R.I. House Passes Privacy Bill; Senate Vote Imminent
Another comprehensive state privacy bill is moving quickly toward the finish line. The Rhode Island House voted 70-1 on Monday, approving H-7787 with some floor amendments. Meanwhile, the state's Senate Commerce Committee voted 7-1 to advance the similar S-2500. Tech industry groups supported the measure; however, a state senator and a consumer group said the Rhode Island legislation is too weak.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Nearly 20 states have adopted sweeping privacy laws including, just this year, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland and Minnesota. Gov. Phil Scott (R) has until Thursday to sign or veto a proposed privacy law that could make Vermont the first state with a broad private right of action.
H-7787 goes next to the Rhode Island Senate. Meanwhile, the Senate placed S-2500 on Wednesday’s floor calendar. Rep. Evan Shanley (D), the House bill’s sponsor, said Monday that he's “working closely” with S-2500 sponsor Sen. Louis DiPalma (D). Shanley expects the Senate will harmonize the bills and approve legislation Wednesday or Thursday. The lawmaker noted that he worked on the privacy bill with colleagues for seven years. DiPalma didn’t comment.
At the Senate Commerce hearing, however, state Sen. Samuel Bell (D) said he doesn’t think the privacy measure goes far enough. Privacy needs "regulation,” but proposed rules in S-2500 are “so weak that we’d actually be better off not doing it at all,” Bell, the committee’s lone nay vote, said. The bill’s lack of teeth is probably why industry supports it, he said.
Consumer Reports likely will write an opposition letter, Policy Analyst Matt Schwartz told us Monday. Rhode Island’s legislation “seems to be missing some critical components present in most baseline privacy laws at this point,” he said. For example, it would require that only websites and ISPs have privacy notices, Schwartz said. Also, it doesn’t support a global mechanism that would allow users to quickly opt out on all websites, he said.
The Computer & Communications Industry Association gives kudos to Rhode Island legislators for aligning "their efforts with the majority of existing state privacy laws, including regional neighbors like Connecticut and New Hampshire,” CCIA Regional Policy Manager Alex Spyropoulos said in a statement Tuesday. “If passed and signed into law, Rhode Island will be providing its residents with clear data privacy rights and protections and giving businesses operating in the state a straightforward path to compliance.” TechNet Executive Director-Northeast Chris Gilrein also applauded the legislation: "With the enactment of these bills, Rhode Island will join its New England neighbors in Connecticut and New Hampshire in empowering its residents with a robust suite of data privacy rights and protections, and providing businesses with a clear and actionable road map to compliance."
However, Rhode Island’s bill is inconsistent with other state laws that follow Connecticut’s approach in some ways, emailed Keir Lamont, Future of Privacy Forum director-U.S. legislation. As amended on the House floor, H-7787 “lacks certain rights and protections that are typically included in comprehensive state privacy laws, such as data minimization requirements, heightened protections for adolescent data, and a right to cure alleged violations.” In addition, it includes a penalty -- unique among states -- that would assess $100-$500 for each intentional wrongful disclosure of personal data that violates the proposed law, he said.
It could be challenging for websites to comply with another part of the bill that would require them to publicly identify and disclose all third parties to whom they have sold or may sell personally identifiable information, added Lamont. “A company may not know who it may seek to sell data to in the future.”