npm - open-agreements - Versions diffs - 0.7.7 → 0.8.0 - Mend

open-agreements 0.7.7 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (704) hide show

package/skills/legal-explainers/data-privacy-law-explainer/content/oregon.md ADDED Viewed

@@ -0,0 +1,103 @@
+---
+jurisdiction: "Oregon"
+slug: oregon
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-05"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/oregon
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/oregon · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Oregon Consumer Privacy Law (OCPA)[^about]
+The Oregon Consumer Privacy Act gives Oregon consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General, carries civil penalties of up to $7,500 per violation, provides no private right of action, and as of January 1, 2026 no longer offers most businesses a mandatory right to cure.
+## At a glance
+| Question | Oregon |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you meet the 100,000-consumer (or 25,000 plus 25%-data-sale-revenue) threshold in Oregon, the OCPA requires a privacy notice with prescribed contents, opt-in consent to process sensitive data, recognition of a universal opt-out signal, and processor contracts — enforced by the Attorney General with civil penalties up to $7,500 per violation, no consumer lawsuits, and no general right to cure after January 1, 2026. |
+| **Main law** | Or. Rev. Stat. §§ 646A.570–646A.589 (Oregon Consumer Privacy Act) |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons doing business in Oregon (or targeting residents) that, in a calendar year, control or process the personal data of 100,000+ consumers, or 25,000+ while deriving 25% or more of annual gross revenue from selling personal data — no dollar revenue floor; nonprofits covered; GLBA financial institutions, insurers, and public bodies are exempt at the entity level, while HIPAA-regulated health data is exempt only at the data level (so HIPAA-covered businesses still comply for non-exempt data) |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
+| **Who enforces it?** | Oregon Attorney General (exclusive) |
+## Does the OCPA apply to your business? {#does-ocpa-apply}
+**Short answer.** It turns on consumer volume, not dollar revenue. The OCPA applies to a person that conducts business in Oregon or provides products or services to its residents and that, during a calendar year, controls or processes the personal data of 100,000 or more consumers, or 25,000 or more consumers while deriving 25 percent or more of annual gross revenue from selling personal data [^stat-572-apply].
+There is no dollar revenue floor for the 100,000-consumer trigger. A consumer is an Oregon resident acting in a capacity other than a commercial or employment context, so workforce, applicant, and business-to-business data fall outside the statute [^stat-570-consumer]. Section 646A.572(2) mixes two kinds of exemption. Some carve-outs are entity-level: the OCPA does not apply to a public body, to a financial institution as defined in Oregon banking law (or such an institution's affiliate or subsidiary that is only and directly engaged in financial activities), or to insurers and insurance producers [^stat-572-exempt]. Other carve-outs are data-level: the OCPA exempts HIPAA protected health information, information processed under the Gramm-Leach-Bliley Act and the Family Educational Rights and Privacy Act, and activity carried out strictly under the Fair Credit Reporting Act [^stat-572-exempt-data]. The distinctive point worth flagging is that there is no blanket entity-level exemption for HIPAA-covered health-care entities — Oregon exempts the regulated health data rather than the entity, so a HIPAA-covered business must still comply with the OCPA for any personal data that falls outside the exempt categories. Nonprofits are now covered.
+## What must your Oregon privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear and meaningful privacy notice that lists the categories of personal data it processes, describes the purposes for processing, explains how a consumer may exercise and appeal rights, lists the categories of personal data shared with third parties, and describes the categories of those third parties [^stat-578-notice].
+Section 646A.578(4) is the content checklist for an Oregon privacy policy, and it is prescriptive. Beyond the items above, the notice must specify an actively monitored email address or other online contact method, identify the controller by its registered and assumed business names, give a clear and conspicuous description of any targeted advertising or qualifying profiling along with how to opt out, and describe the methods for submitting requests [^stat-578-notice-detail]. The controller must also limit collection to data that is adequate, relevant and reasonably necessary for the disclosed purposes [^stat-578-minimize]. A generic multistate notice that omits the appeal route, the third-party-sharing detail, or the request mechanics is the most common Oregon notice gap, so the policy should track section 646A.578(4) item by item.
