September 6, 2024
Protect Your Business from CIPA Lawsuits
California Invasion of Privacy Act (CIPA) demand letters have become the scourge of many businesses. Find out how to avoid becoming a target for litigation.
The Rhode Island Legislature passed a new comprehensive data privacy law in June 2024.
The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) has been criticized both by business groups for being confusing and poorly drafted, and by privacy advocates for allowing large loopholes. Here is a quick rundown on the RI-DTPPA, and the reasons for its unpopularity.
By and large, the RI-DTPPA follows a familiar structure borrowed from other state privacy laws.
The RI-DTPPA is set to take effect on January 1, 2026.
Despite passing a law that mostly tracks legislation from other states, Rhode Island lawmakers have managed to upset both the business community and privacy advocates.
Criticisms from business groups mostly focus on the fact the bill is a confusing mess. By all appearances, lawmakers seem to have combined two competing versions of the bill and failed to fully reconcile them.
The main offender is the use of the term “personally identifiable information” at key points in the bill, despite the term having no definition and the fact “personal data” (which is a defined term) is used in most other places.
Consider this section (sec. 6-48.1-3) on privacy notice requirements:
Is there a difference between “personally identifiable information” and “personal data”? Normally we would ascribe different meaning to different terms, assuming a level of intent behind the lawmakers’ decisions. In this case, however, the safest interpretation is probably that this is a drafting error and we should just use the definition of “personal data” (which is quite broad).
Also, a privacy notice is only required if the website “collects, stores and sells customers’ personally identifiable information.” This suggests that websites that do not sell personal data do not need to post a privacy notice; is that really what lawmakers intended?
Another confusing requirement in this section is that businesses must identify all third parties to whom they “may sell” personally identifiable information. How far into the future must businesses predict this information? Is this provision even enforceable?
So many questions.
Privacy advocates, on the other hand, are upset about the RI-DTPPA’s weaknesses, especially exempting pseudonymous information from opt-out requests. Much of the data that is used for targeted advertising (and that is otherwise sold online) could be considered pseudonymous data, so exempting it considerably undermines customers’ right to opt out of that practice.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
