There’s a problem with Rhode Island’s new privacy law: Who’s covered, and what’s required?
Posted: July 10, 2024
On 13 June 2024, Rhode Island joined the increasingly long list of states to pass a comprehensive privacy law. But there’s an issue with the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) – it’s not clear who the law applies to, and what exactly they have to do.
Here’s a look at some ambiguities and contradictions that could cause some serious confusion among businesses impacted by Rhode Island’s new privacy law.
The RIDTPPA’s predecessor, HB 5354
The RIDTPPA has been enacted without a governor’s signature and takes effect on 1 January 2026.
To explain why the RIDTPPA could cause significant confusion, we need to go back to last year when Rhode Island lawmakers considered another bill, HB 5354 (also called the RIDTPPA), that failed to pass.
H5354 looked very different from S2500, this year’s successful version of the RIDTPPA. For example, H5354 focused on “personally identifiable information” (PII) – also called “personal information” in the bill – rather than “personal data”, which is the main focus of the new version of the law.
Under H5354, PII meant an individual’s “first name or first initial” and last name “in combination with any one or more of the following data elements” (when both are unencrypted):
- Social security number
- Driver’s license number, passport number, Rhode Island ID card number, or tribal identification number
- Account number, credit or debit card number, plus any security code that would enable access to the individual’s financial account
- Medical or health insurance information
- Email address with any security code that would enable access to an individual’s personal, medical, insurance, or financial account
- Biometric data
Among a few other provisions, the older bill required “commercial websites” and “internet service providers” who sell PII to post a privacy notice, as we’ll see below.
Personally identifiable confusion
Like its predecessor H5354, this year’s RIDTPPA also mentions PII. The new law also protects “customers” rather than “consumers”. This language comes from the RIDTPPA’s predecessor but is absent in any other comprehensive privacy law across the US.
But the new RIDTPPA doesn’t include the above definition of PII – or any other information about what PII is.
Instead, the new RIDTPPA defines “personal data”: “Any information that is linked or reasonably linkable to an identified or identifiable individual”. Personal data is a much broader concept than PII, which is limited to certain types of data combined with a person’s name.
The new RIDTPPA applies most of its rules to “personal data”. As in most states, Rhode Island requires businesses to uphold certain consumer rights requests in relation to personal data and put contracts in place when sharing it with a processor.
But the new law’s privacy notice requirements only apply in the context of “PII.”
Obligations on commercial websites and ISPs
Certain parts of the RIDTPPA apply to “any commercial website or internet service provider (ISP)” meeting one or more of the following three conditions:
- It conducts business in Rhode Island
- It has customers in Rhode Island or
- It is otherwise subject to Rhode Island jurisdiction
This language has been carried over to the new RIDTPPA from last year’s H5354.
Here’s what such commercial websites and ISPs have to do.
Designating a controller
First, the law states that commercial websites and ISPs must “designate a controller”.
“Controller” is defined in the usual way: An individual or legal entity that “alone or jointly with others determines the purpose and means of processing personal data.”
It’s unclear what “designating” a controller means and the new law does not explain how a commercial website or ISP should meet this requirement.
Posting a privacy notice
Unlike every other US privacy law, the RIDTPPA does not impose a general requirement for controllers to post a privacy notice. The obligation to post a privacy notice only applies to a commercial website or ISP that “collects, stores and sells customers’ PII”.
If a commercial website or ISP meets these criteria, it must add a section or addendum to its “customer agreement” identifying:
- All categories of personal data that the controller collects through the website or online service about customers
- All third parties to whom the controller has sold or may sell customers’ PII, and
- An active electronic mail address or other online mechanism that the customer may use to contact the controller.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must also “clearly and conspicuously disclose” this.
There are also several problems with these privacy notice obligations:
- Although the law requires the website or ISP to “designate a controller”, the website or ISP’s privacy notice must describe the personal data and PII collected and sold by the controller (rather than the website or ISP itself).
- The privacy notice must identify every third party with whom the controller “has sold or may sell” PII. This appears to require the website or ISP to predict how it might behave in the distant future, which will normally be impossible.
- Given that the law does not define “PII,” it is not clear which commercial websites and ISPs must fulfil this obligation, or what exactly they would need to disclose to customers.
Other references to ‘personally identifiable information’
Most of the new RIDTPPA’s obligations apply to any for-profit entity doing business in Rhode Island or producing products and services targeted to Rhode Island residents that meets one or more of the following thresholds over the previous calendar year:
- It controlled or processed the personal data of at least 35,000 Rhode Island “customers”, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- It both:
- Processed the personal data of at least 10,000 customers, and
- Derived at least 20% of gross revenue from the sale of personal data.
While most of the RIDTPPA’s PII obligations fall on “commercial websites and ISPs”, several references to PII have also made it into other parts of the law and are therefore binding on the above types of controllers.
For example, the law states that it does not “mandate and/or require the retention or disclosure of any specific individual’s personally identifiable information.” It’s unclear whether this provision should be expanded to “personal data”.
Certain exemptions also apply to PII, while others apply to personal data, meaning that the application of the RIDTPPA’s main obligations is also ambiguous.
The RIDTPPA has been enacted, meaning that covered entities have around 18 months to prepare for it to take effect. In the meantime, businesses can only hope that Rhode Island authorities will provide some clarity about how this law is supposed to work.