Rhode Island Legislature Passes Consumer Data Privacy Act

Husch Blackwell LLP

Keypoint: While the act does not include many provisions found in the more recent consumer data privacy laws, it would expand privacy notice obligations in one significant way although the applicability and scope of that requirement is unclear due to the lack of an important definition.

On June 13, 2024, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (SB 2500 / HB 7787). The act will now move to Governor Daniel McKee for consideration. Assuming the act becomes law, it will go into effect on January 1, 2026.

The act is based on the Washington Privacy Act model but diverges from the prevalent forms of that model in two ways. First, the act contains a unique privacy notice requirement that would require entities to disclose the third parties to whom they sell or “may sell” personally identifiable information. However, the applicability and scope of that potentially onerous requirement is unclear because the act does not define personally identifiable information. Second, the act does not include some provisions that have become commonplace in recently passed laws such as data minimization language and an obligation to recognize universal opt-out mechanisms.

In the below article, we provide a summary of the act’s more notable provisions. As with prior bills, we have added the Rhode Island act to our chart providing a detailed comparison of laws enacted to date.

Applicability

With one exception we discuss in the next section, the act uses the traditional Washington Privacy Act applicability standard. Specifically, the act applies to for-profit entities that conduct business in Rhode Island or produce products or services that are targeted to state residents and that, during the prior calendar year, either (1) controlled or processed the personal data of at least 35,000 state residents or (2) controlled or processed the personal data of at least 10,000 state residents and derived more than 20% of their gross revenue from the sale of personal data.

Rhode Island’s population is approximately 1.096 million people, meaning that the 35,000 threshold is approximately 3.19% of the state’s population. The act only applies to consumer personal data. It does not apply to employee or business-to-business personal data.

The act contains exemptions in three locations. The first two sets of exemptions are consistent with Connecticut’s law. For example, section 6-48.1.3(d) exempts, among other things, GLBA-regulated entities and data, HIPAA covered entities and business associates, non-profit organizations, institutions of higher education, and FERPA-regulated personal data. Section 6-48.1-7(o) exempts, among other things, processing personal data to comply with state or federal law and law enforcement investigations.

The final set of exemptions is found in section 6-48.1-10. That section includes, for example, a second GLBA entity-level exemption and a HIPAA data-level exemption. It appears the inclusion of this set of exemptions may be due to the fact that bill drafters combined a 2023 version of the bill (HB 5354), which did not follow the WPA model, with the Connecticut law and decided to retain all of the exemptions. Further, some of the exemptions found in this section apply to personally identifiable information, which is not a defined term (as discussed further below).

Privacy Notice

Section 6-48.1-3 of the act – entitled “Information sharing practices” – applies more broadly than the act’s other sections. First, part (a) of that section states that any “commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller.” It is unclear exactly what is intended by this provision, including how an entity should designate a controller. For reference, Oregon’s law requires entities to identify the controller in their privacy notice. The Rhode Island requirement could be interpreted similar to Oregon’s requirement.

Part (a) next states that if “a commercial website or Internet service provider collects, stores and sells customers’ personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: (1) Identify all categories of personal data that the controller collects through the website or online service about customers; (2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and (3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.” (Emphasis added.)

As shown by the emphasized language, the applicability of this section of the act is dependent on the entity collecting, storing and selling personally identifiable information. Further, part (1) of this section applies to personal data whereas part (2) applies to personally identifiable information. However, the act only defines personal data. It does not define personally identifiable information.

On the one hand, it could be argued that this is a drafting error and personally identifiable information should be interpreted the same as personal data. On the other hand, it could be argued that the two terms must mean different things or there would be no reason to use both. The latter argument is supported by one of the versions of the act proposed in the 2023 legislative session – HB 5354 – which defined personally identifiable information consistent with how the phrase is defined in data breach notification statutes, i.e., an individual’s first name or initial and last name combined with a specific data element such as a Social Security number or driver’s license number. That definition is much narrower than the definition of personal data.

The answer to this question is significant because, as noted, the act requires entities to identify all third parties to whom the controller has sold or may sell personally identifiable information. For some entities, the identification of all current and future third parties (not just categories of third parties) could be a difficult task. And, while it is true that Oregon requires entities to respond to consumer requests to identify third parties, Oregon does not require that such a disclosure be made in a privacy notice (it only requires category level disclosures in the privacy notice) and does not require the identification of third parties to whom the controller “may sell” personally identifiable information (which seems very challenging).

Ultimately, this may be an issue ripe for legislative clarification prior to the act’s effective date.

Further, part (b) of this section states that if “a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing.” That requirement is not tied to any applicability threshold such that it requires any entity (presumably doing business in Rhode Island although that is not specifically stated) to make such a disclosure.

Finally, this is the only section of the Rhode Island act that requires privacy notice disclosures and it does not align with disclosure requirements found in other consumer privacy laws. For example, the requirement to identify the categories of personal data collected is limited to personal data collected through a website or online service. Therefore, it does not extend to offline collection. There also is no requirement to identify the purpose of the processing or the categories of personal data the controller shares with third parties.

Data Minimization

The act does not contain a data minimization requirement. Specifically, as compared to the Connecticut law, the act does not require controllers to limit their collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. The act also does not prohibit controllers from processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. This approach is consistent with the Utah and Iowa laws.

Sensitive Data

The act requires controllers to obtain opt-in consent for the processing of sensitive data. The act defines sensitive data consistent with how that term was defined in the initial version of the Connecticut law, prior to the Connecticut definition being expanded last year.

Children’s Data

The act does not include any additional restrictions on the processing of data from children between the ages of 13 and 17.

Opt-Out Link

The act does not require controllers to provide a website link to opt out of the sale of personal data or targeted advertising.

Universal Opt-Out Mechanisms

The act does not require controllers to recognize universal opt-out mechanisms.

Pseudonymous Data Exemption

Unlike most other laws, the act’s pseudonymous data exemption does not carve out consumer opt-out rights. Therefore, the rights to opt out of sale, targeted advertising, and profiling do not apply to pseudonymous data.

Processor Obligations

The act does not include the typical language requiring processors to assist controllers. Specifically, the act states that a processor shall adhere to a controller’s instructions and assist the controller in meeting its obligations; however, the act does not go on to include the specific language found in other laws, stating that such assistance shall include responding to consumer requests, securing data, and providing information necessary for the controller to complete data protection assessments. The act also does not include the typical language stating that a processor that does not adhere to a controller’s instructions shall become a controller.

Data Protection Assessments

The act requires controllers to conduct data protection assessments; however, the act does not include the paragraph found in most consumer privacy laws that states what a controller must take into account when conducting the assessments (e.g., identifying and weighing the benefits that may flow from the processing).

Enforcement

The act will be enforced by the state Attorney General. There is no private right of action. The act also is the first state consumer data privacy law to not include a right to cure. Violations of the act are enforceable under the state’s deceptive trade practice act. In addition, if an entity “intentionally discloses personal data” to a shell company or entity created to circumvent the act or in violation of any provision of the act, the entity shall pay a fine of between $100 and $500 for each such disclosure.

Effective Date

The act goes into effect January 1, 2026.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Husch Blackwell LLP
