Rhode Island Privacy Law
Rhode Island Data Transparency and Privacy Protection Act
Overview
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) was signed into law in 2024 and becomes effective on January 1, 2026. Rhode Island adopted relatively low applicability thresholds compared to most state privacy laws, making the law applicable to a broader range of businesses. The RIDTPPA provides Rhode Island consumers with comprehensive privacy rights, including the right to access, correct, delete, and port personal data, as well as opt-out rights for data sales, targeted advertising, and profiling. The law includes an appeals process for denied consumer requests, strengthening consumer protections.
The law applies to entities conducting business in Rhode Island or targeting Rhode Island consumers that control or process personal data of 35,000 or more consumers (excluding payment transaction data), or control or process personal data of 10,000 or more consumers while deriving more than 20% of gross revenue from the sale of personal data.
Notably, the RIDTPPA does not include a cure period — the Attorney General is not required to give businesses time to correct violations before pursuing enforcement. Violations are treated as deceptive trade practices with civil penalties of up to $10,000 per violation, plus additional fines of $100 to $500 per intentional disclosure.
Applicability Thresholds
Conditions are joined by OR — meeting ANY one triggers applicability.
Consumer Rights
Key Changes in 2025-2026
- Law became effective January 1, 2026 — businesses must be in full compliance
- No cure period — Rhode Island AG can enforce immediately without giving businesses time to fix violations
- Lower thresholds mean more businesses are covered compared to typical state laws (35,000 consumers vs. 100,000 in most states)
- Violations treated as deceptive trade practices under Rhode Island law, with penalties up to $10,000 per violation
- Additional fines of $100 to $500 per intentional disclosure of personal data
Enforcement Details
Sensitive Data Categories
Consent model: opt-in
Universal Opt-Out / GPC Requirements
The RIDTPPA does not currently mandate universal opt-out signal recognition. Businesses may voluntarily support GPC and similar mechanisms.
Minor / Child Protections
The RIDTPPA requires opt-in consent for processing personal data of known children under 13. Enhanced protections apply for teens, requiring consent before processing data for targeted advertising or data sales.
Compliance Checklist
1. Assess applicability — note the lower thresholds of 35,000 consumers or 10,000+ with 20% revenue from data sales
2. Update privacy notices with all RIDTPPA-required disclosures
3. Implement consumer rights request mechanisms with 45-day response period
4. Obtain opt-in consent for processing sensitive personal data
5. Implement opt-out mechanisms for data sales, targeted advertising, and profiling
6. Establish an appeals process for denied consumer requests
7. Prioritize compliance readiness — there is no cure period to correct violations after AG notification
Rhode Island Privacy Law FAQ
Official Resources
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.