+## What must your contracts with vendors and processors include? {#vendor-processor-contracts}
+**Short answer.** A processor must enter into a contract with the controller that governs how the processor processes personal data on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-581-contract].
+Section 646A.581(2) then fixes the required terms: clear processing instructions and the nature, purpose, type, and duration of processing; specification of each party's rights and obligations; a duty of confidentiality on everyone who processes the data; deletion or return of the data at the controller's direction or at the end of services; information the controller needs to verify compliance; a flow-down requirement binding subcontractors to the same obligations; and a right to assess the processor's safeguards [^stat-581-terms]. The processor also has an affirmative duty to help the controller respond to consumer requests and conduct data protection assessments. A compliant template data processing agreement tracks each of these.
+## When do you need consent, and must you honor a universal opt-out signal? {#sensitive-data-and-opt-out}
+**Short answer.** You need consent for sensitive data, and you must honor a universal opt-out signal. A controller may not process a consumer's sensitive data without first obtaining consent, and if it knows the consumer is a child it must instead follow the federal Children's Online Privacy Protection Act [^stat-578-consent]. Sensitive data includes data revealing race or ethnicity, religious beliefs, a mental or physical condition or diagnosis, sexual orientation, transgender or nonbinary status, crime-victim status, or citizenship or immigration status; a child's personal data; precise geolocation; and genetic or biometric data [^stat-570-sensitive].
+Consent must be a freely given, specific, informed and unambiguous affirmative act, and a consumer's inaction does not count as consent. Separately, the request methods a controller offers must let a consumer or authorized agent send a signal indicating a preference to opt out of the sale of personal data or targeted advertising, through a mechanism that requires an affirmative choice rather than a default setting [^stat-578-signal]. In practice that means the program has to recognize a browser- or device-level universal opt-out preference signal, not just an on-site opt-out link.
+## Who enforces the OCPA, and can consumers sue? {#enforcement-and-lawsuits}
+**Short answer.** The Attorney General enforces it, and consumers cannot sue. The Attorney General has exclusive authority to enforce the OCPA, and the statute provides no private right of action [^stat-589-exclusive]. The Attorney General may bring an action for a civil penalty of up to $7,500 for each violation, plus injunctive or other equitable relief [^stat-589-penalty].
+There is also no longer a general right to cure. The OCPA's pre-suit notice-and-cure provision sunset on January 1, 2026 for ordinary covered businesses; from that date the 30-day cure survived only for a controller that is a noncommercial educational broadcast station and that meets two further conditions — it receives Corporation for Public Broadcasting funding or is a designated emergency-alert primary entry point, and it distributes its journalism content without cost to recipients [^stat-589-cure]. Even that narrow carve-out is temporary: the legislature repealed the cure section in full effective July 1, 2026, after which no controller has a statutory right to cure [^stat-589-cure-repeal]. The practical takeaway is to build the notice, consent, contracting, and opt-out controls before a complaint arrives, because covered businesses no longer have a statutory window to fix a violation after the Attorney General identifies it. The Attorney General must bring an action within five years after the last act constituting the violation.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-05. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Oregon. This article synthesizes Oregon primary law and is not legal advice from a Oregon-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-572-apply]: **Or. Rev. Stat. § 646A.572** — "ORS 646A.570 to 646A.589 apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (A) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (B) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data." *Or. Rev. Stat. § 646A.572(1)(a).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-570-consumer]: **Or. Rev. Stat. § 646A.570** — "‘Consumer’ means a natural person who resides in this state and acts in any capacity other than in a commercial or employment context." *Or. Rev. Stat. § 646A.570(7).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-572-exempt]: **Or. Rev. Stat. § 646A.572** — "(L) A financial institution, as defined in ORS 706.008, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on January 1, 2024;" *Or. Rev. Stat. § 646A.572(2)(a), (L), (n), (o).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-572-exempt-data]: **Or. Rev. Stat. § 646A.572** — "(b) Protected health information that a covered entity or business associate processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and regulations promulgated under the Act, as in effect on January 1, 2024;" *Or. Rev. Stat. § 646A.572(2)(b), (j), (k).