On June 28, 2024, the Governor of Rhode Island approved the Rhode Island Data Transparency and Privacy Protection Act (the "Act"), making Rhode Island the 20th state to adopt a comprehensive data privacy law. The Act becomes effective on January 1, 2026.

Applicability

The Act applies to natural and legal persons that determine the means and purposes of processing personal data ("controllers"), who:

• Conduct business in Rhode Island; or 
• Produced products or services targeted to Rhode Island residents during the preceding calendar year; and 
  • Controlled or processed the personal data of at least 35,000 customers, except where the personal data was collected solely for completing a financial transaction; or
  • Controlled or processed the personal data of at least 10,000 customers and derived more than 20% of gross revenue from its sale.

The Act does not apply to nonprofits, governmental institutions, organizations regulated by the GLBA or HIPAA, or state-regulated insurance institutions. It does not apply to data regulated by federal privacy laws like FERPA. The Act also exempts personal data processed or maintained for certain employment purposes.

Key Requirements

Under the Act, controllers must:

• Implement administrative, technical, and physical data security practices;
• Obtain consent before processing sensitive personal data;
• Provide detailed privacy notices, including the types of data collected, to whom the data is disclosed, and how customers may exercise their rights;
• Disclose the current or future "sale" of personal data or processing of personal data for target advertising or profiling and provide an opportunity to opt-out of such sale or processing; and
• Conduct data protection impact assessments for any processing that presents a heightened risk of harm to consumers, such as sale or profiling.

Consistent with other state privacy laws, the Act gives consumers the right to request personal data access, correction, deletion, and portability. Conversely, the Act does not require controllers to utilize universal opt-out mechanisms. Processors are also subject to obligations under the Act, including cooperating with controllers to comply with the Act and allowing independent assessments as to the adequacy of the processor's security and other required measures.

Enforcement

The Rhode Island Attorney General is responsible for enforcing the Act. Violations for each intentional disclosure of personal information carry penalties between $100 and $500. Notably, the Act does not provide time to cure violations.

Companies should examine their data collection and privacy practices in light of these new obligations and other state privacy law regimes.