Rhode Island Data Privacy Laws: RIDTPPA Consumer Rights Guide (2026)

Rhode Island has enacted one of the most distinctive data privacy frameworks among U.S. states. The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), codified as R.I. Gen. Laws Chapter 6-48.1, took effect on January 1, 2026. It was enacted through two companion bills during the 2024 legislative session: House Bill H7787 and Senate Bill S2500.
The RIDTPPA stands apart from other state privacy laws in several ways. It has no cure period for businesses found in violation, requires disclosure of potential future data recipients, and sets lower applicability thresholds that reflect Rhode Island's smaller population. Combined with the state's Identity Theft Protection Act governing data breaches, Rhode Island has built a privacy framework that demands close attention from any business handling personal data of its residents.
This guide covers every major provision of Rhode Island's data privacy laws, what rights you have as a consumer, what businesses must do to comply, and the penalties for noncompliance.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
The RIDTPPA is Rhode Island's comprehensive consumer data privacy law. It regulates how businesses collect, use, store, disclose, sell, and process personal data belonging to Rhode Island consumers. The law is structured across ten sections covering definitions, information sharing practices, processing requirements, customer rights, enforcement, and exemptions.

Governor Daniel McKee signed the legislation in June 2024, making Rhode Island the nineteenth state to enact a comprehensive data privacy statute.
Who the RIDTPPA Applies To
The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and that, during the previous calendar year, met either of these thresholds:
- Controlled or processed personal data of at least 35,000 Rhode Island residents (excluding data processed solely for completing payment transactions), or
- Controlled or processed personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data
These thresholds are notably lower than those in many other state privacy laws. Given Rhode Island's population of approximately 1.1 million, the 35,000-resident threshold captures a proportionally larger segment of businesses than comparable thresholds in more populous states.
The privacy notice requirements under Section 6-48.1-3 apply even more broadly. Any controller of a commercial website or internet service provider that collects, stores, and sells personal information in Rhode Island must comply with the transparency disclosure rules, regardless of whether they meet the processing thresholds above.
Exempt Entities
The RIDTPPA exempts several categories of entities from its requirements under Section 6-48.1-10:
- State agencies and local units of government, including their contractors and subcontractors
- Nonprofit organizations recognized as tax-exempt under the Internal Revenue Code
- Institutions of higher education that are licensed or accredited
- Financial institutions governed by Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA)
- Registered national securities organizations regulated by the Securities and Exchange Commission
Exempt Data Categories
Beyond entity-level exemptions, the RIDTPPA also carves out specific categories of data that are already regulated under federal law:
- Protected health information (PHI) subject to HIPAA
- Personal data regulated by the Fair Credit Reporting Act (FCRA)
- Data governed by the Family Educational Rights and Privacy Act (FERPA)
- Data regulated by the Farm Credit Act
- Information covered by the Driver's Privacy Protection Act
- Consumer reporting agency activities regulated by the FCRA
- De-identified data that cannot reasonably be linked to an identifiable individual
- Publicly available information from government records or widely distributed media
Key Definitions Under the RIDTPPA
Understanding Rhode Island's data privacy framework requires familiarity with the definitions established in Section 6-48.1-2.
Customer means a Rhode Island resident acting in a personal or household context. People acting in a commercial or employment capacity are not considered customers under the law.
Personal data is defined as information linked or reasonably linkable to an identified or identifiable individual. This excludes de-identified data and publicly available information.
Sensitive data receives heightened protection and includes personal data revealing race or ethnicity, religious beliefs, health conditions or diagnoses, sexual orientation, citizenship or immigration status, genetic data, biometric data used for identification, data collected from a known child, and precise geolocation data.
Biometric data covers automatic measurements of biological characteristics such as fingerprints, voiceprints, and iris patterns used for identification. It does not include photographs or recordings unless they are specifically used to identify an individual.
Precise geolocation data means technology-derived location data accurate within a radius of 1,750 feet. Data from communications infrastructure or utility networks is excluded.
Consent requires a clear, affirmative act signifying agreement. General terms of use acceptance, hovering over content, or other passive behaviors do not qualify. The law specifically prohibits the use of dark patterns, defined as user interfaces designed to subvert or impair user autonomy, decision-making, or choice.
Sale of personal data means exchanging personal data for monetary consideration to a third party. Transfers to processors acting on a controller's behalf, affiliate transfers, customer-directed disclosures, and merger or acquisition transfers are excluded from this definition.
Targeted advertising means displaying advertisements based on personal data obtained or inferred from a customer's activities over time across nonaffiliated websites. It does not include contextual advertising, search-based advertising, or advertising based on activities within the controller's own websites.
Information Sharing and Transparency Requirements
One of the most distinctive aspects of the RIDTPPA is its approach to transparency. Section 6-48.1-3 requires controllers to designate a responsible party and make three key disclosures in customer agreements, website addendums, or other conspicuous locations.
First, the controller must identify all categories of personal data it collects through its website or online service about customers.
Second, the controller must identify all third parties to whom it has sold or may sell customers' personally identifiable information. This forward-looking requirement is unique among state privacy laws. Most states only require disclosure of current data recipients. Rhode Island requires businesses to anticipate and disclose potential future recipients as well.
Third, the controller must provide an active email address or other online mechanism that customers can use to make contact.
Controllers that engage in the sale of personal data or targeted advertising must clearly and conspicuously disclose such processing to customers.
Why the Future Recipients Requirement Matters
The obligation to identify third parties to whom a controller "may sell" personal data creates significant operational challenges for businesses. Unlike any other state privacy law, Rhode Island demands that businesses look ahead and predict their potential data sharing relationships. This requirement forces businesses to maintain a more comprehensive and forward-thinking approach to their data governance practices.
Processing Requirements and Data Security
The RIDTPPA sets clear rules for how businesses must handle personal data under Section 6-48.1-4.
Data Security Standards
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The law does not prescribe specific security measures, leaving businesses flexibility to choose appropriate safeguards based on their circumstances.
Sensitive Data and Consent
Controllers cannot process sensitive customer data without first obtaining consent. For personal data collected from children under 13, controllers must comply with the federal Children's Online Privacy Protection Act (COPPA). Entities that follow COPPA's parental consent requirements are deemed compliant with Rhode Island's requirements for children's data.
Consent Revocation and the 15-Day Rule
Controllers must provide mechanisms allowing customers to grant and revoke consent where consent is required. When a customer revokes consent, the controller must suspend processing of that customer's data as soon as practicable, but no later than 15 days after receiving the revocation request. This specific timeline provides clarity that many other state privacy laws lack.
Non-Discrimination in Data Processing
The RIDTPPA prohibits processing personal data in ways that violate state and federal anti-discrimination laws. This provision ensures that data-driven decisions do not produce unlawful discriminatory outcomes.
Consumer Rights Under the RIDTPPA
Rhode Island consumers gain a comprehensive set of data privacy rights under Section 6-48.1-5. These rights allow individuals to understand and control how businesses use their personal information.
Right to Confirm and Access
Customers may confirm whether a controller is processing their personal data and access that data. The right to access does not extend to information that would reveal trade secrets.
Right to Correct
Customers may request correction of inaccuracies in their personal data. Controllers must consider the nature of the data and the purpose of processing when responding to correction requests.
Right to Delete
Customers may request deletion of personal data that was provided by them or obtained about them. This applies to data the customer directly provided as well as data the business collected through observation or inference.
Right to Data Portability
Customers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. This allows transmission of the data to another controller without undue delay, provided the processing was conducted through automated means. Trade secrets are excluded.
Right to Opt Out
Customers may opt out of personal data processing for three purposes:
- Targeted advertising based on tracking across nonaffiliated websites
- Sale of personal data to third parties for monetary consideration
- Profiling that produces legal or similarly significant effects on the customer
Non-Discrimination Protection
Controllers cannot discriminate against customers who exercise their rights. A business shall not deny goods or services, charge different prices, or provide a different level of quality based on a customer's decision to opt out. However, bona fide loyalty programs, rewards programs, premium features, discounts, and club card programs that customers voluntarily join may offer differentiated pricing or service levels.
Authorized Agents and Parental Rights
Customers may designate authorized agents to submit opt-out requests on their behalf. Parents and guardians may exercise rights on behalf of children or individuals under legal guardianship.
How to Exercise Your Rights
Section 6-48.1-6 establishes the procedures for exercising consumer rights under the RIDTPPA.
Response Timeline
Controllers must respond to customer requests within 45 days. If the complexity of the request warrants additional time, the controller may extend the response period by an additional 45 days, for a total of 90 days. The controller must inform the customer of any extension within the initial 45-day period and explain the reason.
Free Responses
Information provided in response to a customer request must be free of charge, once per customer during any 12-month period. Controllers may charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive.
Authentication
Controllers may require reasonable authentication to verify a customer's identity before processing a request. However, controllers are not required to authenticate opt-out requests. They may deny an opt-out request only if they have a good faith, reasonable, and documented belief that the request is fraudulent.
Appeals Process
Controllers must establish a process for customers to appeal a refusal to act on a request. The controller has 60 days from receipt of an appeal to provide a written explanation of its decision. If the appeal is denied, the customer may submit the matter to the Rhode Island Attorney General.
Handling Third-Party Data
When a controller receives a deletion request for personal data obtained from a third-party source, it may comply by either retaining a record of the deletion request and refraining from further use of the data, or by opting the customer out of further processing.
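The first option above is, in engineering terms, a suppression list: the controller keeps a record that a deletion request was made and checks every later feed of third-party data against it. The block below is an added example written for this guide, not code from the original article or from any Rhode Island agency. The statute only requires that a record be retained and that the data not be used further; the choices to normalise the identifier and to store a keyed hash (HMAC-SHA256 under a secret the controller holds) rather than the plain email are design decisions of this example, made so that the suppression list is not itself a directory of the people who asked to be forgotten. The sample third-party records are constructed inline.

```python
"""Suppression list for deletion requests that cover third-party-sourced data.

Added example, not from the original article. Design assumptions (not in the
statute): identifiers are email addresses, they are normalised before hashing,
and the record stores an HMAC of the identifier under a controller-held key.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timezone


def normalise_email(email: str) -> str:
    # Case-fold and trim so "Alice@Example.com " and "alice@example.com" match.
    return email.strip().lower()


class SuppressionList:
    """Records deletion requests and answers 'has this subject asked for deletion?'"""

    def __init__(self, key: bytes):
        # An unkeyed SHA-256 of an email is trivially reversible by dictionary
        # attack; a keyed MAC means a leaked list reveals nothing without the key.
        self._key = key
        self._records: dict[str, datetime] = {}

    def _token(self, identifier: str) -> str:
        data = normalise_email(identifier).encode("utf-8")
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def record_deletion(self, identifier: str, when: datetime | None = None) -> str:
        """Retain a record of the request (the statute's first option) and return its token."""
        token = self._token(identifier)
        self._records[token] = when or datetime.now(timezone.utc)
        return token

    def is_suppressed(self, identifier: str) -> bool:
        return self._token(identifier) in self._records

    def __len__(self) -> int:
        return len(self._records)


def filter_incoming(suppression: SuppressionList, records: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split a third-party feed into records the controller may use and records it must not.

    Every inbound record whose subject has a deletion on file is dropped before
    it reaches any downstream processing, which is the 'refrain from further use'
    half of the obligation.
    """
    kept: list[dict] = []
    dropped: list[dict] = []
    for rec in records:
        (dropped if suppression.is_suppressed(rec["email"]) else kept).append(rec)
    return kept, dropped


def demo() -> tuple[list[str], int, int]:
    """Run the flow on constructed data; returns (kept emails, dropped count, list size)."""
    # Key is a placeholder for this example; in production it lives in a secrets store.
    suppression = SuppressionList(key=b"example-controller-key-not-for-production")

    # A Rhode Island customer submits a deletion request with inconsistent casing.
    suppression.record_deletion("Alice.Smith@Example.com ")

    # Constructed sample: a later feed from a hypothetical data broker.
    broker_feed = [
        {"email": "alice.smith@example.com", "segment": "outdoor-gear"},
        {"email": "bob@example.net", "segment": "outdoor-gear"},
        {"email": "ALICE.SMITH@EXAMPLE.COM", "segment": "travel"},
    ]
    kept, dropped = filter_incoming(suppression, broker_feed)
    return [r["email"] for r in kept], len(dropped), len(suppression)


if __name__ == "__main__":
    print(demo())
```

Two points worth carrying into a real implementation: the suppression check has to run before any other processing of the feed (enrichment, profiling, ad-segment assignment), otherwise the data has already been "used" by the time it is filtered; and the list must also cover records that arrive with an alternate representation of the same person, which is why normalisation of the identifier is part of the token, not an afterthought.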
Controller and Processor Responsibilities
Section 6-48.1-7 establishes the duties that controllers and their processors must fulfill.
Contract Requirements
Contracts between controllers and processors must specify processing instructions, data types covered, processing purposes, duration, and the rights and obligations of both parties. Processor contracts must require:
- Staff handling data to maintain confidentiality
- Deletion or return of data upon request, unless legally required to retain it
- Controller access to compliance-related information upon reasonable request
- Written subcontracts requiring subcontractors to meet the same standards as processors
- Independent assessments using recognized frameworks to verify compliance
Data Protection Assessments
Controllers must conduct and document data protection assessments for processing activities that present heightened risk. These assessments are required for:
- Targeted advertising
- Sale of personal data
- Profiling that creates a risk of unfair treatment or disparate impact
- Processing of sensitive data
The Rhode Island Attorney General may require controllers to disclose these assessments during investigations. Assessments are confidential and exempt from public records disclosure. Attorney-client privilege protections are preserved.
Processor Liability
If a processor independently determines the purposes and means of processing personal data beyond the controller's instructions, it becomes a controller for that processing and is subject to enforcement accordingly.
De-Identified Data Protections
Controllers possessing de-identified data must take reasonable measures to ensure the data cannot be associated with an individual. They must publicly commit to maintaining that separation. Any entity receiving de-identified data must contractually agree to comply with these provisions.
Enforcement and Penalties: No Cure Period
The RIDTPPA's enforcement provisions under Section 6-48.1-8 set it apart from most other state privacy laws.
Attorney General Exclusive Enforcement
The Rhode Island Attorney General has exclusive authority to enforce the RIDTPPA. There is no private right of action. Consumers cannot sue businesses directly for violations. Instead, they must file complaints with the Attorney General's office.
No Cure Period
Unlike the majority of state privacy laws that provide businesses a 30-day or 60-day cure period to fix violations before penalties apply, Rhode Island offers no cure period. The Attorney General can pursue enforcement action immediately upon determining a violation has occurred. This makes Rhode Island one of the strictest states for data privacy enforcement in the country.
Penalty Structure
Violations of the RIDTPPA are classified as deceptive trade practices under R.I. Gen. Laws Chapter 6-13.1. This subjects violators to:
- Civil penalties of up to $10,000 per violation under the deceptive trade practices framework
- Additional fines of $100 to $500 per disclosure for intentional unauthorized disclosure of personal data to shell companies or entities formed to circumvent the law
These penalties can accumulate rapidly. A single data processing operation affecting thousands of consumers could generate penalties in the millions of dollars.
No Private Right of Action
The statute explicitly states that nothing shall be construed to authorize any private right of action. This means consumers cannot bring individual or class-action lawsuits to enforce the RIDTPPA. All enforcement flows through the Attorney General.
Rhode Island Data Breach Notification Law
Separate from the RIDTPPA, Rhode Island's Identity Theft Protection Act of 2015, codified as R.I. Gen. Laws Chapter 11-49.3, governs how businesses must respond to data breaches.
Who Must Comply
Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data containing personal information must comply with breach notification requirements.
Notification Timelines
Entities must provide notification in the most expedient time possible, subject to these maximum deadlines:
- State and municipal agencies: No later than 30 calendar days after confirmation of the breach
- All other entities: No later than 45 calendar days after confirmation of the breach
Large Breach Requirements
When a breach affects more than 500 Rhode Island residents, the entity must notify:
- The Rhode Island Attorney General
- Major credit reporting agencies
These notifications must not delay notice to affected residents.
Required Notification Content
Breach notifications must include:
- A description of the incident and the number of individuals affected
- The types of personal information that were compromised
- The date or estimated date range of the breach
- The date the breach was discovered
- Information about remediation services, including contact details
- Instructions for filing police reports, placing security freezes, and any related fees
Remediation Requirements for Government Agencies
State and municipal agencies must provide identity theft protection services:
- Adults: A minimum of 5 years of coverage
- Minors: Coverage through age 18, plus at least 2 additional years
Law Enforcement Exception
Notification may be delayed if law enforcement determines it would impede a criminal investigation. Once the agency determines notification is safe, disclosure must occur as soon as practicable.
Breach Notification Penalties
Under Section 11-49.3-5, penalties for failing to comply with breach notification requirements include:
- Reckless violations: Up to $100 per record affected
- Knowing and willful violations: Up to $200 per record affected
The Rhode Island Attorney General has authority to initiate legal action whenever there is reasonable cause to believe a violation occurred and prosecution serves the public interest.
Federal Privacy Laws That Apply in Rhode Island
Several federal privacy statutes apply to businesses operating in Rhode Island alongside the RIDTPPA.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA governs how covered entities and business associates handle protected health information. Healthcare providers, health plans, and healthcare clearinghouses in Rhode Island must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Entities regulated by HIPAA are exempt from the RIDTPPA.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Banks, credit unions, insurance companies, and securities firms in Rhode Island must comply with GLBA provisions. Financial institutions regulated by the GLBA are exempt from the RIDTPPA.
Children's Online Privacy Protection Act (COPPA)
COPPA applies to commercial websites and online services directed at children under 13 that collect personal information. The RIDTPPA requires controllers to process children's data in accordance with COPPA and deems compliance with COPPA's parental consent provisions as meeting Rhode Island's requirements.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. Schools and educational institutions in Rhode Island must comply with FERPA's requirements for handling student data. Educational records governed by FERPA are exempt from the RIDTPPA.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. Consumer reporting agencies and entities that use credit reports must comply with FCRA provisions. Data regulated by the FCRA is carved out from RIDTPPA coverage.
How Rhode Island Compares to Other State Privacy Laws
Rhode Island's approach to data privacy includes several features that distinguish it from most other states.
No Cure Period
Most state privacy laws give businesses 30 to 60 days to fix violations before penalties apply. Rhode Island skips this step entirely. The Attorney General can take enforcement action immediately without providing any opportunity to cure.
Future Data Recipients Disclosure
While other states require businesses to disclose the third parties they currently share data with, Rhode Island goes further by requiring disclosure of third parties to whom the controller "may sell" personal information in the future. This forward-looking requirement creates additional compliance burdens.
Lower Applicability Thresholds
Rhode Island's threshold of 35,000 residents (or 10,000 with 20% revenue from data sales) is lower than many other states, reflecting the state's smaller population. For comparison, Virginia and Colorado set their thresholds at 100,000 consumers.
Broad Privacy Notice Requirements
The transparency requirements under Section 6-48.1-3 apply to any commercial website or internet service provider collecting and selling personal information in Rhode Island. This extends well beyond the processing thresholds that govern most other provisions of the law.
Deceptive Trade Practice Classification
By classifying violations as deceptive trade practices, Rhode Island can leverage its existing consumer protection enforcement infrastructure. This gives the Attorney General's office well-established legal tools for pursuing violators.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Rhode Island for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Rhode Island Data Transparency and Privacy Protection Act - R.I. Gen. Laws Chapter 6-48.1 (Full Text) (rilegislature.gov)
- RIDTPPA Definitions - R.I. Gen. Laws Section 6-48.1-2 (rilegislature.gov)
- RIDTPPA Information Sharing Practices - R.I. Gen. Laws Section 6-48.1-3 (rilegislature.gov)
- RIDTPPA Processing of Information - R.I. Gen. Laws Section 6-48.1-4 (rilegislature.gov)
- RIDTPPA Customer Rights - R.I. Gen. Laws Section 6-48.1-5 (rilegislature.gov)
- RIDTPPA Exercising Customer Rights - R.I. Gen. Laws Section 6-48.1-6 (rilegislature.gov)
- RIDTPPA Controller and Processor Responsibilities - R.I. Gen. Laws Section 6-48.1-7 (rilegislature.gov)
- RIDTPPA Violations - R.I. Gen. Laws Section 6-48.1-8 (rilegislature.gov)
- RIDTPPA Construction - R.I. Gen. Laws Section 6-48.1-10 (rilegislature.gov)
- House Bill H7787 Substitute A as Amended (Enacted Text) (rilegislature.gov)
- Senate Bill S2500 Substitute A as Amended (Enacted Text) (rilegislature.gov)
- Rhode Island Identity Theft Protection Act of 2015 - R.I. Gen. Laws Chapter 11-49.3 (rilegislature.gov)
- Breach Notification Requirements - R.I. Gen. Laws Section 11-49.3-4 (rilegislature.gov)
- Breach Notification Penalties - R.I. Gen. Laws Section 11-49.3-5 (rilegislature.gov)
- Rhode Island Attorney General - Data Breach Notifications (riag.ri.gov)
- Rhode Island Legislature Press Release - Data Transparency and Privacy Protection Act (rilegislature.gov)