The Rhode Island Legislature enacted its comprehensive data privacy law on July 1, 2024. The Data Transparency and Privacy Protection Act (H 7787, or the “RI-DTPPA”) was enacted in response to growing concerns about data privacy and security in the digital age. The RI-DTPPA follows the lead of other states with similar – though not identical – data protection laws and creates new obligations and risks to Rhode Island companies. This post contains the key provisions.

Summary of the RI-DTPPA

The RI-DTPPA codifies the Legislature’s concern with providing citizens with transparency about how their personally identifiable information is shared by businesses. The law applies to a broad range of businesses, as explained below, including businesses that collect information from visitors to their websites.

The newly enacted legislation aims to provide protections for personal data by ensuring transparency in data collection and giving consumers greater control over their information. Key provisions of the law include requirements for clear privacy policies, consumer rights to access and delete their data, and stringent data security measures. The law also mandates that businesses obtain explicit consent before collecting or sharing sensitive personal information and imposes strict guidelines for data breach notifications. The law goes into effect on January 1, 2026.

Who the Law Affects

The RI-DTPPA affects a broad range of businesses, including any entity that collects, stores, or processes personal data of Rhode Island residents. This encompasses for-profit companies operating within the state and those outside of Rhode Island that handle data belonging to Rhode Island residents. Small businesses, large corporations, online service providers, and brick-and-mortar establishments all fall under the jurisdiction of this law if they engage in data collection activities.

The law applies to any business that “controls” or “processes” personal data of members of the public. A “controller” is a business that “determines the purpose and means of processing personal data.” For example, a controller can be a retailer that collects names, email addresses, and purchase histories from its customers. A “processor” is an entity that stores, analyzes, or modifies personal data on behalf of a controller. For example, a controller might retain the services of a processor, such as a cloud services company or other vendor, to store or analyze its data.

“Personal Data” is a broad term. The RI-DTPPA defines it as “any information that is linked or reasonably linked to an identified or identifiable human.” In practice, “personal data” includes anything from names, addresses, email addresses, and phone numbers to social security numbers, IP addresses, bank account information, medical information, and biometric and geolocation data.

The law specifically creates obligations for companies that, in the preceding year, (1) controlled or processed the personal data of at least 35,000 customers; or (2) controlled or processed the personal data of at least 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data. While 35,000 may seem like a large number, companies should bear in mind that the term “customers” may include visitors to a business’s website.

New Obligations

Under the RI-DTPPA, companies must fulfill several critical obligations:

• Transparency: Clearly disclose data collection practices, including the types of data collected, purposes for collection, and third parties with whom the data is shared.
• Consumer Rights: Provide mechanisms for consumers to access, correct, and delete their personal data. Implement procedures for consumers to easily opt-out of data collection and sharing. Any customer can request at any time that a company provide a copy of the customer’s personal data, which triggers a 45-day response deadline.
• Consent: Obtain explicit, informed consent from consumers before collecting, using, or sharing their sensitive personal information. This includes providing clickable authorizations on business websites.
• Data Security: Implement comprehensive data security measures to protect personal information from unauthorized access, breaches, and other security threats. Such measures should comply with the RI-DTPPA as well as any other applicable state or federal regulations.
• Breach Notification: Promptly notify affected consumers and relevant authorities in the event of a data breach, following the specific timelines and requirements outlined in the law.

New Risks

Non-compliance with the RI-DTPPA can lead to significant risks for businesses, including:

• Financial Penalties: Companies found in violation of the law may face substantial fines and penalties imposed by the Rhode Island Attorney General. According to the law, a violation “shall constitute a deceptive trade practice in violation of chapter 13.1 of title 6,” and shall incur fines between $100 and $500 per disclosure. For example, accidental disclosure or a data breach of 35,000 customers’ personal data could result in fines reaching into the millions of dollars.
• Legal Actions: Though not addressed in the RI-DTPPA, non-compliance can result in lawsuits from affected consumers and potential class-action litigation, leading to costly legal battles and settlements. The law does specifically allow customers to designate an agent to act on their behalf with respect to the law’s opt-out provisions.
• Reputational Damage: Failing to adhere to data protection standards can severely damage a company’s reputation, resulting in loss of consumer trust and potential business.
• Operational Disruptions: Compliance issues can lead to operational disruptions, including increased scrutiny from regulators and the need to allocate resources to address compliance deficiencies.

Conclusion

The Rhode Island Data Transparency and Privacy Protection Act represents a significant step towards strengthening consumer privacy rights and data security. Businesses operating in or interacting with Rhode Island residents must stay informed and compliant with the RI-DTPPA to avoid legal, financial, and reputational risks. The RI-DTPPA is the latest in the patchwork of state and federal laws regulating data privacy, including those of many New England states, each of which imposes different obligations and compliance requirements.