‘Consumer Privacy Protection Act’ Introduced in the Ocean State

Editor’s Note: This article was originally published on the Maurice Wutscher blog and is republished here with permission.

Rhode Island S 2430 is titled the “Consumer Privacy Protection Act” and has a number of provisions similar to the California Consumer Privacy Act, though the annual gross income threshold is much lower.

It would apply to any for-profit business that does business in Rhode Island and collects consumers’ personal information or has such information collected for it, or determines the purposes and means of processing such information, and:

  1. Has annual gross revenues in excess of $5 million (as opposed to $25 million under the CCPA);
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

An entity that either shares “common branding” or controls or is controlled by such a business would also be covered as a “business.”

The legislation would require a notice at collection and give consumers the right to know about and request deletion of personal information collected about them, and to opt out of the sale of their personal information.

There is no exemption for personal information or businesses subject to HIPAA, FCRA or GLBA. The bill’s restrictions on the sale of personal information, we believe, adversely impact usual and customary assignments and sales of consumer loans and other credit instruments. Because the bill does not include exemptions for information already protected by HIPAA, FCRA, GLBA or other law, we believe it would further complicate compliance and likely lead to conflicts with existing law.

The legislation provides for a right to cure and a private right of action for a breach resulting from a failure to implement and maintain reasonable security measures, with damages limited to the greater of actual damages or $100 to $750 per consumer per incident.