Rhode Island Data Transparency and Privacy Protection Act (DTPPA)


The Rhode Island Data Transparency and Privacy Protection Act, passed on June 25th, 2024, ensures businesses handle Personal Information responsibly and transparently. It aims to give Rhode Island residents more control over their data by setting strict rules for data collection, processing, and sharing.

Rhode Island is the 20th state in the US to enact a comprehensive privacy law, but what does it mean for your business?

In this article, we'll cover what the Rhode Island Data Transparency and Privacy Protection Act is, what you need to do to comply, and the penalties for not following the rules.

What is the Rhode Island Data Transparency and Privacy Protection Act?

The Rhode Island Data Transparency and Privacy Protection Act is a law designed to improve data privacy and transparency for residents of Rhode Island. It requires businesses to clearly disclose their data collection practices, obtain explicit consent from users, and provide individuals with the right to access, correct, or delete their personal data. It is due to come into effect on January 1st, 2026.

Who Does the Data Transparency and Privacy Protection Act Apply to?

The Data Transparency and Privacy Protection Act applies to profit-based businesses that either operate in Rhode Island or offer products or services to Rhode Island residents. This means if your business deals with customers in Rhode Island or targets its products or services at people living there, you need to comply with this law.

To fall under this Act, your business must have, during the preceding calendar year, met one of the following criteria:

  • Controlled or processed the personal data of at least 35,000 Rhode Island residents
  • Controlled or processed the personal data of at least 10,000 Rhode Island residents and derived more than 20% of its gross revenue from the sale of personal data

It is worth noting, however, that Privacy Notices must be provided by all internet service providers and commercial websites that sell, collect, and store personally identifiable information, regardless of whether they meet the criteria above.

The scope of this rule isn't entirely clear because the Act does not specify what counts as personally identifiable information.

Who is Exempt from the Data Transparency and Privacy Protection Act?

All non-profit companies and organizations are exempt from the Data Transparency and Privacy Protection Act.

It also excludes several specific types of data, including:

Protected Health Information under HIPAA

This type of data is regulated by the Health Insurance Portability and Accountability Act (HIPAA). It includes medical records, health insurance information, and other health-related data.

For example, a patient's medical history held by a hospital or clinic is protected under HIPAA and is not covered by the Data Transparency and Privacy Protection Act.

Identifiable Private Information Collected in Human Research

Data collected during human research activities is exempt from the Act if it follows federal regulations for protecting human subjects.

An example here would be Personal Data collected during clinical trials or academic research involving human participants, which is subject to strict confidentiality protocols.

Data Regulated under the Fair Credit Reporting Act (FCRA)

The FCRA governs how consumer credit information is collected, used, and shared. This includes credit reports and credit scores maintained by credit reporting agencies.

For example, a consumer's credit report generated by Experian or Equifax is regulated under the FCRA and not the Data Transparency and Privacy Protection Act.

Personal Data Managed under the Driver's Privacy Protection Act (DPPA)

This act protects the privacy of Personal Information collected by state Departments of Motor Vehicles (DMVs).

Examples include a driver's license number, vehicle registration details, and address information held by the DMV.

Data Regulated by the Family Educational Rights and Privacy Act (FERPA)

FERPA protects the privacy of student education records. This includes grades, transcripts, and other academic records held by educational institutions.

For example, a student's report card and enrollment records maintained by a school are governed by FERPA.

Employment-related Data

Information related to employment, such as employee records, performance evaluations, and payroll data, is exempt.

For example, an employee's personnel file containing job performance reviews and salary details is not covered by the Data Transparency and Privacy Protection Act.

Data Processed for State Bodies, Non-profit Organizations, or Financial Institutions under the GLBA

The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions handle customer information. This includes data processed by banks, insurance companies, and investment firms.

An example is a bank managing a customer's account details and transaction history, which is regulated under the GLBA and exempt from the Data Transparency and Privacy Protection Act.

These exclusions are in place because these types of data are already protected under specific federal regulations, ensuring they are managed according to established privacy standards.

What Does the Data Transparency and Privacy Protection Act Require?

To comply with the Rhode Island Data Transparency and Privacy Protection Act, your business will need to:

  • Create or update a Privacy Policy
  • Obtain explicit Consent
  • Give consumers access to their data
  • Provide an easy way for consumers to opt out
  • Protect all personal data collected
  • Provide timely breach notifications

How to Comply with the Data Transparency and Privacy Protection Act

To comply with the Rhode Island Data Transparency and Privacy Protection Act, you'll need to follow a few crucial steps.

Here's a simple guide to help you stay on track:

Step 1: Create or Update your Privacy Policy

Start by writing a clear and simple Privacy Policy. This should explain what personal data you collect, how you use it, and who you share it with.

