Rhode Island Data Transparency and Privacy Protection Act: An Overview
On June 28, 2024, the Rhode Island Data Transparency and Privacy Protection Act (the RIDTPPA) became law after being transmitted by Rhode Island governor Daniel McKee without signature, making Rhode Island the nineteenth state in the U.S. to enact comprehensive data privacy legislation (together with the RIDTPPA, the State Data Privacy Laws). The RIDTPPA is the seventh law enacted in 2024, adding to the flurry of new laws passed in the last few months. The law takes effect on January 1, 2026. This article summarizes key provisions of the RIDTPPA.
Scope and Applicability
The RIDTPPA applies to any entity that conducts business in the state or produces products or services targeted at Rhode Island residents (referred to in the statute as "customers," which generally has the same meaning as the term "consumers" under other State Data Privacy Laws) and, during the preceding calendar year, controlled or processed personal data of:
- Thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Ten thousand (10,000) customers and derived over twenty percent (20%) of gross revenue from the sale of personal data.
These thresholds are lower than those in other State Data Privacy Laws, perhaps due to the state's comparatively low population.
The RIDTPPA aligns with other State Data Privacy Laws in what is becoming the standard set of entity-level and data-level exemptions. The entities the law exempts from its scope include state agencies and political subdivisions; nonprofit organizations; institutions of higher education; financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Additionally, the law does not apply to protected health information (PHI) under HIPAA; health records; certain other kinds of patient and health data (including data collected for clinical trials); credit data covered under the Fair Credit Reporting Act (FCRA); personal data covered by the Driver's Privacy Protection Act; personal data covered by the Family Educational Rights and Privacy Act; personal data processed in compliance with the federal Farm Credit Act; emergency contact information; and data processed in relation to price, route, or service by an air carrier subject to the Airline Deregulation Act.
In keeping with the majority of other State Data Privacy Laws (other than California), the RIDTPPA does not apply to personal data collected and processed in the employment or commercial (business-to-business) context.
Controller and Processor Obligations
Similar to other State Data Privacy Laws (as well as other privacy laws like the EU General Data Protection Regulation), the RIDTPPA's regulatory framework distinguishes roles and responsibilities between controllers and processors. The RIDTPPA defines a "controller" as a person that, alone or jointly with others, determines the purpose and means of processing personal data and a "processor" as a person who processes personal data on behalf of a controller.
Most of the primary privacy responsibilities under the RIDTPPA fall on controllers. The law requires these entities to have a conspicuous privacy notice that:
- Identifies the categories of personal data collected
- Identifies all third parties to whom the controller has sold or may sell personal data
- Identifies an email address or other mechanism to receive customer contacts
- Clearly and conspicuously discloses the practice of selling to third parties or using personal data for targeted advertising.
Notably, these notice obligations may be broader than those under other State Data Privacy Laws, as they apply to all commercial website and internet service providers that conduct business in Rhode Island or with customers in Rhode Island, or that are otherwise subject to Rhode Island's jurisdiction, regardless of whether they are subject to the RIDTPPA's other requirements.
Like other State Data Privacy Laws, the RIDTPPA also imposes limits and obligations on the personal data processing activities of controllers, including:
- Limiting personal data collection and processing to what is adequate, relevant, and reasonably necessary for the disclosed purposes
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect personal data
- Avoiding data processing that violates federal laws prohibiting unlawful discrimination
- Collecting consent before processing sensitive data.
With respect to consent, the law specifically notes that the use of dark patterns (i.e., user interfaces designed with the substantial effect of subverting or impairing user autonomy) is improper and inadequate as a means of obtaining consent. Additionally, controllers must provide customers with the ability to revoke consent, and controllers must process this revocation within fifteen (15) days.
Additionally, the law requires controllers to perform data protection assessments that weigh the benefits of the processing activities against potential risks to the rights of the customers whose data is being processed. This must be done before a controller undertakes any data processing that presents a heightened risk of harm to customers. The statute specifically lists several such types of processing, including processing for targeted advertising, sale, and certain kinds of profiling, as well as processing of sensitive data (defined below). To avoid creating duplicative burdens, the RIDTPPA provides that this requirement can be satisfied with an assessment conducted to comply with obligations under other State Data Privacy Laws. The law provides that data protection assessments are only necessary for processing activities occurring on or after January 1, 2026, meaning the requirement is not retroactive and starts when the law comes into effect.
The RIDTPPA also puts in place express requirements for processors, including adhering to the instructions of a controller and assisting controllers in meeting their obligations under the statute (such as responding to rights requests, protecting personal data, notifying customers in the event of a breach, and providing information necessary for data protection assessments). Additionally, controllers and processors are required to have contracts in place that govern a processor's data processing procedures. Similar to other State Data Privacy Laws, the RIDTPPA requires that such contracts include provisions that address or describe the following:
- Clear processing instructions
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties
- Confidentiality obligations for the processor's employees
- A requirement to delete or return all personal data once the service is completed
- A requirement for processors to provide all information necessary to demonstrate compliance with the RIDTPPA
- Cooperation obligations for assessments by the controller
- The controller's right to object to subprocessors
- Requirements that subprocessors are bound by written contracts with similar obligations.
Customer Rights and Requests
In line with similar rights found in most other State Data Privacy Laws, the RIDTPPA provides state residents with the right to:
- Confirm processing (right to know)
- Correct inaccuracies
- Request deletion of personal data
- Obtain a portable copy of personal data (data portability)
- Opt out of processing for targeted advertising, sale, or profiling.
