Rhode Island Senate Bill 2500, the “Rhode Island Data Transparency and Privacy Protection Act,” was enacted on June 28 without Gov. Dan McKee’s signature. The Act will go into effect Jan. 1, 2026.
This makes Rhode Island the 19th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, and Minnesota.
Information Sharing Practices
The Act begins with a section titled “Information Sharing Practices,” which broadly applies to any commercial website (undefined) or internet service provider conducting business in Rhode Island or with customers in the state. Despite the title, this section has little to do with “sharing.” If such an entity collects, stores and sells customers’ “personally identifiable information” (undefined), its controller must, in its customer agreement or on its website, “identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information,” among other things.
This poses several problems. First, it would be almost impossible for a controller to predict every specific third party to whom it may sell personally identifiable information at any time in the future.
Second, the term “personally identifiable information” is undefined yet referred to 10 times in the Act, plus one reference to undefined “personally identifiable data.” While “personal data” is defined, it is not clear that these terms are all one and the same.
Curiously, this section contains a lengthy list of entities and information that are exempt from the Act that differs from the shorter list provided in a separate section titled “Construction” summarized below, though there is some overlap.
Applicability
Apart from the “Information Sharing Practices” section, the Act applies to for-profit entities that conduct business in Rhode Island or that produce products or services that are targeted to residents of Rhode Island and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.
Oddly, these same thresholds are repeated in the sections titled “Customer Rights,” “Exercising Customer Rights,” and “Controller and Processor Responsibilities.”
Exemptions
In addition to the list of exemptions contained in the “Information Sharing Practices” section, the “Construction” section provides the Act does not apply to:
- A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act and its implementing regulations;
- Information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
- Personally identifiable information or any other information collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f);
- Any entity recognized as a tax exempt organization under the Internal Revenue Code;
- A contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.
Additionally, the definition of “customer” excludes “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.”
Customer Rights
The Act provides a customer with the right to:
- Confirm whether their personal data is being processed;
- Correct inaccuracies;
- Delete personal data provided by, or obtained about, the consumer;
- Obtain a portable copy of the personal data processed;
- Opt out of the processing of their personal data if for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
Sensitive Data
A controller is prohibited from processing sensitive data without a customer’s consent.
“Sensitive data” is defined as “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.”
Contract Requirements
A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:
- Ensure that each person processing personal data is subject to a duty of confidentiality;
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations of the Act;
- After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor’s policies and technical and organizational measures in support of the obligations of the Act.
Data Protection Assessments
A controller must conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a customer, including:
- The processing of personal data for purposes of targeted advertising;
- The sale of personal data;
- The processing of personal data for purposes of profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers;
- The processing of sensitive data.
Enforcement
A violation constitutes a deceptive trade practice, and an intentional disclosure of personal data in violation of the Act may result in a fine of not less than $100 and no more than $500 for each such disclosure. The Attorney General has sole authority to enforce the Act, which contains no cure provision.
Impression
While similar in many respects to some of the post-California comprehensive data privacy laws, this legislation appears to have been cobbled together in a hasty and haphazard fashion, which may create compliance issues for those trying to align its requirements with those of other states. As with California’s law, it is anticipated that this Act will undergo numerous corrective amendments in the next legislative session. Maurice Wutscher publishes a chart comparing the state comprehensive data privacy acts, along with further information and insight on data privacy and security laws and legislation.