Rhode Island Enacts the Data Transparency and Privacy Protection Act, Joining the US Data Privacy Landscape

Rhode Island became the latest state to enact comprehensive data privacy legislation, when the Rhode Island Data Transparency and Privacy Protection Act (the "Rhode Island Data Privacy Act") passed into law on June 28, 2024. The law will take effect on January 1, 2026. In this latest in our series of articles on US State Data Privacy Laws, we have summarized below its key components.

To Whom does the Rhode Island Data Privacy Act apply?

Rhode Island's new data privacy regime imposes obligations on "controllers" – individuals or legal entities that determine the purpose and means of processing personal data – who conduct business in Rhode Island, or produce products or services targeted to residents of Rhode Island, within the preceding calendar year, and who:

controlled or processed personal data of at least 35,000 Rhode Island customers, excluding instances where controllers are processing data "solely for the purpose of completing a financial transaction"; or
controlled or processed personal data of 10,000 Rhode Island customers and derived more than 20 percent of their gross revenue from the sale of personal data.

Like other US State Data Privacy Laws, the Rhode Island Act defines "personal data" as any information that is "linked or reasonably linkable to an identified or identifiable individual" and excludes de-identified data and publicly available information.

The Rhode Island Act contains a provision that requires "[a]ny commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction" to "designate a controller" If the website or internet service provider "collects, stores, and sells customers' personally identifiable information," the controller must then conspicuously, on its website (e.g., its privacy policy) or customer agreement:

identify all categories of personal data the controller collects through the website or online service about customers;
identify all third parties to whom the controller "has sold or may sell" customers' personally identifiable information; and
provide an email address or other online mechanism customers can use to contact the controller.

The Rhode Island Act does not apply to state or local government entities, nonprofit organizations, institutions of higher learning, financial institutions or affiliates and data regulated by the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, or state-regulated insurance institutions.

The Act also exempts numerous categories of data and information, including HIPAA-protected health information, consumer credit-reporting data, and personal data collected, processed or disclosed in compliance with the federal Driver's Privacy Protection Act, Airline Deregulation Act, Family Educational Rights and Privacy Act, Farm Credit Act, or in connection with federal regulations on the protection of human subjects. Finally, the Rhode Island law exempts data processed or maintained during individuals' employment with or employment applications to a controller where the data is necessary for that employment or benefits administration or use for emergency contact purposes.

What rights does the Rhode Island Data Privacy Act give to customers?

The Rhode Island law provide customers, defined as individuals residing in the state acting in an individual or household context, rights that are largely consistent with other US State Data Privacy Laws. Customers may:

confirm whether a controller processes their personal data and access such data, unless a trade secret would be revealed;
obtain a copy of their personal data held by the controller in – where feasible – a "readily usable format" (i.e., data portability);
correct inaccuracies in their personal data;
delete their personal data; and
opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Similar to a few other US State Data Privacy Laws, the sale of personal data includes the provision of personal data for monetary or other valuable consideration by a controller to a third party. However, selling personal data does not include disclosing personal data to a processor or the controller's affiliate.

Controllers who receive a request from a customer seeking to exercise these rights must respond to the customer within 45 days unless it is reasonably necessary to extend that time and the controller notifies the customer of the extension within 45 days. The controller must provide the information requested free of charge, once per customer per 12-month period. If a controller deems a customer request to be "manifestly unfounded, excessive, or repetitive" they must demonstrate why that is so but then may either charge the customer a fee for administering the request or decline to act on it.

What obligations does the Rhode Island Data Privacy Act impose on controllers and processors?

Controllers must:

establish and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
not process "sensitive data" without the customer's express consent, or in the case of a known child, in accordance with COPPA. Sensitive data is defined as personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; citizenship or immigration status; genetic or biometric data used to identify an individual; data collected from a known child; and precise geolocation data;
process data in a non-discriminatory manner as defined under state and federal law;
provide a mechanism for a customer to revoke consent to process personal data where consent was required and to cease processing the data within 15 days of revocation of consent;
provide a privacy notice that identifies all the categories of personal data it collects, identify all third parties the controller sells (or may sell) the customers' personally identifiable information, and provide an active email address or other mechanism for the customer to contact the controller; and
conduct a data protection impact assessment on the processing of personal data that presents a heightened risk of harm to the customer, including targeted advertising, processing sensitive data, selling personal data, or processing for profiling, if the profiling presents an unreasonably foreseeable risk of unfair or deceptive treatment or disparate impact on customers, financial or physical injury to customers, or an intrusion offensive to a reasonable customer upon their "solitude or seclusion, or the private affairs, or concerns." The data assessment requirement is not retroactive, so will only apply to data processing activity from January 1, 2026 onward. Notably, data protection assessments conducted to comply with laws of similar scope and effect would also comply with the Rhode Island Data Privacy Act.

Unlike some other states, Rhode Island will not require controllers to allow customers to opt out of processing their personal data by using a user-selected universal opt-out mechanism ("UOOM").

The Rhode Island Data Privacy Act also imposes requirements on "processors" (a person or entity who processes personal data on behalf of a controller). Processors must cooperate with the controller to comply with its obligations under the act, including its obligations regarding customer rights requests and security of data processing. Processing must be governed by a contract between the controller and processor that outlines relevant privacy provisions set forth under the act. The contract must ensure that each person processing personal data is subject to a duty of confidentiality, require the processor to delete or return all personal data if requested by the controller, provide the controller an opportunity to object to the processor's subcontractors, and allow the controller to, or the processor to arrange an independent assessor to, assess the adequacy of the processors measures to meet its obligations under the Rhode Island Data Privacy Act.

Enforcement

The state Attorney General will have exclusive enforcement authority, and there is no private right of action available under this act. The Rhode Island Data Privacy Act states that violations of that Act will constitute violations of Title 6 of Rhode Island's Commercial Law, under which each violation can incur civil penalties of up to $10,000. The Attorney General may also bring an action for injunctive relief to curb identified violations. Additionally, the Rhode Island Data Privacy Act provides that any individual or entity that intentionally discloses personal data may be fined up to $500, but no less than $100, for such disclosures.

Key Aspects of the Rhode Island Data Privacy Act

No limitation on personal data collected. Unlike many other US State Data Privacy Laws, the Rhode Island Data Privacy Act does not include a provision limiting the collection of personal data to what is "reasonably necessary" for the purposes for which that data is used.
Obtain Consent. Similar to other state laws, the Rhode Island Data Privacy Act requires that a controller obtain consent before processing customers' sensitive data.
Disclosing Third Parties. The Rhode Island Data Privacy Act requires controllers to disclose third parties to which it may sell personal data, in addition to the third parties to which it currently sells personal data.
No Mandated Use of UOOMs. Unlike a number of other states that have passed comprehensive data privacy laws, Rhode Island has opted not to require controllers to allow customers to communicate their privacy preferences automatically, through the use of online UOOMs.
No Cure Period. Unlike other US State Data Privacy Laws, the Act does not provide controllers an opportunity to remedy alleged violations before an enforcement action.
Civil Penalties. The potential of civil penalties of up to $10,000 per violation could lead to substantial fines for controllers or processors, in addition to the up to $500 dollars per intentional disclosure of personal data.

White & Case's Data, Privacy and Cybersecurity team will continue to provide updates on this law and any related rules and regulations. Please reference our US Data Privacy Guide for general steps to take to comply with US State Data Privacy Laws.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}