In the summer of 2024, Rhode Island became the 19th State to enact a consumer data privacy statute, entitled the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”).
In this article, the Consumer Data Privacy Compliance attorneys at Revision Legal discuss what businesses need to know about the RIDTPPA. As with all of these statutes, a portion of the RIDTPPA is “aimed” at protecting Rhode Island consumers and giving them certain rights vis-a-vis businesses that collect and process their data. This generally means providing privacy notices to consumers and obtaining consents from consumers in some circumstances related to what data can be collected, processed, and sold. Another large part of the RIDTPPA is “geared” towards directly imposing various duties and obligations on businesses that control and process data. An example here is the obligation to have state-of-the-art cybersecurity to protect consumer data from hacking, unauthorized access and/or exfiltration.
What businesses need to know about the RIDTPPA
In reviewing the various consumer data protection statutes enacted over the last few years, the RIDTPPA may be rightly termed the mildest version of these statutes passed. For example, many newer versions of these statutes say a controller SHALL not process data beyond what is “adequate, relevant and limited to what is necessary in relation to the specific purposes” of the processing. The RIDTPPA states that controllers MAY process data in such a limited manner. Section 6-48.1-7(s).
It seems that there is almost nothing that could be seen as unique or different about the RIDTPPA compared to similar statutes. Thus, in many respects, if your business is in compliance with the requirements of a consumer data protection statute passed by another State, your business is likely already in compliance with what is mandated in the RIDTPPA.
There is one notable exception, but even here, this statutory obligation was earlier made part of the Maryland consumer data privacy protection statute. That aspect requires a data controller to specifically identify all parties to whom the business sells, or with whom it shares or will sell/share, the consumer’s data. Depending on the business, that obligation could impose a significant administrative burden.
Here are the notable obligations imposed by the RIDTPPA on businesses:
- Provide a consumer notice/disclosure (as indicated above), where the website collects, stores, and/or sells customer data, identifying:
  - All categories of data collected
  - All third parties to whom the data has been sold or may be sold
  - An email address or other online mechanism customers can use to contact the controller
- Provide notice/disclosure of other consumer rights, such as the right to know what data is collected, the right to correct, delete, portability, etc.
- Provide a mechanism allowing consumers to opt out of the processing of their personal data “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer”
- Provide a mechanism for the consumer to appeal denial of requests by the controller (such as an opt-out request, a request to delete or correct data, etc.)
- Not process sensitive data unless the consumer specifically consents — controller must, therefore, provide an “opt-in” mechanism (and an easy opt-out mechanism) for permitting processing of sensitive data (data revealing, for example, race, religion, etc.)
- Have state-of-the-art cybersecurity to protect consumer data
- Not process sensitive data of a known child without parental consent
- Have non-discrimination policies in place for data processing
- Have proper contractual controls for data processors
- Not re-identify data that has been de-identified
- Conduct data protection impact assessments where data processing can create a “heightened risk of harm to the customer,” including a heightened risk of targeted advertising
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.