Blog

Rhode Island strengthens privacy with new Data Transparency and Privacy Protection Act

Rhode Island becomes the 20th state to enact a privacy law, joining the growing list of states prioritizing consumer data protection

Keshawna Campbel
Privacy Research Manager, OneTrust Center of Excellence
June 28, 2024

Scope and application of the Act
Exclusions from the Act
Key definitions
Principles and obligations
Unique privacy notice requirements
Consumer rights
Enforcement and timeline
Next steps for businesses

On June 25, 2024, Rhode Island took a significant step toward enhancing data privacy with the passage of House Bill 7787 and Senate Bill 2500, collectively known as the Data Transparency and Privacy Protection Act. Passed by the state legislature earlier in June, this new law sets out clear guidelines for businesses operating in the state to ensure transparency and protect consumer data.

Scope and application of the Act

The Data Transparency and Privacy Protection Act mainly targets for-profit businesses operating in Rhode Island or those offering products or services to Rhode Island residents. It applies to companies that, in the previous calendar year:

Controlled or processed personal data of at least 35,000 customers, excluding data processed solely for payment transactions.
Controlled or processed personal data of at least 10,000 customers and derived over 20% of their gross revenue from selling personal data.

Exclusions from the Act

The Act doesn't cover specific types of information, such as:

Protected health information under HIPAA.
Identifiable private information collected in human research.
Data regulated under the Fair Credit Reporting Act.
Personal data managed under the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act.
Employment-related data and data processed for state bodies, non-profit organizations, or financial institutions under the GLBA.

Key definitions

The Act defines several terms to clarify its scope, including controller, process, sale of personal data, and sensitive data. It defines personal data as “any information linked or reasonably linkable to an identifiable individual, excluding de-identified data or publicly available information.”

The Act also defines what activities are not considered 'targeted advertising' including:

Advertisements based on activities within a controller's own Internet websites or online applications;
advertisements based on the context of a customer's current search query, or current visit to an Internet website or online application;
advertisements directed to a customer in response to the customer's request for information or feedback; or
processing personal data solely to measure or report advertising frequency, performance, or reach.

Notably, the Act does not have a definition for personally identifiable information. 

Principles and obligations

The Act outlines principles for processing personal data, including implementing reasonable security practices and obtaining customer consent for processing sensitive data. Controllers are required to:

Create a privacy notice detailing data collection categories, third-party disclosures, customer rights, and contact information.
Clearly disclose if they sell personal data or use it for targeted advertising.

Processors must follow controllers' instructions and have contracts governing data processing. Controllers must also conduct data protection assessments for high-risk processing activities and document these assessments to comply with applicable laws.

Unique privacy notice requirements

The Act adopts a unique approach to privacy notices. Broader than the Act's general scope of application the information sharing provisions require commercial websites or internet service providers that collect, store and sell customers' personally identifiable information to disclose third parties to whom they sell or "may sell" such information. The scope of this requirement is unclear as the Act does not define "personally identifiable information." This ambiguity could pose challenges for businesses as they strive to comply.

Consumer rights

The Act grants consumers several rights, including:

The right to be confirm, access, correct, delete, and data portability.
The right to opt-out of targeted advertising, profiling in furtherance of automated decisions with significant effects.
The right to use authorized agents for opt-out requests.

Controllers must respond to consumer requests within 45 days, free of charge once per 12-month period, with provisions for authentication.

Enforcement and timeline

The Rhode Island Attorney General has exclusive authority to enforce the Act, which will come into effect on January 1, 2026.

Next steps for businesses

With the Data Transparency and Privacy Protection Act set to take effect in January 2026, businesses need to start preparing now to ensure compliance. Here are some things to consider:

Review data practices: Audit your current data collection, processing, and sharing practices to ensure they align with the new requirements. Pay particular attention to the categories of personal data collected and how this data is shared with third parties.
Update privacy notices: Given the Act’s unique privacy notice requirements, businesses should update their privacy policies to clearly disclose third parties to whom they sell or may sell personal data. Clarify any ambiguities around the term "personally identifiable information."
Implement security measures: Establish and maintain robust administrative, technical, and physical data security practices. Ensure that sensitive data processing adheres to consent requirements.
Develop consumer rights protocols: Create and implement processes for consumers to exercise their rights under the Act, including the right to access, correction, deletion, and opt-out of data processing for targeted advertising.
Conduct Data Protection Assessments: Identify and document high-risk data processing activities. Regularly conduct data protection assessments to mitigate potential risks to consumer data.
Train your team: Educate your teams about the new requirements and the importance of data privacy and security. Ensure that everyone understands their role in maintaining compliance.
Monitor for updates: Stay informed about any legislative clarifications or amendments to the Act that may arise before the effective date. This is especially important given the ambiguity around certain definitions and requirements. For the latest updates and expert analysis, visit OneTrust DataGuidance.

