
Rhode Island: Bill for consumer data protection passes House of Representatives

On June 10, 2024, House Bill 7787 for the Rhode Island Data Transparency and Privacy Protection Act passed the Rhode Island House of Representatives following amendments.

What is the scope of the bill?

The bill applies to for-profit entities that conduct business in Rhode Island, or that produce products or services targeted to Rhode Island residents, and that during the preceding calendar year:

  • controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

The bill clarifies that it does not apply to information and data including, among others:

  • protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  • identifiable private information collected as part of human research pursuant to the good clinical practice guidelines;
  • personal data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act; and
  • data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

The bill further provides that it does not apply to any state body, non-profit organization, financial institution, or data subject to the Gramm-Leach-Bliley Act (GLBA).

What rights are provided for under the bill?

The bill details data subject rights, including the rights to be informed, of access, rectification, deletion, and data portability, and the right to opt out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

The bill outlines mechanisms for exercising customer rights. These include a 45-day timeframe for responding to requests, a requirement that responses be provided free of charge once per customer during any 12-month period, and circumstances in which a controller is not required to comply with a request because it is unable to authenticate it.

What principles and obligations are covered under the bill?

The bill provides principles for the processing of personal data, including the establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices. The bill outlines controller obligations, such as not processing sensitive data without obtaining customer consent, not processing the sensitive data of a child without consent and in accordance with the Children's Online Privacy Protection Act (COPPA), and providing customers with a mechanism to grant and revoke consent where required.

Controllers must also create a privacy notice in their customer agreement, incorporated addendum, or another conspicuous location identifying:

  • all categories of data collected;
  • all categories of third parties to whom they may disclose personally identifiable data and the categories of data shared with such third parties, if any;
  • how customers may exercise their data subject rights and appeal decisions related to them;
  • the purposes of processing;
  • an active email address or other mechanism that customers may use to contact the controller; and
  • where the controller sells personal data to third parties or processes personal data for targeted advertising, a clear and conspicuous disclosure of such processing and of the manner in which a customer may opt out of it.

Regarding vendor management, processors must adhere to the controller's instructions, and a contract must govern the processing a processor carries out on the controller's behalf. The bill sets out the required contents of such a contract, including the nature and purpose of the processing, the types of data subject to processing, and the duration of the processing.

Notably, the bill stipulates that controllers must conduct and document a Data Protection Assessment for processing activities that present a heightened risk of harm to a customer, and it specifies the circumstances that are considered high risk. A single Data Protection Assessment may address a comparable set of processing operations that include similar activities, and an assessment conducted to comply with another applicable law may be deemed to satisfy the requirements under the bill.

Finally, the bill notes alternative legal bases for the processing of personal data, including conducting internal research, effecting a product recall, and performing internal operations reasonably aligned with the expectations of the customer.

Enforcement

The Rhode Island Attorney General has exclusive authority to enforce the provisions of the bill.

As amended, the bill provides that it will take effect on January 1, 2026.