Rhode Island officially passed its comprehensive consumer data privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), in June 2024.
In this guide, I summarize everything businesses need to know about the RIDTPPA, including its requirements, the rights it grants to consumers, penalties for noncompliance, and more.
What Is the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is the state’s newly passed consumer data privacy law.
It governs how the personal information of Rhode Island residents is collected, processed, and used by external entities and grants individuals various rights over their data.
The law also establishes penalties for noncompliance.
RIDTPPA Effective Date
Rhode Island’s new data privacy law becomes effective on January 1, 2026.
RIDTPPA Key Terms and Definitions
To help you with RIDTPPA compliance, I’ve included some key terms from the law with their precise definitions:
When I use these terms throughout this guide, it’s with these definitions in mind.
What Does the Rhode Island Data Transparency and Privacy Protection Act Cover?
The RIDTPPA covers the personal information of residents of Rhode Island.
It does not cover people in the state acting in an employment or commercial context.
Requirements of the Rhode Island Data Transparency and Privacy Protection Act
In this next section, I summarize some key requirements outlined by the Rhode Island Data Transparency and Privacy Protection Act.
Lawful Basis for Processing Data
To lawfully collect, store, or sell personal data under the RIDTPPA, commercial websites or internet service providers must disclose all data collected to users in a conspicuous location on their website.
However, to process sensitive data, you must obtain active opt-in consent from the customer.
Consent
Consent is required under the RIDTPPA to collect and process sensitive personal information or data from known children.
The law defines consent as being:
- Clear
- Affirmative
- Freely given
- Specific
- Informed
- Unambiguous
Consent can include a written statement by electronic means but cannot involve hovering over, muting, pausing, or closing a piece of content or any agreement obtained through dark patterns.
Contractual Obligations with Data Processors
According to the RIDTPPA, a contract must exist between all data processors and controllers that requires the processor to do the following:
- Ensure each person processing the data is subject to a duty of confidentiality;
- At the controller’s direction, delete or return all data at the end of the service unless retention is required by law;
- At the controller’s request, make all information available to demonstrate the processor’s compliance with the RIDTPPA;
- Ensure subcontractors are subject to a written contract outlining these same obligations, while allowing the controller an opportunity to object to the subcontractor; and
- Cooperate with reasonable data protection assessments by the controller or designated assessor as necessary.
Data Protection Assessments
Data protection assessments must be performed under the RIDTPPA to process data for the following purposes:
- Conducting targeted advertising
- Selling data
- Profiling where it presents reasonably foreseeable risks of unfair or deceptive treatment
- Processing sensitive personal data
A single assessment may be used if one has already been performed to meet the obligations outlined by other privacy laws that are similar in scope.
The attorney general may require a controller to make the data protection assessment available for evaluation to verify compliance with the RIDTPPA.
Data Safety and Security
Under the RIDTPPA, businesses must implement security measures to protect the integrity and accessibility of all collected personal data.
While it isn’t specific about what safety techniques to use, common approaches are:
- Encryption
- Anonymization
- Access controls
- Firewalls
Rhode Island Data Transparency and Privacy Protection Act vs. Other States: Similarities and Differences
Several other U.S. states have passed data privacy laws, including the following:
- California Consumer Protection Act (CCPA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
- Florida Digital Bill of Rights (FDBR) — currently in force
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
- Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
- Minnesota Consumer Data Privacy Act (MCDPA) — effective Jul. 31, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
- Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
- Nebraska Data Privacy Act (NDPA) — effective Jan. 1, 2025
- New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
- New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
- Oregon Consumer Privacy Act (OCPA) — currently in force
- Tennessee Information Protection Act (TIPA) — effective July 1, 2025
- Texas Data Privacy and Security Act (TDPSA) — currently in force
- Utah Consumer Privacy Act (UCPA) — currently in force
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
You can compare aspects of the RIDTPPA to these other U.S. privacy laws in the table below.
| State Law | Opt-in consent for certain types of data processing | Opt-out consent for certain types of data processing | Must present users with a privacy policy (or notice) | Requires Data Protection Assessments | Outlines Contractual Obligation with Third-Party Processors | Allows for civil lawsuits or private right of action | Must honor Global Privacy Controls/browser privacy settings |
| --- | --- | --- | --- | --- | --- | --- | --- |
| RIDTPPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| CCPA/CPRA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| CTDPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| DPDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| FDBR | ✓ | ✓ | ✓ | ✓ | | | |
| Indiana CDPA | ✓ | ✓ | ✓ | ✓ | | | |
| Iowa CDPA | ✓ | ✓ | ✓ | | | | |
| KCDPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| Minnesota CDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Montana CDPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| MODPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NHDPL | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NJDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| OCPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| TIPA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| TDPSA | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| UCPA | ✓ | ✓ | ✓ | | | | |
| VCDPA | ✓ | ✓ | ✓ | ✓ | | | |
How Will Consumers Be Impacted by the RIDTPPA?
