Rhode Island: Bill for consumer data protection act introduced to House of Representatives

On February 29, 2024, House Bill 7787 for the Rhode Island Data Transparency and Privacy Protection Act was introduced to the Rhode Island House of Representatives and thereafter referred, on the same date, to the House Innovation, Internet, and Technology Committee.

Definitions

The bill provides for definitions for terms including 'consent,' 'controller,' 'personal data,' 'process' or 'processing,' 'sale of personal data,' 'sensitive data,' and 'targeted advertising.'

Scope

The bill does not apply to:

  • any body, authority, board, bureau, commission, district, or agency of Rhode Island or any political subdivision of Rhode Island;
  • non-profit organizations;
  • institutions of higher education;
  • national securities associations registered under the Securities Exchange Act of 1934; or
  • financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA).

The bill also does not apply to specific data, including:

  • protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
  • patient identifying information;
  • identifiable private information;
  • identifiable private information collected as part of human subjects research;
  • the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a customer's credit; or
  • data processed or maintained in the course of employment.

What principles and obligations are covered under the bill?

The bill provides principles for the processing of personal data, including the establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices. Controllers must also refrain from processing sensitive data without obtaining customer consent, refrain from processing the sensitive data of a child without consent and in accordance with the Children's Online Privacy Protection Act (COPPA), and provide customers with a mechanism to grant and revoke consent where required.

Controllers must also provide a privacy notice in their customer agreement, an incorporated addendum, or another conspicuous location, identifying:

  • all categories of data collected;
  • all categories of third parties to whom they may disclose personally identifiable data and the categories of data shared with such third parties, if any;
  • how customers may exercise their data subject rights and appeal decisions related to them;
  • the purposes of processing;
  • an active email address or other mechanism that customers may use to contact the controller; and
  • if the controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose such processing and the manner in which a customer may opt-out of such processing.

Regarding vendor management, processors must adhere to the instructions of a controller, with a contract governing a processor's data processing procedures conducted on behalf of the controller. The bill further sets out required contents within such a contract, including the nature and purpose of processing, types of data subject to processing, and duration of processing.

Notably, the bill stipulates that controllers must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. The bill specifies the circumstances that are considered high risk. A single data protection assessment may address a comparable set of processing operations that include similar activities, and an assessment conducted to comply with another applicable law may be deemed to satisfy the requirements under the bill.

Finally, the bill notes alternative legal bases for the processing of personal data, including conducting internal research, effectuating product recall, and performing internal operations reasonably aligned with the expectations of the customer.

What rights are provided for under the bill?

The bill details data subject rights, including the rights to be informed, of access, rectification, deletion, and data portability, and the right to opt out of processing for targeted advertising, profiling, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

The bill outlines mechanisms for exercising customer rights. These include a 45-day timeframe for responding to requests, a requirement that responses be provided free of charge once per customer during any 12-month period, and circumstances in which controllers need not comply with a request because they are unable to authenticate it.

The bill also includes a provision allowing customers to designate authorized agents to exercise the right to opt out on their behalf.

Enforcement

The Rhode Island Attorney General has exclusive authority to enforce the provisions of the bill.

The bill provides for its entrance into effect on January 1, 2025.