On June 28, 2024, Rhode Island joined the ranks of other US states to pass a comprehensive data protection law. The Rhode Island Data Transparency and Privacy Protection Act, or Rhode Island Data Privacy Act will become effective as of January 1, 2026.
The law aims to ensure that individuals have transparency about how their personally identifiable information (PII) is collected, used, shared, and sold by businesses and it emphasizes the right to privacy as a fundamental right, aiming to protect individuals and their families from cyber-crimes and identity theft. When compared to other US laws, it stands out through several differences:
- It does not mandate the use of UOOMs;
- It doesn’t impose on controllers an obligation to limit the collection of personal data to only that which is reasonably necessary;
- It imposes on controllers an obligation to disclose not just third parties to which they currently sell personal information, but also those to whom it may sell personal data.
Other key points include the following:
- It defines ‘Personal Data’ as any information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data or publicly available information;
- Sensitive Data refers to data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data for unique identification, data from a known child, or precise geolocation data.
- It applies to for-profit entities conducting business in Rhode Island or producing products or services targeted at Rhode Island residents, specifically if they control or process the personal data of at least 35,000 customers; or control or process the personal data of at least 10,000 customers and derive more than 20% of their gross revenue from the sale of personal data;
- It exempts government agencies and political subdivisions; nonprofit organizations; institutions of higher education; entities regulated by specific federal laws (e.g., HIPAA, Gramm-Leach-Bliley Act); and personal data used for certain exempted activities such as public health, credit reporting, and scientific research.
- Controllers have to: provide transparency regarding the categories of personal data collected and third parties with whom data is shared or sold; implement reasonable data security practices; obtain customer consent before processing sensitive data; allow customers to opt-in and opt-out of data collection and processing for targeted advertising or sale; and establish and maintain a mechanism for customers to exercise their rights.
- Consumers have the right to confirm whether a controller is processing their personal data; to access; to correct; to delete; to data portability; and to opt-out of processing for targeted advertising, sale of personal data, or profiling.
- Consumer requests have to be handled without undue delay, within 45 days, extendable by an additional 45 days if necessary, with requests first having to be authenticated to prevent fraud.
- Violations of the act are considered deceptive trade practices under commercial law and are enforceable by the Attorney General. Penalties include fines ranging from $100 to $500 for each violation, and there is no cure period available to controllers.