Rhode Island Data Privacy Laws: RIDTPPA Consumer Rights Guide (2026)

Rhode Island's Data Transparency and Privacy Protection Act (RIDTPPA), codified at R.I. Gen. Laws Chapter 6-48.1, took effect January 1, 2026. The law gives Rhode Island residents the right to access, correct, delete, and opt out of personal data processing, and carries civil penalties up to $10,000 per violation with no cure period.
Rhode Island has built one of the most distinctive data privacy frameworks among U.S. states. The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), codified as R.I. Gen. Laws Chapter 6-48.1, took effect on January 1, 2026. Governor Daniel McKee transmitted the legislation into law without signature on June 25, 2024, making Rhode Island the twentieth state to enact a comprehensive consumer data privacy statute. The law passed through two companion bills during the 2024 legislative session: House Bill H7787 and Senate Bill S2500.
The RIDTPPA stands apart from other state privacy laws in several important ways. It provides no cure period for businesses found in violation, requires disclosure of potential future data recipients, and sets lower applicability thresholds that reflect Rhode Island's smaller population. Together with Indiana's Consumer Data Protection Act and Kentucky's Consumer Data Protection Act, it forms the trio of comprehensive state privacy statutes that took effect on January 1, 2026.
Rhode Island has also enacted complementary protections: the state's Identity Theft Protection Act governs data breaches, and a 2025 deepfake law adds criminal penalties for distributing synthetic intimate imagery. The federal TAKE IT DOWN Act, signed May 19, 2025, layered additional platform obligations that entered FTC enforcement on May 19, 2026.
This guide covers every major provision of Rhode Island's data privacy laws, what rights you have as a consumer, what businesses must do to comply, and the penalties for noncompliance.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
The RIDTPPA is Rhode Island's comprehensive consumer data privacy law. It regulates how businesses collect, use, store, disclose, sell, and process personal data belonging to Rhode Island consumers. The law is structured across ten sections covering definitions, information sharing practices, processing requirements, customer rights, enforcement, and exemptions. No rulemaking authority was included in the statute, so no implementing regulations exist; the statutory text is the operative document.

Rhode Island is one of three states whose comprehensive privacy law took effect on January 1, 2026. Indiana's Consumer Data Protection Act (INCDPA) and Kentucky's Consumer Data Protection Act (KCDPA) share that effective date, though both are modeled more closely on Virginia's law and include 30-day cure periods that Rhode Island deliberately omits.
Who the RIDTPPA Applies To
The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and that, during the previous calendar year, met either of these thresholds:
- Controlled or processed personal data of at least 35,000 Rhode Island residents (excluding data processed solely for completing payment transactions), or
- Controlled or processed personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data
These thresholds are notably lower than those in most other state privacy laws, which reflects Rhode Island's population of approximately 1.1 million. Virginia and Colorado set their thresholds at 100,000 consumers; Indiana and Kentucky set theirs at 100,000 consumers or 25,000 with 50% revenue from sales. Rhode Island's lower bar means a broader range of businesses handling Rhode Island resident data must comply.
The privacy notice requirements under Section 6-48.1-3 apply even more broadly. Any controller of a commercial website or internet service provider that collects, stores, and sells personal information about Rhode Island residents must comply with the transparency disclosure rules, regardless of whether they meet the processing thresholds above.
Exempt Entities
The RIDTPPA exempts several categories of entities from its requirements under Section 6-48.1-10:
- State agencies and local units of government, including their contractors and subcontractors
- Nonprofit organizations recognized as tax-exempt under the Internal Revenue Code
- Institutions of higher education that are licensed or accredited
- Financial institutions governed by Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA)
- Registered national securities organizations regulated by the Securities and Exchange Commission
Exempt Data Categories
Beyond entity-level exemptions, the RIDTPPA also carves out specific categories of data already regulated under federal law:
- Protected health information (PHI) subject to HIPAA
- Personal data regulated by the Fair Credit Reporting Act (FCRA)
- Data governed by the Family Educational Rights and Privacy Act (FERPA)
- Data regulated by the Farm Credit Act
- Information covered by the Driver's Privacy Protection Act
- De-identified data that cannot reasonably be linked to an identifiable individual
- Publicly available information from government records or widely distributed media
Key Definitions Under the RIDTPPA
Understanding Rhode Island's data privacy framework requires familiarity with the definitions established in Section 6-48.1-2.
