Privacy Bill Essentials: Rhode Island

March 5, 2021
Hinshaw Privacy & Cyber Bytes

A new data protection and privacy bill has been introduced in Rhode Island. The Rhode Island Transparency and Privacy Protection Act (TPPA) provides more narrow protections than privacy bills proposed in other states. If enacted, the bill would go into effect on January 1, 2022.

To whom would it apply?

The Rhode Island bill would apply to website operators that:

In a departure from other bills, the TPPA defines the protected class of persons as "customers" instead of "consumers." A "customer" is an individual residing in Rhode Island who actively or passively provides personally identifiable information to any entity, "in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service, including advertising or any other content."

What types of information would it cover?

The bill defines personally identifiable information to include an individual's first name or first initial and last name combined with any one or more of the following, among others:

What rights would it create?

The Rhode Island bill would give customers the right to know:

 What obligations would it impose?

The Rhode Island Bill would require all covered operators to post, either in the customer agreement, incorporated addendum, or other conspicuous location, all information related to the types of personally identifiable information collected and all categories of third parties with whom the operators may share this information.

How would it be enforced?

The law would be solely enforced by the Rhode Island Attorney General's Office. Any violations would be considered a deceptive trade practice, and businesses would face a $100 fine per disclosure. The bill would not create any private right of action on behalf of individual customers.

Where does it stand?

The bill was introduced on February 26, 2021 to the Rhode Island House of Representatives. A previous iteration of the bill in 2018—which had an opt-out provision and a wider definition of personally identifiable information—failed to garner the necessary support.