Rhode Island Passes Data Privacy Act; Vermont Privacy Act Vetoed by Governor
4 July 2024
Following our recent update regarding the passage of the new privacy bill by the Vermont state legislature, the governor of Vermont has vetoed the act. This is the first time that a comprehensive privacy bill passed by a US state legislature has been vetoed; 19 such laws have been enacted by US states in recent years. The governor cited concerns over several aspects of the bill, including the provision of a private right of action, which is uncommon among US state privacy laws (except in California). Additionally, according to the governor, the bill’s complexity, along with its unique and expansive definitions and provisions, would create significant and costly burdens and competitive disadvantages for small and mid-sized businesses. As a result, Vermont’s much-discussed bill will not be enacted into law at this time.
In parallel, the Rhode Island Data Transparency and Privacy Protection Act has recently been passed and enacted, making Rhode Island the 19th US state to enact comprehensive legislation safeguarding consumer personal information. It will take effect on 1 January 2026.
Scope of Application
Rhode Island’s new act applies to for-profit entities conducting business in Rhode Island or targeting state residents that, in the previous calendar year, controlled or processed the personal data of at least 35,000 state residents (excluding instances where controllers process data “solely for the purpose of completing a payment transaction”), or of at least 10,000 state residents if more than 20% of their gross revenue is derived from the sale of personal data.
In addition, and unlike other US state privacy laws, the first section of the act, titled “Information Sharing Practices”, applies not only to controllers as defined above, but to “any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction”.
The act does not apply to employee or business-to-business data. It exempts certain entities and data subject to federal laws such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, as well as state entities. In addition, as with other US state privacy laws, the new act excludes de-identified data and publicly available information.
Consumer Rights
The act provides consumers with rights over their personal data that are largely consistent with the rights provided by other US state privacy laws. The rights under the act include: the right to confirm whether their personal data is being processed, to correct inaccuracies, to delete personal data, to obtain a portable copy of the personal data, and to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
Controllers must respond to a consumer’s request to exercise these rights within 45 days (extendable by a further 45 days for justified reasons).
Main Controller Obligations
As mentioned above, the act’s obligations concerning information sharing practices apply to “any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction”.
Such entities are required to “designate a controller” (an obligation that is not further explained in the act). In addition, if the website or internet service provider collects, stores, and sells customers’ “personally identifiable information” (a term that is used several times but not defined in the act, whereas the term “personal data” is defined), it must, in its consumer agreement or in another conspicuous location (e.g., its privacy policy):
- Identify all categories of personal data the controller collects through the website or online service about customers;
- Identify all third parties to whom the controller “has sold or may sell” customers’ personally identifiable information; and
- Provide an email address or other online mechanism customers can use to contact the controller.
Additional obligations imposed on controllers under the act include:
- Establishing, implementing and maintaining reasonable security measures to protect personal data;
- Not processing sensitive data without the consumer’s consent, or, in case of personal data of a known child, in accordance with the Children’s Online Privacy Protection Act (COPPA);
- Processing data in a non-discriminatory manner as defined under state and federal law;
- Providing consumers with a mechanism to grant and revoke consent, where required.
Data processing assessments are required before processing for activities posing “heightened risk”, such as targeted advertising, profiling, selling personal data, and processing sensitive data.
Processing personal data by a processor must be governed by a binding contract between the controller and processor that outlines certain privacy provisions set forth under the act.
Enforcement
The new act will be enforced by the Rhode Island Attorney General. It does not provide for a private right of action and does not include a right to cure violations. Violations will be treated as deceptive trade practices, with fines of no less than $100 and up to $500 for each intentional disclosure in violation of the act.
Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Rhode Island. Feel free to contact us if you have any questions regarding the new act and its practical implications.