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-578-notice]: **Or. Rev. Stat. § 646A.578** — "A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that: (a) Lists the categories of personal data, including the categories of sensitive data, that the controller processes; (b) Describes the controller’s purposes for processing the personal data;" *Or. Rev. Stat. § 646A.578(4).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-578-notice-detail]: **Or. Rev. Stat. § 646A.578** — "(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;" *Or. Rev. Stat. § 646A.578(4).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-578-minimize]: **Or. Rev. Stat. § 646A.578** — "Limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;" *Or. Rev. Stat. § 646A.578(1)(b).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-581-contract]: **Or. Rev. Stat. § 646A.581** — "The processor shall enter into a contract with the controller that governs how the processor processes personal data on the controller’s behalf." *Or. Rev. Stat. § 646A.581(2).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-581-terms]: **Or. Rev. Stat. § 646A.581** — "(b) Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing; (c) Specify the rights and obligations of both parties with respect to the subject matter of the contract; (d) Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data; (e) Require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data; (f) Require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under ORS 646A.570 to 646A.589; (g) Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations under the processor’s contract with the controller; and (h) Allow the controller, the controller’s designee or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations under ORS 646A.570 to 646A.589, and require the processor to cooperate with the assessment and, at the controller’s request, report the results of the assessment to the controller." *Or. Rev. Stat. § 646A.581(2)(b)-(h).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-578-consent]: **Or. Rev. Stat. § 646A.578** — "Process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq." *Or. Rev. Stat. § 646A.578(2)(b).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-570-sensitive]: **Or. Rev. Stat. § 646A.570** — "‘Sensitive data’ means personal data that: (A) Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; (B) Is a child’s personal data;" *Or. Rev. Stat. § 646A.570(18)(a).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-578-signal]: **Or. Rev. Stat. § 646A.578** — "Allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising under ORS 646A.574 (1)(d) by means of a platform, technology or mechanism that: (A) Does not unfairly disadvantage another controller; (B) Does not use a default setting but instead requires the consumer or authorized agent to make an affirmative, voluntary and unambiguous choice to opt out;" *Or. Rev. Stat. § 646A.578(5)(c).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-589-exclusive]: **Or. Rev. Stat. § 646A.589** — "The Attorney General has exclusive authority to enforce the provisions of ORS 646A.570 to 646A.589. ORS 646A.570 to 646A.589, or any other laws of this state, do not create a private right of action to enforce a violation of ORS 646A.570 to 646A.589." *Or. Rev. Stat. § 646A.589(7).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-589-penalty]: **Or. Rev. Stat. § 646A.589** — "The Attorney General may bring an action to seek a civil penalty of not more than $7,500 for each violation of ORS 646A.570 to 646A.589 or to enjoin a violation or obtain other equitable relief." *Or. Rev. Stat. § 646A.589(4)(a).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-589-cure]: **Or. Rev. Stat. § 646A.589** — "(a) Receives funding from the Corporation for Public Broadcasting or is a primary entry point, national primary or state primary, as defined in 47 C.F.R. 11.18, as in effect on the effective date of this 2025 Act; and (b) Distributes the noncommercial educational broadcast station’s journalism content without cost to recipients." *Or. Laws 2025, ch. 417, § 5(2).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>
+[^stat-589-cure-repeal]: **Or. Laws 2025, ch. 417, § 6** — "Section 5 of this 2025 Act is repealed on July 1, 2026." *Or. Laws 2025, ch. 417, § 6.* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>

package/skills/legal-explainers/data-privacy-law-explainer/content/pennsylvania.md ADDED Viewed

@@ -0,0 +1,99 @@
+---
+jurisdiction: "Pennsylvania"
+slug: pennsylvania
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-07"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/pennsylvania
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/pennsylvania · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Pennsylvania Consumer Privacy Law[^about]
+Pennsylvania has no comprehensive consumer-privacy statute. The operative state law is the Breach of Personal Information Notification Act (73 P.S. §§ 2301 et seq.), enforced exclusively by the Attorney General under the Unfair Trade Practices and Consumer Protection Law; the rest of a Pennsylvania privacy program rides the federal and sectoral overlay (FTC Act § 5, GLBA, HIPAA, COPPA).