By taking these steps, businesses can better navigate the complexities of the Data Transparency and Privacy Protection Act and ensure they’re well-prepared for its implementation.

Request a demo to learn more about how OneTrust can help with your US privacy compliance efforts.

Blog

Rhode Island strengthens privacy with new Data Transparency and Privacy Protection Act

Table of contents

Scope and application of the Act

Exclusions from the Act

Key definitions

Principles and obligations

Unique privacy notice requirements

Consumer rights

Enforcement and timeline

Next steps for businesses

You may also like

Privacy Automation

Global regulatory update: Recent privacy developments and compliance trends

Join us for a webinar on the latest updates and emerging trends in global privacy regulations.

September 12, 2024

Privacy Management

Preparing for child data protection laws in the US

Join DataGuidance and a panel of experts as we discuss US privacy laws the protection of minors' data.

August 07, 2024

Privacy Management

The road to 50 states: Rhode Island joins the US privacy landscape with a new law

Rhode Island has become the 20th US State to pass a privacy law. On June 25, 2024, the Governor of Rhode Island transmitted the Data Transparency and Privacy Protection Act (RIDTPPA) without signature allowing the Act to become law. Join the webinar to learn more.

July 16, 2024

Privacy Management

Preparing for the future of privacy in healthcare: Going beyond HIPAA compliance

Join us for a discussion on preparing your organization for healthcare privacy compliance that goes beyond HIPAA.

July 11, 2024

Privacy Management

The road to 50 states: Minnesota and Vermont join the US privacy landscape

In this webinar, OneTrust DataGuidance and expert contributors unpack the MCPA and VDPA, examining the requirements, exceptions, and practical implications of the legislations on the data controllers and processors.

June 17, 2024

Privacy Management

From legislation to operation: How to prepare for the new wave of US Privacy laws

Prepare your organization for the new wave of US privacy laws.

June 06, 2024

Third-Party Risk

TPRM privacy compliance: Questions to ask when working with third parties

Download this checklist to learn what questions to ask when designing a third-party risk management program that enables privacy compliance.

May 31, 2024

Comparing US state privacy law requirements

Download our infographic and compare the many US state privacy law requirements that have been enacted or will soon come into effect.

May 14, 2024

Privacy Management

Federal US privacy bill on the horizon? Exploring the draft APRA & new state privacy legislation

Join OneTrust DataGuidance and expert contributors for an overview of the Kentucky Consumer Privacy Act (KCPA), Maryland's Senate Bill 0541, and the draft American Privacy Rights Act and explore how a federal bill could shape the US privacy landscape.

April 23, 2024

Privacy Management

US state privacy laws timeline

View our timeline to understand the progression of current US state privacy laws and key dates.

April 23, 2024

Privacy Management

Spring into action! Navigating CPRA: Ensuring compliance and protecting privacy

Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.

March 21, 2024

Privacy Management

The road to 50 states: New Jersey and New Hampshire join the US privacy landscape

oin OneTrust DataGuidance for a webinar highlighting the key requirements within the new US laws, New Jersey Senate Bill 332 and New Hampshire Senate Bill 255.

February 01, 2024

Privacy Automation

Embedding Privacy by Design through PIA Automation

Join us for a webinar on Embedding Privacy by Design through PIA Automation.

January 11, 2024

Privacy Management

Automating fulfillment of subject rights requests in the US

Learn how Privacy Rights Automation helps to fully automate privacy rights requests.

December 06, 2023

Privacy Management

December's deadline: Ensuring compliance with Utah's privacy regulation

Join us for a webinar as we explore the impending implementation of the Utah Privacy Law, set to take effect on December 31, 2023.

November 14, 2023

Privacy Management

The road to privacy compliance: A spotlight on Oregon & Delaware legislation

We explore the new Oregon and Delaware privacy laws, how they differ from other US privacy laws, and what they mean for your business.

September 14, 2023

Privacy Management

Utah Consumer Privacy Act law book

Download the Utah Consumer Privacy Act law book and have the official UCPA text at your fingertips for when the law takes effect on December 31, 2023.

September 04, 2023

Privacy Management