In a significant move to enhance online privacy and data transparency, the Rhode Island General Assembly has passed the Rhode Island Data Transparency and Privacy Protection Act (2024-H 7787A, 2024-S 2500). This legislation aims to establish robust guidelines for online service providers and commercial websites that handle personally identifiable information, marking a critical step forward for the state in the realm of digital privacy.
Key Provisions of Rhode Island’s Data Transparency and Privacy Protection Act
The legislation mandates comprehensive disclosure requirements for any entity collecting, storing, and selling personal data. Under the new law, these entities must clearly identify:
- All categories of personal data that is collected through a website or online service
- All categories of third parties to whom the controller may disclose that personally identifiable information
- How customers may exercise their consumer rights, including how a customer may appeal a controller’s decision with regard to the customer’s request
- The purposes for processing a customer’s personal data
The legislation also limits entities to collect only personal data that is “adequate, relevant, and reasonably necessary in relation to the purposes for which data is processed, as disclosed to the customer.”
“Everybody has a fundamental right to privacy,” said Representative Evan Shanley (D-Dist. 24, Warwick, East Greenwich). “Whenever you enter your information on a website, you should know if the administrators of that site are taking that information and selling it. If they are, then they should say so by posting it in an obvious and visible place on their home page, and give you an opportunity to opt out. It is imperative that consumers understand how their information — especially information relating to their children — is shared by businesses.”
“It is the Wild West on the internet in regards to the data they have on all of us that people can do just about anything with,” said Senator DiPalma (D-Dist. 12, Middletown, Little Compton, Newport, Tiverton), who chairs the Senate Finance Committee. “It allows Rhode Islanders to opt in to what data is collected. This protects our privacy when we’re all at risk, and it’s a long time coming.”
Entities that control or process personal data of not less than 35,000 customers or at least 10,000 customers and derive more than 20% of gross revenue from the sale of personal data would be subject to additional disclosure requirements and must allow customers the right to opt out of the collection of personally identifiable information.
While the legislation would not prohibit the collection or sale of personally identifiable information, it would provide penalties for any intentional disclosure of personal information in violation of the act. Such violations would be punishable by a fine of not less than $100 nor more than $500 per disclosure. As the legislation contains no private right of action, sole enforcement of these provisions would be vested in the office of the Attorney General under the state’s deceptive trade practice act.
Rhode Island’s data privacy act may not feature as many robust provisions as states like California – particularly in lacking a right to private action or a right to cure – but it’s still encouraging to see more states taking data privacy seriously by strengthening protections.
WBE is a leader in data privacy litigation, including cases against retailers like Amazon and Mariano’s.
0 Comments