Customer means a Rhode Island resident acting in a personal or household context. People acting in a commercial or employment capacity are not considered customers under the law.
Personal data is defined as information linked or reasonably linkable to an identified or identifiable individual. This excludes de-identified data and publicly available information.
Sensitive data receives heightened protection and includes personal data revealing race or ethnicity, religious beliefs, health conditions or diagnoses, sexual orientation, citizenship or immigration status, genetic data, biometric data used for identification, data collected from a known child, and precise geolocation data.
Biometric data covers automatic measurements of biological characteristics such as fingerprints, voiceprints, and iris patterns used for identification. It does not include photographs or recordings unless specifically used to identify an individual.
Precise geolocation data means technology-derived location data accurate within a radius of 1,750 feet. Data from communications infrastructure or utility networks is excluded.
Consent requires a clear, affirmative act signifying agreement. General terms of use acceptance, hovering over content, or other passive behaviors do not qualify. The law specifically prohibits dark patterns, defined as user interfaces designed to subvert or impair user autonomy, decision-making, or choice.
Sale of personal data means exchanging personal data for monetary consideration to a third party. Transfers to processors acting on a controller's behalf, affiliate transfers, customer-directed disclosures, and merger or acquisition transfers are excluded from this definition.
Targeted advertising means displaying advertisements based on personal data obtained or inferred from a customer's activities over time across nonaffiliated websites. It does not include contextual advertising, search-based advertising, or advertising based on activities within the controller's own websites.
Information Sharing and Transparency Requirements
One of the most distinctive aspects of the RIDTPPA is its approach to transparency. Section 6-48.1-3 requires controllers to designate a responsible party and make three key disclosures in customer agreements, website addendums, or other conspicuous locations.
First, the controller must identify all categories of personal data it collects through its website or online service about customers.
Second, the controller must identify all third parties to whom it has sold or may sell customers' personally identifiable information. This forward-looking requirement is unique among state privacy laws. Most states only require disclosure of current data recipients. Rhode Island requires businesses to anticipate and disclose potential future recipients as well.
Third, the controller must provide an active email address or other online mechanism that customers can use to make contact.
Controllers that engage in the sale of personal data or targeted advertising must clearly and conspicuously disclose such processing to customers.
Why the Future Recipients Requirement Matters
The obligation to identify third parties to whom a controller "may sell" personal data creates significant operational challenges for businesses. Unlike any other state privacy law, Rhode Island demands that businesses look ahead and predict their potential data sharing relationships. This requirement forces a more comprehensive and forward-thinking approach to data governance practices.

Processing Requirements and Data Security
The RIDTPPA sets clear rules for how businesses must handle personal data under Section 6-48.1-4.
Data Security Standards
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The law does not prescribe specific security measures, leaving businesses flexibility to choose appropriate safeguards based on their circumstances.
Sensitive Data and Consent
Controllers cannot process sensitive customer data without first obtaining consent. For personal data collected from children under 13, controllers must comply with the federal Children's Online Privacy Protection Act (COPPA). Entities that follow COPPA's parental consent requirements are deemed compliant with Rhode Island's requirements for children's data.
Consent Revocation and the 15-Day Rule
Controllers must provide mechanisms allowing customers to grant and revoke consent where consent is required. When a customer revokes consent, the controller must suspend processing of that customer's data as soon as practicable, but no later than 15 days after receiving the revocation request. This specific timeline provides clarity that many other state privacy laws lack.
Non-Discrimination in Data Processing
The RIDTPPA prohibits processing personal data in ways that violate state and federal anti-discrimination laws. This provision ensures that data-driven decisions do not produce unlawful discriminatory outcomes.
Consumer Rights Under the RIDTPPA
Rhode Island consumers gain a comprehensive set of data privacy rights under Section 6-48.1-5. These rights allow individuals to understand and control how businesses use their personal information.
Right to Confirm and Access
Customers may confirm whether a controller is processing their personal data and access that data. The right to access does not extend to information that would reveal trade secrets.
Right to Correct
Customers may request correction of inaccuracies in their personal data. Controllers must consider the nature of the data and the purpose of processing when responding to correction requests.
