Press "Enter" to skip to content

‘Consumer Privacy Protection Act’ Introduced in the Ocean State

Rhode Island Consumer Privacy Protection ActRhode Island S 2430 is titled the “Consumer Privacy Protection Act” and has a number of provisions similar to the California Consumer Privacy Act, though the annual gross income threshold is much lower.

It would apply to any for-profit business that does business in Rhode Island and collects consumers’ personal information or has such information collected for it, or determines the purposes and means of processing such information, and:

  1. Has annual gross revenues in excess of $5 million (as opposed to $25 million under the CCPA);
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

An entity that either shares “common branding” or controls or is controlled by such a business would also be covered as a “business.”

The legislation would require a notice at collection, provide consumers the right to know and request deletion of personal information collected about them and to opt-out of the sale of their personal information. 

There is no exemption for personal information or businesses subject to the HIPAA, FCRA or GLBA. The bill’s restrictions on the sale of personal information, we believe, adversely impact usual and customary assignments and sales of consumer loans and other credit instruments. Because the bill does not include exemptions for information already protected by the HIPAA, FCRA, GLBA or other law, we believe it would further complicate compliance and likely lead to conflicts with existing law.

The legislation provides for a right to cure and a private right of action for a breach resulting from a failure to implement and maintain reasonable security measures, with damages limited to the greater of actual damages or $100 to $750 per consumer per incident.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.