what personal data a controller is processing and access that personal data; correct inaccurate personal data; delete personal data; and obtain a portable copy of their personal data (data portability).

Opt-ins and Opt-outs

Customers also have the right to opt out of processing of personal data for purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effect concerning the consumer.” The definition of “profiling” is broad and covers “any form of automated processing” to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Unlike in other states, human oversight and input into the outcome of the processing will not remove it from the definition of profiling.

As noted above, a “sale” of personal data includes a transfer of personal data for “other valuable consideration” in addition to money. Thus, controllers in Rhode Island should give customers the right to opt out of transfers of their data to third parties when the controller reaps bargained-for benefits from sharing the data, even if those benefits are non-monetary, such as analytics. However, under the RIDTPPA, a “sale” only occurs if the data is exchanged with a third party; transfers to affiliates of the controller or to a processor are excluded.

Customers must also consent to the processing of their sensitive personal data.

De-identified Data

Like many of its sister laws, the RIDTPPA requires a controller in possession of de-identified data to (i) take reasonable measures to ensure that the data cannot be associated with an individual; (ii) publicly commit to maintain and use the de-identified data without attempting to re-identify the data; and (iii) contractually obligate any recipients of the de-identified data to comply with the RIDTPPA.

Data Protection Assessments

Controllers also must conduct a data protection assessment for processing that “presents a heightened risk of harm to a customer,” including processing personal data for the purposes of targeted advertising, processing personal data for certain types of profiling, processing sensitive data, and the sale of personal data. The RIDTPPA is silent on what factors a controller should consider when conducting this assessment.

Enforcement and Steep Penalties

The RIDTPPA will be enforced solely by the Rhode Island Attorney General and does not give customers the right to sue directly. Unlike many other state laws, the RIDTPPA does not provide an opportunity for an entity to “cure” a violation of the law.

The law treats violations as a deceptive trade practice under Rhode Island’s general consumer protection law, which is subject to a penalty of $10,000 per violation. Additionally, intentional disclosures of personal information are subject to a penalty of between $100 and $500 per violation.

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.