Right to Delete
Customers may request deletion of personal data provided by them or obtained about them. This applies to data the customer directly provided as well as data the business collected through observation or inference.
Right to Data Portability
Customers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows transmission to another controller without undue delay, provided the processing was conducted through automated means. Trade secrets are excluded.
Right to Opt Out
Customers may opt out of personal data processing for three purposes:
- Targeted advertising based on tracking across nonaffiliated websites
- Sale of personal data to third parties for monetary consideration
- Profiling that produces legal or similarly significant effects on the customer
Non-Discrimination Protection
Controllers cannot discriminate against customers who exercise their rights. A business shall not deny goods or services, charge different prices, or provide a different level of quality based on a customer's decision to opt out. However, bona fide loyalty programs, rewards programs, premium features, discounts, and club card programs that customers voluntarily join may offer differentiated pricing or service levels.
Authorized Agents and Parental Rights
Customers may designate authorized agents to submit opt-out requests on their behalf. Parents and guardians may exercise rights on behalf of children or individuals under legal guardianship.
How to Exercise Your Rights
Section 6-48.1-6 establishes the procedures for exercising consumer rights under the RIDTPPA.
Response Timeline
Controllers must respond to customer requests within 45 days. If the complexity of the request warrants additional time, the controller may extend the response period by an additional 45 days, for a total of 90 days. The controller must inform the customer of any extension within the initial 45-day period and explain the reason.
Free Responses
Information provided in response to a customer request must be free of charge, once per customer during any 12-month period. Controllers may charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive.
Authentication
Controllers may require reasonable authentication to verify a customer's identity before processing a request. Controllers are not required to authenticate opt-out requests. They may deny an opt-out request only if they have a reasonable and documented belief that the request is fraudulent.
Appeals Process
Controllers must establish a process for customers to appeal a refusal to act on a request. The controller has 60 days from receipt of an appeal to provide a written explanation of its decision. If the appeal is denied, the customer may submit the matter to the Rhode Island Attorney General.
Handling Third-Party Data
When a controller receives a deletion request for personal data obtained from a third-party source, it may comply by either retaining a record of the deletion request and refraining from further use of the data, or by opting the customer out of further processing.
Controller and Processor Responsibilities
Section 6-48.1-7 establishes the duties that controllers and their processors must fulfill.
Contract Requirements
Contracts between controllers and processors must specify processing instructions, data types covered, processing purposes, duration, and the rights and obligations of both parties. Processor contracts must require:
- Staff handling data to maintain confidentiality
- Deletion or return of data upon request, unless legally required to retain it
- Controller access to compliance-related information upon reasonable request
- Written subcontracts requiring subcontractors to meet the same standards as processors
- Independent assessments using recognized frameworks to verify compliance
Data Protection Assessments
Controllers must conduct and document data protection assessments for processing activities that present heightened risk. These assessments are required for:
- Targeted advertising
- Sale of personal data
- Profiling that creates a risk of unfair treatment or disparate impact
- Processing of sensitive data
The Rhode Island Attorney General may require controllers to disclose these assessments during investigations. Assessments are confidential and exempt from public records disclosure. Attorney-client privilege protections are preserved.
Processor Liability
If a processor independently determines the purposes and means of processing personal data beyond the controller's instructions, it becomes a controller for that processing and is subject to enforcement accordingly.
De-Identified Data Protections
Controllers possessing de-identified data must take reasonable measures to ensure the data cannot be associated with an individual. They must publicly commit to maintaining that separation. Any entity receiving de-identified data must contractually agree to comply with these provisions.
Enforcement and Penalties: No Cure Period
The RIDTPPA's enforcement provisions under Section 6-48.1-8 set it apart from most other state privacy laws.
Attorney General Exclusive Enforcement
The Rhode Island Attorney General has exclusive authority to enforce the RIDTPPA. There is no private right of action. Consumers cannot sue businesses directly for violations. Instead, they must file complaints with the Attorney General's office.
No Cure Period
Unlike the majority of state privacy laws that provide businesses a 30-day or 60-day cure period to fix violations before penalties apply, Rhode Island offers no cure period. The Attorney General can pursue enforcement action immediately upon determining a violation has occurred. Indiana and Kentucky, which share the January 1, 2026 effective date, both provide 30-day cure periods. Rhode Island provides none.
