Rhode Island
What Is the RIDTPPA? Rhode Island Data Privacy Act
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), codified at R.I. Gen. Laws ch. 6-48.1, is Rhode Island's first comprehensive consumer data privacy law. It was enacted in 2024 through companion bills H 7787 and S 2500, became law in June 2024 without the governor's signature, and takes effect on January 1, 2026. The law gives Rhode Island residents rights to access, correct, delete, and port their personal data and to opt out of targeted advertising, data sales, and certain profiling.
As of 2026, the RIDTPPA is enforced exclusively by the Rhode Island Attorney General, with violations treated as deceptive trade practices under R.I. Gen. Laws ch. 6-13.1. There is no private right of action and no statutory right to cure, so a covered business does not get a guaranteed grace period to fix a violation before the Attorney General can act.
Jurisdiction scope: This covers Rhode Island's Data Transparency and Privacy Protection Act (R.I. Gen. Laws ch. 6-48.1). It is general legal information, not legal advice.
What the RIDTPPA is: statute, enactment, and effective date
The Rhode Island Data Transparency and Privacy Protection Act is Rhode Island's first omnibus consumer privacy statute. It is codified in the General Laws at chapter 6-48.1, and section 6-48.1-1 provides that the chapter "shall be known and may be cited as" the Rhode Island Data Transparency and Privacy Protection Act. The name itself signals the law's focus on transparency about data sharing.
The chapter was created during the 2024 legislative session through two companion bills, H 7787 in the House and S 2500 in the Senate. The legislation cleared the General Assembly in June 2024 and became law that month. Section 6-48.1-4 sets a single effective date of January 1, 2026, giving covered businesses roughly eighteen months to prepare before their obligations begin.
As of 2026, that effective date has arrived and the law is operative. Rhode Island joins a large group of states with omnibus privacy statutes loosely modeled on the framework first adopted in Virginia and Connecticut. The RIDTPPA shares much of that structure, including controller and processor roles, a consumer rights catalog, and opt-in consent for sensitive data. For the full controller and processor obligations, see the Rhode Island data privacy laws parent page.
Why the RIDTPPA is viewed as a lighter-touch law
Privacy practitioners widely describe the RIDTPPA as one of the more lightly drafted state privacy laws, and that nuance is worth stating plainly. The statute borrows the familiar rights catalog and the opt-in sensitive-data rule, but it omits several guardrails that newer laws include and uses looser drafting in places.
Two omissions stand out. First, the RIDTPPA does not require controllers to honor a universal opt-out preference signal such as the Global Privacy Control, a mechanism that Colorado, Connecticut, and a growing number of states now mandate. Section 6-48.1-6 describes how customers exercise their rights and permits authorized agents, but it contains no universal opt-out signal obligation. Second, the law provides no statutory right to cure, yet it also does not include the detailed data-minimization and contracting scaffolding that some sister statutes spell out at length.
The result is a law that grants real consumer rights but is generally seen as less prescriptive than the Connecticut or Colorado models. Businesses that already comply with a stricter state law will usually clear the Rhode Island bar with little additional work. The one place where Rhode Island asks for something distinctive is its website third-party disclosure duty, discussed next.
The signature feature: website third-party disclosure
The RIDTPPA's most distinctive requirement lives in section 6-48.1-3, titled "Information sharing practices." It applies to any commercial website or internet service application that operates in Rhode Island or serves Rhode Island customers and that collects personal data. That controller must, in its customer-facing disclosure, do three things.
It must identify all of the categories of personal data that the controller collects through the website or application. It must identify all third parties to whom the controller has sold or may sell customers' personally identifiable information. And it must provide an active means by which a customer can contact the controller about its data practices.
The second item is the quirk. Most state privacy laws ask only for the categories of third parties with whom a controller shares data. Rhode Island's text reaches further, requiring a controller to "identify all third parties" to whom it "has sold or may sell" personal data. Read literally, that is a broader naming duty than the category-level disclosures elsewhere, and it is the feature that gives the act its "transparency" name. Section 6-48.1-3 also requires a controller that sells personal data or processes it for targeted advertising to clearly and conspicuously disclose that processing.
