Rhode Island became the twentieth state in the United States to pass a consumer privacy bill with the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) on June 28, 2024. The law will take effect on January 1, 2026, giving businesses a year and a half to prepare for compliance.
We look at the RIDTPPA, how it protects consumers, and who must comply with its provisions.
What is the Rhode Island Data Transparency and Privacy Protection Act?
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is a regulation that aims to safeguard the privacy and personal data of Rhode Island’s million-plus residents. It establishes obligations for businesses that operate in the state or provide products and services to its residents, known as “customers” under the law, and process their personal data.
Under the RIDTPPA, a customer is an individual who is a Rhode Island resident and who is “acting in an individual or household context.” The definition explicitly excludes residents acting in a commercial or employment capacity. Customers under the Rhode Island law are referred to as “consumers” under other states’ consumer privacy laws.
Consistent with other US state-level data privacy laws, Rhode Island follows an opt-out consent model, so in many cases individuals’ consent is not required before data collection and processing. The law does, however, require businesses to enable individuals to opt out and to provide clear explanations to customers regarding:
- categories of personal data they collect
- third parties with whom the data may be shared
- whether the data is sold or processed for targeted advertising
Notably, the RIDTPPA differs from many other US state-level data privacy laws in that it doesn’t require companies to inform customers about the purposes of data processing.
Definitions under the Rhode Island Data Transparency and Privacy Protection Act
The Rhode Island privacy law defines several key terms related to the data it protects and the data processing activities it regulates.
Personal data under the RIDTPPA
The RIDTPPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.”
The Rhode Island privacy law does not provide specific examples of what constitutes personal data. Common types that businesses collect include a customer’s name, Social Security number, email address, phone number, or driver’s license number.
Sensitive data under the RIDTPPA
Sensitive data is personal data that could harm customers if abused, and includes:
- racial or ethnic origin
- religious beliefs
- mental or physical health condition or diagnosis
- sexual orientation
- citizenship or immigration status
- processing of genetic or biometric data for the purpose of uniquely identifying an individual
- personal data collected from a known child (under 13 years of age)
- precise geolocation data that can accurately identify an individual’s specific location within a radius of 1,750 feet or 533.4 meters
Controller under the RIDTPPA
The Rhode Island privacy law defines a controller as “an individual who, or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.”
The law requires any commercial website or internet service provider that:
- conducts business in Rhode Island
- has customers in Rhode Island
- is otherwise subject to Rhode Island jurisdiction
to designate a controller.
Processor under the RIDTPPA
A processor under the RIDTPPA is “an individual who, or legal entity that, processes personal data on behalf of a controller.”
Sale of personal data under the RIDTPPA
Under the Rhode Island data privacy law, sale of personal data means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
The definition excludes:
- disclosure of personal data to a processor that processes it on the controller’s behalf
- disclosure of personal data to a third party for purposes of providing a product or service the customer requested
- disclosure or transfer of personal data to a controller’s affiliate
- disclosure of personal data where the customer directs the controller to disclose the data or intentionally uses the controller to interact with a third party
- disclosure of personal data that the customer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience
- disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets
Targeted advertising under the RIDTPPA
The Rhode Island privacy law defines targeted advertising as “displaying advertisements to a customer where the advertisement is selected based on personal data obtained or inferred from that customer’s activities over time and across nonaffiliated Internet websites or online applications to predict such customer’s preferences or interests.”
The definition excludes:
- ads based on activities within a controller’s own Internet websites or online apps
- ads based on the context of a customer’s current search query, visit to the Internet website, or online app
- ads directed to a customer in response to their request for information or feedback
- processing of personal data for the sole purpose of measuring or reporting ad frequency, performance, or reach
Consent under the RIDTPPA
The RIDTPPA defines consent as “a clear, affirmative act signifying a customer has freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the customer.”
Consent includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
The definition excludes:
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
- hovering over, muting, pausing, or closing a given piece of content
- consent obtained through the use of dark patterns
Who must comply with the Rhode Island Data Transparency and Privacy Protection Act?