Penalty Structure
Violations of the RIDTPPA constitute deceptive trade practices under Rhode Island's commercial law. This subjects violators to:
- Civil penalties of up to $10,000 per violation under the deceptive trade practices framework
- Additional fines of $100 to $500 per disclosure for intentional unauthorized disclosure of personal data to shell companies or entities formed to circumvent the law
These penalties can accumulate rapidly. A single data processing operation affecting thousands of consumers could generate penalties in the millions of dollars.
No Private Right of Action
Section 6-48.1-8 explicitly states that nothing shall be construed to authorize any private right of action. All enforcement flows through the Attorney General.
Enforcement Status: Early Stage
The RIDTPPA took effect January 1, 2026. As of May 2026, the Attorney General's office has not announced any formal enforcement actions under the statute. The office has focused on education and compliance guidance for businesses in the initial months. Because no cure period exists, any formal investigation could proceed directly to penalty proceedings without advance warning.
AG Peter Neronha has maintained an active consumer protection posture in related areas. In 2026, his office joined a multistate coalition suing to block a federal agency's attempt to compel student data disclosures from colleges and universities, a case that demonstrates the office's willingness to use litigation as a data-protection tool.

Rhode Island Data Breach Notification Law
Separate from the RIDTPPA, Rhode Island's Identity Theft Protection Act of 2015, codified as R.I. Gen. Laws Chapter 11-49.3, governs how businesses must respond to data breaches.
Who Must Comply
Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data containing personal information must comply with breach notification requirements.
Notification Timelines
Entities must provide notification in the most expedient time possible, subject to these maximum deadlines:
- State and municipal agencies: No later than 30 calendar days after confirmation of the breach
- All other entities: No later than 45 calendar days after confirmation of the breach
Large Breach Requirements
When a breach affects more than 500 Rhode Island residents, the entity must notify:
- The Rhode Island Attorney General
- Major credit reporting agencies
These notifications must not delay notice to affected residents.
Required Notification Content
Breach notifications must include:
- A description of the incident and the number of individuals affected
- The types of personal information that were compromised
- The date or estimated date range of the breach
- The date the breach was discovered
- Information about remediation services, including contact details
- Instructions for filing police reports, placing security freezes, and any related fees
Remediation Requirements for Government Agencies
State and municipal agencies must provide identity theft protection services:
- Adults: A minimum of 5 years of coverage
- Minors: Coverage through age 18, plus at least 2 additional years
Law Enforcement Exception
Notification may be delayed if law enforcement determines it would impede a criminal investigation. Once the agency determines notification is safe, disclosure must occur as soon as practicable.
Breach Notification Penalties
Under Section 11-49.3-5, penalties for failing to comply with breach notification requirements include:
- Reckless violations: Up to $100 per record affected
- Knowing and willful violations: Up to $200 per record affected
The Rhode Island Attorney General has authority to initiate legal action whenever there is reasonable cause to believe a violation occurred and prosecution serves the public interest.
Rhode Island Deepfake and Synthetic Imagery Law (2025)
Rhode Island enacted additional protections against nonconsensual intimate imagery in 2025. Governor Daniel McKee signed H5046 and its companion bill S0136 into law on July 2, 2025, expanding the state's existing unauthorized dissemination law to cover AI-generated and digitally altered content.
The 2025 law criminalizes creating or distributing synthetic intimate images of a real person without their consent. Penalties are structured by offense:
- First offense: a misdemeanor, punishable by up to 1 year in prison and/or a fine of up to $1,000
- Subsequent offenses: a felony, punishable by up to 5 years in prison and/or a fine of up to $5,000
The legislation was signed into law amid a national wave of state deepfake statutes. Civil liberties groups raised concerns during the legislative process about overbreadth, particularly regarding satire and content involving public figures. Rhode Island courts have not yet addressed these questions in reported decisions.
Federal Privacy Laws That Apply in Rhode Island
Several federal privacy statutes apply to businesses operating in Rhode Island alongside state law.
TAKE IT DOWN Act (2025)
President Trump signed the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (TAKE IT DOWN Act), Pub. L. 119-12, on May 19, 2025. The criminal prohibition on publishing nonconsensual intimate imagery took effect immediately on signing. Covered platforms had one year to establish compliant notice-and-removal systems, making the platform compliance obligation effective May 19, 2026.