Here's an example taken from Starbucks:

[Image: Starbucks Privacy Notice excerpt]

What Starbucks has done well here is personalization. It has tailored its privacy notice to reflect the unique tone of its brand. It is simple, clear, and enjoyable to read.

In your Privacy Policy, make sure to add a section that specifically references how you adhere to the Rhode Island Data Transparency and Privacy Protection Act. Include information about how long you keep the data, and the rights people have over their information.

You also need to make sure your Privacy Policy is easy to read and easy to find on your website. Most businesses, like Macy's, add a link to their privacy policy in the footer of their website:

[Image: Macy's website footer with privacy notice highlighted]

Other places you can link to your Policy include your website's cookie banner, sign-up forms, and FAQ, where relevant.

Step 2: Obtain explicit consent

Before collecting any Personal Data, you'll need to get clear permission from the consumer. Tell them exactly what data you're collecting and why.

When we say 'explicit consent', we mean that the consumer must actively give their consent for their data to be collected, stored, and processed.

You will need to have them agree by checking a box or clicking an "I agree" button. This is known as the Clickwrap method.

Here's an example of the Clickwrap method in action on the FedEx cookie banner:

[Image: FedEx cookie banner]

It clearly explains what the cookies are used for and gives users the option to agree to analytical and tracking cookies.

Step 3: Give consumers access to their data

Let people see the data you've collected about them. Set up an easy way for them to request access to their data, correct any mistakes, and ask for their data to be deleted.

This could be a simple form or a section on your website where they can manage their information.

If a user requests access to their data, your business has 45 days to respond. Each person is entitled to one free data request per year.

It is possible to deny a request if you feel it is unreasonable, but you must have an appeals process in place for consumers whose requests are denied.

Step 4: Provide an easy way for consumers to opt out

Make it simple for consumers to opt out of data collection. Offer a clear "opt-out" option in your communications or on your website. Ensure that opting out is hassle-free and doesn't affect their access to your main services.

For example, the Nortek Group gives its users an option to change their consent via a link included in the footer of its website:

[Image: Nortek Group website footer with consent link highlighted]

Step 5: Protect all Personal Data collected

Use strong security measures to protect the Personal Data you collect. This means encrypting data, storing it securely, and limiting who can access it.

Regularly update your security practices to keep up with new threats and keep data safe.

Step 6: Provide timely breach notifications

If there's a data breach, let the affected individuals and authorities know right away. Tell them what happened, what data was affected, and what you're doing to fix it. Quick notifications help maintain trust and meet legal requirements.

By following these steps, your business can easily comply with the Rhode Island Data Transparency and Privacy Protection Act and keep Personal Data safe and secure.

Penalties for Not Complying with the Data Transparency and Privacy Protection Act

From financial fines to reputational damage, let's run through the penalties if you fail to comply with the Rhode Island Data Transparency and Privacy Protection Act:

Financial Fines

Non-compliance can result in large financial fines. The amount of the fine can total as much as $10,000 per violation, with additional fines in accordance with the Rhode Island Data Privacy Act.

The latter can impose fines from $100 to $500 per violation.

These fines can add up quickly and significantly impact your business's bottom line, especially for repeated or severe breaches of the Act.

Reputational Damage

Not adhering to the Act can damage your business's reputation. Customers expect their Personal Data to be handled responsibly and securely.

If your business is found to be non-compliant, it can lead to a loss of trust and credibility among your customers, potentially resulting in a decline in customer loyalty and sales.

Increased Scrutiny

Failing to comply with the Act can put your business under increased scrutiny from regulatory bodies. This can lead to more frequent audits and inspections, adding to your administrative burden and increasing the risk that additional non-compliance issues are discovered.

Potential Loss of Business Opportunities

Non-compliance can result in the loss of business opportunities. Potential partners and customers may be hesitant to engage with a business that does not follow data protection regulations. This can limit your ability to expand and grow your business in the future.

Summary

The Rhode Island Data Transparency and Privacy Protection Act comes into force on January 1st, 2026, giving your business plenty of time to ensure compliance.

It applies to for-profit entities that handle significant amounts of personal data and outlines stringent requirements to ensure the protection of this data.

To comply with the Act, businesses must:

  • Create a clear and accessible privacy notice
  • Obtain explicit consent from users before collecting their data
  • Provide users with access to their data
  • Offer an easy opt-out option
  • Implement robust data protection measures
  • Provide timely notifications in the event of a data breach

Failing to comply with the Act can result in substantial financial fines, legal action, reputational damage, operational disruptions, increased regulatory scrutiny, and the loss of business opportunities.

By following these steps and understanding the importance of compliance, your business can protect itself and its customers, fostering trust and maintaining smooth operations.