Lawmakers spent years crafting legislation to set data-transparency guidelines and improve customers’ online privacy. Now that it has passed the General Assembly, businesses should be planning how they’re going to comply when the law takes effect a little more than a year from now.
The new law, called the Rhode Island Data Transparency and Privacy Protection Act, will set up a framework in which companies and online service providers conducting business in Rhode Island that collect and sell personal data will have to disclose what categories of information they are collecting and sharing.
They will have to say when the data might be shared with a third party, how it might be used and when customers can exercise their rights over this data and how to contact a designated “controller” of the information, the law says.
At the same time, the law does not outright prohibit the collection or sale of personally identifiable information.
“Everybody has a fundamental right to privacy,” said Rep. Evan P. Shanley, D-Warwick, who led the effort to develop the legislation. “Whenever you enter your information on a website, you should know if the administrators of that site are taking that information and selling it. If they are, then they should say so by posting it in an obvious and visible place on their homepage and give you an opportunity to opt out.”
Companies that will have to follow the data privacy requirements include those that have controlled or processed personal data of at least 35,000 Rhode Island customers in a calendar year, excluding those processing data “solely for the purpose of completing a financial transaction.”
The law also applies to businesses that have controlled or processed the personal data of 10,000 Rhode Island customers in a year and derived more than 20% of their gross revenue from the sale of personal data.
[caption id="attachment_478720" align="alignleft" width="229"]
Evan P. Shanley[/caption]
Shanley noted this allows consumers to track their information, but it also wouldn’t be overly burdensome on small businesses.
“Most businesses will not have to do anything,” he said. “They only have to post on their website in a conspicuous location the categories of information they collect, who they sell it to.”
The law goes into effect on Jan. 1, 2026, and comes with a fine of between $100 and $500 for each violation.
Meghan Hopkins, an attorney for Nixon Peabody LLP, said business owners should be taking the legislation seriously as there is no “cure period,” unlike data transparency laws in other states. This is a period given by authorities to allow organizations to “cure” or fix any violations of the law before it is enforced.
Also, it may be difficult for some companies to comply because some may not know who they’re going to sell data to in the future and haven’t kept track of what information has been sold, she said.
It’s been a long process of getting the law on the books.
Shanley first introduced legislation in 2017 that generally copied federal regulations that were set to go into effect that year.
The legislation would have required companies running commercial websites to allow customers to opt in or out of the collection of personal information online, but the bill hit a roadblock when the lawmakers received a rush of panicked feedback from the business community.
So, he changed the bill to become a study commission responsible for researching how to best form the legislation. This commission met from 2018 to 2021, taking input from all corners of the business community and assessing what laws other states had and how they were doing.
As the commission finally reached a compromise and was on the cusp of finalizing the legislation, Connecticut passed its own data transparency law leading to even more discussions.
“We didn’t want to throw that work away, there was a lot of good in it,” Shanley said. “We spent a lot of time combining what we did with Connecticut.”
Shanley says he was pleased with the bill – when it became a law without Gov. Daniel J. McKee’s signature – but it was difficult to get a consensus from the business community.
Many businesses got to a point where they weren’t opposed to the measure but weren’t going to advocate for it. By the end, many did support it because they liked the free-market framework where no one is stopped from collecting information; companies just have to disclose it, Shanley says.
He says it would be better to have a federal law so there wasn’t a patchwork of legislation from different states that businesses and service providers had to follow.
Organizations such as TechNet – a national network of technology CEOs and executives – support the federal standard, too. Chris Gilrein, TechNet’s executive director for Massachusetts and the Northeast, says a federal standard would be cheaper and more convenient for businesses so they wouldn’t have to spend money working to ensure they comply with each state’s laws.
But since there’s been little movement on a federal level, it’s important that state laws have some similarities, Gilrein says. Rhode Island’s data privacy law is similar to laws Connecticut and New Hampshire have passed, he adds.
Rhode Island is now one of 20 states to enact consumer data privacy laws, with several others that have proposed measures.
“There’s the beginning of a regional standard,” said Gilrein, who participated in discussions for Rhode Island’s study commission.
Massachusetts lawmakers proposed data privacy and transparency legislation in the most recent legislative session, but it did not pass. Gilrein believes it will be introduced again.
“I can confidently say that the conversation will continue in Massachusetts, Maine and Vermont,” Gilrein said.
