News Summary

Rhode Island has enacted the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), aimed at enhancing consumer data rights and protecting privacy, particularly regarding genetic data. Approved on June 29, 2024, the law establishes new obligations for companies handling personal data and empowers consumers to request deletion of their data. The law’s implementation date is set for January 1, 2026, amidst growing concerns over genetic data security highlighted by the bankruptcy of 23andMe.

Rhode Island Enacts New Data Transparency and Privacy Law Amid Growing Concerns Over Genetic Data Safety

Rhode Island has officially enacted the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), a significant legislation aiming to enhance consumer data rights and privacy protections, particularly in light of increasing worries regarding the safety of genetic data. The Act was approved on June 29, 2024, following its transmittal back to the legislature by Governor Daniel McKee without a signature. The provisions of the RIDTPPA are set to come into effect on January 1, 2026.

Key Provisions of the RIDTPPA

The RIDTPPA establishes a framework applicable to various entities, though it provides specific exemptions. Notably exempted are financial institutions and data covered by the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations, and certain airlines processing personal data.

Under the Act, companies, referred to as ‘controllers,’ are required to meet several obligations to protect consumer data. These include:

• Conducting data protection impact assessments.
• Obtaining user consent for processing sensitive data.
• Executing contracts with data processors.
• Providing a comprehensive privacy notice.
• Identifying all third parties to whom they have sold or may sell consumers’ personally identifiable information (PII).

Consumer Rights Under RIDTPPA

The legislation grants consumers critical rights concerning their personal information. Consumers will now be able to:

• Request the deletion of their personal data.
• Receive a response to their rights requests within 45 days, with a possible extension of 45 additional days.

However, the law does not provide individuals with a private right of action. Enforcement will be exclusively handled by the Rhode Island Attorney General, with penalties for violations ranging from $100 to $500 per offense.

Concerns Over Genetic Data Safety

The enactment of the RIDTPPA comes amid heightened concerns surrounding the security of genetic data following the recent bankruptcy of the genetic testing company 23andMe. The company, previously valued at $6 billion, filed for bankruptcy in March 2024, affecting the genetic data of over 15 million customers. In light of this situation, attorneys general from over a dozen states have advised 23andMe users to delete their data due to privacy fears.

Despite 23andMe’s assurances that bankruptcy will not impact how it manages sensitive information, experts warn that a potential new ownership could lead to changes in data privacy policies, raising the risk of data misuse. Current federal protections for genetic data are deemed insufficient, particularly as they do not cover direct-to-consumer companies like 23andMe.

Legal Framework for Genetic Data Protection

The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, protects against discrimination based on genetic information but does not extend to non-health-related entities like life insurance companies. While recent state laws aim to regulate consent for the use or sharing of genetic data and allow for rights to delete data, experts argue that these measures fall short of effective consumer protection.

As of now, at least 14 states have passed laws that regulate direct-to-consumer genetic testing companies. Although these laws introduce various improvements, concerns regarding their comprehensiveness and enforcement persist. States like California have established more robust genetic privacy laws which offer protections beyond those provided by GINA. Florida has specifically made it a felony to use genetic information without consent.

Future of Data Privacy Legislation

The legislative landscape surrounding genetic data privacy is evolving. Ongoing efforts aimed at tightening protections reflect a growing public awareness and concern over data security. As technological advancements continue, state lawmakers are increasingly focused on enhancing regulations to safeguard personal data in all its forms.

Deeper Dive: News & Info About This Topic

• Rhode Island Current: 23andMe Users’ Genetic Data at Risk
• White & Case: US Data Privacy Guide
• WilmerHale: Rhode Island Enacts Comprehensive Privacy Law
• Wikipedia: Data Privacy
• GoLocalProv: New Record Hospital Data Breach Hits Rhode Island
• Encyclopedia Britannica: Data Privacy
• Cybersecurity Dive: Rhode Island Ransomware Attack