Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA): Complete 2026 Compliance Guide
Rhode Island’s Privacy Law Is Now in Effect
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) took effect on January 1, 2026. Signed into law in June 2024, the RIDTPPA made Rhode Island one of the first states to adopt comprehensive data privacy legislation with notably lower applicability thresholds than most other state privacy laws — meaning more businesses are covered.
Rhode Island is now part of a growing group of 21 states with comprehensive privacy laws. Perhaps the most critical detail: the RIDTPPA includes no cure period. The Attorney General can pursue enforcement immediately, without giving businesses a grace period to fix violations. Here is everything your business needs to know.
Who Does the RIDTPPA Apply To?
The RIDTPPA applies to entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents, and that, during the previous calendar year, met either of the following thresholds:
- Controlled or processed personal data of 35,000 or more Rhode Island consumers (excluding data processed solely for payment transactions), OR
- Controlled or processed personal data of 10,000 or more Rhode Island consumers and derived more than 20% of gross revenue from the sale of personal data
These thresholds are significantly lower than the standard 100,000 / 25,000 thresholds used by Virginia, Indiana, Kentucky, and most other states. Use our Privacy Law Calculator to check applicability across all state privacy laws at once.
Key Exemptions
The RIDTPPA exempts the following entities and data categories:
- Government entities (state, county, municipal)
- Nonprofit organizations
- Institutions of higher education
- Data regulated under HIPAA, GLBA (Gramm-Leach-Bliley Act), FERPA, FCRA, and DPPA
- Employment data processed in the context of an employment relationship
- Personal data processed for certain insurance-related activities
Consumer Rights Under the RIDTPPA
Rhode Island consumers (“customers” in the statute) have the following data privacy rights:
- Right to confirm and access — verify whether their personal data is being processed and obtain a copy
- Right to correct — fix inaccuracies in their personal data
- Right to delete — request deletion of their personal data
- Right to data portability — receive their data in a portable, readily usable format
- Right to opt out of targeted advertising — stop the use of their data for targeted ads
- Right to opt out of sale — prevent the sale of their personal data
- Right to opt out of profiling — opt out of profiling that produces legal or similarly significant effects
Controllers must respond to consumer requests within 45 days, with a possible 45-day extension where reasonably necessary. An appeals process must be provided when requests are denied. If the appeal is denied, consumers must be informed of how to file a complaint with the Rhode Island Attorney General.
Business Obligations
Privacy Notice Requirements
Controllers must provide a clear, accessible, and meaningful privacy notice disclosing:
- Categories of personal data processed
- The purpose of processing
- How consumers can exercise their rights and appeal decisions
- Categories of personal data shared with third parties
- Categories of third parties receiving personal data
Downstream Data Recipient Transparency
A standout feature of the RIDTPPA is its requirement to identify potential downstream recipients of sold personal data. When a controller sells personal data, it must provide information about who may ultimately receive that data. This goes beyond what most state privacy laws require and underscores Rhode Island’s emphasis on data transparency — as the law’s full name suggests.
Data Minimization and Security
The RIDTPPA requires businesses to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Controllers must also establish and maintain reasonable administrative, technical, and physical data security practices.
Sensitive Data
Processing sensitive personal data requires opt-in consent. Rhode Island defines sensitive data as:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Biometric data processed for identification purposes
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, including:
- Targeted advertising
- Sale of personal data
- Certain types of profiling
- Processing sensitive data
Processor Contracts
Contracts between controllers and processors must clearly govern the nature, purpose, and duration of processing, the type of data involved, confidentiality obligations, and requirements to delete or return personal data upon the controller’s direction.
Minor Protections
The RIDTPPA requires opt-in consent for processing personal data of known children under 13. Enhanced protections apply for teenagers, requiring consent before processing data for targeted advertising or data sales.
Enforcement and Penalties
The RIDTPPA is enforced exclusively by the Rhode Island Attorney General. There is no private right of action.
- No cure period — unlike most state privacy laws, the RIDTPPA does not require the AG to give businesses time to fix violations before pursuing enforcement. This is a major compliance risk.
- Deceptive trade practices — violations are treated as unfair or deceptive trade practices under Rhode Island law
- Civil penalties up to $10,000 per violation — among the higher maximum penalties of any state privacy law
- Additional fines — intentional disclosures of personal data carry additional fines of $100 to $500 per disclosure
- Injunctive relief — the AG can seek court orders to stop violations
The combination of no cure period and $10,000-per-violation penalties makes the RIDTPPA one of the more enforcement-friendly state privacy laws in the country. Monitor enforcement developments on our penalties tracker.
How the RIDTPPA Compares to Other State Laws
Rhode Island’s law stands out in several key ways:
- Lower thresholds: 35,000 / 10,000+20% vs. the standard 100,000 / 25,000+50% in most states — more businesses are covered
- No cure period: Only a handful of states (including Rhode Island) allow immediate enforcement with no opportunity to cure. California, Colorado, and Oregon have also moved away from cure periods.
- Higher penalties: $10,000 per violation exceeds the $7,500 maximum common in Virginia-model states
- Downstream recipient transparency: Unique requirement to identify potential downstream recipients of sold data
- No universal opt-out requirement: Unlike California, Colorado, Connecticut, Montana, and others, Rhode Island does not require businesses to honor universal opt-out mechanisms like GPC. Check your obligations with our GPC Compliance Checker.
For a detailed side-by-side view, use our state comparison tool.
Step-by-Step Compliance Plan
- Determine applicability — Note the lower thresholds: 35,000 consumers or 10,000 consumers + 20% data sale revenue. Our calculator automates this across all states.
- Conduct a data inventory — Identify what personal data you collect from Rhode Island consumers, where it is stored, how it flows, and who receives it downstream.
- Update your privacy notice — Ensure your privacy policy includes all RIDTPPA-required disclosures, including downstream recipient information for sold data.
- Build consumer rights workflows — Implement request intake, identity verification, and response processes to meet the 45-day deadline.
- Implement consent for sensitive data — Add opt-in consent mechanisms for any processing of sensitive personal data.
- Conduct data protection assessments — Perform assessments for targeted advertising, data sales, profiling, and sensitive data processing.
- Update processor agreements — Review and amend vendor contracts to include required processor provisions.
- Treat compliance as urgent — Remember: there is no cure period. The AG can take enforcement action immediately upon discovering a violation. Document everything thoroughly.
For a complete checklist, visit the Rhode Island compliance checklist.
The Bottom Line
The Rhode Island Data Transparency and Privacy Protection Act stands out for three reasons: lower thresholds that capture more businesses, no cure period that allows immediate enforcement, and a unique transparency requirement around downstream data recipients. If your business processes data from Rhode Island consumers — even if you thought you were below the radar for other state laws — the RIDTPPA’s lower thresholds may bring you into scope. With penalties up to $10,000 per violation and no grace period, compliance should be an immediate priority.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.