
The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA), enacted on July 1, 2024, marks a significant advancement in data privacy legislation. As the nineteenth state to introduce comprehensive privacy laws, Rhode Island has set forth regulations that aim to enhance transparency and consumer control over personal data. The Act will come into effect on January 1, 2026, and imposes various obligations on businesses that handle the personal data of Rhode Island residents. 

This article provides a detailed analysis of the RI-DTPPA, including its scope, key provisions, and implications for businesses.

Scope & Applicability

The RI-DTPPA applies to a broad spectrum of entities, including any business that collects, stores, or processes personal data of Rhode Island residents. This encompasses both for-profit companies operating within Rhode Island and those outside the state that manage data belonging to Rhode Island residents. The Act is relevant to businesses of all sizes, from small enterprises to large corporations, as well as online service providers and brick-and-mortar establishments.

  1. Key Definitions:
    • Controller: A business that determines the purpose and means of processing personal data. For example, a retailer collecting customer data such as names and purchase histories.
    • Processor: An entity that processes personal data on behalf of a controller, such as a cloud services provider.
  2. Personal Data: The Act defines personal data as “any information that is linked or reasonably linked to an identified or identifiable individual.” This includes a wide range of information, from basic identifiers like names and email addresses to more sensitive data like social security numbers, IP addresses, and biometric data.
  3. Thresholds for Applicability:
    The Act applies to entities meeting at least one of the following criteria in the preceding calendar year:

    • Data Volume: Controlled or processed personal data of at least 35,000 Rhode Island residents.
    • Revenue from Data Sales: Controlled or processed personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.

These thresholds ensure that the Act covers both large-scale data handlers and entities significantly engaged in the monetization of personal data.

Obligations Under the RI-DTPPA

1. Definitions and Scope

    • Personal Data: Broadly defined as information linked or reasonably linkable to an identified or identifiable individual. This includes names, addresses, email addresses, social security numbers, medical information, and biometric data.
    • Sale of Personal Data: Defined as the exchange of personal data for monetary or other valuable consideration.

2. Privacy Notice Requirements

One of the Act’s most notable provisions is its privacy notice requirement. It mandates that:

    • Commercial Websites and Internet Service Providers: Any entity that collects, stores, and sells personal data must provide a privacy notice. This notice must:
        • Disclose all categories of personal data collected.
        • Identify third parties to whom the data has been or may be sold.
        • Include an online mechanism for customers to contact the entity.

3. Transparency Requirements

Businesses must be transparent about their data collection practices. This involves:

    • Disclosing Types of Data Collected: Clearly state what personal data is collected.
    • Purpose of Data Collection: Explain why the data is collected and how it will be used.
    • Data Sharing Practices: Inform consumers about third parties with whom their data is shared or sold.

4. Consumer Rights

The Act grants Rhode Island residents several rights concerning their personal data:

    • Access: Consumers can request access to their personal data held by a controller.
    • Correction: Consumers can correct inaccuracies in their personal data.
    • Deletion: Consumers can request the deletion of their personal data.
    • Data Portability: Consumers have the right to obtain a copy of their personal data in a readable format.
    • Opt-Out: Consumers can opt out of data processing for targeted advertising, the sale of their data, and profiling.

Requests must be addressed within 45 days. If a request is deemed “manifestly unfounded or excessive,” the controller may charge a fee or decline the request after providing an explanation.

5. Consent and Sensitive Data

  • Explicit Consent: Businesses must obtain explicit consent from consumers before collecting, using, or sharing sensitive personal information.
  • Sensitive Data: This includes information revealing racial or ethnic origin, religious beliefs, health conditions, and biometric data.

6. Data Security and Breach Notifications

Businesses are required to implement robust data security measures to protect personal data from unauthorized access and breaches. In the event of a data breach, businesses must notify affected consumers and relevant authorities promptly, following specific timelines outlined in the Act.

7. Data Protection Assessments

Controllers must conduct data protection assessments for processing activities that present a heightened risk to consumer privacy. This includes processing for targeted advertising, selling personal data, and profiling.

8. Data Processing Agreements

Processors must enter into contracts with controllers that specify privacy provisions, including confidentiality obligations, data deletion or return requirements, and the right for the controller to assess the processor’s compliance.

Enforcement & Penalties

The Rhode Island Attorney General is responsible for enforcing the RI-DTPPA. The Act does not provide a private right of action, meaning individuals cannot sue directly for violations. Instead, violations are treated as deceptive trade practices under Rhode Island commercial law, potentially resulting in civil penalties up to $10,000 per violation. Additionally, intentional disclosures of personal data can incur fines ranging from $100 to $500 per disclosure.

Key Differences from Other State Privacy Laws

  • Broad Privacy Notice Requirements: Unlike some states, the RI-DTPPA applies its privacy notice requirements to all commercial websites and internet service providers, regardless of their size or data volume.
  • No Cure Period: The Act does not offer a remedy period for correcting violations before enforcement actions are taken.
  • No Universal Opt-Out Mechanism: Unlike some states, Rhode Island does not mandate a universal opt-out mechanism for data processing preferences.

Frequently Asked Questions (FAQs)

  1. When does the RI-DTPPA take effect?
    The Act will come into effect on January 1, 2026.
  2. Who must comply with the RI-DTPPA?
    The Act applies to any business that controls or processes personal data of Rhode Island residents, including those located outside the state.
  3. What are the key consumer rights under the RI-DTPPA?
    Consumers have the right to access, correct, delete, and obtain their personal data, as well as opt out of certain data processing activities.
  4. Are there any exemptions to the RI-DTPPA?
    Yes, the Act exempts state entities, nonprofits, educational institutions, and data covered by other federal regulations, such as HIPAA and GLBA.
  5. How are violations of the RI-DTPPA enforced?
    Violations are enforced by the Rhode Island Attorney General and can result in civil penalties and fines.

Wrapping Up

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) represents a significant step forward in enhancing consumer privacy and data protection. Businesses that handle personal data of Rhode Island residents must prepare for compliance by implementing robust data protection measures, ensuring transparency in their data practices, and adhering to the consumer rights and obligations outlined in the Act. Staying informed and proactive will be crucial for navigating the complexities of this new legislation and avoiding potential legal and financial repercussions.

For assistance with compliance or data protection strategies, consult with a privacy expert to ensure your business meets the requirements of the RI-DTPPA and safeguards against potential risks.
