RIDTPPA Compliance Checklist for Rhode Island

Complying with the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), R.I. Gen. Laws ch. 6-48.1, comes down to a short list of concrete steps: confirm you are covered under the section 6-48.1-4 thresholds, publish the website third-party disclosure required by section 6-48.1-3, build a privacy notice and a rights-request workflow, get opt-in consent before processing sensitive data, and put processor contracts in place. The law took effect January 1, 2026, so these obligations are live as of 2026.
The signature compliance item is the section 6-48.1-3 transparency duty: a commercial website or internet service application that collects personal data must list the categories of data it collects and identify all third parties to whom it has sold or may sell that data. Enforcement is handled solely by the Rhode Island Attorney General under section 6-48.1-8, violations are treated as deceptive trade practices, and there is no statutory right to cure, so building compliance before a complaint arrives matters.
Jurisdiction scope: This covers Rhode Island's Data Transparency and Privacy Protection Act (R.I. Gen. Laws ch. 6-48.1). It is general legal information, not legal advice.
Step 1: Confirm whether you are covered
Start with the applicability test in section 6-48.1-4. The law applies to a person that conducts business in Rhode Island, or that produces products or services targeted to Rhode Island residents, and that during a calendar year controlled or processed the personal data of either of two groups.
The first trigger is 35,000 or more customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. The second trigger is 10,000 or more customers combined with deriving more than 20 percent of gross revenue from the sale of personal data.
Two things to map carefully. First, the statute uses "customer," defined in section 6-48.1-2 as an individual residing in Rhode Island acting in an individual or household context, so business-context and employment-context data generally does not count toward the thresholds. Second, several categories of entities and data sit outside the law under the exemptions in section 6-48.1-3, including government bodies, certain Gramm-Leach-Bliley financial institutions, HIPAA-covered health entities, and Fair Credit Reporting Act data. Map both your entity status and your data sets against those exemptions before concluding you are covered.
Step 2: Build the website third-party disclosure (the signature step)
If you operate a commercial website or internet service application that collects personal data, the most distinctive Rhode Island requirement applies to you. Section 6-48.1-3 requires the disclosure to do three specific things, and this is the item most likely to be missed by businesses that have copied a generic privacy policy from another state.
First, identify all of the categories of personal data the controller collects through the website or application. Second, identify all third parties to whom the controller has sold or may sell customers' personally identifiable information. Third, provide an active means by which a customer can contact the controller about its data practices.
The second element is the one to handle with care. Most state privacy laws ask for categories of third parties; Rhode Island's text says "identify all third parties" to whom you have sold or may sell data. Plan to maintain a current list of those third parties rather than a generic category statement. If you sell personal data or process it for targeted advertising, section 6-48.1-3 also requires you to clearly and conspicuously disclose that processing.

Step 3: Write a compliant privacy notice and rights workflow
Stand up a privacy notice and a request-handling process keyed to sections 6-48.1-5 and 6-48.1-6. Customers can confirm and access their data, correct inaccuracies, delete data, obtain a portable copy, and opt out of targeted advertising, sale, and certain profiling, so your intake form should let a customer select each of those rights.
The timing rules are concrete. Under section 6-48.1-6, you must respond to a request without undue delay and no later than 45 days after receipt, with one possible 45-day extension when reasonably necessary, communicated within the first 45 days. Information must be free of charge once per customer in any 12-month period. You may decline or charge for a request only if you can demonstrate it is manifestly unfounded, excessive, or repetitive.
Build an appeal channel too. If you refuse a request, you must offer a conspicuous appeal process and respond in writing within 60 days, and if you deny the appeal you must give the customer a way to file a complaint with the Rhode Island Attorney General. Note that you may not require authentication for an opt-out request, so keep the opt-out path low-friction.
Step 4: Get opt-in consent for sensitive data
Identify any sensitive data you process and gate it behind consent. Under section 6-48.1-4, you may not process a customer's sensitive data without the customer's consent, and you may not process the sensitive data of a known child except with consent and in accordance with the federal Children's Online Privacy Protection Act.
Sensitive data is defined broadly in section 6-48.1-2. It includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status, plus genetic or biometric data used to identify a person, data collected from a known child, and precise geolocation data.
Make consent revocable. Section 6-48.1-4 requires you to provide a mechanism to grant and revoke consent and to honor a revocation within 15 days of receipt. Audit your data flows so you know where sensitive data enters your systems and confirm an opt-in gate exists at each entry point.
Step 5: Put processor contracts and assessments in place
If you use vendors that process personal data on your behalf, section 6-48.1-7 requires a written contract. The contract must set out instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
The processor must also be bound to duties of confidentiality, to delete or return data at the end of the engagement, to make information available to demonstrate compliance, to flow down requirements to subcontractors, and to cooperate with assessments. Inventory your vendors and confirm each contract carries these terms before processing begins.
Section 6-48.1-7 also requires a data protection assessment for higher-risk processing. You must conduct and document an assessment for each processing activity that presents a heightened risk of harm, which the statute identifies as targeted advertising, the sale of personal data, profiling that carries certain risks, and the processing of sensitive data. Keep these assessments on file, because the Attorney General may request them in an investigation.

Step 6: Understand enforcement and penalties
Enforcement under the RIDTPPA is straightforward and entirely public. Section 6-48.1-8 gives the Rhode Island Attorney General sole enforcement authority, and it expressly states that nothing in the section authorizes a private right of action. A customer cannot sue a business directly; the enforcement route is a complaint to the Attorney General.
Violations are treated as deceptive trade practices in violation of R.I. Gen. Laws ch. 6-13.1, which is Rhode Island's Deceptive Trade Practices Act and supplies the Attorney General's enforcement toolkit. Section 6-48.1-8 also sets a specific penalty for one kind of violation: a person who intentionally discloses personal data in violation of the chapter, or to a shell company formed to circumvent it, faces a civil penalty of not less than $100 and not more than $500 for each such disclosure.
Two compliance realities follow. First, the per-disclosure structure means penalties can scale quickly when many records are involved. Second, unlike several other state privacy laws, the RIDTPPA does not provide a statutory right to cure, so a covered business should not count on a grace period to fix a problem after the Attorney General identifies it. Building the controls above before launch, rather than after a complaint, is the safer posture.
RIDTPPA compliance at a glance
| Obligation | Statute | Key requirement |
|---|---|---|
| Coverage check | 6-48.1-4 | 35,000 or more customers, or 10,000 or more customers plus more than 20% of gross revenue from data sales |
| Website disclosure | 6-48.1-3 | List data categories and identify all third-party recipients |
| Privacy notice and rights | 6-48.1-5, 6-48.1-6 | 45-day response (one 45-day extension), one free response per 12 months, 60-day appeal decision |
| Sensitive data | 6-48.1-4 | Opt-in consent; honor revocation within 15 days |
| Processor contracts | 6-48.1-7 | Written terms and data protection assessments |
| Enforcement | 6-48.1-8 | AG only; $100 to $500 per intentional disclosure; no cure |
Sources and References
- R.I. Gen. Laws 6-48.1-3: Information sharing practices (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-4: Processing of information (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-5: Customer rights (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-6: Exercising customer rights (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-7: Controller and processor responsibilities (rilegislature.gov)
- R.I. Gen. Laws 6-48.1-8: Violations (rilegislature.gov)
- Rhode Island Office of the Attorney General (riag.ri.gov)