Rhode Island Enacts Comprehensive Data Privacy Law

Hinckley Allen

On June 13, 2024, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), which became law in late June. The Act aims to protect the personal information of Rhode Island residents and contains concepts similar to those in other states’ recently enacted comprehensive privacy laws. Businesses subject to the Act must comply by January 1, 2026.

Applicability

Generally, the Act applies to for-profit businesses that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and that, during the prior calendar year, either: (i) controlled or processed the personal data of at least 35,000 Rhode Island residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (ii) controlled or processed the personal data of at least 10,000 Rhode Island residents and derived over 20% of their gross revenue from the sale of personal data (the “Consumer Data Threshold”). “Personal data” is broadly defined to mean “any information that is linked or reasonably linkable to an identified or identifiable individual….” The Act does not cover publicly available information or information about an individual acting in a commercial or employment capacity.

Certain provisions of the Act also apply to commercial websites and internet service providers conducting business in Rhode Island, with customers in Rhode Island, or that are otherwise subject to Rhode Island jurisdiction (“Covered Websites and ISPs”), even if they do not satisfy the Consumer Data Threshold, as discussed in further detail below.

Certain entities are exempt from the Act, including Rhode Island governmental entities, nonprofit organizations, higher education institutions, national securities associations, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, and covered entities or business associates under the Health Insurance Portability and Accountability Act (“HIPAA”). The Act also exempts certain types of information and data, including data subject to Title V of the Gramm-Leach-Bliley Act and protected health information under HIPAA.

Customer Rights

Customers of businesses covered under the Act are granted certain rights relating to their personal data. Customers generally have the right to:

  • Confirm whether a business is processing their personal data;
  • Access their personal data;
  • Correct inaccuracies in their personal data;
  • Delete personal data provided by, or obtained about, them;
  • Obtain a copy of their personal data in a portable format; and
  • Opt out of the processing of their personal data for targeted advertising, for most sales of personal data, and for certain types of profiling.

Businesses are prohibited from discriminating against any customer for exercising their rights under the Act.

Responding to Customers Exercising Their Rights

Customers must be able to exercise their rights under the Act through a secure and reliable process that is described in the business’s privacy notice, and the Act sets forth specific requirements for how businesses must respond. More specifically, a business must respond to a customer request without undue delay, and in any event not more than 45 days after receiving the request (although this period may be extended under certain circumstances). If a business denies a customer’s request, it must communicate the denial to the customer and inform the customer of a process for appealing it. Generally, a business must provide the information a customer requests free of charge once every 12 months.

Other Business Responsibilities

Businesses covered by the Act must, among other things, (i) process personal data only to the extent that such processing is reasonably necessary for the purposes for which such data is processed, as disclosed to customers; (ii) establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data; (iii) comply with specific requirements relating to biometric data, precise geolocation data, data relating to minors and other sensitive data; (iv) provide customers with a mechanism to grant and revoke consent when required; and (v) conduct data protection assessments with respect to data processing that presents a heightened risk of customer harm (such as sales of personal data, sensitive data processing, and processing for targeted advertising and certain types of profiling).

Each Covered Website and ISP that collects, stores and sells any personally identifiable information of Rhode Island customers must, in a customer agreement or another conspicuous location on its website or online service platform:

  • Identify all categories of personal data it collects;
  • Identify all third parties to whom it may sell or has sold personally identifiable information;
  • Provide an email address or other online mechanism by which the customer can contact it; and
  • Disclose whether it sells personal data to third parties or processes personal data for targeted advertising.

These disclosure requirements apply even if the Covered Website or ISP does not meet the Consumer Data Threshold and, as such, is not otherwise subject to the Act. If a Covered Website or ISP does meet the Consumer Data Threshold, however, it must also comply with the other provisions of the Act.

Vendor Relationships

The Act also governs the relationship between businesses and their vendors and other third parties that process personal data on their behalf (“processors”). Among other things, the Act requires that a business enter into a binding contract with each of its processors that addresses the processor’s data processing procedures and contains certain enumerated provisions.

Enforcement

The Act does not create a private right of action for customers; the Rhode Island Attorney General has sole enforcement authority. A violation of the Act constitutes a violation of Rhode Island’s general regulatory provisions of commercial law and a deceptive trade practice under Rhode Island law, but nothing in the Act’s enforcement provisions is intended to authorize any private right of action on that basis either.

Concluding Thoughts

While the Act contains similar provisions to other states’ comprehensive privacy laws, businesses should familiarize themselves with the specific requirements of the Act. Any business that is subject to the Act should carefully review and update its policies and practices to ensure compliance with the Act by January 1, 2026.

This article is only a summary of the Act; the text of the statute should be consulted for further information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hinckley Allen
