Articles

All About the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Written by Matt Davis, CIPM (IAPP) | September 16, 2024

Starting January 1, 2026, businesses operating in Rhode Island will need to comply with the Rhode Island Data Transparency and Privacy Protection Act, a mouthful of a law abbreviated as RIDTPPA. (Not exactly catchy, is it?) 

Like many data privacy laws, its provisions are broad and complex. But if you need to bring your organization into compliance with the RIDTPPA, don’t worry; here are all the basics.  

What Is the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)? 

Enacted June 29, 2024, RIDTPPA resembles many other US data privacy laws, including its requirements surrounding consent, sensitive personal information processing, and consumer rights. The law, however, does feature several important differences, especially regarding its requirements around notices (more on that later).  

Notably, the law also lacks a cure period. If you’re found to have violated the law, you’ll simply be fined without any grace period to fix the violation. Most state data privacy laws feature cure periods, though some expire at various dates in the future, and some are permanent features.  

We’ll cover key similarities and differences between the RIDTPPA and other laws in each section.   

RIDTPPA Applicability and Exemptions 

If your organization is a for-profit entity and conducts business in Rhode Island or provides products or services targeted to Rhode Islanders, you may be subject to the RIDTPPA. 

Specifically, you must meet the above criteria as well as one of the following: 

  • Your organization controlled or processed at least 35,000 state residents’ personal data. 
  • Your organization controlled or processed at least 10,000 state residents’ personal data and derived more than 20% of its gross revenue from the sale of that data. 

There are exemptions, of course, but if you meet the above criteria, you likely will need to comply with the law.  

Exemptions to Rhode Island’s Data Privacy Law 

The RIDTPPA features both data- and entity-level exemptions, as is the case in other data privacy laws. These exemptions include: 

  • Entities and data regulated by the Gramm-Leach-Bliley Act (GLBA) 
  • Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates (e.g., service providers associated with HIPAA-covered entities) 
  • Non-profit organizations 
  • Data regulated by the Family Educational Rights and Privacy Act (FERPA) 
  • State entities 
  • Higher education institutions 
  • Data protected by the Fair Credit Reporting Act (FCRA) 
  • Data covered by the Driver’s Privacy Protection Act (DPPA) 
  • National securities associations 

These exemptions ensure that RIDTPPA complements existing legal frameworks without creating redundant compliance requirements. 

Consumer Rights Granted by Rhode Island’s Data Privacy Law 

Under the RIDTPPA, consumers are granted several rights regarding their personal data. These include the rights to: 

  • Confirm whether a controller is processing their personal data and to access said data 
  • Correct inaccurate personal data 
  • Delete personal data 
  • Data portability 
  • Opt-out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.” 

Businesses must honor consumer rights requests within 45 days of receipt, with the possibility of a 45-day extension if requests are particularly complex or numerous. 

Sensitive Data and Children’s Data 

Like other state data privacy laws, the RIDTPPA has additional requirements for collecting sensitive data and children’s data. Specifically, a business must obtain affirmative, opt-in consent before collecting or processing sensitive data. The law defines sensitive data as: 

  • Data revealing: 
  1. Racial or ethnic origin 
  2. Religious beliefs 
  3. Mental or physical health conditions or diagnoses 
  4. Sex life 
  5. Sexual orientation 
  6. Citizenship or immigration status 
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual 
  • The personal data of a known child 
  • Precise geolocation data 

For the most part, this adheres to other state laws, though its inclusion of data relating to an individual’s sex life and citizenship or immigration status isn’t common to all state data privacy laws. 

Additionally, the law defines a “child” as a person under 13 years of age, which is the same definition used under the Children’s Online Privacy Protection Act (COPPA). Some states, like California, have higher age thresholds that define whether a person is considered a child or not under the law. (The California Consumer Privacy Act [CCPA] defines children as people under the age of 16.) 

The RIDTPPA and Universal Opt-Out Mechanisms 

Notably, the RIDTPPA does not require businesses to honor universal opt-out mechanisms, bucking the recent trend found in other state privacy laws. These mechanisms allow consumers to indicate their consent one time in a tool like the Global Privacy Control, rather than interacting with each individual website they visit.  

Data Protection Assessments Under the RIDTPPA 

As is now standard practice, the RIDTPPA mandates that businesses conduct data protection assessments that evaluate their processing activities relative to possible risk. Specifically, businesses must conduct assessments prior to: 

  • Processing data for targeted advertising 
  • Selling personal data 
  • Profiling that could pose a risk of unfair or deceptive treatment of consumers; cause physical, financial, or reputational injury; intrude on consumers’ solitude or private affairs; or cause similar harm 
  • Processing sensitive data 

Furthermore, the Attorney General can request to view the assessment whenever it’s relevant to an investigation—making it essential to conduct these assessments when you suspect they may be necessary! 