The FTC enforces the platform obligations under the Act. Covered platforms that receive a valid takedown request must remove the content and any known identical copies within 48 hours. Platforms that fail to comply face civil penalties of $53,088 per violation. Covered platforms include social media, messaging services, image and video sharing platforms, and gaming services. The TAKE IT DOWN Act applies nationwide, including in Rhode Island, and complements the state's own 2025 deepfake law.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA governs how covered entities and business associates handle protected health information. Healthcare providers, health plans, and healthcare clearinghouses in Rhode Island must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Entities regulated by HIPAA are exempt from the RIDTPPA.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Banks, credit unions, insurance companies, and securities firms in Rhode Island must comply with GLBA provisions. Financial institutions regulated by the GLBA are exempt from the RIDTPPA.
Children's Online Privacy Protection Act (COPPA)
COPPA applies to commercial websites and online services directed at children under 13 that collect personal information. The RIDTPPA requires controllers to process children's data in accordance with COPPA and deems compliance with COPPA's parental consent provisions as meeting Rhode Island's requirements for children's data.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. Schools and educational institutions in Rhode Island must comply with FERPA's requirements for handling student data. Educational records governed by FERPA are exempt from the RIDTPPA.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. Consumer reporting agencies and entities that use credit reports must comply with FCRA provisions. Data regulated by the FCRA is carved out from RIDTPPA coverage.
American Privacy Rights Act (APRA)
A federal comprehensive privacy bill, the American Privacy Rights Act, advanced through Congress in 2024 but did not pass. A revised version circulated in the 2025 legislative session. As of May 2026, no federal comprehensive privacy law has been enacted. Rhode Island's RIDTPPA remains the operative framework for covered businesses.
How Rhode Island Compares to Other State Privacy Laws
Rhode Island's approach to data privacy includes several features that distinguish it from peer statutes, including the two other laws that share its January 1, 2026 effective date.
January 1, 2026 State Privacy Law Comparison
| Feature | Rhode Island (RIDTPPA) | Indiana (INCDPA) | Kentucky (KCDPA) |
|---|---|---|---|
| Threshold (consumers) | 35,000 | 100,000 | 100,000 |
| Revenue threshold | 10,000 consumers + 20% revenue from sales | 25,000 consumers + 50% revenue from sales | 25,000 consumers + 50% revenue from sales |
| Cure period | None | 30 days | 30 days |
| Max penalty | $10,000 per violation | $7,500 per violation | $7,500 per violation |
| Future recipients disclosure | Required | Not required | Not required |
| Private right of action | No | No | No |
| Enforcer | Attorney General | Attorney General | Attorney General |

No Cure Period
Most state privacy laws give businesses 30 to 60 days to fix violations before penalties apply. Rhode Island skips this step entirely. The Attorney General can take enforcement action immediately without providing any opportunity to cure.
Future Data Recipients Disclosure
While other states require businesses to disclose the third parties they currently share data with, Rhode Island goes further by requiring disclosure of third parties to whom the controller "may sell" personal information in the future. This forward-looking requirement creates additional compliance burdens not found in comparable laws.
Lower Applicability Thresholds
Rhode Island's threshold of 35,000 residents (or 10,000 with 20% revenue from data sales) is substantially lower than most other states, capturing a proportionally larger share of businesses given the state's smaller population.
Broad Privacy Notice Requirements
The transparency requirements under Section 6-48.1-3 apply to any commercial website or internet service provider collecting and selling personal information in Rhode Island, extending well beyond the processing thresholds that govern most other provisions of the law.
Deceptive Trade Practice Classification
By classifying violations as deceptive trade practices, Rhode Island can leverage its existing consumer protection enforcement infrastructure. This gives the Attorney General well-established legal tools and precedent for pursuing violators.
Practical Compliance Steps for Businesses
Businesses that handle personal data of Rhode Island residents should take the following steps if they meet the applicability thresholds:
- Audit your data inventory. Identify all categories of personal data you collect from Rhode Island residents, including through website analytics, purchase records, and account information.
- Update your privacy notice. Disclose all third parties to whom you currently sell personal data and all third parties to whom you may sell it in the future. This is the most operationally distinctive requirement of the RIDTPPA.
