23 January 2026

Rhode Island's New Privacy Law: An Overview And Highlighted Differences

Taft Stettinius & Hollister


Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.

As in Indiana and Kentucky, the start of 2026 brought into effect Rhode Island's comprehensive consumer privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). This statute is not simply a replica of what has come before it.

While much of its terminology and mechanics will feel familiar to organizations already operating under multiple state privacy regimes, it also includes elements such as general applicability thresholds at the lower end of the typical range and broad privacy notice requirements. The similarities and distinctions make RIDTPPA easy to place within the broader U.S. privacy landscape, while also presenting a few compliance gray areas that merit closer attention.

Which Entities Are Covered?

In general, RIDTPPA covers for-profit entities that conduct business in Rhode Island or target Rhode Island residents and, during the preceding calendar year, either:

  • Controlled or processed the personal data of 35,000 or more Rhode Island residents; or
  • Controlled or processed the personal data of 10,000 or more Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.

Rhode Island joins some of its Northeast neighbors with a lower 35,000-consumer applicability threshold, while other states have applicability thresholds of 100,000. This means smaller businesses may find themselves in scope of the law in Rhode Island even if they have not been subject to similar laws in other states.

RIDTPPA also contains provisions applicable to certain commercial websites and internet service providers. Those that do business in Rhode Island or with Rhode Island customers must designate a controller (discussed in more detail below), and those that "collect, store, and sell customers' personally identifiable information" must comply with specific privacy notice requirements (also discussed further below). Notably, while the statute defines "personal data" as information linked or reasonably linkable to an identified or identifiable individual, it does not define the term "personally identifiable information." Although companies may look to definitions of "personally identifiable information" in other laws and in industry practice for guidance, the statute itself is not clear about what the Rhode Island legislature intended the term to encompass, creating uncertainty as to the precise scope of the notice obligations.

RIDTPPA contains a series of entity-level and data-level exemptions that are generally consistent with those in other state privacy laws. The statute excludes certain governmental entities, nonprofits, institutions of higher education, financial institutions, and entities subject to the Health Insurance Portability and Accountability Act (HIPAA). It also carves out categories of data already regulated under sector-specific federal laws, including, among others, protected health information (PHI) subject to HIPAA and information otherwise governed by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).

What Constitutes "Personal" and "Sensitive" Data?

As discussed above, RIDTPPA defines "personal data" as any information that is linked or reasonably linkable to an identified or identifiable individual. The definition also expressly excludes the following information:

  • De-Identified Data: Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual; and
  • Publicly Available Information: Information lawfully made available through government records or widely distributed media, as well as information a controller reasonably believes a customer has lawfully made available to the general public.

Like other state laws, RIDTPPA also establishes a category of "sensitive data," the processing of which is subject to heightened requirements, including opt-in consent. "Sensitive data" under RIDTPPA includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sex life, sexual orientation, citizenship or immigration status, genetic and biometric data used for unique identification, precise geolocation data (within 1,750 feet), and personal data collected from a known child under the age of 13.

What Rights Does RIDTPPA Provide?

RIDTPPA provides Rhode Island "customers," individuals residing in Rhode Island and acting in an individual or household context, with the following familiar set of rights that largely mirrors those found in other state privacy laws:

  • Confirm and Access: The right to confirm whether or not a controller is processing the customer's personal data and access such personal data;
  • Correct: The right to correct inaccuracies in the customer's personal data;
  • Delete: The right to delete personal data provided by, or obtained about, the customer;
  • Portability: The right to obtain a copy of the customer's personal data processed by the controller; and
  • Opt Out: The right to opt out of the processing of the customer's personal data for the purposes of targeted advertising, the sale of personal data, or profiling.

Controllers must respond to customer requests within 45 calendar days of receipt (with an optional 45-day extension where reasonably necessary) and provide an appeal process for any refusal to act on a request. Controllers must respond to such appeals within 60 calendar days.

What are Controller and Processor Obligations Under RIDTPPA?

In addition to the requirements relating to the handling of consumer rights requests detailed above, RIDTPPA imposes a number of additional obligations on controllers, including:

  • Implementing reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data;
  • Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to customers;
  • Obtaining customer consent before processing sensitive data and providing an effective mechanism for customers to revoke that consent;
  • Conducting any processing of personal data of known children under the age of 13 in accordance with the Children's Online Privacy Protection Act ("COPPA");
  • Entering into contracts with processors that govern the processing of personal data on the controller's behalf and include provisions addressing, among other things, scope of processing, confidentiality, and deletion or return of data at the end of services; and
  • Conducting and documenting data protection assessments for certain processing activities (as discussed in further detail below).

Processors must follow the instructions of the applicable controller and assist the controller in meeting its obligations under RIDTPPA.

As mentioned above, RIDTPPA also imposes separate controller-designation and privacy notice obligations on certain commercial websites and internet service providers. Those entities must designate a controller, although the law provides little guidance on how that designation is to be made or what, beyond general responsibility, it entails. Where such entities "collect, store, and sell customers' personally identifiable information," they must also provide a privacy notice that:

  • Identifies the categories of personal data collected through the website or online service;
  • Identifies the third parties to whom personally identifiable information has been sold or may be sold;
  • Discloses whether the entity sells personal data or shares personal data for purposes of targeted advertising; and
  • Includes an email address or other online mechanism to contact the entity.

As discussed above, RIDTPPA does not contain a definition of "personally identifiable information," but the use of that term instead of "personal data" in specific provisions appears deliberate. Additionally, the requirement to identify potential downstream recipients of sold data is a notable and atypical feature when compared to other state privacy laws, and it underscores Rhode Island's emphasis on transparency around data-sharing practices.

When are Data Protection Assessments Required?

Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm to customers, including:

  • Targeted advertising;
  • Sale of personal data;
  • Certain profiling activities with legal or similarly significant effects; and
  • Processing of sensitive data.

Such data protection assessments must be made available to the Rhode Island Attorney General upon request. RIDTPPA further provides that data protection assessments conducted for the purpose of complying with another reasonably similar requirement under applicable law will be deemed to satisfy the RIDTPPA requirement.

How is RIDTPPA Enforced?

The statute does not provide a private right of action. Rather, like many state laws, enforcement authority under RIDTPPA rests exclusively with the Rhode Island Attorney General. Notably, unlike some state privacy laws, RIDTPPA does not include a mandatory right-to-cure period (sunset or otherwise).

What Does RIDTPPA Mean for Businesses?

Rhode Island's comprehensive privacy law largely fits within the now-familiar framework adopted by many states, but its lower applicability threshold and uniquely framed notice and controller-designation requirements set it apart in meaningful ways. While much of RIDTPPA will feel routine for organizations already navigating multi-state privacy compliance, these stand-out elements warrant closer attention as companies assess scope and update their privacy programs and policies. As with any new entrant to the state privacy landscape, early attention to these nuances will be key to managing compliance risks and avoiding surprises as enforcement activity begins to take shape.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