The RIDTPPA applies to businesses that operate in the state and produce products or services targeted at Rhode Island residents, and during a calendar year:
- control or process the personal data of at least 35,000 customers, except if the personal data is controlled or processed only for the purpose of completing a payment transaction
or
- control or process the personal data of at least 10,000 customers and derive more than 20 percent of their gross revenue from the sale of personal data
The law applies to any business that meets these conditions, regardless of the business’s location. The numerical thresholds are lower than in many other states, which reflects Rhode Island’s relatively small population.
Rhode Island’s privacy law distinguishes itself from some other US state laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), in that the RIDTPPA does not have a standalone revenue threshold. Businesses operating in Rhode Island must consider the volume of customer data they control or process, rather than just their financial metrics, to determine their obligations under the law.
However, any commercial website or internet service provider that:
- has appointed a controller as required by the law
and
- that collects, stores, or sells customers’ personally identifiable information
must comply with the RIDTPPA’s information sharing requirements, even if it is not required to comply with the law’s other obligations, unless specifically exempted.
Exemptions to Rhode Island Data Transparency and Privacy Protection Act compliance
The RIDTPPA exempts certain entities from compliance, including:
- governmental entities
- nonprofit organizations
- higher education institutions
- national securities associations
- financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA)
- covered entities or business associates covered by the Health Insurance Portability and Accountability Act (HIPAA)
Data-level exemptions include:
- protected healthcare-related information, research data, and employment-related data
- data collected or maintained as emergency contact information for a natural person if used for administering benefits only
- data created for or collected under several federal laws, including, among others:
  - HIPAA
  - Fair Credit Reporting Act
  - Driver’s Privacy Protection Act
  - Family Educational Rights and Privacy Act
  - Farm Credit Act
  - Airline Deregulation Act
Customers’ rights under the Rhode Island Data Transparency and Privacy Protection Act
Customers have several rights under the RIDTPPA to protect their personal data and control its use.
- Right to access: customers have the right to confirm whether or not the controller is processing their personal data and to access their data, with some exceptions
- Right to correction: customers have the right to correct inaccuracies in their personal data provided by, or obtained about, them, taking into account the nature of the personal data and purposes of processing
- Right to deletion: customers can request the deletion of any personal data provided by, or obtained about, them, with exceptions
- Right to data portability: where the processing is carried out by automated means, customers can obtain a copy of their personal data in a readily usable format, with some exceptions
- Right to opt out: customers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
There is no private right of action, or right to directly sue a controller for a violation of the law, under the RIDTPPA.
Controllers’ obligations under the Rhode Island Data Transparency and Privacy Protection Act
Under the Rhode Island data privacy law, controllers are required to meet specific obligations to protect customers’ personal data.
Privacy policy under the RIDTPPA
While most other US state-level privacy laws require controllers to publish a privacy notice or privacy policy, the RIDTPPA does not have a specific privacy notice requirement. Instead, it requires commercial websites or Internet service providers that collect, store, and sell customers’ personally identifiable information to:
- identify all categories of personal data that the controller collects through the website or online service about customers
- identify all third parties to whom the controller has sold, or may sell, customers’ personally identifiable information
and
- identify an active email address or other online mechanism a customer may use to contact the controller
This information may be shared either in the controller’s customer agreement, an incorporated addendum, or “another conspicuous location on its website or online service platform where similar notices are customarily posted.” Controllers may share this information in a privacy policy or privacy notice published on their website, usually through a link in the footer that makes it easy for customers to find.
The term “personally identifiable information,” however, is not defined under the law.
Rhode Island’s information sharing requirement differs from similar transparency requirements in other US states’ data privacy laws in several ways:
- it applies to any entity that has designated a controller as required by the law and that collects, stores, and sells personally identifiable information, regardless of the applicability threshold for compliance with other requirements, unless specifically exempted
- it is limited to personal data collected through a website or online service and does not extend to offline collection
- there is no requirement to identify either the purpose(s) of processing, or the categories of personal data the controller shares with third parties
The law also requires controllers that sell personal data to third parties, or process personal data for targeted advertising, to “clearly and conspicuously disclose” such processing. There is no regulated method for such disclosure, and controllers may disclose this information in their privacy notice as well.
