Comprehensive Privacy Anchors in the Ocean State
On June 25, 2024, Governor McKee transmitted without signature H 7787 and S 2500, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), making Rhode Island the nineteenth state overall and the seventh state in 2024 to enact a comprehensive privacy law. The law will take effect on January 1, 2026, and the majority of its substantive provisions will apply to entities that control or process personal data of either 35,000+ Rhode Islanders or 10,000+ Rhode Islanders if the entity derives 20% or more of its gross revenue from selling personal data. As another iteration of the Washington Privacy Act (WPA) framework, this law includes familiar terminology and core obligations, such as: controller/processor responsibilities allocated by role; the core individual data rights of access, correction, deletion, portability, and opt-out; and opt-in consent for processing sensitive data.
In this blog post, we highlight three notable aspects of the RIDTPPA: the law includes a unique, prescriptive privacy notice requirement that applies to a different set of entities than many of its other substantive provisions; in key places, the law is weaker than many other iterations of the WPA framework; and the law’s civil penalties are higher than what is typical under comparable laws.
1. No General Privacy Notice Requirement, but Prescriptive Notice of “Information Sharing Practices” Obligation for a Narrow Set of Businesses
The RIDTPPA includes a unique, prescriptive privacy notice obligation, which has two subcomponents. First, any “commercial website” or internet service provider (ISP) that (1) conducts business in Rhode Island, (2) has customers in Rhode Island, or (3) is otherwise subject to Rhode Island jurisdiction must “designate a controller.” The law does not define or cross-reference existing definitions of “commercial website” or “internet service provider.” The law defines controller as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Although this definition is typical of state comprehensive privacy laws, the law does not elaborate on what it means to “designate a controller.”
Second, the designated controller of a website or ISP that “collects, stores and sells customers’ personally identifiable information” (PII) must disclose certain information within either the controller’s customer agreement, an addendum to that agreement, or “in another conspicuous location on its website or online service platform.” The controller must provide:
- “all categories of personal data that the controller collects through the website or online service about customers”;
- “all third parties to whom the controller has sold or may sell customers’ personally identifiable information”; and
- an active email address or other online mechanism to contact the controller.
Additionally, if a controller processes personal data for targeted advertising or sells personal data to third parties, it must “clearly and conspicuously disclose” as much.
This requirement is ambiguous in several ways. Some requirements concern personal data, whereas others, including the threshold for applicability, concern personally identifiable information, which is undefined. As identified by David Stauss, the term “personally identifiable information” could be a holdover from a prior draft, which would have defined the term more narrowly than “personal data,” implying that the two terms are intended to have distinct meanings. On the other hand, a later provision regarding how to construe the law states, “This chapter is intended to apply only to covered entities that choose to collect, store, and sell or otherwise transfer or disclose personally identifiable information.” Given that each section establishes the law’s applicability in terms of processing of personal data, this could imply that the terms are synonymous.
Furthermore, the requirement to identify all third parties to whom the controller may sell PII raises operational questions, given that controllers do not have clairvoyant insight as to whom they might sell PII to in the future. There is a practical question as to what happens if a controller begins selling PII to a new third party. It is currently unclear whether the controller would be categorically prohibited from selling previously collected PII to that new third party or able to do so with notice and affirmative consent. Additionally, providing a long list of current third-party recipients of personal data could make privacy notices longer and less intelligible, unless that information is provided in an addendum, which nevertheless places an additional burden on individuals to seek out that information. A contrasting approach is that taken in the Oregon Consumer Privacy Act, which requires controllers to provide the list of specific third-party recipients of personal data upon request.
Notably, this is the only privacy notice requirement in the law, and it applies only to commercial websites and ISPs that collect, store, and sell personally identifiable information. This is a sharp contrast to the majority approach in state comprehensive privacy laws, which typically require all controllers who meet the applicability thresholds to provide “a reasonably accessible, clear and meaningful privacy notice” that includes information such as categories of personal data processed, processing purposes, how to exercise consumer rights and appeal decisions, categories of personal data shared with third parties, and contact information. Although the law has no general privacy notice obligation, a later provision specifies that a controller must establish a secure and reliable means for customers to exercise their individual data rights as “described to the customer in the controller’s privacy notice.”
