RIDTPPA Consumer Rights in Rhode Island Explained

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), R.I. Gen. Laws ch. 6-48.1, gives Rhode Island residents five core data rights as of its January 1, 2026 effective date: the right to confirm and access their personal data, correct inaccuracies, delete data, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and certain profiling. These rights live in section 6-48.1-5, and the process for exercising them is in section 6-48.1-6.

A controller must respond to a rights request within 45 days, with one possible 45-day extension, and must provide the information free of charge once per 12-month period. If a controller refuses a request, the customer can appeal, and the controller has 60 days to respond to that appeal. Enforcement is handled solely by the Rhode Island Attorney General; there is no private right of action under section 6-48.1-8.

Jurisdiction scope: This covers Rhode Island's Data Transparency and Privacy Protection Act (R.I. Gen. Laws ch. 6-48.1). It is general legal information, not legal advice.

The five core consumer rights under the RIDTPPA

Section 6-48.1-5 sets out the rights that Rhode Island customers can exercise against a covered controller. The statute uses the term "customer," defined in section 6-48.1-2 as an individual residing in Rhode Island acting in an individual or household context. Data about people acting in a commercial or employment context is generally outside that definition.

The first right is confirmation and access. A customer may confirm whether a controller is processing the customer's personal data and access that data. This is the entry point for the other rights, because it lets a person see what a business holds before deciding what to do about it.

The second and third rights are correction and deletion. A customer may correct inaccuracies in the customer's personal data, taking into account the nature of the data and the purposes of processing, and may delete personal data "provided by, or obtained about," the customer. The deletion right reaches both data a customer supplied directly and data the controller gathered from other sources.

The fourth right is data portability. A customer may obtain a copy of personal data the controller processes in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without hindrance.

The opt-out rights: advertising, sale, and profiling

The fifth right under section 6-48.1-5 is the opt-out, and it has three parts. A customer may opt out of the processing of personal data for purposes of targeted advertising. A customer may opt out of the sale of personal data. And a customer may opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

The definition of "sale" matters for the second opt-out. Under section 6-48.1-2, a sale is the exchange of personal data for monetary or other valuable consideration by the controller to a third party. The "other valuable consideration" language means a sale is not limited to cash transactions, though the statute lists exclusions for transfers to processors, affiliates, and certain transactions.

Profiling that triggers the third opt-out is narrow. It applies to solely automated decisions that produce legal or similarly significant effects, the kind of automated decision-making that determines access to things like credit, housing, employment, insurance, or essential services. Routine personalization that does not produce a legally significant effect falls outside this opt-out.

Rhode Island differs from several newer state laws in one respect: it does not require controllers to honor a universal opt-out preference signal. Section 6-48.1-6 allows a customer to use an authorized agent to submit an opt-out request, but the statute does not mandate recognition of a browser-level signal such as the Global Privacy Control. Customers exercise opt-outs through whatever mechanism the controller provides.

How to exercise your rights: the request process

Section 6-48.1-6 governs how a customer submits a request and how a controller must respond. A controller must establish a secure and reliable means for customers to submit requests, and that method must take into account the ways customers normally interact with the controller and the need for secure authentication.

A controller must respond to a request without undue delay, but not later than 45 days after receipt. The controller may extend the response period by 45 additional days when reasonably necessary, taking into account the complexity and number of requests, and must tell the customer about any extension within the initial 45-day window along with the reason for the delay.

Information provided in response to a request must be free of charge once per customer during any 12-month period. If requests from a customer are manifestly unfounded, excessive, or repetitive, the controller may either charge a reasonable fee to cover administrative costs or decline to act, but the controller bears the burden of demonstrating that the request meets that standard.

Authentication is built into the process. If a controller cannot authenticate a request using commercially reasonable efforts, it is not required to comply and may ask the customer to provide additional information. One exception is important: a controller is not required to authenticate an opt-out request, which keeps the opt-out low-friction.

The appeal right

If a controller declines to act on a request, the customer is not without recourse. Section 6-48.1-6 requires a controller to establish a process for a customer to appeal the controller's refusal to take action within a reasonable period after the customer receives the decision. The appeal process must be conspicuously available and similar to the process for submitting the original request.

Not later than 60 days after receipt of an appeal, the controller must inform the customer in writing of any action taken or not taken in response, along with a written explanation of the reasons supporting the decision. If the controller denies the appeal, it must provide the customer with an online mechanism or other method to contact the Rhode Island Attorney General to submit a complaint.

This appeal-to-regulator pathway is how individual complaints reach the enforcer. Because there is no private right of action under section 6-48.1-8, the Attorney General complaint channel is the practical route for a customer who believes a controller mishandled a request.

The transparency disclosures consumers can rely on

Beyond the request rights, Rhode Island customers benefit from the RIDTPPA's distinctive transparency duty in section 6-48.1-3. Any commercial website or internet service application that operates in Rhode Island or serves Rhode Island customers and collects personal data must publish three things customers can read before deciding whether to exercise their rights.

The controller must identify all of the categories of personal data it collects through the site or application. The controller must identify all third parties to whom it has sold or may sell customers' personally identifiable information. And the controller must provide an active means for a customer to contact it about its data practices.

The second disclosure is unusual. Most state privacy laws ask only for the categories of third parties a controller shares data with. Rhode Island's text requires the controller to "identify all third parties" to whom it has sold or may sell data, a more granular disclosure that gives customers a clearer picture of where their information may go. A controller that sells personal data or processes it for targeted advertising must also clearly and conspicuously disclose that processing under section 6-48.1-3.

Sensitive data and consent rights

Customers also have consent-based protection for sensitive data. Under section 6-48.1-4, a controller may not process a customer's sensitive data without obtaining the customer's consent, and may not process the sensitive data of a known child except with consent and in accordance with the federal Children's Online Privacy Protection Act.

Sensitive data is defined broadly in section 6-48.1-2. It includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data used to identify a person, data collected from a known child, and precise geolocation data.

Consent must be revocable. Section 6-48.1-4 requires a controller to provide customers with a mechanism to grant and revoke consent that is at least as easy as the mechanism by which consent was given, and the controller must stop processing within 15 days of receiving a revocation. That makes the sensitive-data consent right a continuing one rather than a one-time choice.

Related guides

• Rhode Island data privacy laws parent hub
• What is the RIDTPPA?
• RIDTPPA compliance checklist
• State data privacy law comparison
• What is the CCPA?

Sources