Rhode Island Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Rhode Island does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, biometric data protections in the state come from the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative consent before processing.
Governor Daniel McKee signed House Bill 7787 into law on June 29, 2024, making Rhode Island one of the first 20 states to enact a comprehensive consumer data privacy law. The RIDTPPA took effect on January 1, 2026.
For an overview of Rhode Island's broader privacy framework, see the parent guide to Rhode Island Data Privacy Laws.

How the RIDTPPA Defines Biometric Data
The RIDTPPA defines biometric data under R.I. Gen. Laws 6-48.1-2 as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The law draws a clear boundary around what does not qualify. A physical or digital photograph, a video recording, or an audio recording is not biometric data unless that data is specifically processed to identify a particular individual.
This definition follows the approach used in Connecticut, Kentucky, and several other state comprehensive privacy laws. It is narrower than the definition found in Illinois's BIPA, which covers a broader set of biometric identifiers.
Sensitive Data Classification and Consent Requirements
Under the RIDTPPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection category in the law.
Other categories of sensitive data under R.I. Gen. Laws 6-48.1-2 include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sexual orientation
- Sex life
- Citizenship or immigration status
- Genetic data processed for identification
- Precise geolocation data (within 1,750 feet)
- Personal data collected from a known child under 13
Consent requirement. Controllers must obtain a customer's opt-in consent before processing sensitive data, including biometric data. Under R.I. Gen. Laws 6-48.1-4, a business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without first obtaining your affirmative agreement.
This consent must be a "clear, affirmative act" that is freely given, specific, informed, and unambiguous. A buried clause in a terms-of-service agreement does not qualify. The statute specifically prohibits the use of dark patterns to obtain consent.
Consent revocation. Customers have the right to revoke their consent at any time. Once a customer withdraws consent, the controller must stop processing the biometric data as soon as practicable and no later than 15 days after receiving the revocation request.
Who Must Comply With the RIDTPPA
The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and meet one of these thresholds:
- Process personal data of 35,000 or more Rhode Island customers during a calendar year (excluding data processed solely for payment transactions), or
- Process personal data of 10,000 or more Rhode Island customers and derive over 20% of gross revenue from the sale of personal data
The 35,000-customer threshold places Rhode Island at the lower end compared to states like Virginia and Colorado, which set their thresholds at 100,000 consumers. This means the RIDTPPA captures a broader range of businesses operating in the state.
Key Exemptions
The RIDTPPA carves out several categories of entities and data types from coverage:
Entity exemptions:
- Nonprofit organizations
- Government agencies and political subdivisions
- HIPAA-covered entities and their business associates
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Higher education institutions
Data exemptions:
- Healthcare information regulated under HIPAA
- Financial data governed by the GLBA
- Data covered by the Fair Credit Reporting Act (FCRA)
- Data under the Family Educational Rights and Privacy Act (FERPA)
- Data regulated under the Driver's Privacy Protection Act (DPPA)
- Employment-related data collected in a commercial or employment context
The employee data exemption is significant for biometric privacy. If your employer collects fingerprints for timekeeping or uses facial recognition for building access, the RIDTPPA does not regulate that activity.

Customer Rights Over Biometric Data
The RIDTPPA grants Rhode Island customers several rights regarding their personal data, including biometric data. Under R.I. Gen. Laws 6-48.1-5, you have the right to:
- Confirm whether a controller is processing your biometric data and access that data
- Correct inaccuracies in your personal data
- Delete your personal data, including biometric identifiers
- Obtain a portable copy of your data in a readily usable format
- Opt out of the processing of personal data for targeted advertising, sale of data, or profiling
Controllers must respond to these requests without unreasonable delay. The law also prohibits discrimination against customers who exercise their rights.
Data Protection Assessments for Biometric Processing
Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm to customers. Under R.I. Gen. Laws 6-48.1-7, this includes:
- Processing sensitive data (which includes biometric data)
- Processing personal data for targeted advertising
- Selling personal data
- Certain types of profiling that create foreseeable risks of unfair treatment or substantial customer injury
The law does not provide detailed guidance on what factors a controller should consider during these assessments. Data protection assessments conducted under other applicable laws (such as the GDPR or other state privacy laws) satisfy the RIDTPPA requirement if they are reasonably similar in scope.
This obligation applies only to processing activities that begin on or after January 1, 2026. It is not retroactive.
Transparency and Disclosure Requirements
The RIDTPPA imposes specific transparency obligations on controllers. Under R.I. Gen. Laws 6-48.1-3, businesses must:
- Identify all categories of personal data collected, including biometric data
- Disclose all third parties that receive personal data
- Clearly and conspicuously disclose when personal data is sold or used for targeted advertising
- Provide contact mechanisms for customer inquiries
- Make this information available in their customer agreement or another conspicuous location on their website
One notable and atypical feature of the RIDTPPA is the requirement to identify third parties to whom personally identifiable information has been sold or may be sold. Most state privacy laws only require disclosure of categories of third parties, not specific entities.

