Privacy Bill Essentials: Rhode Island

A new data protection and privacy bill has been introduced in Rhode Island. The Rhode Island Transparency and Privacy Protection Act (TPPA) provides more narrow protections than privacy bills proposed in other states. If enacted, the bill would go into effect on January 1, 2022.

To whom would it apply?

The Rhode Island bill would apply to website operators that:

• Collect and maintain personally identifiable information from a customer who uses or visits the website or online service for a commercial purpose; and
• Employ more than 10 individuals.

In a departure from other bills, the TPPA defines the protected class of persons as "customers" instead of "consumers." A "customer" is an individual residing in Rhode Island who actively or passively provides personally identifiable information to any entity, "in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service, including advertising or any other content."

What types of information would it cover?

The bill defines personally identifiable information to include an individual's first name or first initial and last name combined with any one or more of the following, among others:

• Social security numbers;
• Driver's license, passport, state identification or triable identification numbers;
• Account numbers, credit card or debit card numbers;
• Medical or health insurance information; and
• Email addresses with any required password that would enable access to an individual's personal, medical, insurance, or financial information.

What rights would it create?

The Rhode Island bill would give customers the right to know:

• All categories of personally identifiable information that operators collect through their websites or online services; and
• All categories of third parties with whom the operators may share that personally identifiable information.

 What obligations would it impose?

The Rhode Island Bill would require all covered operators to post, either in the customer agreement, incorporated addendum, or other conspicuous location, all information related to the types of personally identifiable information collected and all categories of third parties with whom the operators may share this information.

How would it be enforced?

The law would be solely enforced by the Rhode Island Attorney General's Office. Any violations would be considered a deceptive trade practice, and businesses would face a $100 fine per disclosure. The bill would not create any private right of action on behalf of individual customers.

Where does it stand?

The bill was introduced on February 26, 2021 to the Rhode Island House of Representatives. A previous iteration of the bill in 2018—which had an opt-out provision and a wider definition of personally identifiable information—failed to garner the necessary support.