Senior Content Marketing Manager II
July 19, 2024â˘5 min read
The Rhode Island Data Transparency and Privacy Protection Act applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted at Rhode Island residents. To fall under the law's scope, a business must meet one of the following thresholds during the preceding calendar year:
Itâs important to note that while these thresholds determine the lawâs applicability, the privacy notice requirements are broader and apply more generally.
The RIDTPPA imposes several key compliance requirements on businesses:
Businesses must fulfill consumer requests for access, confirmation of processing, correction, deletion and data transfer. Additionally, though consumers can opt out of targeted advertising, data sales, and profiling, the RIDTPPA does not require businesses to honor universal opt-out signals.
Rhode Islandâs privacy law requires businesses to handle sensitive data, including that of users under 13, in compliance with the Childrenâs Online Privacy Protection Act (COPPA). For processing sensitive data, targeted advertising, data sales, and profiling, businesses must obtain consumersâ opt-in consent.
The RIDTPPA mandates that any commercial website or online service that collects, stores, and sells customers' personally identifiable information (PII) must provide a detailed notice. This notice must:
The inclusion of "may sell" or "may use" in the disclosure requirements introduces complexity for compliance. The distinction between "personal data" and "PII" under the law is also unclear, which could impact how businesses determine their disclosure obligations.
Rhode Island's Data Transparency and Privacy Protection Act (RIDTPPA) shares some common ground with other state privacy laws, but does introduce several distinctive features:
The RIDTPPA employs a two-tiered approach for determining applicability:
Websites and online services must disclose not only third parties to whom they have sold personally identifiable information, but also those to whom they "may sell" such information. The scope of this requirement is somewhat ambiguous due to the undefined nature of "personally identifiable information."
In contrast to other state privacy laws, the RIDTPPA does not include:
For businesses operating in Rhode Island or targeting Rhode Island residents, compliance with the RIDTPPA is crucial. Hereâs a checklist to help you navigate the requirements:
Start by carefully evaluating your company's data practices to see if they fall under the Vermont Data Privacy Act. Check if you meet the applicability criteria specified in the law, which are determined by the number of Vermont residents whose personal data you handle or process.
Start by developing a detailed inventory of the personal data your business collects, processes, and stores. Clearly outline the types of data, the processing activities involved, and the legal grounds for each. This inventory will be essential for performing a gap analysis to evaluate your compliance risks.
Businesses need to update their privacy policies or customer agreements to include:
Develop processes to handle consumer requests for access, correction, deletion, and portability of their data, and ensure compliance with opt-out requests.
Starting January 1, 2026, businesses must perform impact assessments for processing activities that pose higher risks, such as targeted advertising, profiling, data sales, and processing of sensitive data.
Businesses must seek customer consent before processing sensitive data and comply with COPPA regulations for data related to children.
Businesses must create binding agreements with data processors that:
By following these steps, businesses can navigate the requirements of the Rhode Island Data Transparency and Privacy Protection Act and maintain compliance with the state's privacy regulations.
Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facingâincluding getting you ready for new state privacy laws like SB 332.
From Consent Management, to automated DSR Automation, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
Senior Content Marketing Manager II