Rhode Island Data Transparency and Privacy Protection Act  (RIDTPPA)

How does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) define Personal Information and what are other key definitions?

Rhode Island’s data privacy law defines ‘personal data’ as any information linked or reasonably linkable to an identified or identifiable individual, which excluded de-identified data or publicly available information. Sensitive personal data is “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.”

When referring to ‘biometric data’ the RIDTPPA understand this to mean “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual,” which doesn’t include “a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.”

Consent has to be “a clear, affirmative act signifying a customer has freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the customer” which may include “a written statement, including by electronic means, or any other unambiguous affirmative action,” but does not include “acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other, unrelated information, hovering over, muting, pausing or closing a given piece of content, or agreement obtained through the use of dark patterns.”

Unlike other US privacy laws, Rhode Island’s data privacy act does not use the word ‘consumer’ but rather ‘customer’ which it defines as “an individual residing in this state acting in an individual or household context” but which does not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.”

Similar to other privacy laws, it defines controllers and processors as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data” for the former and “an individual who, or legal entity that processes personal data on behalf of a controller” for the latter.

Last but not least, the RIDTPPA defines the ‘sale of personal data’ as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” which excludes the following: 

• “the disclosure of personal data to a processor that processes the personal data on behalf of the controller, 
• the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer, 
• the disclosure or transfer of personal data to an affiliate of the controller, 
• the disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, or
• the disclosure of personal data that the customer:
  • Intentionally made available to the general public via a channel of mass media; and 
  • Did not restrict to a specific audience, or the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.”

Who does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) apply to?

The Rhode Island Data Transparency and Privacy Protection Act applies to “for-profit entities 

for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

• Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
• Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.”

The RIDTPPA mandates that “any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller” and if it “collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted:

• Identify all categories of personal data that the controller collects through the website or online service about customers;
• Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and
• Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.

In addition to this, controllers have the following obligations: 

• if they sell personal data to third parties or process personal data for targeted advertising, they have to clearly and conspicuously disclose such processing;
• establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
• do not process sensitive data concerning a customer without obtaining customer consent 
• do not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA;  
• do not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers;
• provide customers with a mechanism to grant and revoke consent where consent is required and upon receipt of revocation suspend the processing of data as soon as is practicable, but no later than 15 days;
• do not discriminate against a customer for exercising their customer rights;
• have a contract in place for any data processing done by a processor on their behalf which “shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties;”
• for processing activities created or generated after January 1, 2026, conduct and document “a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes:
  • the processing of personal data for the purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers; and 
  • the processing of sensitive data.
• if they are in possession of de-identified data:
  • take reasonable measures to ensure that the data cannot be associated with an individual;
  • publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  • contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.
• Establish and maintain a mechanism for customers to exercise their data subject rights.

As regards processors’ obligations, they have to adhere to the instructions of a controller and assist the controller in meeting the controller's obligations of this chapter.