2. Little Rhody, Little Rights
The RIDTPPA is an outlier amongst states adhering to the WPA framework, in that many of that framework’s privacy rights and protections are missing or weakened in the RIDTPPA. Notwithstanding the novel privacy notice requirement, this law is close to the weakest iterations of the WPA framework, particularly Iowa and Utah. The law contains broad entity- and data-level exemptions—including for GLBA regulated entities (twice), nonprofits, and institutions of higher education—while several common privacy protections are conspicuously absent.
- No General Data Minimization Requirement: Data minimization is a common and important feature of privacy and data protection regimes. The majority of state privacy laws enacted in recent years include what can be considered a procedural data minimization rule: Controllers must limit the collection and processing of personal data to what is “adequate, relevant, and reasonably necessary” to achieve the purposes that are disclosed to a data subject, and controllers must obtain affirmative, express consent for any unnecessary or incompatible secondary uses of personal data. Recently, states have begun experimenting with heightened data minimization requirements, and Maryland broke new ground this year by enacting a substantive data minimization rule that limits collection of personal data to what is reasonably necessary to provide or maintain a requested product or service. In contrast, the RIDTPPA does not include a data minimization requirement or similar restriction on secondary use of personal data. Until now, Iowa and Utah were the only state comprehensive privacy laws not to impose a data minimization requirement.
- Absence of Opt-out Preference Signals: Rhode Island bucks a trend in recent years of requiring controllers to recognize universal opt-out preference signals, which allow individuals to exercise their rights to opt out of targeted advertising and data sales on a default basis rather than a website-by-website basis.
- The Opt-out Right Does Not Apply to Pseudonymous Data: Laws following the WPA framework typically do not require controllers to comply with some of the individual data rights (e.g., access) in situations involving pseudonymous data, which is personal data that cannot be attributed to a “specific individual” without additional information that is kept separately and subject to technical and organizational measures that ensure the personal data is not attributable to “an identified or identifiable individual.” The RIDTPPA appears to follow the Tennessee Information Protection Act in extending the pseudonymous data exception to the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. This deprives individuals of key privacy protections in several ways. First, it weakens or even nullifies the right to opt out of targeted advertising, because the targeted advertising ecosystem largely relies on pseudonymous identifiers, such as hashed persistent identifiers or mobile advertising identifiers. Second, pseudonymous data, as compared to deidentified data, is not subject to the same kind of backend technical and legal requirements to prevent reidentification through cross-referencing data sets. Controllers who disclose pseudonymous data are required to exercise reasonable oversight to monitor compliance with any contractual commitments, but the RIDTPPA does not create an underlying requirement to impose such contractual commitments in the first place.
- No Guidance for Data Protection Assessments: Like most state comprehensive privacy laws, the RIDTPPA requires controllers to conduct data protection assessments for certain processing activities that present a heightened risk of harm, including targeted advertising, sale of personal data, processing sensitive data, and profiling that presents a reasonably foreseeable risk of certain substantial injuries. However, the law omits any language as to what a data protection assessment entails.
- No Heightened Protections for Teens: As is typical of laws following the WPA framework, the RIDTPPA treats the personal data of a known child (under 13) as sensitive data and requires opt-in consent for processing that data. Breaking a recent trend, however, the RIDTPPA does not include any heightened protections for teenagers. In the last two years, many new comprehensive privacy laws have required controllers to get opt-in consent from individuals ages 13 to 15 or 16 for targeted advertising, sale of personal data, and profiling in furtherance of legal or similarly significant decisions.
3. Little Rhody, Big Penalties
The RIDTPPA’s substantive provisions might be weaker than many other state privacy laws, but the law’s enforcement provisions arguably are stronger than elsewhere. As in many state comprehensive privacy laws, violations of the RIDTPPA constitute violations of the state’s prohibition on deceptive trade practices, which carry a fine of up to $10,000 per violation. That figure alone is high compared to many other states, but the RIDTPPA adds an additional monetary penalty for intentional disclosures of personal data either (1) to a shell company or other entity created for the purpose of circumventing the law’s requirements or (2) in violation of any provision of the RIDTPPA. Such intentional disclosures carry a penalty of $100-500 “for each disclosure.” However, this penalty enhancement is ambiguous in at least two critical ways. First, it does not specify whether the intent requirement applies to the disclosure itself or to the unlawful nature of the disclosure. Second, it does not specify what constitutes a disclosure or how such claims accrue. It could be one violation per person, repeat violations per person, or, in the most extreme case, tied to communication of individual data points. Regardless of how these questions are resolved, this provision could generate significant fines for controllers who improperly disclose individuals’ personal data.