
Unveiling the Rhode Island Data Transparency and Privacy Protection Act

Why data privacy matters more than ever

In an era where data breaches and privacy concerns dominate the headlines, protecting customer information has never been more critical. Enter the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), set to take effect January 1, 2026.

This article delves into the RIDTPPA’s key aspects, explaining why it matters, what it means for your business, and how you can turn compliance into a competitive advantage.

What the Rhode Island Data Privacy Act means for your business

Understanding the scope and applicability of the RIDTPPA

The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or offer products or services to state residents. Specifically, it targets businesses that control or process personal data of at least 35,000 customers (excluding payment transaction data) or 10,000 customers if over 20% of their gross revenue comes from selling personal data.

If your business falls into these categories, it’s time to start preparing for compliance.

Additionally, the RIDTPPA applies to commercial websites or Internet service providers that collect, store, and sell customers’ personally identifiable information (PII). These entities must designate a data controller and identify all categories of personal data collected and third parties to whom the PII has been or may be sold. Compliance with these requirements ensures transparency and protects consumer privacy.

Exemptions and special cases

The RIDTPPA exempts specific types of information, such as protected health information under HIPAA, data regulated by the Fair Credit Reporting Act, and employment-related data used solely for benefits administration.

The exemption structure is unique to Rhode Island and is divided into two primary categories:

  1. Commercial websites and Internet service providers (ISPs) that collect, store, and sell customers’ PII have obligations such as designating a data controller; identifying the categories of personal data collected; disclosing third-party data sales; and providing an active email or online contact for customers. Exemptions from these obligations include higher education institutions, nonprofit organizations, the National Security Agency (NSA), government bodies, financial institutions, and covered entities.
  2. For-profit businesses that meet specific thresholds must comply with broader obligations, including conducting a DPIA, documenting data protection policies, and ensuring transparency in data processing and consumer rights. Exemptions from these broader obligations include financial institutions and government contractors or agents acting in their government roles.

Key provisions of the RIDTPPA: A closer look

Empowering consumers: A new era of data rights

The RIDTPPA grants Rhode Island residents several rights regarding their personal data. These include the right to:

  • Confirm if their data is being processed.
  • Access and obtain copies of their data.
  • Correct inaccuracies and delete their data.
  • Opt-out of data processing for targeted advertising, data sales, or profiling.

Businesses must respond to these requests within 45 days, with a possible extension of an additional 45 days if necessary, ensuring a swift and transparent process.

The power of consent: Handling sensitive data

One of the significant aspects of the RIDTPPA is its emphasis on obtaining explicit consent for processing sensitive data, which includes racial or ethnic origin, religious beliefs, health data, and more. Unique to the RIDTPPA, businesses are required to stop processing consumers’ data within 15 days of receiving a request to revoke consent. This rapid response is designed to ensure that consumer preferences are respected promptly, further strengthening data privacy protections.

For children’s data, businesses must comply with the Children’s Online Privacy Protection Act (COPPA) and obtain parental consent. This measure is crucial for safeguarding vulnerable populations.

Implementing the RIDTPPA: Steps for success

Conducting Data Protection Impact Assessments (DPIAs)

Businesses must conduct DPIAs for processing activities that pose a high risk to customer privacy. This includes processing sensitive data or data for targeted advertising. DPIAs help identify and mitigate potential privacy risks, ensuring that businesses comply with the RIDTPPA’s requirements.

Ensuring non-discrimination and transparency

Under the RIDTPPA, businesses cannot discriminate against customers who exercise their privacy rights. This means not denying goods or services or charging different prices based on a customer’s decision to opt out of data processing. Clear communication and accessible mechanisms for customers to exercise their rights are critical for compliance.

Building robust security practices

The RIDTPPA mandates that businesses implement robust security measures to protect personal data. This includes reasonable administrative, technical, and physical safeguards. Businesses must also ensure that data processors adhere to these standards, with contractual agreements outlining the responsibilities of both parties.

Establishing a website notice

Commercial websites and internet service providers that collect, store, and sell customers’ PII must post a clear and conspicuous notice on their websites. This notice should identify all categories of personal data collected, the third parties to whom the data may be sold, and provide an active email address or online contact mechanism for customers.

What’s missing from the RIDTPPA?

The RIDTPPA has notable omissions compared to other state privacy laws. It lacks explicit data minimization requirements, which means businesses are not mandated to collect only the data necessary for specific purposes.

The Act also does not address secondary purposes, allowing businesses to use collected data for different purposes without obtaining new consent.

Additionally, RIDTPPA does not provide enhanced protections for adolescents, unlike other states that offer specific rights and safeguards for teenagers.

Navigating the challenges and opportunities

Preparing for the RIDTPPA’s enforcement

The RIDTPPA will be enforced by the Rhode Island Attorney General, with no private right of action allowed under the law.

Violations can result in penalties of up to $10,000 per violation, higher than in most states, which impose penalties of up to $7,500 per violation. This makes it crucial for businesses to prepare adequately: updating privacy policies, training staff, and conducting regular audits to ensure compliance.

Leveraging the RIDTPPA for competitive advantage

Beyond legal compliance, adhering to the RIDTPPA can enhance a business’s reputation and build consumer trust. By demonstrating a commitment to data privacy, companies can differentiate their brand in a crowded market. It’s not just about following the law—it’s about creating a positive customer experience.

Moving forward with confidence

As the digital landscape evolves, so too does the importance of data privacy. The RIDTPPA represents a significant step in protecting consumers’ personal data and ensuring businesses adhere to high standards of data security. By understanding and implementing the RIDTPPA’s requirements, businesses can not only avoid legal repercussions, but also gain a competitive edge in today’s data-driven world.
