News Summary
Rhode Island has implemented the Data Transparency and Privacy Protection Act (DTPPA), set to take effect on January 1, 2026. This law aims to enhance privacy protections for residents by enforcing compliance from all commercial websites and internet service providers interacting with Rhode Island customers. The DTPPA outlines specific requirements for privacy policies and empowers the Rhode Island Attorney General to enforce penalties for violations. It features exemptions for certain entities and mandates timely responses to customer data requests, highlighting its significance in the landscape of consumer privacy legislation.
Providence, Rhode Island – A new data privacy law, the Rhode Island Data Transparency and Privacy Protection Act (DTPPA), has been enacted and is set to take effect on January 1, 2026. This legislation aims to strengthen privacy protections for residents of Rhode Island by requiring compliance from any commercial website or internet service provider that engages with customers in the state.
Governor Daniel McKee transmitted the DTPPA back to the state legislature without signing it on June 25, 2024. The law creates specific privacy policy requirements that affect all businesses operating within the state, irrespective of their size.
The DTPPA establishes a two-tier applicability threshold. First, operators of commercial websites or internet service providers working with Rhode Island customers must adhere to privacy policy disclosure mandates. Secondly, for-profit entities targeting Rhode Island residents are subject to the full spectrum of the DTPPA’s requirements, with consideration given to their actions in the previous calendar year. A customer is defined as a resident of Rhode Island acting in an individual capacity, excluding employment or commercial contexts.
Key Definitions and Enforcement
Under the DTPPA, personal data is classified as information that can be linked to an identifiable individual, while data that has been de-identified or is publicly available is excluded. The law grants exclusive enforcement authority to the Rhode Island Attorney General. Companies that violate the terms of the DTPPA could face penalties of up to $10,000 per violation as stipulated by Rhode Island’s unfair and deceptive trade practices statute.
Exemptions within the DTPPA
Several exemptions are outlined within the DTPPA, which include:
- Government entities
- Nonprofit organizations
- Institutions of higher education
- Financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA)
- National securities associations
- Entities handling protected health information under HIPAA
Additionally, the law provides data-level exemptions related to several regulations, such as the Fair Credit Reporting Act, GLBA, and more.
Privacy Policy Requirements
Companies subject to the DTPPA must maintain a comprehensive privacy policy on their websites. This policy should include:
- All categories of personal information collected
- Information regarding third parties to whom personal information may be sold
- A contact mechanism for consumers, such as an active email address
- Disclosures if the company engages in targeted advertising
Customer Rights and Data Requests
The DTPPA mandates that businesses, referred to as controllers, must respond to customer data requests within 45 days, with the possibility of a 45-day extension. If a customer’s request is denied, they can appeal the decision, and the determination on the appeal is required to be issued within 60 days. In cases where an appeal is denied, customers have the option to submit complaints to the Rhode Island Attorney General.
Furthermore, the law requires businesses to conduct data protection assessments for specific actions to ensure compliance with its provisions. Unlike various other state privacy laws, the DTPPA lacks a provision that would give companies a “cure period” to fix violations before penalties are imposed.
Conclusion
The DTPPA aligns with emerging trends in consumer privacy legislation across the United States. However, its broad applicability and transparency requirements, particularly concerning the sale of personal data, set it apart from similar state laws. As the effective date approaches, businesses operating in or engaging with Rhode Island consumers will need to prepare for compliance with this comprehensive privacy law.
Deeper Dive: News & Info About This Topic
- WilmerHale: Rhode Island Enacts Nation’s Nineteenth Comprehensive Privacy Law
- White & Case: Rhode Island Enacts Data Transparency and Privacy Protection Act
- Inside Privacy: Minnesota and Rhode Island Pass Comprehensive Privacy Legislation
- MWE: Rhode Island Enacts Consumer Data Privacy Law
- Wikipedia: Privacy Law in the United States
