Rhode Island passed their own data privacy law this summer and joined the ever growing list of states to have done so. Now bringing the total to nearly 40% of U.S. states having passed their own data privacy laws. As the number continues to climb it continues to bring the need for a national data privacy law further to the forefront even if such developments are unlikely in this Congress. Before election season heats up and we turn our heads towards the 2025 legislative sessions, let’s take a look at the newest state data privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA).
Set to go into effect on January 1st, 2026 the RIDTPPA mirrors many other state data privacy laws we’ve seen over the years, but is an outlier in many ways that further raise the complexity for organizations that operate across the United States. RIDTPPA has similar data privacy rights and Data Protection Assessment requirements as other state laws, but lacks many other staples of state data privacy laws we’ve seen over the years. Two of the more glaring omissions are the lack of updated child privacy protections and a lack of a definition for Personally Identifiable Information (PII). Mosty data privacy laws have sought to build on top of the Children’s Online
Privacy Protection Act (COPPA) and other child privacy laws. While the law does define important terms such as “sensitive data”, “identifiable individual”, and “personal data” it makes reference to PII without ever fully defining it.
In addition to the omission there are points of concern and confusion about some of the provisions provided in this law. A provision about the selling of personal data requires a controller to , “identify all third parties to whom the controller has sold or may sell customers' personally identifiable information,” which may leave businesses confused as to how they are supposed to know who they may sell personal data to in the future. Another concern raised by some is that the exemptions for pseudonymous data do not allow consumers the control over their personal data that this bill seeks to provide. The exemptions to pseudonymous data allow businesses to collect data on consumers and track their online behavior with no recourse if it has been pseudonymized.
While these differences continue to complicate the data privacy landscape for businesses they provide real protections for consumers. Ultimately a national data privacy law will be the best way to reduce complexity for businesses while still providing consumers their privacy rights. Until that can be achieved and data privacy rights and application can be standardized across the nation, more state data privacy laws will continue to add complexities that over time will likely erode the overall effectiveness of the data privacy ecosystem. Smaller businesses will struggle to comprehend the breadth of the legislation and many more will simply fall out of compliance. A superseding federal law to streamline the data privacy landscape will ultimately be in the common interest of consumers and businesses. Until then, the best bet for navigating the data privacy landscape is to consult knowledgeable professionals to help guide you through the growing complexities.