+## At a glance
+| Question | Pennsylvania |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Pennsylvania has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statute is the Breach of Personal Information Notification Act, which requires notice of a data breach without unreasonable delay and is enforced solely by the Attorney General. Everything else in a Pennsylvania-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those and to the Breach Act, and the program auto-upgrades if Pennsylvania later enacts an omnibus law. One state-law exposure does demand attention now — Pennsylvania's all-party-consent wiretap statute (WESCA) has become the basis for website session-replay and tracking-pixel class actions, so obtain visitor consent before running third-party tracking. |
+| **Main law** | Pennsylvania Breach of Personal Information Notification Act, 73 P.S. §§ 2301 et seq. — Pennsylvania has no comprehensive consumer-privacy law; the Breach Act plus a federal and sectoral overlay is the operative framework |
+| **Privacy policy required?** | No comprehensive Pennsylvania statute mandates a consumer privacy policy or fixes its contents; contents are driven by FTC Act § 5 (a policy that misstates practices is deceptive), the UTPCPL, and the GLBA, HIPAA, and COPPA rules where the business is in scope |
+| **Who does it cover?** | Any entity — a sole proprietorship, partnership, corporation, association, or other group, for profit or not — doing business in Pennsylvania that maintains, stores, or manages computerized personal information of Pennsylvania residents; no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Yes |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the Breach Act — the Attorney General has exclusive UTPCPL enforcement authority; but Pennsylvania's all-party-consent wiretap law (WESCA, 18 Pa.C.S. § 5725) provides a private cause of action that drives website session-replay class actions |
+| **Who enforces it?** | Pennsylvania Office of Attorney General |
+## Which privacy laws apply to your business in Pennsylvania? {#which-privacy-laws-apply}
+**Short answer.** There is no comprehensive Pennsylvania consumer-privacy law. The operative state statute is the Breach of Personal Information Notification Act, which applies to any entity — defined as a State agency, a political subdivision, or an individual or a business doing business in the Commonwealth — that maintains, stores, or manages computerized personal information of Pennsylvania residents [^stat-2302-entity]. It carries no revenue or consumer-volume threshold, and it governs breach response rather than day-to-day data handling [^stat-2329-apply].
+Unlike California, Virginia, or Colorado, Pennsylvania has not enacted an omnibus privacy statute, so its residents do not have general rights to access, delete, correct, or opt out of the sale of their personal data under state law, and businesses are not subject to state notice-at-collection, consent, or data-protection-assessment duties. What fills the gap is a layered framework: the Breach Act sets the one statewide data-security duty, and the rest of a Pennsylvania privacy program rides a federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; the Children's Online Privacy Protection Act governs services directed to children under 13; and CAN-SPAM and the TCPA govern email and SMS marketing. Pennsylvania's own Wiretapping and Electronic Surveillance Control Act (WESCA) — an all-party-consent wiretap statute — sits alongside the Breach Act as state law and has become the main engine of website session-replay and tracking-pixel litigation against businesses, a point developed in the consumer-lawsuit prong below. None of those federal regimes is a Pennsylvania statute, but together with WESCA and the Breach Act they are what actually shapes a compliant Pennsylvania-facing program today. This note is written to stay durable: if Pennsylvania later enacts a comprehensive law, the program built to this overlay upgrades rather than restarts.
