Data Privacy

Rhode Island Governor Vetoes Consumer Data Privacy Act

On June 25th, Rhode Island Governor Daniel McKee transmitted without signature (effectively a pocket veto) the Rhode Island Data Transparency and Privacy Protection Act (SB 2500 HB 7787).

The act is based on the Washington Privacy Act model but diverges from the prevalent forms of that model in two ways. First, the act contains a unique privacy notice requirement that would require entities to disclose the third parties to whom they sell or “may sell” personally identifiable information. However, the applicability and scope of that potentially onerous requirement is unclear because the term “personally identifiable information” is not defined in the bill. Second, the bill does not include some provisions that have become commonplace in recently passed laws such as data minimization language and an obligation to recognize universal opt-out mechanisms.

In mid-June, major advertising associations urged Governor McKee to veto the legislation contending that the bill “contains unclear and confusing provisions and requirements that are significantly out-of-step with other state privacy laws that have been enacted to date.”  The groups also mentioned their interpretation of the bill “does not make clear what kind of data would be subject to regulation under its provisions.”

The starting point for the confusion is the lack of a definition for “personally identifiable information.” Businesses will not be able to ascertain if the data they hold is covered or if they will be held to certain requirements based on their practices with that data.

One example of this impact shows up with Rhode Island’s nuanced privacy notice requirement obliging companies to disclose the third parties they sell or “may sell personal identifiable information.” The legislation essentially would leave covered entities to decide if their data is in fact covered under the bill creating a compliance risk.

The advertising industry also took issue with the requirement that data controllers “identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information” noting that this requirement “is extraordinarily burdensome, as controllers change business partners frequently, and companies regularly merge with others and change names.”

Although the bills passed by wide margins in both the House and Senate, it is not known at this time whether a veto override effort will be mounted.

For questions or further information on state privacy laws, please contact Jim Potter, CHC Executive Director.