The RIDTPPA impacts consumers (called customers in the text of the law) by granting them the following rights over their personal information:
- Confirm if a controller is processing their personal data and access that data
- Correct inaccuracies in their data
- Request to delete their personal data
- Obtain a portable copy of their personal data
- Opt out of data processing for targeted advertising, the sale of data, or profiling
- Opt in to having their sensitive personal data collected and processed
Who Does the RIDTPPA Apply To?
The RIDTPPA applies to Rhode Island residents but does not apply to anyone in the state acting in a commercial or employment context.
How Will Businesses Be Impacted by the RIDTPPA?
Beyond the legal purposes for data processing, contractual obligations, and other requirements I already covered, the RIDTPPA also impacts businesses’ privacy and cookie policies.
How Will the RIDTPPA Affect My Privacy Policy?
The RIDTPPA affects your privacy policy by requiring that it do the following:
- Identify all categories of personal data collected through the website or online service;
- Identify all third parties the controller sells data to;
- Identify an active email address or other online mechanism customers can use to contact the controller;
- Clearly disclose if data is sold to third parties or processed for targeted advertising.
How Will the RIDTPPA Affect My Cookie Policy?
The RIDTPPA affects your cookie policy because the law gives users the right to opt out of or into specific data processing that might involve the deployment of internet cookies.
For example, customers must give their opt-in consent before sensitive personal data about them is collected and processed, and they have the right to opt out of having their data sold or processed for targeted advertising.
Ensure you’re using a consent management platform that allows your Rhode Island users to follow through on their opt-in and opt-out rights, and always present them with an updated, accurate cookie policy.
Who Must Comply With Rhode Island’s New Data Privacy Law?
Your business must comply with the RIDTPPA if you’re for-profit, conduct business in the state or produce goods and services targeted at RI residents, and do either of the following:
- In a calendar year, control or process the personal data of 35,000 customers, excluding data processed solely to complete a payment transaction, or
- In a calendar year, control or process the personal data of 10,000 customers and earn 20% or more of gross revenue from the sale of personal data.
Who Is Exempt From the RIDTPPA?
The following entities are exempt from following the RIDTPPA:
- Any authority, body, board, bureau, commission, district, or agency of the state of RI or political subdivisions of the state
- Nonprofit organizations
- Institutions of higher education
- National securities associations registered under the Securities Exchange Act of 1934
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
How Can Businesses Prepare for the RIDTPPA?
Your business can prepare for the RIDTPPA by ensuring you’ve updated your cookie and privacy policies to account for all transparency and notification guidelines outlined by the law.
Use a consent management platform (CMP) on your website to allow your Rhode Island customers to follow through on their privacy rights, like opting out of targeted advertising or the sale of their data.
Finally, adding a Data Subject Access Request (DSAR) form to your website helps you provide customers with a straightforward way to submit requests to follow through on additional rights.
How Will the RIDTPPA Be Enforced?
The attorney general will enforce the RIDTPPA, and violating the act will be considered a deceptive practice.
Fines and Penalties Under the Rhode Island Data Transparency and Privacy Protection Act
Businesses that violate the RIDTPPA are subject to fines of between $100 and $500 per incident.
However, customers do not have a right to private action under the law.
How Will Termly Help with RIDTPPA Compliance?
Termly will help businesses simplify their compliance with the RIDTPPA by ensuring our Privacy Policy Generator is updated to meet all notification guidelines outlined by the law before it becomes enforceable in 2026.
Backed by our legal team and data privacy experts, it asks multiple-choice questions about your business and its data processing activities.
It makes a custom policy based on your answers.
Our consent management platform (CMP) is also configurable to meet the opt-out and opt-in requirements described in the RIDTPPA.
It includes a free DSAR form, making it easy for businesses to receive customer requests to follow through on their privacy rights.
Are There Other Privacy-Related Laws in Rhode Island?
A few other privacy-related laws exist in Rhode Island that will work in tandem with the RIDTPPA, including the following:
- Identity Theft Protection Act of 2015: This law outlines protections for personal information regarding the disclosure of breaches of security systems. It requires the implementation of risk-based security programs to prevent cybercrimes.
- Consumer Empowerment and Identity Theft Prevention Act of 2006: This law also protects consumers regarding data breaches, giving them the right to place a security freeze on their credit reports.
Summary
Before the RIDTPPA enters into force in 2026, make sure your business takes the proper steps to prepare for compliance:
- Add a privacy policy to your website or online service informing users about all data you collect and if and how you share it with third parties.
- Update your cookie policy to ensure it discloses all internet cookies used so your RI customers can follow through on their privacy rights.
- Add a DSAR form to your website so RI customers can easily submit requests to access, correct, or delete their personal data.
- Use and sign a compliant contract if you work with any data processors.
- Perform data protection assessments as needed for specific data processing purposes.
Fortunately, with solutions like Termly’s Privacy Policy Generator and CMP, complying with laws like the RIDTPPA has never been easier.