In recent years, the landscape of data privacy regulation in the United States has rapidly evolved, with numerous states enacting their own comprehensive privacy laws. Rhode Island has joined this growing list with the passage of the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), signed into law on June 29, 2024, and set to take effect on January 1, 2026. This law represents the nineteenth state comprehensive privacy law in the U.S. and imposes a range of obligations on businesses handling personal data of Rhode Island residents.

While the RIDTPPA follows the general framework of other non-California state privacy laws, it introduces unique provisions that companies must understand to remain compliant. Notably, the Act broadens the scope of privacy notice requirements, mandates comprehensive disclosures about data sales, and does not provide a cure period for violations. This blog explores key aspects of the RIDTPPA, highlighting what businesses need to know as they prepare for compliance.

Key Takeaways from the RIDTPPA

The RIDTPPA aligns with many elements seen in other state privacy laws, yet it stands out in several critical areas:

Broad Applicability of Privacy Notice Requirements

  • Scope: Unlike other state privacy laws, the RIDTPPA’s privacy notice requirements apply broadly to any commercial website or internet service provider conducting business in Rhode Island or targeting Rhode Island customers. This is independent of other thresholds based on the amount of data processed.
  • Implications: This provision means that even smaller businesses or those not meeting other applicability criteria must comply if they handle personally identifiable information (PII).

Extensive Disclosure Requirements for Third-Party Data Sales

  • Requirement: The Act mandates that controllers disclose all third parties to whom they have sold or may sell PII. However, the term “personally identifiable information” is not defined, leading to potential ambiguity in what data must be disclosed.
  • Challenges: Companies engaged in substantial data sales may face significant burdens in tracking and disclosing all potential third-party buyers, particularly when broad definitions or interpretations of PII are considered.

Absence of a Cure Period

  • Enforcement: The RIDTPPA does not include a cure period, meaning the Rhode Island Attorney General (AG) can enforce penalties immediately upon finding a violation. This lack of a grace period emphasizes the need for proactive compliance measures by companies.
  • Consequences: Without the opportunity to correct violations before enforcement actions, businesses must ensure that they meet all requirements from the outset to avoid potentially costly penalties.

Key Provisions of the RIDTPPA

Definitions and Applicability

  • “Customer” Definition: The Act uses the term “customer” akin to “consumer” in other laws but excludes individuals acting in commercial or employment contexts.
  • Applicability Thresholds: The RIDTPPA generally applies to for-profit entities conducting business in Rhode Island or targeting Rhode Island residents, provided they meet certain data processing thresholds (e.g., processing data for 35,000 or more Rhode Island residents, or processing data for 10,000 residents and deriving over 20% of revenue from data sales).

Privacy Notices

  • Notice Requirements: Controllers must provide a privacy notice detailing categories of personal data collected, third parties to whom data has been or may be sold, and include contact mechanisms for customers.
  • Ambiguities: The Act does not define “personally identifiable information,” leading to potential uncertainties about the extent of required disclosures.

Data Rights for Customers

  • Standard Rights: As under other state privacy laws, Rhode Island customers have the right to:
    • Confirm whether their personal data is being processed and access it.
    • Correct inaccuracies in their personal data.
    • Delete their personal data.
    • Obtain a portable copy of their personal data.
    • Opt out of targeted advertising, data sales, or profiling activities.
  • Obligations for Controllers: Controllers must respond to customer rights requests within 45 days, with possible extensions if justified. Responses must be provided free of charge once per 12-month period.

Data Protection and Processing Obligations

  • Consent for Sensitive Data: Controllers must obtain explicit consent for processing sensitive data, including racial or ethnic information, health conditions, or precise geolocation data.
  • Data Protection Assessments: For data processing posing heightened risks, such as targeted advertising or sensitive data processing, controllers must conduct data protection impact assessments.
  • Processing Agreements: Data processing by third-party processors must be governed by contracts ensuring compliance with the Act’s provisions, including data security and confidentiality obligations.

Enforcement and Penalties

  • Authority: The Rhode Island AG has exclusive enforcement authority, and there is no private right of action under the Act.
  • Penalties: Violations can result in civil penalties up to $10,000 per infraction, with additional fines between $100 and $500 for intentional disclosures of personal data.

The Rhode Island Data Transparency and Privacy Protection Act introduces comprehensive and robust privacy requirements that will significantly impact businesses operating in or targeting Rhode Island residents. Its unique provisions, such as the broad applicability of privacy notice requirements and lack of a cure period, highlight the importance of thorough and immediate compliance efforts.

Companies must review their data handling practices, update privacy notices, and implement necessary data protection measures to meet the RIDTPPA’s standards by its effective date of January 1, 2026. Staying informed on the latest developments in state privacy laws and consulting with legal experts will be crucial for businesses navigating this evolving regulatory landscape.

About Ale Johnson

Ale Johnson is the Director of Marketing at Truyo.