Starting January 1, 2026, businesses operating in Rhode Island will need to comply with the Rhode Island Data Transparency and Privacy Protection Act, a mouthful of a law abbreviated as RIDTPPA. (Not exactly catchy, is it?)
Like many data privacy laws, its provisions are broad and complex. But if you need to bring your organization into compliance with the RIDTPPA, don’t worry; here are all the basics.
Enacted June 29, 2024, RIDTPPA resembles many other US data privacy laws, including its requirements surrounding consent, sensitive personal information processing, and consumer rights. The law, however, does feature several important differences, especially regarding its requirements around notices (more on that later).
Notably, the law also lacks a cure period. If you’re found to have violated the law, you’ll simply be fined without any grace period to fix the violation. Most state data privacy laws feature cure periods, though some of those cure periods expire at various dates in the future, while others are permanent features of the law.
We’ll cover key similarities and differences between the RIDTPPA and other laws in each section.
If your organization is a for-profit entity and conducts business in Rhode Island or provides products or services targeted to Rhode Islanders, you may be subject to the RIDTPPA.
Specifically, you must meet the above criteria as well as one of the following:
There are exemptions, of course, but if you meet the above criteria, you likely will need to comply with the law.
The RIDTPPA features both data- and entity-level exemptions, as is the case in other data privacy laws. These exemptions include:
These exemptions ensure that RIDTPPA complements existing legal frameworks without creating redundant compliance requirements.
Under the RIDTPPA, consumers are granted several rights regarding their personal data. These include the rights to:
Businesses must honor consumer rights requests within 45 days of receipt, with the possibility of a 45-day extension if requests are particularly complex or numerous.
Like other state data privacy laws, the RIDTPPA has additional requirements for collecting sensitive data and children’s data. Specifically, a business must obtain affirmative, opt-in consent before collecting or processing sensitive data. The law defines sensitive data as:
For the most part, this aligns with other state laws, though its inclusion of data relating to an individual’s sex life and citizenship or immigration status isn’t common to all state data privacy laws.
Additionally, the law defines a “child” as a person under 13 years of age, which is the same definition used under the Children’s Online Privacy Protection Act (COPPA). Some states, like California, have higher age thresholds that define whether a person is considered a child or not under the law. (The California Consumer Privacy Act [CCPA] defines children as people under the age of 16.)
Notably, the RIDTPPA does not require businesses to honor universal opt-out mechanisms, bucking the recent trend found in other state privacy laws. These mechanisms allow consumers to indicate their consent one time in a tool like the Global Privacy Control, rather than interacting with each individual website they visit.
As is now standard practice, the RIDTPPA mandates that businesses conduct data protection assessments that evaluate their processing activities relative to possible risk. Specifically, businesses must conduct assessments prior to:
Furthermore, the Attorney General can request to view the assessment whenever it’s relevant to an investigation—making it essential to conduct these assessments when you suspect they may be necessary!
The law’s provisions around privacy notices are the most unique aspects of the RIDTPPA, and currently, the language of the statute is somewhat ambiguous.
First, the law states that “Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller.” If that “commercial website or Internet service provider collects, stores and sells customers' personally identifiable information,” then its designated controller must provide a privacy notice with certain information.
This is a bit confusing since it seems to imply that there is no minimum threshold to which businesses must provide a privacy notice. It doesn’t matter if that commercial website or internet service provider collects one individual’s or one million individuals’ personal data—if it collects, stores, and sells that information then it needs to designate a controller that will post a privacy notice. What it means to “designate a controller” isn’t clarified, either.
Regardless, that privacy notice needs to include the following information:
The most notable item here is the list of third parties to whom the controller has sold or may sell personal data. It’s difficult to see how a business could predict to whom it will sell personal data in the future. Furthermore, it’s difficult to actually track down all the third parties that receive personal data, and doing so could result in a fairly lengthy list in a privacy notice.
While you should consult with legal counsel on the best approach to deal with this and other RIDTPPA requirements, there are a few approaches you can investigate to make compliance easier.
The difficult part about complying with the RIDTPPA’s privacy policy requirements is knowing about all the third parties that may be involved. Most organizations have more vendors, partners, service providers, and other third parties than they are aware of.
One way to make it easier to discover these relationships is through data mapping solutions. These tools discover different data stores and systems in your organization, including those systems that may transfer data externally to third parties. With a complete data map, you’ll be able to identify the third parties to whom your organization transfers personal data, enabling you to list them in your privacy policy.
The Rhode Island Attorney General enforces the RIDTPPA, which treats violations as a deceptive trade practice under Rhode Island’s general consumer protection law.
RIDTPPA’s penalty structure is somewhat unique. Deceptive trade practices under Rhode Island law are subject to a penalty of $10,000 per violation. However, the RIDTPPA also stipulates that if an entity or individual intentionally discloses personal information, they are also subject to a penalty of between $100 and $500 per violation.
This makes it somewhat unclear exactly how much a company might be penalized for a given violation under different circumstances. Your best bet is to pursue compliance to your utmost—then you won’t have to find out how much noncompliance costs in Rhode Island!
And, as we said above, there’s no cure period in Rhode Island. If you’re out of compliance, you can expect to be fined. If you didn’t care about compliance before, you’d better start.
For Rhode Island businesses subject to the RIDTPPA, it serves as a major wake-up call. That’s especially true given its broad requirements around privacy notices. Organizations must be truthful about the information they convey in privacy notices, which requires at least some investment in data privacy practices.
Between data protection assessments, DSAR response times, consent management, tracking the flow of data into and out of your organization, and more, businesses and their privacy teams have good reason to be anxious about meeting all the RIDTPPA’s requirements.
If you’re feeling overwhelmed, Osano can help you meet the requirements of the RIDTPPA and other state data privacy laws. To learn more about how the Osano platform can help with your specific requirements, schedule a demo with us.
The RIDTPPA is scheduled to go into effect on January 1, 2026. This timeline provides businesses and organizations ample time to adjust their data practices and ensure compliance with the new regulations.
Enforcement of the RIDTPPA falls under the jurisdiction of the Rhode Island Attorney General’s office. The Attorney General is responsible for investigating potential violations and taking action to ensure that businesses adhere to the law’s requirements.
No, the RIDTPPA does not include a cure period for businesses that may be found in violation of the law.
Penalties for violating the RIDTPPA can be significant. They constitute a violation of the state’s consumer protection law, which imposes a $10,000 penalty per violation on the business. In addition, if a violator is found to have intentionally disclosed personal information in violation of the RIDTPPA, the state Attorney General can fine the organization between $100 and $500 per violation.
No, the RIDTPPA does not require businesses to honor global opt-out signals.