Rhode Island: Bill for Data Transparency and Privacy Protection Act becomes law
On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and its companion Senate Bill 2500, both titled the Rhode Island Data Transparency and Privacy Protection Act (collectively, the Data Transparency and Privacy Protection Act), without signature, allowing them to become law. This follows the passage of House Bill 7787 and Senate Bill 2500 by the Rhode Island State legislature on June 10 and June 13, 2024, respectively.
What is the scope of the Data Transparency and Privacy Protection Act?
The Data Transparency and Privacy Protection Act applies to for-profit entities that conduct business in Rhode Island, or that produce products or services targeted to residents of Rhode Island, and that during the preceding calendar year:
- controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.
The Data Transparency and Privacy Protection Act clarifies that it does not apply to information and data including, among others:
- protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
- identifiable private information collected as part of human research pursuant to the good clinical practice guidelines;
- the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a customer's creditworthiness, standing, capacity, or character to the extent such activity is regulated under the Fair Credit Reporting Act;
- personal data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act; and
- data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.
The Data Transparency and Privacy Protection Act further provides that it does not apply to any state body, non-profit organization, or financial institution, or to data subject to the Gramm-Leach-Bliley Act (GLBA).
Definitions
The Data Transparency and Privacy Protection Act provides definitions for terms including 'controller,' 'process' or 'processing,' 'sale of personal data,' and 'sensitive data.'
'Personal data' under the Data Transparency and Privacy Protection Act is defined as 'any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.'
Notably, the Data Transparency and Privacy Protection Act defines what activities are not considered 'targeted advertising' including:
- advertisements based on activities within a controller's own Internet websites or online applications;
- advertisements based on the context of a customer's current search query, or current visit to an Internet website or online application;
- advertisements directed to a customer in response to the customer's request for information or feedback; or
- processing personal data solely to measure or report advertising frequency, performance, or reach.
What principles and obligations are covered under the Data Transparency and Privacy Protection Act?
The Data Transparency and Privacy Protection Act sets out principles for the processing of personal data, including the establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices. Controllers must also refrain from processing sensitive data without obtaining customer consent, refrain from processing the sensitive data of a child except in accordance with the Children's Online Privacy Protection Act (COPPA), and provide customers with a mechanism to grant and revoke consent where consent is required.
Controllers must also create a privacy notice in their customer agreement or incorporated addendum or another conspicuous location, identifying:
- all categories of data collected;
- all categories of third parties to whom they may disclose personally identifiable data and the categories of data shared with such third parties, if any;
- an active email address or other mechanism that customers may use to contact the controller; and
- if the controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose such processing and the manner in which a customer may opt-out of such processing.
Regarding vendor management, processors must adhere to the instructions of a controller, with a contract governing a processor's data processing procedures conducted on behalf of the controller. The Data Transparency and Privacy Protection Act sets out required contents within such a contract, including the nature and purpose of processing, types of data subject to processing, and duration of processing.
Notably, the Data Transparency and Privacy Protection Act stipulates that controllers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a customer, and it specifies the circumstances that are considered high risk. A single data protection assessment may address a comparable set of processing operations that include similar activities, and an assessment conducted to comply with another applicable law is deemed to satisfy the requirements of the Data Transparency and Privacy Protection Act.
Finally, the Data Transparency and Privacy Protection Act notes alternative legal bases for the processing of personal data, including conducting internal research, effectuating product recall, and performing internal operations reasonably aligned with the expectations of the customer.
What rights are provided for under the Data Transparency and Privacy Protection Act?
The Data Transparency and Privacy Protection Act details customer rights, including the rights to be informed, to access, to rectification, to deletion, to data portability, and to opt out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
The Data Transparency and Privacy Protection Act outlines mechanisms for exercising customer rights. These include a 45-day timeframe for responding to requests, a requirement that responses be provided free of charge once per customer during any 12-month period, and circumstances in which a controller need not comply with a request because it is unable to authenticate the request.
The Data Transparency and Privacy Protection Act also allows a customer to designate an authorized agent to exercise the right to opt out on the customer's behalf.
Enforcement
The Rhode Island Attorney General has exclusive authority to enforce the provisions of the Data Transparency and Privacy Protection Act.
The Data Transparency and Privacy Protection Act enters into effect on January 1, 2026.
You can read the Governor's press release here, access House Bill 7787 here and its legislative history here, and Senate Bill 2500 here and its legislative history here.