Skip to main content

Rhode Island Data Transparency and Privacy Protection Act

The Rhode Island Data Transparency and Privacy Protection Act grants standard consumer data rights and adds a distinctive requirement to disclose the categories of third parties receiving personal data. It took effect January 1, 2026 and is enforced by the Rhode Island Attorney General.

Jurisdiction
Rhode Island

Rhode Island Data Transparency and Privacy Protection Act

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), enacted as Senate Bill 2500 and House Bill 7787, is Rhode Island's comprehensive consumer privacy statute. It took effect on January 1, 2026. The law tracks the common state model but is notable for a transparency requirement that obliges controllers to identify, in their notices, the categories of third parties with which they share data and, for those that sell data, to specify the categories sold and the third parties involved.

Who It Applies To

The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and that, during a calendar year, control or process the personal data of either 35,000 or more consumers, or 10,000 or more consumers while deriving more than 20 percent of gross revenue from the sale of personal data. HIPAA and Gramm-Leach-Bliley data are exempt.

Key Requirements

Controllers must publish a privacy notice that, distinctively, names the categories of personal data shared with third parties and the categories of those third parties. Any controller that sells personal data or processes it for targeted advertising must clearly disclose this and the means to opt out. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and significant profiling. Sensitive data requires opt-in consent. The law's drafting on assessments and universal opt-out signals is lighter than some peer statutes.

Penalties for Non-Compliance

The Rhode Island Attorney General has exclusive enforcement authority; there is no private right of action. Violations are deceptive trade practices, carrying civil penalties of between 100 and 500 dollars per violation, which can accumulate significantly across affected consumers.

How to Comply

Update privacy notices to disclose the specific categories of third parties receiving data, a requirement that exceeds many other states. Provide clear opt-out mechanisms for sale and targeted advertising. Operate consumer-request workflows within 45 days and build opt-in consent for sensitive data. Maintain reasonable data security and update processor agreements.

Relationship to Other Laws

Rhode Island's headline obligation is heightened transparency: notices must identify the categories of third parties receiving data, not just the categories of data. This pushes organizations to maintain accurate data-sharing inventories. Its per-violation penalty band is comparatively modest individually but can accumulate quickly across affected consumers. Organizations should prioritize accurate, well-maintained vendor and data-sharing records to satisfy the disclosure duty.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.