On June 13, 2024, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (SB 2500 / HB 7787). The act, which now awaits Governor Daniel McKee’s consideration, is expected to go into effect on January 1, 2026. The Rhode Island privacy legislation aims to protect citizens’ personal information in an increasingly digital world. Let’s dive into the key aspects of this new legislation and what it means for residents and businesses alike.
Key Points of RIDTPPA
- Transparency Requirements: The law imposes transparency requirements specifically on websites and ISPs that sell personal data, without exemptions for small businesses.
- Privacy Notices: Controllers are required to identify all third parties to whom they have sold or may sell personal information in the future.
- Omissions: Unlike other state privacy laws, RIDTPPA lacks heightened protections for adolescents, general data minimization requirements, default consumer rights exercises through Universal Opt-Out Mechanisms, and a right to cure alleged violations.
Legislative Process
- The Rhode Island legislative session will adjourn on June 30th.
- The Senate companion bill, S2500, has passed the commerce committee and is scheduled for floor consideration.
Penalties
The act links violations to the state Unfair and Deceptive Acts and Practices (UDAP) statute, which provides for civil penalties of up to $10,000. Additionally, a $500 penalty is applied per wrongful disclosure of personal data.
Looking Ahead
If enacted, RIDTPPA will make Rhode Island one of the states with comprehensive privacy laws, adding to the growing number of states implementing data privacy protections.