- Build a rights-request process. Establish a mechanism for consumers to submit access, correction, deletion, portability, and opt-out requests. You must respond within 45 days.
- Create a consent mechanism for sensitive data. If you process sensitive data categories (health, biometric, precise geolocation, children's data, etc.), you need opt-in consent before processing begins.
- Implement consent revocation. Provide a mechanism for consumers to revoke consent, and suspend processing within 15 days of receiving a revocation.
- Establish an appeals process. Set up a procedure for consumers to appeal denied requests, with written responses required within 60 days.
- Execute processor contracts. If you use vendors who process personal data on your behalf, ensure your contracts include the elements required by Section 6-48.1-7.
- Conduct data protection assessments. Document assessments for high-risk processing activities: targeted advertising, data sales, profiling, and sensitive data processing.
- Prepare for immediate enforcement. Because no cure period exists, treat compliance as a day-one obligation, not as a failure that can be corrected later.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently and enforcement interpretations evolve over time. Consult a licensed attorney in Rhode Island for advice about your specific situation. Information verified May 2026.
Frequently Asked Questions
When did the Rhode Island Data Transparency and Privacy Protection Act take effect?
The RIDTPPA took effect on January 1, 2026. Governor Daniel McKee transmitted the law without signature on June 25, 2024, after the General Assembly passed it through companion bills H7787 and S2500. It is codified as R.I. Gen. Laws Chapter 6-48.1.
Does Rhode Island give businesses a chance to fix data privacy violations before imposing penalties?
No. Rhode Island is one of the few states that provides no cure period. The Attorney General can pursue enforcement action immediately upon determining a violation has occurred. Most other states provide 30 to 60 days for businesses to remedy violations before penalties apply. Indiana and Kentucky, which share the January 1, 2026 effective date, both allow 30-day cure periods; Rhode Island's law contains no such provision.
Can I sue a company directly for violating my data privacy rights in Rhode Island?
No. The RIDTPPA does not include a private right of action. Only the Rhode Island Attorney General can enforce the law. If you believe a company has violated your data privacy rights, you can file a complaint with the Rhode Island Attorney General's office at riag.ri.gov.
What makes Rhode Island's data privacy law different from other states?
The RIDTPPA stands out in several ways: it has no cure period, requires businesses to disclose potential future data recipients (not just current ones), sets lower applicability thresholds at 35,000 consumers, and classifies violations as deceptive trade practices carrying up to $10,000 per violation. The law also applies its privacy notice requirements broadly to any commercial website selling personal data in Rhode Island, regardless of the standard processing thresholds.
How quickly must a business notify me of a data breach in Rhode Island?
Private businesses must notify affected Rhode Island residents within 45 calendar days of confirming a breach. State and municipal agencies have a shorter deadline of 30 calendar days. If a breach affects more than 500 residents, the entity must also notify the Rhode Island Attorney General and major credit reporting agencies. Notifications must include details about the breach, the types of information affected, and instructions for obtaining identity protection services.
How does Rhode Island's privacy law compare to Indiana's and Kentucky's?
All three laws took effect January 1, 2026. Indiana's and Kentucky's laws are modeled on Virginia's, with 100,000-consumer thresholds and 30-day cure periods; penalties cap at $7,500 per violation. Rhode Island has a lower 35,000-consumer threshold, no cure period, a higher $10,000 maximum penalty, and a unique requirement to disclose potential future data recipients. Rhode Island's is the stricter law by every enforcement metric.
Is there a federal deepfake law that applies in Rhode Island?
Yes. The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, criminalizes publishing nonconsensual intimate imagery, including AI-generated deepfakes. Starting May 19, 2026, covered platforms must remove flagged content within 48 hours of a valid request. The FTC enforces the platform obligations and can impose civil penalties of $53,088 per violation. Rhode Island also enacted its own complementary deepfake law on July 2, 2025.
Does Rhode Island have its own deepfake law?
Yes. Rhode Island enacted H5046/S0136, signed into law on July 2, 2025, which criminalizes distributing synthetic intimate imagery of a real person without their consent. First offenses are misdemeanors (up to 1 year in prison and a $1,000 fine); subsequent offenses are felonies (up to 5 years and a $5,000 fine). This state law applies independently of the federal TAKE IT DOWN Act.