+## What must your Pennsylvania privacy policy contain? {#privacy-policy-contents}
+**Short answer.** No Pennsylvania statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the privacy policy is governed not by a state checklist but by the rule that whatever you publish has to be true: under Section 5 of the FTC Act and Pennsylvania's Unfair Trade Practices and Consumer Protection Law, a policy that misstates how you collect, use, share, retain, or secure data is a deceptive practice [^fed-ftc5-deceptive]. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice].
+In practice this means the drafting question in Pennsylvania is less what must be included and more does the policy match actual practice. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. There is no Pennsylvania-mandated source to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
+## What must your contracts with vendors say? {#vendor-contracts}
+**Short answer.** Pennsylvania has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Vendor data terms are instead driven by the sectoral regimes that apply to your business and by contract best practice.
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^fed-glba-safeguards]; HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information [^fed-hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Pennsylvania statute compels them. The Breach Act touches vendors only narrowly: a vendor that holds data on another entity's behalf must notify that entity after discovering a breach, leaving the entity responsible for notifying residents. That is a breach-response duty, not a general DPA mandate, so there is no Pennsylvania source to cite for omnibus vendor terms.
+## When must you notify people of a data breach in Pennsylvania? {#breach-notification}
+**Short answer.** An entity that maintains, stores, or manages computerized personal information must notify any Pennsylvania resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person [^stat-2303-notice]. The notice must be made without unreasonable delay [^stat-2303-notice]. A reportable breach is the unauthorized access and acquisition of computerized data that materially compromises personal information and causes, or is reasonably believed to cause, loss or injury to a resident [^stat-2302-breach]. When notice goes to more than 500 persons at one time, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay [^stat-2305-cra].
+This is the one prong where Pennsylvania imposes a hard, statutory clock, so it is the center of any Pennsylvania incident-response plan. Personal information under the Act is a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, financial-account or card number with its access code, certain medical or health-insurance information, or online-account credentials. Encryption and redaction are safe harbors — a breach of properly encrypted data generally does not trigger notice unless the key was also compromised. Public entities face fixed, shorter clocks the Act spells out separately (State agencies and certain local entities measured in business days), and the Attorney General must be notified concurrently once a breach reaches more than 500 Pennsylvania residents. An entity that follows its own breach-notification procedures under an information privacy or security policy consistent with the Act is deemed compliant, and a financial institution that meets the federal interagency notice guidance is likewise deemed compliant.
+## Can a consumer sue your business in Pennsylvania over privacy? {#consumer-lawsuit}
+**Short answer.** Not under the Breach Act. A violation of the Act is deemed an unfair or deceptive practice under the Unfair Trade Practices and Consumer Protection Law [^stat-2308-utpcpl], and the Office of Attorney General has exclusive authority to bring that action — so the Breach Act gives consumers no private right of action [^stat-2308-exclusive]. Other Pennsylvania law is a different story. The Wiretapping and Electronic Surveillance Control Act (WESCA) makes it a third-degree felony to intentionally intercept any wire, electronic, or oral communication without all parties' consent [^wesca-5703], and it gives any person whose communication is intercepted a private civil cause of action — with liquidated and punitive damages and fees [^wesca-5725]. The Third Circuit held in Popa v. Harriet Carter Gifts that this framework reaches ordinary website tracking, so third-party session-replay or pixel code can be an unlawful interception unless the visitor consented [^case-popa].
