On June 28, 2024, Rhode Island joined the growing number of states enacting comprehensive customer data privacy legislation. The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) took effect on January 1, 2026, establishing a regulatory framework for the processing and handling of customer data. The law grants Rhode Island residents a set of statutory rights and imposes compliance obligations on businesses that process personal data.
The RIDTPPA generally aligns with the data privacy laws enacted in Virginia, Indiana, Minnesota, and other jurisdictions. The “Virginia model” of state data privacy laws is generally characterized by the controller/processor distinction, a slate of statutory customer rights, opt-in consent for sensitive data, broad exemptions for certain types of entities and data, no private right of action, and Attorney General enforcement.
Nevertheless, the Rhode Island law also introduces several distinctive features that set it apart and merit careful attention from covered entities.
Didomi outlines the RIDTPPA’s key provisions, including who the law applies to, how it differs from other state data privacy regulations, what businesses must do to comply, what rights are afforded to Rhode Island residents, and what penalties may be imposed for non-compliance.

Who does the RIDTPPA apply to?
The RIDTPPA applies to for-profit companies that conduct business in Rhode Island or offer products and services targeting Rhode Island residents. To fall within the law's primary scope, a business must, during the preceding calendar year, have either:
- controlled or processed the personal data of at least 35,000 Rhode Island residents, excluding data processed solely to complete a payment transaction; or
- controlled or processed the personal data of at least 10,000 Rhode Island residents while deriving 20 percent or more of its gross revenue from the sale of personal data.
These thresholds are notably lower than those found in other state data privacy laws. For example, the Virginia Consumer Data Protection Act applies to businesses that process data on at least 100,000 consumers, or at least 25,000 consumers if more than 50 percent of gross revenue comes from the sale of personal data, both of which are higher thresholds than Rhode Island's.
The RIDTPPA's lower thresholds mean that small and mid-size businesses may find themselves subject to the law's requirements.
Does the RIDTPPA exempt certain entities or types of data?
Yes, the law carves out several categories of entities and data types from its reach. Exempted entities include:
- Rhode Island state and local government bodies
- Nonprofit organizations
- Institutions of higher education
- Financial institutions regulated under the Gramm-Leach-Bliley Act
- HIPAA-covered entities and their business associates.
On the data side, the RIDTPPA excludes categories of regulated data under various federal frameworks, including:
- Data governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Data governed by the Family Educational Rights and Privacy Act (FERPA)
- Data governed by the Fair Credit Reporting Act (FCRA)
- Data governed by the Gramm-Leach-Bliley Act (GLBA)
- Data processed in the employment context, such as information about job applicants, employees, and contractors.
Businesses that fall within any of these exemptions, whether at the entity or data level, should document that status carefully, as the burden of demonstrating exemption typically rests with the controller.
What sets the RIDTPPA apart from other state data privacy laws?
Several provisions set the RIDTPPA apart from other state data privacy laws, including the following:
Broad and distinctive privacy notice obligations
One of the most distinctive features of the RIDTPPA is its privacy notice framework. Unlike most state privacy laws, which tie disclosure obligations to the same applicability thresholds that govern the rest of the statute, the RIDTPPA imposes notice requirements on any "commercial website" or internet service provider conducting business in Rhode Island or with Rhode Island customers, regardless of whether they otherwise meet the 35,000- or 10,000-resident thresholds described above.
The law also requires covered commercial websites to specifically designate a "controller" and make that information publicly available, though it does not define the term "commercial website" or provide guidance on what the designation must entail, creating some interpretive uncertainty for compliance teams.
No universal opt-out signal requirement
The RIDTPPA also diverges from a growing trend by not requiring businesses to recognize universal opt-out preference signals, which are browser-level or device-level signals that allow customers to automatically exercise their opt-out rights across all websites without acting site by site.
States such as Colorado and California have adopted such requirements, which ease the opt-out process for customers. Rhode Island's omission of this requirement means that customers must affirmatively exercise opt-out rights on a per-business basis.
Transparency around data sales
Privacy notices under the RIDTPPA must identify not only the categories of personal data a business sells or discloses to third parties, but also the categories of third parties to whom that data may be sold or disclosed.
This requirement to identify potential downstream recipients is atypical among state privacy laws and reflects Rhode Island's particular emphasis on transparency around data-sharing practices.
What are the compliance obligations for businesses subject to the RIDTPPA?
The RIDTPPA allocates compliance responsibilities between controllers and processors. For context, controllers are entities that determine the purposes and means of processing personal data (typically the businesses operating in Rhode Island). Processors are entities that process personal data on behalf of a controller.
Controller obligations
Controllers bear the primary compliance burden under the Rhode Island law. Under the RIDTPPA, controllers must:
- Limit data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes
- Implement reasonable administrative, technical, and physical data security safeguards
- Obtain opt-in consent before processing sensitive data
- Honor customer rights requests within the required timeframes (more on this below)
- Avoid processing that constitutes unlawful discrimination.