Who the RIDTPPA covers: applicability thresholds
The applicability test sits in section 6-48.1-4. The law reaches a person that conducts business in Rhode Island, or that produces products or services targeted to Rhode Island residents, and that during a calendar year controlled or processed the personal data of either of two groups.
The first trigger is 35,000 or more customers, "excluding personal data controlled or processed solely for the purpose of completing a payment transaction." The payment carve-out means a retailer does not count routine card transactions toward the threshold when the only data involved is what is needed to complete that single purchase.
The second trigger is 10,000 or more customers, but only when the business "derived more than twenty percent (20%) of their gross revenue from the sale of personal data." This lower headcount captures data-driven businesses whose revenue depends on selling personal information. The 20 percent figure is notable, because several other state laws set the comparable revenue test at 25 percent, so Rhode Island's data-sale trigger is slightly easier to meet.
A defined term matters here. The statute uses "customer" rather than "consumer," and section 6-48.1-2 defines a customer as an individual residing in Rhode Island acting in an individual or household context. Data about people acting in a commercial or employment context is generally outside that definition.
Sensitive data and the opt-in consent rule
Sensitive data sits at the center of the RIDTPPA because processing it requires opt-in consent. Under section 6-48.1-4, a controller "shall not process sensitive data concerning a customer without obtaining customer consent," and may not process the sensitive data of a known child except with consent and in accordance with the federal Children's Online Privacy Protection Act. Consent must be a clear affirmative act, not a pre-checked box or inferred from inaction.
The definition of sensitive data in section 6-48.1-2 is broad. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data processed to uniquely identify an individual, personal data collected from a known child, and precise geolocation data.
Because sensitive data triggers an opt-in gate, the breadth of the definition has operational weight. A business that processes health information, immigration status, biometric identifiers, or precise location must obtain affirmative consent before that processing begins. Section 6-48.1-4 also requires a controller to give customers a way to grant and revoke consent, and to honor a revocation within 15 days of receipt.
RIDTPPA vs. CCPA: the key differences
Rhode Island's RIDTPPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the RIDTPPA and California's CCPA stand out.
| Feature | Rhode Island RIDTPPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 35,000 customers, or 10,000 plus 20% of revenue from data sales; no dollar floor | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Third-party disclosure | Must identify all third parties sold or may sell to (6-48.1-3) | Categories of third parties disclosed |
| Sensitive data | Opt-in consent required (6-48.1-4) | Right to limit use; opt-out model |
| Universal opt-out signal | Not required | Required (GPC recognized) |
| Private right of action | None (6-48.1-8) | Limited, for certain data breaches |
The most consequential difference is the coverage net. Rhode Island's 35,000-customer threshold and the absence of a dollar-revenue floor pull in companies that California's $25 million revenue trigger would leave out, even though California's law is often described as the strictest in the country on other dimensions.
The two laws also differ on the universal opt-out signal and on sensitive data. California requires recognition of opt-out preference signals such as the Global Privacy Control and uses a "right to limit" the use of sensitive personal information. Rhode Island does not mandate a universal opt-out signal and instead requires opt-in consent before sensitive data may be processed. Where Rhode Island goes further than California is its named third-party disclosure duty under 6-48.1-3.
Related guides
- Rhode Island data privacy laws parent hub
- RIDTPPA consumer rights
- RIDTPPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- R.I. Gen. Laws Chapter 6-48.1: Rhode Island Data Transparency and Privacy Protection Act (Section Index)(rilegislature.gov).gov
- R.I. Gen. Laws 6-48.1-1: Short title(rilegislature.gov).gov
- R.I. Gen. Laws 6-48.1-2: Definitions(rilegislature.gov).gov
- R.I. Gen. Laws 6-48.1-3: Information sharing practices(rilegislature.gov).gov
- R.I. Gen. Laws 6-48.1-4: Processing of information(rilegislature.gov).gov
- R.I. Gen. Laws 6-48.1-8: Violations(rilegislature.gov).gov
- Rhode Island Office of the Attorney General(riag.ri.gov).gov