There is currently no comprehensive privacy law in Rhode Island. This year, Rhode Island lawmakers introduced two bills on the subject: S 754 and H 6236. The bills, also known as Data Transparency and Privacy Protection Acts, were introduced in March 2023 to each house, respectively, in Rhode Island.
The proposed Rhode Island privacy law was introduced with some noteworthy legislative findings that prompted the formation and style of the bill.
Legislative Findings
To quote the bill, “The general assembly hereby finds and declares that:”
- The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This state recognizes the importance of providing customers with transparency about how their personally identifiable information is processed and shared. This transparency is crucial for Rhode Island citizens to protect themselves and their families from cyber crimes and identity thieves.
- Furthermore, for free market forces to have a role in shaping privacy practices and for “opt-in” and “opt-out” remedies to be effective, customers must be more than vaguely informed that a business might share personally identifiable information with third parties. Customers must be better informed about what kinds of personally identifiable information are shared with other businesses. With these specifics, customers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose personally identifiable information to third parties on the basis of how protective the business is of customers’ privacy.
- Businesses are now collecting personally identifiable information and disclosing it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when customers visit webpages and send personally identifiable information, such as age, gender, race, income, health concerns, religion, and recent purchases, to third-party marketers and data brokers. Third-party data broker companies are buying and disclosing personally identifiable information obtained from mobile phones, financial institutions, social media sites, and other online and brick-and-mortar companies. Some mobile applications share personally identifiable information, such as location information, unique phone identification numbers, age, gender, and other personal details, with third-party companies.
- As such, customers need to know the ways that their personally identifiable information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
Key Takeaways
Scope
The bill applies to any entity or organization that owns a website that is accessible via the Internet or an online service that, if used or visited for business purposes, collects and keeps track of personally identifiable data from a user residing in this state. It excludes any third party that manages, hosts, or processes data on behalf of the owner of a website or online service but is not the owner of such a website or service. The bill excludes small companies with fewer than ten employees.
Exemptions
The bill exempts a variety of organizations and information types, such as
- financial institutions, and data subject to GLBA
- protected health information governed by HIPAA
- information subject to the Fair Credit Reporting Act
- information governed by the Driver’s Privacy Protection Act
- personal data governed by the Family Educational Rights and Privacy Act (FERPA)
- personal data governed by the Farm Credit Act
- personal data governed by the Airline Deregulation Act
- personal data collected in relation to employment.
Consumer Rights
The bill gives consumers certain rights, such as the right to:
- confirm that a controller is processing personal data; access that data
- delete or correct any inaccuracies in that data
- obtain a portable copy of that consumer’s personal data
- choose not to have that data processed for the purposes of receiving targeted advertising or for sale.