Processors operating under a Rhode Island-covered controller should ensure their contractual arrangements reflect these requirements.
Processor obligations
Processors are required to act only on documented instructions from the controller. The law requires that processor-controller relationships be governed by written contracts specifying processing instructions, confidentiality obligations, data deletion or return requirements upon termination, and audit rights. If a processor begins independently determining the purposes for processing personal data, it assumes the full obligations of a controller under the statute.
Requirement to conduct data protection assessments
In addition to data processing agreements, companies may need to conduct data protection assessments for certain data processing activities.
Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising, the sale of personal data, certain profiling activities, and the processing of sensitive data. These assessments must be made available to the Rhode Island Attorney General upon request.
Notably, the law does not specify which factors a controller must consider when conducting such an assessment, creating a gap that may require businesses to look to comparable requirements in other applicable laws for guidance. Assessments already conducted for compliance with similar requirements under other state or federal law are deemed to satisfy the RIDTPPA's requirement.
Data subject rights under the RIDTPPA
The RIDTPPA grants Rhode Island “customers” (defined as individuals residing in the state who act in a personal or household context) a set of statutory rights over their personal data that mirror those found in most other comprehensive state privacy laws.
These customer rights include:
- The right to confirm whether a controller is processing their personal data and to access that data
- The right to correct inaccuracies in their personal data
- The right to delete personal data the customer has provided or that has been obtained about them
- The right to obtain a portable copy of their personal data in a format that allows transfer to another service
- The right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling activities that could result in significant decisions affecting the customer.
Controllers must be prepared to honor each of these rights within the timeframes the law prescribes.
Responding to customer requests under the RIDTPPA
Companies must respond to customer rights requests within 45 calendar days of receipt. This period can be extended by an additional 45 days where reasonably necessary, provided the controller notifies the customer of the extension and the reason for it.
If a company declines to honor a request, it must provide customers with an appeals mechanism. If the appeal is also denied, the controller must respond within 60 days with a written explanation and provide the customer with a means to submit a complaint to the Rhode Island Attorney General's Office.
What are the penalties for failing to comply with the RIDTPPA?
A violation of the RIDTPPA constitutes a deceptive trade practice under Rhode Island's customer protection laws and carries a civil penalty of up to $10,000 per violation.
Intentional unauthorized disclosures of personal data can result in an additional fine of between $100 and $500 per disclosure, a range that can compound quickly depending on the volume of records involved.
Enforcement authority
Enforcement authority under the RIDTPPA rests exclusively with the Rhode Island Attorney General. There is no private right of action under the statute, meaning individual customers cannot sue businesses directly for violations.
No cure period
Critically, the RIDTPPA contains no cure period, a mechanism found in many other state privacy laws that gives businesses an opportunity to remediate violations before penalties are imposed. This makes Rhode Island's enforcement posture comparatively strict. In practice, businesses cannot rely on receiving a warning or notice from the Attorney General before facing fines. Compliance must be achieved from day one.
How can Didomi help businesses comply with the Rhode Island Data Transparency and Privacy Protection Act?
The Rhode Island Data Transparency and Privacy Protection Act imposes new compliance obligations on businesses operating in or serving Rhode Island residents. Its lower applicability thresholds, broad notice obligations, absence of a cure period, and transparency requirements regarding data sales make it a notable statute in the broader U.S. customer data privacy context.
Businesses operating in Rhode Island or serving Rhode Island residents should assess their data collection and processing protocols, implement necessary changes, and maintain ongoing compliance with Rhode Island law.
Keeping up with the pace and scope of these new data privacy regulations adds compliance complexity and risk to your business operations. Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide, and discuss your challenges and how Didomi could help with one of our experts.
Rhode Island Data Transparency and Privacy Protection Act: Frequently Asked Questions (FAQs)
When did the RIDTPPA go into effect?
The law went into effect on January 1, 2026. This means covered companies must comply with the RIDTPPA now.
How does the Rhode Island data privacy law define personal data?
The RIDTPPA defines “personal information” as any information that is linked or reasonably linkable to an identified or identifiable individual but excludes de-identified data or publicly available information.
Does the Rhode Island law treat sensitive data differently?
Yes. Like other state privacy laws, the RIDTPPA treats certain categories of personal data as "sensitive" and requires opt-in consent before processing. Sensitive data under the statute includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation or gender identity, citizenship or immigration status, genetic data, biometric data used for identification, and precise geolocation data.
Is there a private right of action under the Rhode Island law?
No. Individuals cannot sue a company for alleged violations of the RIDTPPA. Enforcement authority is exclusively granted to the Rhode Island Attorney General’s Office.