+Enforcement of Pennsylvania's one statewide data-security duty is therefore a public matter: the Attorney General, through the Bureau of Consumer Protection, brings UTPCPL actions for failures to notify or to secure data, seeking injunctions, restitution, and civil penalties. That does not mean a Pennsylvania business faces no litigation exposure — it means the exposure comes from other doors. Plaintiffs routinely plead common-law theories such as negligence and breach of implied contract after a breach, though those face steep standing hurdles absent actual misuse of the data. The fastest-growing exposure is WESCA: after Popa, plaintiffs' firms have filed waves of class actions treating third-party session-replay, chat, and advertising-pixel code as an unlawful two-party-consent interception, and the practical defense is to obtain the visitor's consent to that tracking before it runs. The durable takeaway: the Breach Act itself is AG-enforced only, but a Pennsylvania privacy program still has to manage real private-suit exposure under the wiretap law.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-07. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Pennsylvania. This article synthesizes Pennsylvania primary law and is not legal advice from a Pennsylvania-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-2302-entity]: **73 P.S. § 2302** — "‘Entity.’ A State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth." *73 P.S. § 2302.* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2302/>
+[^stat-2329-apply]: **73 P.S. § 2329** — "This act shall apply to the determination or notification of a breach of the security of the system that occurs on or after the effective date of this section." *73 P.S. § 2329.* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2329/>
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4.* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504.* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>
+[^stat-2303-notice]: **73 P.S. § 2303** — "An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following determination of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person." *73 P.S. § 2303(a).* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2303/>
+[^stat-2302-breach]: **73 P.S. § 2302** — "The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth." *73 P.S. § 2302.* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2302/>
+[^stat-2305-cra]: **73 P.S. § 2305** — "When an entity provides notification under this act to more than 500 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the timing, distribution and number of notices." *73 P.S. § 2305.* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2305/>
+[^stat-2308-utpcpl]: **73 P.S. § 2308** — "A violation of this act shall be deemed to be an unfair or deceptive act or practice in violation of the act of December 17, 1968 (P.L. 1224, No. 387)," *73 P.S. § 2308.* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2308/>
+[^stat-2308-exclusive]: **73 P.S. § 2308** — "The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act." *73 P.S. § 2308.* <https://codes.findlaw.com/pa/title-73-ps-trade-and-commerce/pa-st-sect-73-2308/>
+[^wesca-5703]: **18 Pa.C.S. § 5703** — "Except as otherwise provided in this chapter, a person is guilty of a felony of the third degree if he: (1) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic or oral communication;" *18 Pa.C.S. § 5703.* <https://codes.findlaw.com/pa/title-18-pacsa-crimes-and-offenses/pa-csa-sect-18-5703/>
+[^wesca-5725]: **18 Pa.C.S. § 5725** — "Any person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of this chapter shall have a civil cause of action against any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication;" *18 Pa.C.S. § 5725(a).* <https://codes.findlaw.com/pa/title-18-pacsa-crimes-and-offenses/pa-csa-sect-18-5725/>
+[^case-popa]: **Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022)** — "Thus if someone consents to the interception of her communications with a website, the WESCA does not impose liability." *Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022).* <https://www.courtlistener.com/opinion/8403630/ashley-popa-v-harriet-carter-gifts-inc/#:~:text=Thus%20if%20someone%20consents%20to,WESCA%20does%20not%20impose%20liability.>

package/skills/legal-explainers/data-privacy-law-explainer/content/rhode-island.md ADDED Viewed

@@ -0,0 +1,93 @@
+---
+jurisdiction: "Rhode Island"
+slug: rhode-island
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-06"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/rhode-island
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/rhode-island · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Rhode Island Consumer Privacy Law (RIDTPPA)[^about]
+The Rhode Island Data Transparency and Privacy Protection Act, effective January 1, 2026, sets information-sharing-practices disclosure duties for commercial websites and broader controller obligations — sensitive-data consent and processor contracts — on for-profit entities above defined customer thresholds, enforced exclusively by the Attorney General with no private right of action.
