The connectivity developing within the U.S. state privacy law patchwork is a point of emphasis for consumers and businesses alike. As the number of U.S. states with their own privacy legislation closes in on nearly half, commonality remains key with no federal privacy law in place to garner uniformity.
What raises eyebrows nowadays is when states pass a law with a majority of provisions that don't align — for better or worse — with the rest of the patchwork.
Rhode Island is now among those outliers with its take on comprehensive privacy law.
The Rhode Island General Assembly granted final passage to an amended privacy proposal 13 June after a late-session revival of the original text, which had lain dormant since March. The bill applies to entities that control or process the personal information of more than 35,000 state residents or more than 10,000 residents while generating 20% of gross revenue from personal data sales.
If enacted by the governor, the bill will take effect 1 Jan. 2026.
"It is the Wild West on the internet in regards to the data they have on all of us that people can do just about anything with," state Sen. Louis DiPalma, D-R.I., said in a statement. DiPalma co-sponsored the bill with state Rep. Evan Shanley, D-R.I. "(The bill) allows Rhode Islanders to opt in to what data is collected. This protects our privacy when we’re all at risk, and it’s a long time coming."
Rhode Island's bill shares some common threads with other state privacy laws — data subject rights and required data protection assessments among them — but what state lawmakers omitted compared to other states is most notable. Recognition of universal opt-out mechanisms, enhanced children's privacy protections, a definition for personally identifiable information and the right to cure are among the most glaring items left out of the bill.
Stakeholders perplexed
Prior takes on comprehensive state privacy legislation do not exclusively align because state legislatures are passing laws in scattered fashion years before or after one another. In his statement on Rhode Island's bill, state Rep. Shanley referred to an importance and obligation to "keep up with changing trends and policies in the online world."
The initial reactions to Rhode Island's bill do not fall in line with lawmakers' intent. Stakeholders are leaning heavily toward opposition due in large part to perceived ambiguity and a lack of clarity in the bill.
According to MediaPost, major advertising associations already wrote Gov. Daniel McKee, D-R.I., claiming the bill "contains unclear and confusing provisions and requirements that are significantly out-of-step with other state privacy laws that have been enacted to date." The groups also mentioned their interpretation of the bill "does not make clear what kind of data would be subject to regulation under its provisions."
The starting point for the confusion is the lack of a definition for personally identifiable information. Businesses will not be able to ascertain if the data they hold is covered or if they will be held to certain requirements based on their practices with that data.
One example of this impact shows up with Rhode Island's nuanced privacy notice requirement obliging companies to disclose the third parties they sell or "may sell" PII to. There is a direct mention of PII in the privacy notice provisions despite the missing definition, leaving covered entities to decide if their data is in fact covered under the bill.
The forecasting of potential data practices without a definition for PII is a compliance risk, but the general requirement to disclose future practices before they happen is burdensome alone.
"Unlike the requirement to identify 'categories of personal data' and other state laws that require a description of 'categories of third parties,' the phrasing here implies that a controller must know with specificity anyone to whom it 'may' ever sell to now or at any point in the future," Troutman Pepper Partner Kim Phan told the IAPP. "There is no time restriction on this disclosure requirement, such as limiting such future sales to those contemplated within the next 12 months, which might give companies more sense of short term deals or business relationships being developed."
Public Interest Research Group Don't Sell My Data Campaign Director R.J. Cross has mixed feelings over the privacy notice wrinkle. On the one hand, she told the IAPP consumers should have a better sense for knowing where data deletion requests need to be sent. On the other hand, the "crystal ball element" is "not as useful for consumers as it could be."
"Instead of the 'may' language, a clearer approach could be requiring companies to update their privacy notices every time they sell data to a new entity."
Other consumer advocates brought a string of concerns to Gov. McKee and Rhode Island General Assembly leaders before the bill cleared the legislature. They placed particular emphasis around how the bill treats pseudonymous data, arguing that it creates a "loophole" by exempting such data from user opt-outs and other data subject access requests.
"Online platforms and advertisers use pseudonymous identifiers (often mobile ad IDs or IP addresses) to track users across websites and apps, collecting extremely granular data about a user’s search history, usage, personal characteristics, and interests in order to serve them targeted advertisements or to create a profile they can sell to other interested third-parties," advocates wrote. "Though this is precisely the type of online tracking this bill ostensibly seeks to grant consumers more control over, this exemption would allow vast swaths of it to continue unabated."
Does divergence matter?
Cases have been made in other states for "doing something is better than nothing" as it relates to privacy legislation. The real impacts of alignment versus uniformity across states on privacy law have yet to be seen.
Troutman Pepper's Phan said the final judgment on the patchwork is likely to come to light down the road, if and when more divergences in provisions or definitions present themselves.
"The impact will likely be more long-term as these state laws start going into effect and we begin to see enforcement actions," she said. "When the language differs, it may be more difficult for business to look to other state interpretations as guidance for how to comply with Rhode Island’s law."
PIRG's Cross indicated uniformity might not be all that stakeholders are making it out to be while supporting the notion that states must "test different approaches to regulation to find out what works and what doesn’t."
"If states all pass the same thing, you risk us fossilizing solutions that don’t solve the problems we need to solve," Cross added. "States need to innovate, otherwise we’re undermining our ability to protect people in a fast-changing world."
Joe Duball is the news editor for the IAPP.