The Rhode Island Data Transparency and Privacy Protection Act

rhode-island-lighthouse
 

The Rhode Island Legislature passed a new comprehensive data privacy law in June 2024.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) has been criticized both by business groups for being confusing and poorly drafted, and by privacy advocates for allowing large loopholes. Here is a quick rundown on the RI-DTPPA, and the reasons for its unpopularity.

Basic Provisions

By and large, the RI-DTPPA follows a familiar structure borrowed from other state privacy laws.

  • The RI-DTPPA applies to for-profit entities that do business in the state (or target state residents) and (1) control or process the personal data of at least 35,000 state residents, or (2) control or process the personal data of at least 10,000 state residents and also derive 20% or more of revenue from the sale of personal data.
  • Excludes employee and B2B data.
  • Requires businesses to post privacy notices. Note: This requirement applies to all commercial websites and internet service providers subject to Rhode Island's jurisdiction, not just businesses that meet the thresholds listed above. However, this provision is controversial due to its confusing language (more on that below).
  • “Customers” (the RI-DTPPA uses this term in place of “consumers”) have the following data rights:
    • Right to Access
    • Right to Deletion
    • Right to Opt Out
    • Right to Correct
    • Right to Portability
    • Right to Non-Discrimination
  • Businesses must offer a way for customers to appeal any denial of a privacy request.
  • Businesses must obtain customer consent before processing “sensitive data.”
  • Certain “high-risk” processing activities trigger the need to carry out a data protection assessment.
  • Violations are considered a deceptive trade practice, punishable under Rhode Island law by civil penalties of up to $10,000 per violation.
    • Additionally—and somewhat confusingly—violations involving intentional disclosures of personal data are punishable by penalties of $100 to $500 per violation.
  • There is no private right of action.

The RI-DTPPA is set to take effect on January 1, 2026.

The Controversial Parts

Despite passing a law that mostly tracks legislation from other states, Rhode Island lawmakers have managed to upset both the business community and privacy advocates.

Criticisms from business groups mostly focus on the fact the bill is a confusing mess. By all appearances, lawmakers seem to have combined two competing versions of the bill and failed to fully reconcile them. 

The main offender is the use of the term “personally identifiable information” at key points in the bill, despite the term having no definition and the fact “personal data” (which is a defined term) is used in most other places. 

Consider this section (sec. 6-48.1-3) on privacy notice requirements: 

  1. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall […]:
    1. Identify all categories of personal data that the controller collects through the website 5 or online service about customers;
    2. Identify all third parties to whom the controller has sold or may sell customers'  personally identifiable information; and 
    3. Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.
  2. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing

Is there a difference between “personally identifiable information” and “personal data”? Normally we would ascribe different meaning to different terms, assuming a level of intent behind the lawmakers’ decisions. In this case, however, the safest interpretation is probably that this is a drafting error and we should just use the definition of “personal data” (which is quite broad).

Also, a privacy notice is only required if the website “collects, stores and sells customers’ personally identifiable information.” This suggests that websites that do not sell personal data do not need to post a privacy notice; is that really what lawmakers intended?

Another confusing requirement in this section is that businesses must identify all third parties to whom they “may sell” personally identifiable information. How far into the future must businesses predict this information? Is this provision even enforceable? 

So many questions.

Privacy advocates, on the other hand, are upset about the RI-DTPPA’s weaknesses, especially exempting pseudonymous information from opt-out requests. Much of the data that is used for targeted advertising (and that is otherwise sold online) could be considered pseudonymous data, so exempting it considerably undermines customers’ right to opt out of that practice.

Cross-Country Privacy Compliance

The pace of state privacy legislation has not let up. As we see from looking at the RI-DTPPA, even when these laws are modeled after each other, there can be significant variation. With each new law, compliance therefore becomes a little more complicated to manage, especially for businesses without in-house privacy experts. 

TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Built by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.

To learn more about how TrueVault US can help your business, contact our team today.

Schedule Call