Press "Enter" to skip to content

‘Consumer Privacy Protection Act’ Introduced in the Ocean State

Rhode Island Consumer Privacy Protection ActRhode Island S 2430 is titled the “Consumer Privacy Protection Act” and has a number of provisions similar to the California Consumer Privacy Act, though the annual gross income threshold is much lower.

It would apply to any for-profit business that does business in Rhode Island and collects consumers’ personal information or has such information collected for it, or determines the purposes and means of processing such information, and:

  1. Has annual gross revenues in excess of $5 million (as opposed to $25 million under the CCPA);
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

An entity that either shares “common branding” or controls or is controlled by such a business would also be covered as a “business.”

The legislation would require a notice at collection, provide consumers the right to know and request deletion of personal information collected about them and to opt-out of the sale of their personal information. 

There is no exemption for personal information or businesses subject to the HIPAA, FCRA or GLBA. The bill’s restrictions on the sale of personal information, we believe, adversely impact usual and customary assignments and sales of consumer loans and other credit instruments. Because the bill does not include exemptions for information already protected by the HIPAA, FCRA, GLBA or other law, we believe it would further complicate compliance and likely lead to conflicts with existing law.

The legislation provides for a right to cure and a private right of action for a breach resulting from a failure to implement and maintain reasonable security measures, with damages limited to the greater of actual damages or $100 to $750 per consumer per incident.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.