Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA)

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) is a state law enacted on June 28, 2024, to enhance consumer privacy rights and data protection. It aims to give Rhode Island residents more control over their personal information and make data collection and usage practices more transparent. The law also requires businesses to follow strict data security measures when handling personal data. The Ri-DTPPA sets out what businesses must do when they collect, use, and share data. It also gives people specific rights to access, correct, and delete their data. The Act will come into effect on January 1, 2026.

Who is affected by the RI-DTPPA?

The RI-DTPPA affects businesses that collect, use, or keep personal information of people who live in Rhode Island. This rule includes companies in Rhode Island and those outside the state that handle information about Rhode Island residents.

Specifically, it affects businesses that:

• Controls or processes the personal data of at least 35,000 customers in the preceding year, or
• Controls or processes the personal data of at least 10,000 customers AND derived more than 20% of their gross revenue from the sale of personal data.

The act doesn’t apply to:

• State and local government bodies
• Nonprofit organizations
• Higher education institutions
• National securities association that is registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934
• Financial Institutions
• Entities covered by specific federal laws (e.g., HIPAA, Gramm-Leach-Bliley Act)

What is considered “personal data” under the law?

The Act defines “personal data” as “any information linked or reasonably linkable to an identified or identifiable individual”. This includes common data points collected through websites, such as names, email addresses, phone numbers, and IP addresses. However, the RI-DTPPA does exempt certain types of data and entities.

It does not apply to:

• Health information that is protected by the Health Insurance Portability and Accountability Act
• Information protected under specific federal regulations for drug and alcohol treatment (42 U.S.C. § 290dd-2).
• Identifiable private information protected under federal policies for the protection of human research subjects (45 C.F.R. §§ 46.101 through 46.124).
• Identifiable private information collected in human research
• Data regulated under the Fair Credit Reporting Act
• Personal data managed under the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act
• Data processed in the course of employment, including emergency contact information or data necessary for administering benefits.
• Employment-related data and data processed for state bodies, non-profit organizations, or financial institutions under the GLBA

The Act also excludes de-identified data and publicly available information from its definition of personal data.

What rights does the RI-DTPPA grant to Rhode Island residents?

The RI-DTPPA grants Rhode Island residents several rights over their personal data:

1. Right to Access: Consumers can confirm whether a business is processing their personal data and access such data.
2. Right to Correction: Consumers can request to correct any inaccuracies in their personal data.
3. Right to Deletion: Consumers can request to delete their personal data.
4. Right to Data Portability: Consumers can obtain a copy of their personal data in a portable format that allows them to transmit the data to another business.
5. Right to Opt-Out of Targeted Advertising: Consumers can opt out from having their personal data used for targeted advertising purposes.
6. Right to Opt-Out of Sale of Personal Data: Consumers can opt out of the sale of their personal data to third parties.
7. Right to Opt-Out of Profiling: Consumers can opt out of having their personal data used for profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Businesses must respond to consumer requests to exercise these rights within 45 days, free of charge, once per 12-month period. Consumers can also designate authorized agents to exercise their rights on their behalf.

What are the Obligations under RI-DTPPA?

Obligations of Controllers

A controller is an entity that determines the purposes and means of processing personal data. The primary responsibilities of controllers include:

Privacy Policy Requirements: The RI-DTPPA requires businesses to provide consumers with clear and comprehensive privacy notices having all details as to how they collect data and their sharing practices.

These notices must include:

• Categories of personal information collected
• Third parties with whom data may be shared or sold
• Process for consumers to review and request changes to their data
• Process for notifying consumers of material policy changes
• Contact information for the operator

Consent: Obtain explicit consent from consumers for the collection and processing of sensitive data and for any data processing activities that go beyond the original purposes disclosed to the consumer.

Data Minimization: Collect and process personal data only for the purposes specified in the Privacy Notice and as consented to by the consumer.

Data Security: Implement appropriate technical and organizational measures to secure personal data against unauthorized access, breaches, and other threats. These include encryption, access controls, and regular security assessments.

Non-discrimination: Avoid discriminating against customers who exercise their privacy rights.

Opt-out Rights: Provide mechanisms for consumers to opt out of:

• Personal data processing for targeted advertising
• Sale of personal data
• Certain types of profiling

Data Protection Assessments: Conduct and document the protection assessments for high-risk processing activities that include- 

1. The processing for targeted advertising 
2. The sale of personal data
3. The processing for profiling
4. The processing of sensitive data

Third-Party Relationships: Ensure that any third parties with whom personal data is shared comply with similar data protection standards. This includes conducting due diligence and entering into data processing agreements that stipulate data protection requirements.

Obligations of Processors

A processor is an entity that processes personal data on behalf of a controller. The primary responsibilities of processors include:

• Process personal data only on the documented instructions of the controller, including with regard to data transfers to third countries or international organizations.
  
  
• Ensure that data processing is carried out strictly for the purposes defined by the controller.
  
  
• Notify the controller without undue delay after becoming aware of a data breach.
  
  
• Assist the controller in ensuring compliance with their obligations under the RI-DTPPA, particularly in relation to security measures, breach notifications, and data protection impact assessments.
  
  
• Obtain written authorization from the controller before engaging any sub-processors and also ensure that sub-processors are bound by the same data protection obligations as the processor through contractual agreements.

How will the RI-DTPPA be enforced?

The RI-DTPPA will be enforced exclusively by the Rhode Island Attorney General. The Attorney General is authorized to bring civil actions against businesses for violations of the Act and seek injunctive relief, actual damages, and a civil penalty.

The RI-DTPPA does not provide for a private right of action, which means that individual consumers cannot sue businesses directly for violations. 

What is the penalty for violation of RI-DTPPA?

Violation of this act is considered a deceptive trade practice, constituting a violation of the general regulatory provisions of commercial law in Title 6, thus liable for a civil penalty not exceeding $10,000 for each violation.

 If any individual or entity intentionally discloses personal data, they will be liable to pay a fine between $100 and $500 for each time they disclose the data.

What impact does the RI-DTPPA have on businesses operating in Rhode Island?

Businesses operating in Rhode Island or offering products and services to Rhode Island residents will need to make significant changes to their data practices due to the RI-DTPPA. Even small businesses with a website accessible to Rhode Island customers will be required to comply with the law’s requirements.

Businesses should review their data collection and sharing practices to ensure that they provide accurate and comprehensive privacy notices. Additionally, they should develop processes to respond to consumer requests to access, correct, delete, and download their data, as well as opt out of targeted advertising and data sales.

Implementing these processes may require significant time and resources, particularly for small businesses. Businesses must also ensure they are implementing reasonable security measures to protect personal data and avoid potential enforcement actions.

However, the RI-DTPPA could also create opportunities for businesses that prioritize data privacy. By demonstrating a commitment to protecting consumer data, businesses may be able to differentiate themselves in the market and attract customers who value privacy.

The Rhode Island Data Transparency and Privacy Protection Act represents an important step forward in the effort to protect consumer data in the digital age. By granting Rhode Island residents rights over their personal information and imposing obligations on businesses, the Act aims to enhance transparency and give consumers more control.