+## At a glance
+| Question | Rhode Island |
+| --- | --- |
+| **Law coverage** | Limited-scope law |
+| **Summary** | If your commercial website sells Rhode Island customers' personal information, RIDTPPA requires an information-sharing-practices notice; meeting the 35,000-customer (or 10,000-plus-20%-data-sale) threshold adds opt-in consent for sensitive data and binding processor contracts — all enforced by the Attorney General, with no consumer lawsuits. |
+| **Main law** | R.I. Gen. Laws ch. 6-48.1 (Rhode Island Data Transparency and Privacy Protection Act), effective January 1, 2026 |
+| **Privacy policy required?** | Yes — a commercial website or ISP that collects, stores, and sells customers' personal information must conspicuously disclose data categories, the third parties it sells to, and a contact mechanism |
+| **Who does it cover?** | Two tracks: any commercial website or internet service provider that collects, stores, and sells customers' personal information must post information-sharing disclosures; the broader controller duties reach for-profit entities that control or process the data of 35,000+ Rhode Island customers, or 10,000+ while deriving over 20% of gross revenue from data sales. Financial institutions, GLBA/HIPAA data, nonprofits, and government bodies are exempt. |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No — the statute expressly forbids any private right of action; the Attorney General is the sole enforcer |
+| **Who enforces it?** | Rhode Island Attorney General (sole enforcement authority) |
+## Does the Rhode Island privacy law apply to your business? {#does-ridtppa-apply}
+**Short answer.** It depends which duty you are asking about, because RIDTPPA runs on two tracks. The disclosure duty reaches any commercial website or internet service provider doing business in Rhode Island that collects, stores, and sells customers' personally identifiable information [^stat-3-apply]. The broader controller duties apply only to for-profit entities that, in the preceding year, controlled or processed the data of at least 35,000 Rhode Island customers, or at least 10,000 customers while earning more than 20% of gross revenue from selling personal data [^stat-4-apply].
+A customer here is an individual residing in Rhode Island acting in an individual or household context, so employees and business contacts do not count toward the thresholds. The split structure is the practical surprise: a small site that sells customer data can owe the disclosure obligations even if it never approaches the 35,000-customer floor that triggers the consent and contracting duties. Financial institutions and GLBA-regulated data, HIPAA-covered entities, nonprofits, and state and local government bodies sit outside the chapter entirely.
+## What must your Rhode Island privacy notice contain? {#privacy-policy-contents}
+**Short answer.** If your commercial website or service collects, stores, and sells customers' personally identifiable information, you must — in the customer agreement, an incorporated addendum, or another conspicuous location — identify the categories of personal data you collect, identify the third parties you have sold or may sell that data to, and give an email address or other online way for the customer to reach you [^stat-3-notice]. If you sell personal data or process it for targeted advertising, you must also disclose that clearly and conspicuously [^stat-3-targeted].
+Rhode Island frames this as an information-sharing-practices notice rather than the all-purpose privacy policy other states require, and it is keyed to the act of selling data. The three required disclosures are the content checklist for a compliant Rhode Island notice. Note that the statute uses the term personally identifiable information in this section while using personal data elsewhere, so a notice that maps the data you actually collect and sell is the safer posture.
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** A contract between a controller and a processor must govern how the processor handles data on the controller's behalf, so a data processing agreement is a statutory requirement, not a best practice [^stat-7-contract]. That contract has to set out the processing instructions, the nature and purpose of processing, the type of data, the duration, and each party's rights and obligations, and it must bind the processor to specific duties [^stat-7-terms].
+The required processor duties are a confidentiality obligation for everyone handling the data, deletion or return of data at the controller's direction, making compliance information available on request, binding any subcontractor by written contract to the same obligations after giving the controller a chance to object, and cooperating with reasonable assessments [^stat-7-terms]. A compliant template tracks each of these. A processor that starts deciding the purposes and means of processing becomes a controller and can itself face enforcement.
