Rhode Island: RIDTPPA - FAQs

On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500, the Rhode Island Data Transparency and Privacy Protection Act (collectively referred to as the RIDTPPA), to become law without signature. The RIDTPPA will enter into effect on January 1, 2026. In this Insight article, OneTrust DataGuidance breaks down the key provisions and requirements of the RIDTPPA.

Scope, applicability, and key definitions

Who does the RIDTPPA apply to?

The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or produce products and services targeted towards Rhode Island residents and that, during the preceding calendar year:

  • controlled or processed personal data of at least 35,000 Rhode Island customers, excluding personal data controlled or processed solely for the purpose of completing a transaction; or
  • controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

Is certain data exempted from the application of the RIDTPPA?

The RIDTPPA provides for exclusions to entities, types of data, and processing activities, including:

  • state bodies, non-profit organizations, and financial institutions, as well as data subject to the Gramm-Leach-Bliley Act (GLBA);
  • protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
  • identifiable private information collected as part of human research pursuant to the good clinical practice guidelines;
  • patient-identifying information, as provided for in the Act;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a customer's creditworthiness, standing, capacity, or character to the extent such activity is regulated under the Fair Credit Reporting Act (FCRA);
  • personal data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act; and
  • data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; an individual's emergency contact information; and data that must be retained to administer benefits for another individual relating to the individual who is the subject of the information, where it is used only for the purpose of administering such benefits.

How does the RIDTPPA define 'consumer'?

The RIDTPPA does not define 'consumer' but instead defines the term 'customer' as an individual residing in Rhode Island acting in an individual or household context. The definition does not include individuals acting in a commercial or employment context, or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, whose communications or transactions with the controller occur solely within the context of that individual's role in such an organization.

How does the RIDTPPA define 'consent'?

Consent means a clear, affirmative act signifying a customer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the customer. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action.

Consent, however, does not include:

  • acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • hovering over, muting, pausing, or closing a given piece of content; or
  • agreement obtained through the use of dark patterns.

How does the RIDTPPA define 'controller'?

A controller is defined as an individual who, or a legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

How does the RIDTPPA define 'processor'?

In contrast, a processor is defined as an individual or a legal entity processing personal data on behalf of a controller.

How does the RIDTPPA define 'processing'?

Processing means any set of operations performed on personal data, whether manually or through automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

How does the RIDTPPA define 'personal data'?

Personal data under the RIDTPPA is any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

How does the RIDTPPA define 'sensitive personal data'?

Sensitive data is a category of personal data that includes:

  • racial or ethnic origin;
  • religious beliefs;
  • mental or physical health condition or diagnosis;
  • sex life;
  • sexual orientation;
  • citizenship or immigration status;
  • genetic or biometric data;
  • personal data of a known child; and
  • precise geolocation data.

How does the RIDTPPA define 'sale' of personal data?

The RIDTPPA defines the sale of personal data as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. However, the definition does not include:

  • the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • the disclosure to an affiliate of the controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer;
  • disclosures that the customer directs the controller to make, or that occur when the customer intentionally uses the controller to interact with a third party;
  • the disclosure of information that the customer intentionally made available to the public via a mass media channel and did not restrict to a specific audience; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

Key provisions and requirements

Does the RIDTPPA provide for consumer rights?

The RIDTPPA provides for a number of customer rights, including:

  • the right to confirm whether their personal data is being processed by a controller;
  • the right to be informed;
  • the right to access;
  • the right to correct inaccuracies in their personal data;
  • the right to deletion;
  • the right to data portability;
  • the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer; and
  • the right to revoke consent.

The RIDTPPA also allows customers to designate an authorized agent to exercise the right to opt-out on their behalf. In the case of a known child, parents or legal guardians may exercise customer rights on the child's behalf. Additionally, in the case of customers subject to a guardianship, conservatorship, or other protective arrangement, the guardian or conservator of the customer may exercise customer rights on their behalf.

Are there any obligations in relation to sensitive data?

Controllers must not process sensitive data without first obtaining the customer's consent. Where the sensitive data concerns a known child, it must be processed in accordance with the Children's Online Privacy Protection Act (COPPA).

Moreover, a controller must conduct a documented Data Protection Assessment (DPA) prior to processing sensitive data.

What are the main obligations for data controllers?

The RIDTPPA sets out a number of obligations for controllers. These include:

  • establishing, implementing, and maintaining reasonable administrative, technical, and physical security practices;
  • only processing personal data that is reasonably necessary and proportionate in relation to the purposes for which such data is processed;
  • processing personal data that is adequate, relevant, and necessary for the purposes for which it is processed;
  • providing customers with a mechanism to grant and revoke consent and, once consent is revoked, ceasing to process the data as soon as practicable and no later than 15 days after receipt of the revocation;
  • providing a privacy notice which sets out the following:
    • all categories of data collected;
    • all categories of third parties to whom they may disclose personally identifiable data and the categories of data shared with such third parties, if any;
    • an active email address or other mechanism that customers may use to contact the controller;
    • if the controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose such processing and the manner in which a customer may opt-out of such processing; and
    • how customers can exercise their rights; and
  • conducting and documenting a DPA for each of their processing activities that presents a 'heightened risk of harm' to a customer.

What are the main obligations for data processors?

Processors must adhere to a controller's instructions and assist the controller in meeting its obligations under the RIDTPPA. The obligations of the processor are governed by a contract between the controller and the processor, which is discussed in the next question.

Are vendor privacy relationships regulated under the RIDTPPA?

The contract between the controller and processor must outline the following:

  • instructions for processing data;
  • the nature and purpose of processing;
  • the type of data subject to processing;
  • the duration of processing; and
  • the rights and obligations of both parties.

The contract must also require processors to:

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller's discretion, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of personal data is required by law;
  • upon reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the RIDTPPA;
  • after providing the controller the opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  • allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or alternatively arrange for a qualified and independent assessor to assess the processor's policies and the technical and organizational measures in place in support of its obligations under the RIDTPPA.

Are DPAs regulated under the RIDTPPA?

DPAs must be conducted for activities presenting a 'heightened risk of harm' to customers, which include:

  • the processing of personal data for the purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for profiling when it presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, customers;
    • financial, physical, or reputational injury to customers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person; or
    • other substantial injury to customers; and
  • the processing of sensitive data.

A single DPA may cover a comparable set of processing operations that include similar activities. Additionally, a DPA conducted for the purpose of complying with another applicable law is deemed to satisfy the requirements of the RIDTPPA.

The DPA requirements will apply to processing activities created or generated after January 1, 2026, and are not retroactive.

Who is empowered to enforce the violations of the RIDTPPA?

The Attorney General has exclusive authority to enforce the provisions of the RIDTPPA. The RIDTPPA does not provide for a private right of action.

What penalties are controllers and processors facing under the RIDTPPA?

Any violation of the RIDTPPA constitutes a violation of the general regulatory provisions of commercial law in Title 6 of the Rhode Island General Laws and is treated as a deceptive trade practice. Any individual or entity that intentionally discloses personal data in violation of the RIDTPPA is liable for a fine of not less than $100 and not more than $500 for each such disclosure.

Next steps

What is the legislative status of the RIDTPPA?

The RIDTPPA became law on June 25, 2024.

When will the RIDTPPA come into force?

The RIDTPPA will come into effect on January 1, 2026.

Lara Eguia, Privacy Analyst