Guide on Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

By Safna November 12, 2025

Expert reviewed

Rhode Island, the smallest US state, makes a big impact by enacting its data privacy law. The law reaffirms the right to privacy and focuses on protecting citizens from cybercrimes and identity threats.

Official text: Rhode Island Data Transparency and Privacy Protection Act

Effective date: January 1, 2026

What is the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?

Rhode Island is the latest US state to implement a digital privacy protection law. The bill was passed on June 28, 2024. The RIDTPPA promotes transparency and accountability of businesses. 

Along with granting customer rights and imposing controller obligations, the law highlights its concern over third-party tracking. It also requires businesses to inform customers about the collection of personal data and whether they sell or share this information with third parties.

The penalties for violations may amount to $10,000, with intentional disclosure of personal data incurring fines of up to $500 for each disclosure.

To whom does the Rhode Island privacy law apply?

The law applies in two layers: one for the privacy-disclosure practices and one for the other obligations.

All requirements apply to for-profit entities that conduct business in Rhode Island or target their products or services to the residents of the state, and that met any of the following requirements in the preceding year:

  • Controlled/processed the personal data of at least 35,000 customers, except for completing payment transactions.
  • Controlled/processed the personal data of at least 10,000 customers and gained more than 20% of gross revenue from the sale of personal data.

Rhode Island replaces the word “consumer” with “customer,” while the meaning remains the same. A customer is an individual residing in Rhode Island acting in an individual/household context.

The information-sharing practices, which we will discuss later, apply to:

Any commercial website or internet service provider conducting business in Rhode Island, with customers in Rhode Island, or otherwise subject to Rhode Island jurisdiction. These entities must designate a controller.

What are the exemptions to the Rhode Island privacy law?

Similar to most US privacy laws, RIDTPPA provides exemptions, including:

  • State agencies and political subdivisions
  • Non-profit organizations
  • Higher education institutions
  • Data covered by federal laws such as the Gramm-Leach-Bliley Act or HIPAA
  • Employment-related data, including emergency contacts used within that role.

What is personal data under the Rhode Island privacy law?

The law defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual and does not include publicly available information or de-identified data.

  • Publicly available information: Any information lawfully available through government records, widely distributed media or if the controller has a reasonable basis to believe that the customer has made it available to the public.
  • De-identified data: Data that cannot be used to infer information about or link to an identifiable or identified individual or a device linked to the individual.

What is sensitive data under the Rhode Island data privacy law?

The law categorizes the following types of personal data as sensitive:

  • Personal data that reveals:
    • Racial/ethnic origin
    • Religious beliefs
    • Mental/physical health condition or diagnosis
    • Sex life
    • Sexual orientation
    • Citizenship/immigration status
  • Biometric/genetic data for identifying an individual
  • Personal data collected from a known child
  • Precise geolocation

What are the privacy notice/information sharing requirements under RIDTPPA?

The information-sharing practices apply to businesses regardless of the monetary threshold. Your privacy notice must contain the following information:

  • Categories of personal data that the controller collects about customers
  • Third parties to whom the controller sells/sold the personal data
  • An active mail address/online mechanism to contact the controller
  • Disclosure of any third-party data sharing
  • Rights of customers and how to exercise them

What are the controller obligations under the Rhode Island privacy law?

The law imposes the following obligations on businesses:

Consent 

Consent under the Rhode Island privacy law is an affirmative action signifying a customer’s freely given, informed, specific and unambiguous agreement to the processing of personal data.

Do not rely on dark patterns to obtain customer consent.

Consent is necessary for processing a customer’s sensitive data. Furthermore, to process the sensitive data of a known child, verifiable parental consent, in adherence to COPPA, is necessary.

Security safeguards

Implement necessary security measures to protect the confidentiality, integrity and accessibility of personal data handled by you.

Non-discrimination

Do not engage in discriminatory practices against customers, such as denying goods or adjusting quality and prices in response to the exercise of their rights. Additionally, businesses should not process personal data in violation of the laws prohibiting unlawful discrimination. 

Consent revocation

Provide customers with convenient mechanisms to grant and withdraw consent. Businesses must stop processing personal data within 15 days of consent revocation by the customer.

Data protection assessments

Businesses must conduct impact assessments for the processing of personal data involving high risks such as sensitive data, and personal data used for profiling or sale.

Response to customer requests

Businesses must respond to customer requests within 45 days. This can be extended by another 45 days if necessary, considering the complexity and number of requests received.

Similarly, the response period for appeals is 60 days, and the appeal process must be conspicuously available to customers.

Also, you must provide the required information in response to a customer request, free of charge once a year per person.

Contractual relationship

Your privacy compliance also extends to those involved in the processing, such as data processors and third parties. Therefore, have a contractual relationship with them and ensure their compliance. The contract must determine the nature and types of data processed, duration of processing, rights of parties, etc.

What are the consumer rights under the Rhode Island privacy law?

The Rhode Island privacy law grants consumers familiar rights, which this section covers:

Right to confirm

Customers can confirm whether a controller is processing their personal data as well as access such data.

Right to correct

RIDTPPA also allows customers to correct any inaccurate information in their personal data.

Right to delete

This right empowers Rhode Island customers to request the deletion of their personal data handled by businesses, taking into account the nature of personal data and the purpose of processing.

Right to opt-out

Similar to almost all US privacy laws, customers have the right to opt out of targeted advertising, profiling and sale of personal data.

Right to portability

The law permits customers to obtain a copy of their personal data in a portable and readily useable format, where the processing is carried out by automated means.

Enforcement of Rhode Island privacy law

The Attorney General is the exclusive enforcement authority of the Rhode Island privacy law. There is no private right of action under the law.

Any violation of the law will be considered a deceptive trade practice, and a penalty of up to $10,000 may be imposed. The RIDTPPA also prescribes a penalty of between $100 and $500 for intentional disclosure of personal data.

Checklist for RIDTPPA compliance

  • Limit the collection and processing of personal data to what is required for the disclosed purpose.
  • Obtain consent for processing sensitive data.
  • Provide privacy notice to customers.
  • Implement reasonable and adequate security safeguards. 
  • Have a contractual relationship with processors and third parties.
  • Do not discriminate against customers for the exercise of customer rights.
  • Conduct data protection assessments.
  • Provide convenient mechanisms to grant and revoke customer consent.
  • Respond to consumer requests promptly.

FAQ on Rhode Island data privacy law

What is the privacy act in Rhode Island?

Rhode Island enacted its privacy law, the “Rhode Island Data Transparency and Privacy Protection Act”, which is set to take effect on January 1, 2026.

What is protected under the Rhode Island Privacy Act?

The law protects the confidentiality of the personal data of Rhode Island residents and aims to prevent cybercrimes and identity thefts.

Does Rhode Island privacy law require honouring universal opt-out signals?

No. Unlike other US state laws, RIDTPPA does not mention the need to recognise Universal Opt Out Mechanisms (UOOM).

Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.
