Rhode Island: Substitute bill for consumer data protection referred for passage in Senate

On June 10, 2024, Senate Bill 2500 for the Rhode Island Data Transparency and Privacy Protection Act was referred for passage by the Rhode Island State Senate Commerce Committee. This follows the bill's introduction to the Senate on March 1, 2024. The bill is a companion bill to House Bill 7787 for the Rhode Island Data Transparency and Privacy Protection Act.

What is the scope of the bill?

In particular, the bill outlines its application to for-profit entities that conduct business in Rhode Island or for-profit entities that produce products or services that are targeted to residents of Rhode Island, and that during the preceding calendar year controlled or processed the personal data of not less than:

  • 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

The bill clarifies that it does not apply to information and data including, among others:

  • protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  • identifiable private information collected as part of human research pursuant to the good clinical practice guidelines;
  • the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a customer's credit worthiness, standing, capacity, or character to the extent such activity is regulated under the Fair Credit Reporting Act;
  • personal data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act; and
  • data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

The bill further provides that it does not apply to any state body, non-profit organization, financial institution, or data subject to the Gramm-Leach-Bliley Act (GLBA).

What rights are provided for under the bill?

The bill details data subject rights, including the right to be informed, access, rectification, deletion, data portability, and to opt out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

However, the bill clarifies that data subject rights under its provisions do not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

The bill outlines mechanisms for exercising customer rights. This includes a 45-day timeframe for responding to requests, that responses be given free of charge once per customer during any 12-month period, and circumstances where controllers may not comply with a request because they are unable to authenticate it.

What principles and obligations are covered under the bill?

The bill provides for the establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices. The bill outlines that controllers must not process sensitive data without obtaining customer consent, not process the sensitive data of a child without consent and in accordance with the Children's Online Privacy Protection Act (COPPA), and provide customers with a mechanism to grant and revoke consent where required.

Controllers must also create a privacy notice in their customer agreement, incorporated addendum, or another conspicuous location identifying:

  • all categories of data collected;
  • all categories of third parties to whom they may disclose personally identifiable data and the categories of data shared with such third parties, if any;
  • how customers may exercise their data subject rights and appeal decisions related to them;
  • the purposes of processing;
  • an active email address or other mechanism that customers may use to contact the controller; and
  • if the controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose such processing and the manner in which a customer may opt out of such processing.

Regarding vendor management, processors must adhere to the instructions of a controller, with a contract governing a processor's data processing procedures conducted on behalf of the controller. The bill further sets out required contents within such a contract, including the nature and purpose of processing, types of data subject to processing, and duration of processing.

Notably, the bill stipulates that controllers must conduct and document a Data Protection Assessment for the controller's processing activities that present a heightened risk of harm to a customer. The bill specifies circumstances that are considered high risk. A single Data Protection Assessment may address a comparable set of processing operations that include similar activities and be deemed to satisfy the requirements under the bill if the assessment is conducted to comply with another applicable law.

Finally, the bill notes alternative legal bases for the processing of personal data, including conducting internal research, effectuating product recall, and performing internal operations reasonably aligned with the expectations of the customer.

Enforcement

The Rhode Island Attorney General has exclusive authority to enforce the provisions of the bill.

The bill now provides for its entrance into effect on January 1, 2026.

You can read the bill here and track its progress here.

Update: June 14, 2024

Bill passed by Senate and House

On June 13, 2024, the bill was passed by the Rhode Island House of Representatives. This follows the bill's passage by the Senate on June 12, 2024.

The bill must now proceed to the Governor of Rhode Island for signature.

You can read the bill here and track its progress here.

Update: June 27, 2024

Bill transmitted by Governor without signature

On June 25, 2024, the Governor of Rhode Island transmitted Senate Bill 2500 and House Bill 7787 without signature.

The Act enters into force on January 1, 2026.

You can read the Governor's press release here, the Act here, and its legislative history here.