Rhode Island: Bill for consumer data protection act introduced to House of Representatives
On February 29, 2024, House Bill 7787, the Rhode Island Data Transparency and Privacy Protection Act, was introduced in the Rhode Island House of Representatives and, on the same date, referred to the House Innovation, Internet, and Technology Committee.
Definitions
The bill provides for definitions for terms including 'consent,' 'controller,' 'personal data,' 'process' or 'processing,' 'sale of personal data,' 'sensitive data,' and 'targeted advertising.'
Scope
The bill does not apply to:
- any body, authority, board, bureau, commission, district, or agency of Rhode Island or any political subdivision of Rhode Island;
- non-profit organizations;
- institutions of higher education;
- national securities associations registered under the Securities Exchange Act of 1934; or
- financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA).
The bill also does not apply to specific data, including:
- protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
- patient identifying information;
- identifiable private information;
- identifiable private information collected as part of human subjects research;
- the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a customer's credit; or
- data processed or maintained in the course of employment.
What principles and obligations are covered under the bill?
The bill sets out principles for the processing of personal data. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices; must not process sensitive data without obtaining customer consent; may process the sensitive data of a child only with consent and in accordance with the Children's Online Privacy Protection Act (COPPA); and must provide customers with a mechanism to grant and revoke consent where consent is required.
Controllers must also provide a privacy notice in their customer agreement, in an incorporated addendum, or in another conspicuous location, identifying:
- all categories of data collected;
- all categories of third parties to whom they may disclose personally identifiable data and the categories of data shared with such third parties, if any;
- how customers may exercise their data subject rights and appeal decisions related to them;
- the purposes of processing;
- an active email address or other mechanism that customers may use to contact the controller; and
- where the controller sells personal data to third parties or processes personal data for targeted advertising, a clear and conspicuous disclosure of such processing and of the manner in which a customer may opt out of it.
Regarding vendor management, processors must adhere to the instructions of a controller, with a contract governing a processor's data processing procedures conducted on behalf of the controller. The bill further sets out required contents within such a contract, including the nature and purpose of processing, types of data subject to processing, and duration of processing.
Notably, the bill stipulates that controllers must conduct and document a data protection assessment for each of their processing activities that presents a heightened risk of harm to a customer, and it specifies the circumstances that are considered high risk. A single data protection assessment may address a comparable set of processing operations that include similar activities. An assessment conducted to comply with another applicable law may be deemed to satisfy the requirements under the bill.
Finally, the bill notes alternative legal bases for the processing of personal data, including conducting internal research, effectuating product recall, and performing internal operations reasonably aligned with the expectations of the customer.
What rights are provided for under the bill?
The bill details data subject rights, including the rights to be informed, of access, to rectification, to deletion, and to data portability, as well as the right to opt out of processing for purposes of targeted advertising or profiling, including profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
The bill outlines mechanisms for exercising customer rights. These include a 45-day timeframe for responding to requests, a requirement that information be provided free of charge once per customer during any 12-month period, and circumstances in which a controller need not comply with a request, including where it is unable to authenticate the request.
The bill also includes a provision allowing customers to designate an authorized agent to exercise the right to opt out on their behalf.
Enforcement
The Rhode Island Attorney General has exclusive authority to enforce the provisions of the bill.
The bill provides for its entrance into effect on January 1, 2025.
You can read the bill here and track its progress here.
Update: June 11, 2024
Bill passes House of Representatives
On June 10, 2024, the bill passed the House following amendments.
What is the scope of the bill?
In particular, the amended bill applies to for-profit entities that conduct business in Rhode Island, or that produce products or services targeted to residents of Rhode Island, and that during the preceding calendar year:
- controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.
The bill clarifies that it does not apply to information and data including, among others:
- protected health information under HIPAA;
- identifiable private information collected as part of human research pursuant to the good clinical practice guidelines;
- the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a customer's credit worthiness, standing, capacity, or character to the extent such activity is regulated under the Fair Credit Reporting Act;
- personal data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act; and
- data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.
The bill further provides that it does not apply to any state body, non-profit organization, or financial institution, or to data subject to the GLBA.
The bill now provides for its entrance into effect on January 1, 2026.
You can read the amended bill here and track its progress here.
Update: June 14, 2024
Bill passed by Senate
On June 13, 2024, the bill was passed by the Rhode Island State Senate.
The bill must now proceed to the Governor of Rhode Island for signature.
You can read the bill here and track its progress here.
Update: June 27, 2024
Bill becomes law without Governor's signature
On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and its companion Senate Bill 2500 without signature, allowing the bill to become law.
The Act enters into force on January 1, 2026.
You can read the Governor's press release here, the Act here, and its legislative history here.