Customer rights requests under the RIDTPPA
The RIDTPPA does not specify a minimum number of secure and reliable methods controllers must provide for customers to exercise their rights.
Controllers must respond to customer requests within 45 days after receipt of the request. This period can be extended by another 45 days if necessary, provided they notify the customer before the initial 45-day period concludes.
Where a controller cannot reasonably verify a customer’s identity, they may either request further verification or deny the request. If a request is denied, the controller must inform the customer within 45 days of receiving the request, providing the reason for the denial and outlining the appeal process.
Controllers must respond to appeals within 60 days. There is no provision under the law to extend this period. If an appeal is denied, the controller must inform the customer in writing with reasons for denial and explain how to submit a complaint to the Attorney General.
Purpose limitation under the RIDTPPA
The RIDTPPA requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the personal data is processed.
Data security under the RIDTPPA
The Rhode Island privacy law requires personal data to be subject to reasonable administrative, technical, and physical measures to:
- protect its confidentiality, integrity, and accessibility
- reduce reasonably foreseeable risks of harm to customers relating to their data’s collection, use, or retention
Data protection assessments under the RIDTPPA
The Rhode Island privacy law requires controllers to conduct data protection assessments where processing activities present a heightened risk of harm to a customer. This includes:
- processing of personal data for the purposes of targeted advertising
- sale of personal data
- processing for purposes of profiling, if the profiling results in:
  - a reasonably foreseeable risk of unfair or deceptive treatment
  - financial, physical, or reputational injury
  - physical or other intrusion into customers’ private affairs
  - other substantial injury to customers
- processing of data that is categorized as “sensitive data”, including children’s data
Data protection assessments are also known as “data protection impact assessments” under some regulations like the European Union’s General Data Protection Regulation (GDPR).
The Attorney General may require a controller to disclose a data protection assessment during its investigations into any alleged violations, and the controller must comply.
Data protection assessments conducted for compliance with other regulations are considered valid under the RIDTPPA if the assessments have a reasonably similar scope and effect.
Data protection assessments will be required for data processing activities created or generated after the law comes into effect on January 1, 2026.
Consent requirements under the RIDTPPA
Rhode Island primarily adopts an opt-out model for personal data processing, enabling businesses to collect and process personal data without obtaining prior customer consent in most cases.
However, explicit consent is required before handling sensitive personal data, and controllers must provide customers with a mechanism to grant and revoke consent. Where consent is revoked, the controller must suspend data processing within a maximum of 15 days.
Businesses are also required to provide mechanisms for customers to opt out of the sale of personal data and its use for targeted advertising or profiling.
Regarding children’s data, Rhode Island aligns with the Children’s Online Privacy Protection Act (COPPA). This requires businesses to obtain consent from a parent or guardian before processing personal data of children under 13 years old, as all such data is considered sensitive data under Rhode Island privacy law.
Unlike some other states, Rhode Island will not require controllers to offer customers the option to opt out of processing their personal data through a universal opt-out mechanism like the Global Privacy Control (GPC).
Nondiscrimination under the RIDTPPA
The RIDTPPA prohibits controllers from discriminating against customers for exercising their rights under the law. Businesses cannot deny customers goods or services, charge different prices, or provide varying levels of quality based on whether a customer chooses to exercise their rights. For example, a website cannot deny access to a customer who opts out of allowing their personal data to be collected, processed, or sold.
However, if specific website features require certain cookies to operate properly and a customer opts out of these cookies, the affected features may not work as intended. This is not considered discrimination under the Rhode Island law.
Controllers must also comply with state and federal anti-discrimination laws and cannot process personal information in a way that violates these regulations.
The RIDTPPA allows controllers to offer different prices or service conditions through voluntary programs such as loyalty, rewards, premium features, discount or club card programs. These incentives must be reasonable and proportionate to ensure they are seen as optional rather than coercive.
