Rhode Island businesses and any company with Rhode Island customers are officially on the clock. The Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA” or “the Act”) takes effect January 1, 2026, meaning compliance deadlines are quickly approaching. Unlike many other state privacy laws, the Act provides no right to cure violations before penalties apply. With potential fines of up to $10,000 per violation, businesses should begin compliance efforts now by reviewing data practices, updating privacy notices, and preparing consumer rights workflows before year-end.
Key Definitions: Controllers and Processors
The Act follows the same framework used in other state privacy laws and the European Union’s General Data Protection Regulation (GDPR) by distinguishing controllers and processors:
- Controller: The individual or business that decides why personal data is collected and how it will be used. For example, a retailer deciding to collect customer email addresses for marketing purposes is acting as a controller.
- Processor: The individual or business that handles personal data on behalf of a controller. For example, an email marketing platform that sends the retailer’s promotional emails is a processor.
Controllers carry the primary responsibility for complying with the Act. They must implement safeguards to protect personal data, obtain consent before processing sensitive data (defined to include data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data), honor consumer opt-out requests, and respond to consumer rights requests within the required timeline.
Who Must Comply with the RIDTPPA
The RIDTPPA applies to for-profit businesses that either conduct business in Rhode Island or offer products or services to Rhode Island residents. A business is covered if, during the previous calendar year, it:
- Controlled or processed the personal data of at least 35,000 Rhode Island residents (excluding data used solely to complete payment transactions), or
- Controlled or processed the personal data of at least 10,000 Rhode Island residents and derived 20 percent or more of its gross revenue from the sale of personal data.
These thresholds are lower than those in many other state privacy laws, which means that even small and mid-size companies may fall under the Act's requirements. Separately, the Act's disclosure requirements (described below) apply to commercial websites and internet service providers (ISPs) that do business in Rhode Island or have Rhode Island customers, regardless of whether they meet these numerical thresholds.
Exemptions
The Act does not apply to:
- Rhode Island government agencies.
- Nonprofit organizations.
- Institutions of higher education.
- Financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA).
- HIPAA-covered entities or business associates.
In addition, certain data is excluded, including:
- Data already regulated by GLBA, HIPAA, Family Educational Rights and Privacy Act (FERPA), or Fair Credit Reporting Act (FCRA).
- Data processed in the employment context (for example, data collected about job applicants, employees, or contractors).
- Data processed in a business-to-business (B2B) context, meaning data exchanged as part of providing goods or services to another business.
New Privacy Rights for Rhode Island Residents
One of the most significant features of the RIDTPPA is the set of rights it grants to Rhode Island residents, giving individuals greater control over how their personal data is used. Covered businesses must create secure, reliable, and easy-to-use processes that allow consumers to:
- Obtain a Copy: Request a copy of their personal data in a portable and readily usable format.
- Correct: Ask businesses to correct inaccuracies in their personal data.
- Delete: Request deletion of personal data, subject to legal or contractual limitations.
- Opt Out: Refuse the sale of personal data, processing for targeted advertising, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Controllers must respond within 45 days of receiving a request (with one 45-day extension allowed if reasonably necessary, provided the consumer is told of the extension and the reason for it within the initial period) and may not discriminate against consumers who exercise these rights. Controllers must also describe an appeals process in their privacy notice and explain the reason for any denial. Consumers whose appeals are denied must be given a way to submit a complaint to the Rhode Island Attorney General.
Transparency Requirements for Data Sellers
In addition to consumer rights, the RIDTPPA imposes specific disclosure requirements on commercial websites and ISPs. They must clearly state:
- Categories of Data Collected: All categories of personal data collected.
- Third Parties Receiving Data: The names or categories of all third parties to whom personal data has been or may be sold.
- Contact Information: An active email address or other online mechanism that consumers can use for inquiries.
- Targeted Advertising and Data Sales: Whether personal data is sold or used for targeted advertising.
Business Compliance Obligations
Covered businesses must also meet operational requirements, including:
- Limit Data Processing: Process only what is reasonably necessary and disclosed to the consumer.
- Implement Security Measures: Maintain reasonable administrative, technical, and physical safeguards.
- Honor Revocation of Consent: Provide an effective mechanism for consumers to revoke consent, and cease processing the affected data within 15 days of receiving the revocation.
- Obtain Consent for Sensitive Data: Controllers must obtain a consumer’s consent before processing sensitive data, as defined above.
- Conduct Data Protection Assessments: Document risk assessments for high-risk processing such as targeted advertising, data sales, and profiling.
- Review and Maintain Compliant Vendor Contracts: Include processing instructions, confidentiality obligations, deletion/return requirements, and audit rights in all processor agreements.
Processors must follow controller instructions, maintain confidentiality, and assist with compliance. If a processor begins determining the purposes of processing, it becomes a controller and assumes full obligations.
Enforcement and Penalties
The Rhode Island Attorney General has exclusive enforcement authority under the RIDTPPA. Violations are treated as deceptive trade practices and carry significant risks:
- Civil Penalties: Up to $10,000 per violation for noncompliance.
- Fines for Intentional Disclosures: $100 to $500 for each intentional disclosure of personal data in violation of the Act.
Unlike many other state privacy laws, the Act provides no right to cure, so businesses must be compliant on day one to avoid immediate penalties.
Seven Steps to RIDTPPA Compliance
Businesses should prepare now to avoid penalties:
- Perform a Data Inventory and Gap Analysis: Map all personal data collected, processed, stored, and shared. Identify legal bases for processing and compare current practices against the RIDTPPA’s requirements.
- Update Privacy Notices: Include categories of data collected, identify third parties who may receive the data, and provide clear contact information for consumer inquiries.
- Build Consumer Rights Workflows: Create intake, identity verification, and response processes for access, correction, deletion, and opt-out requests. Verify the requester before releasing or deleting any data; an access request fulfilled for the wrong person is itself an unauthorized disclosure. Test the workflows end to end to confirm requests can be fulfilled within 45 days, including the cases that need the 45-day extension.
- Review and Update Vendor Contracts: Confirm that controller-processor agreements include processing instructions, confidentiality obligations, deletion or return provisions, and audit rights.
- Implement Security Measures: Test and document administrative, technical, and physical safeguards to protect personal data from unauthorized access or disclosure.
- Conduct Data Protection Assessments: Document risk assessments for higher-risk processing activities such as targeted advertising, data sales, and profiling.
- Train Employees: Educate staff handling consumer data on the new requirements and internal processes to ensure timely and compliant responses.
Conclusion
Preparation before January 1, 2026, is critical. The RIDTPPA reflects the ongoing expansion of consumer privacy rights across the United States. Companies that act now by mapping data, updating privacy notices, reviewing vendor agreements, and preparing consumer rights workflows will not only meet the Act’s requirements but also strengthen overall privacy governance and build consumer trust. Working with experienced counsel can help businesses anticipate compliance challenges, reduce risk, and implement practical solutions tailored to their operations.