Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

• June 28, 2024: Law enacted
• January 1, 2026: Effective date

The Act applies to for-profit entities that conduct business in Rhode Island or target Rhode Island residents and, during the previous calendar year:

• Controlled or processed the personal data of 35,000+ customers (excluding payment-only transactions), OR
• Controlled or processed the personal data of 10,000+ customers and derived 20%+ gross revenue from the sale of personal data

The law exempts:

• State and local government agencies
• Nonprofit organizations
• Institutions of higher education
• Entities and data regulated by federal laws such as HIPAA, GLBA, FERPA, DPPA, and FCRA
• Certain activities including public health, research, and credit reporting

Businesses must:

• Designate a data controller when acting as a commercial website or ISP that sells customer data
• Identify categories of personal data collected
• Disclose all third parties to whom personal data has been or may be sold
• Provide a contact email or online mechanism
• Clearly disclose data sales and targeted advertising practices
• Maintain reasonable administrative, technical, and physical security safeguards
• Obtain consent before processing sensitive data
• Provide mechanisms to grant and revoke consent, and honor revocation within 15 days
• Avoid discriminatory processing
• Execute contracts with data processors outlining required terms
• Conduct data protection assessments for high-risk processing (applies to processing created on or after January 1, 2026)
• Take steps to prevent re-identification of de-identified data and impose contractual obligations on recipients

Commercial websites and internet service providers that conduct business in Rhode Island, have Rhode Island customers, or are otherwise subject to Rhode Island jurisdiction, and that collect, store, and sell customers’ personal data, must:

• Identify all categories of personal data collected through the website or online service
• Identify all third parties to whom customers’ personal data has been or may be sold
• Provide an active email address or other online mechanism for customers
• Clearly disclose whether personal data is sold or used for targeted advertising

These disclosures must appear in a customer agreement, an addendum, or a conspicuous website location.

• Authenticate customer requests before responding
• Offer an appeals process for denied requests and respond within 60 days
• Are not required to re-identify de-identified or pseudonymous data
• Maintain oversight of recipients of de-identified or pseudonymous data
• Process data only in ways consistent with disclosed purposes and applicable laws

Customers have the right to:

• Confirm whether their personal data is being processed
• Access their personal data
• Correct inaccuracies
• Delete personal data
• Obtain a portable copy
• Opt-out of targeted advertising, sale of personal data, and profiling with legal or similarly significant effects

• Enforced exclusively by the Rhode Island Attorney General
• No private right of action
• Violations are treated as deceptive trade practices
• Civil penalties up to $10,000 per violation under deceptive trade practices law
• Additional fines of $100–$500 for each intentional unlawful disclosure of personal data