Enforcement and Penalties
The Rhode Island Attorney General holds exclusive enforcement authority under R.I. Gen. Laws 6-48.1-8. Key enforcement details include:
- Civil penalties up to $10,000 per violation, treated as deceptive trade practices under R.I. Gen. Laws Chapter 6-13.1
- $100 to $500 per violation for intentional disclosure of personal data
- No private right of action. Individual consumers cannot file lawsuits under the RIDTPPA
- No mandatory cure period. Unlike many other state privacy laws, the RIDTPPA does not give businesses an opportunity to fix violations before penalties apply
The absence of a cure period is a significant departure from the approach taken by states like Virginia and Indiana, which provide 30-day or 60-day windows for businesses to remedy violations. Rhode Island's approach gives the Attorney General more flexibility to pursue enforcement actions immediately.
To file a complaint about potential biometric data violations, contact the Rhode Island Attorney General's Office.
Breach Notification Requirements for Biometric Data
Separate from the RIDTPPA, Rhode Island's Identity Theft Protection Act (R.I. Gen. Laws 11-49.3) requires notification when a security breach compromises unencrypted personal information.
Notification timelines:
- Private entities: No later than 45 calendar days after confirmation of the breach
- State and municipal agencies: No later than 30 calendar days after confirmation of the breach
- Attorney General notification: Required when 500 or more Rhode Island residents are affected
- Law enforcement reporting: State and municipal agencies must report cybersecurity incidents to Rhode Island State Police within 24 hours
Encryption standard. The law defines encryption as the transformation of data through the use of a 128-bit or higher algorithmic process into a form with a low probability of assigning meaning without use of a confidential process or key. Data protected by 128-bit or higher encryption is not considered "unencrypted" and does not trigger notification obligations if the encryption key was not also compromised.
Required notification content:
- Description of the incident, including how the breach occurred and the number of affected individuals
- Type of information compromised
- Date of breach or estimated timeframe
- Date the breach was discovered
- Description of remediation services offered
- Contact information for credit agencies, the Attorney General, and relevant service providers
- Information about filing police reports and obtaining security freezes
Remediation services for government breaches. When a state or municipal agency is responsible for a breach, it must provide affected adults with a minimum of five years of credit monitoring and identity theft protection coverage. For minors, coverage must extend until age 18, plus a minimum of two additional years.
How Rhode Island Compares to Other States
Rhode Island's biometric data protections fall into the "comprehensive privacy law" category alongside states like Connecticut, Colorado, and Virginia. Here is how the RIDTPPA stacks up on key provisions:
| Feature | Rhode Island | Illinois (BIPA) | Texas (CUBI) |
|---|---|---|---|
| Law type | Comprehensive privacy | Standalone biometric | Standalone biometric |
| Consent required | Opt-in for sensitive data | Written informed consent | Informed consent |
| Private right of action | No | Yes | No |
| Cure period | None | N/A | 30 days |
| Penalties | Up to $10,000/violation | $1,000-$5,000/violation | Up to $25,000/violation |
| Enforcement | AG only | Private + AG | AG only |
| Employee data covered | No | Yes | Yes |
The most significant gap in Rhode Island's framework compared to states with standalone biometric laws is the exclusion of employee data. Illinois's BIPA and Texas's CUBI both cover biometric data collected in the workplace, while the RIDTPPA exempts employment-context data entirely.
Sources and References
This article references Rhode Island statutes and official state government publications. For the full text of the RIDTPPA, visit the Rhode Island General Assembly website. For the Identity Theft Protection Act, see R.I. Gen. Laws Chapter 11-49.3. For guidance on filing complaints, visit the Rhode Island Attorney General.
This article provides general legal information about Rhode Island biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Rhode Island government sources.
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-2 - RIDTPPA Definitions (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-4 - Processing of Information (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-5 - Customer Rights (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-7 - Controller and Processor Responsibilities (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-8 - Violations (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-3 - Information Sharing Practices (rilegislature.gov)
- R.I. Gen. Laws 11-49.3-4 - Breach Notification (rilegislature.gov)
- H.B. 7787 Substitute A as Amended (Enrolled Bill) (rilegislature.gov)
- Rhode Island Attorney General - Complaint Form (riag.ri.gov)