Rhode Island Passes Comprehensive Data Privacy Law

News Summary

Rhode Island has officially enacted the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), making it the nineteenth state privacy law in the U.S. Approved on June 13, 2024, and effective from January 1, 2026, this legislation imposes obligations on data controllers and processors. It grants consumers significant rights regarding their personal data while outlining enforcement measures, including penalties for non-compliance. The RIDTPPA emphasizes transparency in data handling, reflecting a nationwide trend towards enhanced consumer data protection.

Rhode Island has officially passed a comprehensive data privacy law known as the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). The legislation was approved by the Rhode Island legislature on June 13, 2024, and signed into law by the governor on June 29, 2024. This law will become effective on January 1, 2026, marking it as the nineteenth comprehensive state privacy law in the United States.

The RIDTPPA places obligations on “controllers,” defined as individuals or entities that decide how personal data is processed. This law applies to businesses that either conduct activities in Rhode Island or specifically target Rhode Island residents, provided they engaged in relevant business activities in the previous calendar year.

Under the RIDTPPA, “personal data” encompasses any information that can be linked or is reasonably linkable to an identified or identifiable individual. However, this does not include de-identified data or information that is publicly available. Commercial websites and internet service providers operating in Rhode Island will be required to designate a controller responsible for collecting, storing, and selling consumers’ personally identifiable information (PII).

Key Consumer Rights

The Act grants consumers specific rights concerning their personal data, including the rights to access, correct, delete, and obtain information about their personal data. Controllers are mandated to respond to consumer requests within a 45-day period. If they cannot meet this deadline, they may extend the response time by notifying the consumer within the original timeframe. Furthermore, consumers can request information related to their personal data free of charge once per year.

In instances where a controller believes that a consumer’s request is excessive or unreasonable, they are obliged to justify their position. They have the option to charge a fee or decline to fulfill the request based on this justification.

Unlike several other state laws, the RIDTPPA does not include a universal opt-out mechanism that customers can use to refuse data processing. Instead, it requires companies to be transparent about how they sell or process personal data for targeted advertising.

Processor Responsibilities

Entities known as processors, who handle data on behalf of controllers, are required to assist controllers in complying with their obligations under the RIDTPPA. These processors are bound by contracts that specifically outline the methods and requirements for data processing.

The RIDTPPA specifies that state or local government entities, nonprofit organizations, certain educational institutions, financial institutions governed by the Gramm-Leach-Bliley Act, and health data regulated by HIPAA are exempt from this law.

Enforcement and Penalties

The enforcement of the RIDTPPA will fall under the jurisdiction of the Rhode Island Attorney General, who holds exclusive authority to impose penalties. Importantly, there is no private right of action available for individuals pursuing claims under this law. Violations can result in civil penalties of up to $10,000 per violation, alongside fines ranging from $100 to $500 for intentional disclosures of personal data.

Moreover, the law mandates that controllers conduct data protection assessments for processes that are considered to pose a heightened risk of harm to consumers. In addition, it prohibits discrimination against customers for exercising their rights under the RIDTPPA, ensuring that consumers are not unfairly penalized for engaging with their data privacy rights.

The introduction of the RIDTPPA demonstrates Rhode Island’s commitment to enhancing data privacy protections for its residents, aligning the state with a growing trend among U.S. states to strengthen consumer rights in data handling practices.

Deeper Dive: News & Info About This Topic

• WilmerHale: Rhode Island Enacts Nation’s Nineteenth Comprehensive Privacy Law
• Nixon Peabody: Rhode Island Enacts Data Privacy Law
• Rhode Island Current: 23andMe Users’ Genetic Data is at Risk, State AGs Warn
• Hunton: Rhode Island General Assembly Passes State Privacy Bill
• Wikipedia: Data Privacy