RIDTPPA Privacy Notices 

The law’s provisions around privacy notices are the most unique aspects of the RIDTPPA, and currently, the language of the statute is somewhat ambiguous.  

First, the law states that “Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller.” If that “commercial website or Internet service provider collects, stores and sells customers' personally identifiable information,” then its designated controller must provide a privacy notice with certain information. 

This is a bit confusing since it seems to imply that there is no minimum threshold to which businesses must provide a privacy notice. It doesn’t matter if that commercial website or internet service provider collects one individual’s or one million individuals’ personal data—if it collects, stores, and sells that information then it needs to designate a controller that will post a privacy notice. What it means to “designate a controller” isn’t clarified, either. 

Regardless, that privacy notice needs to include the following information: 

  • All third parties to whom the controller has sold or may sell personal data 
  • All categories of personal data collected 
  • An email address or other mechanism for consumer communication 
  • Whether the organization sells to third parties or uses personal data for targeted advertising 

The most notable item here is the list of third parties to whom the controller has sold or may sell personal data. It’s difficult to see how a business could predict to whom it will sell personal data in the future. Furthermore, it’s difficult to actually track down all the third parties that receive personal data and could result in a fairly lengthy list in a privacy notice. 

Possible Solutions to Consider 

While you should consult with legal counsel on the best approach to deal with this and other RIDTPPA requirements, there are a few approaches you can investigate to make compliance easier. 

The difficult part about complying with the RIDTPPA’s privacy policy requirements is knowing about all the third parties that may be involved. Most organizations have more vendors, partners, service providers, and other third parties than they are aware of.  

One way to make it easier to discover these relationships is through data mapping solutions. These tools discover different data stores and systems in your organization, including those systems that may transfer data externally to third parties. With a complete data map, you’ll be able to identify the third parties to whom your organization transfers personal data, enabling you to list them in your privacy policy. 

The Rhode Island Data Privacy Law: Enforcement 

The Rhode Island Attorney General enforces the RIDTPPA, which treats violations as a deceptive trade practice under Rhode Island’s general consumer protection law.  

RIDTPPA’s penalization structure is somewhat unique. Deceptive trade practices under Rhode Island law are subject to a penalty of $10,000 per violation. However, the RIDTPPA also stipulates that if an entity or individual intentionally discloses personal information, they are also subject to a penalty of between $100 and $500 per violation. 

This makes it somewhat unclear exactly how much a company might be penalized for a given violation under different circumstances. Your best bet is to pursue compliance to your utmost—then you won’t have to find out how much noncompliance costs in Rhode Island! 

And, as we said above, there’s no cure period in Rhode Island.  If you’re out of compliance, you can expect to be fined. If you didn’t care about compliance before, you’d better start. 

What Does the RIDTPPA Mean for Businesses? 

For Rhode Island businesses subject to the RIDTPPA, it serves as a major wakeup call. That’s especially true given its broad requirements around privacy notices. Organizations must be truthful about the information they convey in privacy notices, requiring at least some investment into data privacy practices. 

Between data protection assessments, DSAR response times, consent management, tracking the flow of data into and out of your organization, and more, businesses and their privacy teams have good reason to be anxious about meeting all the RIDTPPA’s requirements.  

If you’re feeling overwhelmed, Osano can help you meet the requirements of the RIDTPPA and other state data privacy laws. To learn more about the Osano platform can help with your specific requirements, schedule a demo with us.  

Rhode Island Data Privacy Law Frequently Asked Questions  

When Does the RIDTPPA Go into Effect? 

The RIDTPPA is scheduled to go into effect on January 1, 2026. This timeline provides businesses and organizations ample time to adjust their data practices and ensure compliance with the new regulations. 

Who Enforces the RIDTPPA? 

Enforcement of the RIDTPPA falls under the jurisdiction of the Rhode Island Attorney General’s office. The Attorney General is responsible for investigating potential violations and taking action to ensure that businesses adhere to the law’s requirements. 

Does Rhode Island’s Law Provide a Cure Period for Violations? 

No, the RIDTPPA does not include a cure period for businesses that may be found in violation of the law. 

What Is the Penalty for Violating the RIDTPPA? 

Penalties for violating the RIDTPPA can be significant. They constitute a violation of the state’s consumer protection law, which imposes a $10,000 penalty per violation on the business. In addition, if a violator is found to have intentionally disclosed personal information in violation of the RIDTPPA, the state Attorney General can fine the organization between $100 and $500 per violation.  

Does Rhode Island’s Privacy Law Require Businesses to Honor Global Opt-out Signals? 

No, the RIDTPPA does not require businesses to honor global opt-out signals.