What happened?

On June 28, 2024, The Rhode Island legislature passed SB 2500 / HB 7787, or the Rhode Island Consumer Data Privacy Act, which became law without the governor’s signature.

What are the details?

General Bites:

• The act is based on the Washington Privacy Act model but diverges from the prevalent forms of that model in two ways:
  • The act contains a unique privacy notice requirement that would require entities to disclose the third parties to whom they sell or “may sell” personally identifiable information.
  • The act does not include some provisions that have become commonplace in recently passed laws such as data minimization language and an obligation to recognize universal opt-out mechanisms.

Key Bites:

• Applicability and Exceptions: The act applies to for profit businesses in Rhode Island or those targeting its residents, if they, in the last year, either (1) handled the personal data of 35,000+ residents, or (2) handled 10,000+ residents’ data and made over 20% of their revenue from selling it. The law provides some exceptions.

• Privacy Notices: The Act requires commercial websites and ISPs managing Rhode Island customers’ data to provide a privacy notice detailing data types collected, potential third-party sales, and a contact method. Clear disclosure is needed if data is sold or used for targeted ads. However, the Act does not define “personally identifiable information,” leaving ambiguity about its application to entities that disclose but do not sell such data. The notice requirements apply to all controllers of such websites or ISPs.

• Data Minimization: The act does not contain a data minimization requirement. 

• Data Protection Assessments: The Act mandates controllers to conduct data protection assessments for high-risk data processing activities, such as targeted advertising, sale of personal data, certain types of profiling, and processing of sensitive data. However, the RIDTPPA does not provide specific guidelines on how these assessments should be conducted.

• Processor Obligations: The act mandates processors to follow the instructions of controllers and aid them in fulfilling their responsibilities. However, it does not specify that this support should encompass responding to consumer inquiries, safeguarding data, or supplying information for data protection assessments, as other laws do. Additionally, the act does not state that a processor failing to comply with a controller’s directives would be considered a controller.

• Enforcement: The act will be enforced by the state Attorney General, there is no private right of action and does not include a right to cure.

For additional information, visit here and here.

Business Considerations

• Entities should review if they fit into the thresholds of applicability of the law. If so, they should be prepared to create or update the necessary policies, practices, and procedures under the requirements of law.
• Covered entities should review their data privacy policies and incorporate the requirements of the Privacy Notice.
• Entities should examine their data collection practices, ensuring they are in line with the Act’s requirements.
• Employers could inspire themselves and use the law to enhance and better their data privacy policies, practices, and procedures.

Source References

• SB 2500 / HB 7787
• RI General Assembly Press Release
• Rhode Island Passes a Comprehensive Consumer Data Privacy Law ( Jackson Lewis P.C.)

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.