Page 379 - GDPR and US States General Privacy Laws Deskbook
(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
(b) The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.
(c) The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter.
(d) The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers.
(e) The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation.
6-48.1-5. Customer rights.
(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
(b) No controller shall discriminate against a customer for exercising their customer rights.
(c) No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection.
(d) Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate.
(e) A customer shall have the right to:
(1) Confirm whether or not a controller is processing the customer’s personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
(2) Correct inaccuracies in the customer’s personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer’s personal data;
(3) Obtain a copy of the customer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and
379 | Rhode Island Data Transparency and Privacy Protection Act