+## Do you need consent to process sensitive data? {#sensitive-data}
+**Short answer.** Yes. A covered controller may not process a customer's sensitive data without obtaining the customer's consent, and it may not process the sensitive data of a known child unless it gets consent and handles the data under the federal Children's Online Privacy Protection Act [^stat-7-consent]. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify someone; data from a known child; and precise geolocation [^stat-2-sensitive].
+This is an opt-in model: consent must be a clear, affirmative act and cannot be obtained through dark patterns or buried in a broad terms-of-use document. Controllers also have to give customers a way to grant and revoke consent, and must act on a revocation within fifteen days. Processing sensitive data is one of the activities that triggers a documented data protection assessment under the same section.
+## Can a customer sue your business under the Rhode Island privacy law? {#consumer-lawsuit}
+**Short answer.** No. The statute expressly says nothing in it authorizes a private right of action [^stat-8-nopra]. Enforcement rests solely with the Attorney General, who may proceed under the chapter itself or under the general regulatory provisions of commercial law [^stat-8-ag].
+A violation of the chapter is treated as a violation of the general regulatory provisions of commercial law and as a deceptive trade practice under Rhode Island law. The statute adds a targeted penalty for bad actors: anyone who intentionally discloses personal data to a shell company set up to circumvent the chapter, or otherwise discloses it in violation of the chapter, pays a fine of $100 to $500 per disclosure [^stat-8-fine]. Because there is no statutory cure period written into the section, the practical posture is to build the disclosure, consent, and contracting controls before a complaint reaches the Attorney General.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Rhode Island. This article synthesizes Rhode Island primary law and is not legal advice from a Rhode Island-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-3-apply]: **R.I. Gen. Laws § 6-48.1-3** — "Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller." *R.I. Gen. Laws § 6-48.1-3(a).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-3.htm>
+[^stat-4-apply]: **R.I. Gen. Laws § 6-48.1-4** — "This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following: (1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data." *R.I. Gen. Laws § 6-48.1-4(a).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-4.htm>
+[^stat-3-notice]: **R.I. Gen. Laws § 6-48.1-3** — "(1) Identify all categories of personal data that the controller collects through the website or online service about customers; (2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and (3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller." *R.I. Gen. Laws § 6-48.1-3(a).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-3.htm>
+[^stat-3-targeted]: **R.I. Gen. Laws § 6-48.1-3** — "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing." *R.I. Gen. Laws § 6-48.1-3(b).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-3.htm>
+[^stat-7-contract]: **R.I. Gen. Laws § 6-48.1-7** — "A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller." *R.I. Gen. Laws § 6-48.1-7(c).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-7.htm>
+[^stat-7-terms]: **R.I. Gen. Laws § 6-48.1-7** — "The contract shall be binding and clearly set forth instructions for processing data; the nature and purpose of processing; the type of data subject to processing; the duration of processing; and the rights and obligations of both parties. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (2) At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations of this chapter; (4) After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (5) Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor" *R.I. Gen. Laws § 6-48.1-7(c).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-7.htm>
+[^stat-7-consent]: **R.I. Gen. Laws § 6-48.1-4** — "The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA." *R.I. Gen. Laws § 6-48.1-4(c).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-4.htm>
+[^stat-2-sensitive]: **R.I. Gen. Laws § 6-48.1-2** — "‘Sensitive data’ means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data." *R.I. Gen. Laws § 6-48.1-2(26).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-2.htm>
+[^stat-8-nopra]: **R.I. Gen. Laws § 6-48.1-8** — "Nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of law." *R.I. Gen. Laws § 6-48.1-8(c).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-8.htm>
+[^stat-8-ag]: **R.I. Gen. Laws § 6-48.1-8** — "The attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter pursuant to:" *R.I. Gen. Laws § 6-48.1-8(b).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-8.htm>
+[^stat-8-fine]: **R.I. Gen. Laws § 6-48.1-8** — "A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in this title and shall constitute a deceptive trade practice in violation of chapter 13.1 of this title" *R.I. Gen. Laws § 6-48.1-8(a).* <https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-8.htm>