Controllers must provide customers with at least one (1) method to submit a request to exercise their rights. Such methods must take into account the ways in which the controllers normally interact with their customers (e.g., providing an online mechanism if the controller maintains a website).
As mentioned above, the RIDTPPA also specifically restricts processing of sensitive data, requiring controllers to obtain consent before doing so—in effect creating an "opt-in" regime for sensitive data processing similar to that found in the majority of other State Data Privacy Laws.
The RIDTPPA defines "sensitive data" to include personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying a customer
- Personal data collected from a known child (defined as an individual under the age of thirteen (13))
- Precise geolocation data (within 1,750 feet).
With regards to children's data, the RIDTPPA adopts the verifiable parental consent processes and requirements set out in the Children's Online Privacy Protection Act (COPPA).
Controllers are not permitted to discriminate against customers for making rights requests (although this does not restrict offers of discounts, loyalty programs, or other incentives that are reasonably related to the value of the personal data). However, if a customer opts out of data collection, a controller is not required to provide any service that requires such data collection.
Under the RIDTPPA, controllers must respond to verified requests within forty-five (45) days of receipt, with an additional forty-five (45) day extension available upon notice to the customer if reasonably necessary for complex or numerous requests.
Right to Appeal
As with most other State Data Privacy Laws, the RIDTPPA requires controllers to establish a process to allow customers to appeal a denial of their request to exercise a privacy right. If a controller denies a customer's rights request, it must provide the customer with justification for such denial and conspicuously available instructions on how to appeal in a manner similar to the original process for submitting the rights request. Once the controller receives an appeal, it must respond within sixty (60) days with the result of the appeal, including a written explanation of the rationale for the controller's decision. If the appeal also denies the customer's rights request, then the controller must provide a mechanism through which the customer may submit a complaint to the Rhode Island Attorney General.
Definition of "Sale"
The RIDTPPA defines the "sale" of personal data as the "exchange" of personal data for "monetary or other valuable consideration," adopting the slightly broader formulation of the definition found in other State Data Privacy Laws. Similarly, the RIDTPPA provides the standard set of exceptions to the "sale" of personal data, including a controller's disclosure of personal data:
- To a processor that processes personal data on behalf of the controller
- To a third party for purposes of providing a product or service requested by the customer
- To the controller's affiliates
- To third parties upon the data subject's instructions
- That the customer intentionally made available to the general public and did not restrict to a specific audience
- To a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or similar transaction.
As noted above, controllers must provide customers with the ability to opt out of the sale of their personal data. However, unlike many other State Data Privacy Laws, the RIDTPPA does not impose obligations on controllers to recognize universal opt-out or browser signals to effectuate an opt-out of the sale of personal data.
Definition of "Targeted Advertising"
The RIDTPPA defines "targeted advertising" similarly to the way the term is defined in other State Data Privacy Laws: "displaying advertisements to a customer where the advertisement is selected based on personal data obtained or inferred from the customer's activities over time and across nonaffiliated Internet websites or online applications to predict such customer's preferences or interests." Notably, however, the definition expressly excludes activities that are:
- Based on activities within a controller's own web sites or online applications
- Based on the context of a customer's current search query, visit to a web site, or online application
- Directed to a customer in response to the customer's request for information or feedback
- Used to measure or report the performance, reach, or frequency of an advertisement.
The RIDTPPA imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data, including not imposing obligations for controllers to implement universal opt-out or browser signal technologies.
De-identified and Pseudonymous Data
Like other State Data Privacy Laws, the RIDTPPA includes definitions for "de-identified data" and "pseudonymous data" that expressly exclude such data from "personal data." Data is "de-identified" if it cannot reasonably be used to infer information about, or otherwise be linked to an identified or identifiable individual, or a device linked to such an individual. The "infer" language means that the definition is slightly more nuanced—and possibly narrower—than similar definitions found in other State Data Privacy Laws, potentially making it more difficult for companies to de-identify data under the statute.
On the other hand, the definition of "pseudonymous data"—data that cannot be attributed to a specific resident without the use of additional information (provided the additional information is kept separate and subject to appropriate technical and organizational measures preventing its use to reidentify the data)—aligns more closely to the definitions found in other State Data Privacy Laws.
The RIDTPPA requires controllers to put reasonable measures in place to ensure that de-identified data cannot be associated with an individual. Controllers in possession of de-identified data are required to publicly commit to maintaining and using de-identified data without attempting to reidentify it. Controllers must have contracts in place with terms that require all recipients of such data to comply with the RIDTPPA. Controllers must also monitor such third parties for compliance and take appropriate steps to address any breaches of relevant contractual commitments.
Enforcement and Penalties
The RIDTPPA will be enforced solely by the Rhode Island State government through the Rhode Island Attorney General. A violation of the law constitutes a deceptive trade practice in violation of the state's general consumer protection laws and is subject to a penalty of $10,000. The statute also provides for a penalty in an amount between $100–$500 for each unauthorized disclosure of personal data. While the penalty is a lower amount than penalties under other State Data Privacy Laws, the aggregate sum can accumulate quickly depending on the number of data subject records involved in a violation. Notably, there is no cure period for violations, meaning companies will need to be vigilant and come into compliance quickly. On the other hand, as under other State Data Privacy Laws, there is no private right of action, limiting the potential reach of any award or settlement in the context of litigation relating to a RIDTPPA violation.