By: Linda L. Goodman
The Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act on June 13, 2024, and Governor Daniel McKee will now review the legislation.
The act will apply to for-profit entities in Rhode Island that conduct business in Rhode Island or produce products or services that are targeted to state residents and that, during the prior calendar year, either: (1) controlled or processed the personal data of at least 35,000 state residents; or (2) controlled or processed the personal data of at least 10,000 state residents and derived more than 20% of their gross revenue from the sale of personal data.
The act only applies to consumer personal data and excludes employee or business-to-business data. Exemptions exist for GLBA-regulated entities, HIPAA-covered entities, non-profit organizations, institutions of higher education, and FERPA-regulated personal data. Processing personal data for compliance with state or federal law and law enforcement investigations is also covered.
In a departure from other state privacy laws, the act does not contain a data minimization requirement. This means the act does not require controllers to limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer, and it does not prohibit processing personal data for purposes not compatible with the disclosed purposes unless consent is obtained from the consumer.
The act requires controllers to obtain opt-in consent before processing sensitive data but does not impose additional restrictions on data from children aged 13-17. Sensitive data is defined as personal information that refers to an individual’s: race, ethnic origin, marital status, age, color, affiliations (religious, philosophical, or political), health, education, genetic or sexual life; or government agencies identifications peculiar to an individual (e.g., social security number, previous or current health records, licenses).
It does not require controllers to recognize universal opt-out mechanisms and does not require a controller to provide a website link for individuals to opt out of personal data sale or targeted advertising. The act mandates controllers to conduct data protection assessments, but does not specify the factors they must consider, such as determining potential benefits from processing.
The act requires commercial websites or internet service providers conducting business in Rhode Island, with customers in Rhode Island, or otherwise subject to Rhode Island jurisdiction to designate a controller.
The act mandates that if a commercial website or internet service provider collects, stores, and sells customers’ personally identifiable information, the controller must post a privacy notice identifying all categories of personal data that the controller collects through the website or online service about customers and all third parties to whom the controller has sold or may sell customers’ personally identifiable information, and must provide an active electronic mail address or other online mechanism that the customer may use to contact the controller. Also, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing.
The act will be enforced by the Rhode Island Attorney General. There is no private right of action and there is no right to cure period. Violations of the act are enforceable under the state’s deceptive trade practice act. Notably, a business shall pay a fee of between $100 and $500 for each instance in which it “intentionally discloses personal data” to a shell corporation or entity established to bypass the act, or in contravention of any provision of the act.
If the Governor signs the act, then it will go into effect January 1, 2026.
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments and it is not intended to be and should not be relied on as legal advice for any particular matter. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law. Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISPs.
© 2024 TGLF, A.P.C.