Data processing agreement (DPA) under the RIDTPPA
Controllers must enter into contracts with processors to regulate data processing activities. While the Rhode Island privacy law does not explicitly use the term “data processing agreement,” this contract serves a similar function to data processing agreements mandated by other data privacy laws, such as the GDPR and the Virginia Consumer Data Protection Act (VCDPA).
The contract or data processing agreement between the controller and processor must clearly outline, among other things:
- instructions for processing data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
- processor’s duty to maintain confidentiality
- requirement that the processor delete or return all personal data to the controller after completion of processing activities
- conditions under which the processor may engage a subcontractor after notifying the controller
Processors must follow the controller’s instructions and also assist controllers in meeting their obligations under the Rhode Island privacy law.
Under most data privacy laws, controllers bear ultimate responsibility for any data processing violations or breaches committed by processors. However, the RIDTPPA provides for two specific exceptions to this rule:
- If a controller or processor lawfully shares personal data with a third-party controller or processor, they are not liable for any violations committed by the receiving party, as long as they were unaware of any intent to violate the law at the time of sharing
- If a controller or processor lawfully receives personal data, they are not responsible for any legal violations committed by the disclosing party
Enforcement of the Rhode Island Data Transparency and Privacy Protection Act
The Rhode Island Attorney General has exclusive authority to enforce the RIDTPPA. While customers do not have a private right of action, they can submit complaints about potential violations or denials of their privacy rights to the Attorney General’s office.
Unlike some other states’ consumer privacy laws, the Rhode Island privacy law does not contain a cure period provision that would give organizations time to rectify alleged violations before enforcement.
Fines and penalties under the RIDTPPA
Violations of the Rhode Island privacy law are enforceable under the state’s deceptive trade practices law and can result in penalties of up to USD 10,000 per violation.
Additionally, an entity is subject to a fine of between USD 100 and USD 500 for each disclosure if it:
- intentionally discloses personal data to a shell company or entity created to circumvent the RIDTPPA
or
- is in violation of any provision of the RIDTPPA
Consent management and the Rhode Island Data Transparency and Privacy Protection Act
The RIDTPPA adopts an opt-out consent model similar to consumer privacy laws in other US states. This means that controllers do not need to obtain prior consent to collect or process personal data, except for sensitive personal data and data belonging to children.
The law gives consumers the right to opt out of the collection and processing of their personal data for sale, targeted advertising, or profiling. Many websites use cookie consent banners that include clear links or buttons enabling users to opt out of data processing. A consent management platform (CMP) like Usercentrics CMP can automate this process by managing cookies and tracking technologies, blocking their use once a customer withdraws consent. CMPs also provide users with clear information about the categories of data collected and the third parties that might receive this data, in line with Rhode Island’s law and other data privacy regulations.
As there is currently no unified federal privacy law in the US, businesses operating nationwide and/or internationally may need to navigate multiple state and international privacy laws to protect consumer data. CMPs assist by customizing cookie banners based on the user’s location, helping businesses meet the requirements of state-level laws like the RIDTPPA and international regulations such as the GDPR.
Preparing for the Rhode Island Data Transparency and Privacy Protection Act
Businesses operating in Rhode Island have until the effective date of January 1, 2026 to prepare for compliance. Some RIDTPPA requirements, such as the right to opt out and obtaining explicit consent for processing sensitive and children’s data, overlap with other state or federal consumer privacy laws. However, there are also many unique requirements that businesses must prepare for, including information sharing and designation of controllers for businesses that may not otherwise fulfill the compliance threshold of volume of data processed. Adopting a privacy by design approach can benefit organizational operations overall, not just regulatory compliance.
Businesses must first determine if they meet the RIDTPPA compliance threshold, or if they are required to comply with the law’s specific requirements for information sharing and designating a controller. If either of these circumstances apply, they must take steps to comply with the relevant provisions of the law that are applicable to them. A consent management platform (CMP) like Usercentrics CMP can help manage cookies on websites and apps.
As the RIDTPPA evolves with changes in technology and consumer expectations, businesses should consult with a qualified legal professional or data privacy expert, such as a Data Protection Officer, to maintain compliance.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.