On June 29, 2024, the legislature of Rhode Island passed the Rhode Island Data Transparency and Privacy Protection Act (DTPPA – RI HB 7787), enacting a comprehensive privacy law that will go into effect on January 1, 2026. This new privacy law will provide residents of Rhode Island with privacy laws and will require businesses to meet certain compliance requirements, such as the requirement to have a comprehensive and up to date Privacy Policy. In this article, we will discuss the following aspects of Rhode Island’s new privacy law so that you can ensure that you and your business are prepared for its implementation:
- Who needs to comply with the Rhode Island Data Transparency and Privacy Protection Act;
- The definition of “personal data” under this law;
- The privacy rights provided to residents of Rhode Island;
- The Privacy Policy requirements of Rhode Island’s new privacy law;
- Penalties for failure to comply; and
- How Termageddon will handle updates for the DTPPA.
Table of Contents
Who needs to comply with the Rhode Island Data Transparency and Privacy Protection Act?
Unlike other privacy laws, which can apply to larger businesses only, the requirement to have a Privacy Policy under this law will apply to any commercial website that does business in Rhode Island or with customers in Rhode Island. This means that any website that sells goods, services, or digital products to residents of the State will need to provide a Privacy Policy that complies with the requirements of this privacy law. This privacy law does specifically exempt nonprofit organizations so nonprofits will not need to comply with Rhode Island’s privacy law.
Other sections of this privacy law such as requirements to provide consumer privacy rights will apply to for-profit entities that conduct business in Rhode Island or that produce products or services that are targeted to residents of the State and, that during the preceding calendar year, did any of the following:
- Controlled or processed the personal data of not less than 35,000 residents of Rhode Island; or
- Controlled or processed the personal data of not less than 10,000 Rhode Island residents and derived more than 20% of their gross revenue from the sale of personal data.
Definition of “personal data”
Rhode Island’s privacy law defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual. This means that information commonly collected through websites such as names, emails, phone numbers or IP addresses will be considered “personal data” and will be covered under this privacy law.
Privacy rights provided to residents of Rhode Island
Rhode Island’s privacy law is enacted to provide privacy protections to residents of Rhode Island by providing them with the following privacy rights:
- Right to not be discriminated against based upon the exercise of privacy rights;
- Confirm whether or not a controller is processing the consumer’s personal data and access such personal data;
- Correct inaccuracies in personal data;
- Delete personal data;
- Obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller;
- Opt out of targeted advertising;
- Opt out of the sale of personal data;
- Opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Individuals may also designate an authorized agent to exercise privacy rights on their behalf. Businesses will have up to 90 days to respond to a privacy rights request and consumers may appeal a privacy rights decision.
Privacy Policy requirements of Rhode Island’s privacy law
All businesses that do business in Rhode Island (regardless of their size), will need to provide consumers with an up to date, accurate Privacy Policy that contains the following information:
- All categories of personal data collected;
- All third parties to whom the personal data has been sold or may be sold;
- An e-mail address or other online mechanism where the business may be contacted;
- Whether or not personal data is sold or processed for targeted advertising purposes.
Penalties for failure to comply
Rhode Island’s privacy law will be enforced by the State’s Attorney General who can impose fines of up to $10,000 per violation under the State’s deceptive trade practices law. This means that fines could add up very quickly for violations of this privacy law, even if a business has only a few dozen website visitors from Rhode Island.
How Termageddon will handle updates for the DTPPA
We have been tracking this privacy law since its inception and will continue to track it for any amendments, rules and regulations. We will email all customers prior to this privacy law’s effective date in order to make updates to their Privacy Policies.
