January 1, 2026 will mark another turning point in U.S. privacy regulation. Rhode Island, along with Kentucky and Indiana, will bring new comprehensive privacy laws online the same day, creating a coordinated wave of obligations that privacy teams can’t afford to overlook.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) largely follows the Washington Privacy Act framework. Unlike California’s CCPA model, the RIDTPPA focuses on prescriptive notice and third-party disclosure requirements, along with unique enforcement provisions, making it familiar yet distinct for businesses operating across multiple states.
In this blog, we’ll break down the RIDTPPA’s key provisions, highlight what sets it apart from other state laws, and share practical steps to help your organization prepare for its January 2026 debut.
Understanding the RIDTPPA
Signed into law on June 25, 2024, RIDTPPA grants consumers familiar rights seen in other state privacy laws, including the ability to access, correct, delete, and port personal data, as well as opt out of certain processing activities. It also requires opt-in consent for processing sensitive data.
Beyond these familiar consumer rights, the RIDTPPA also introduces several unique requirements that make it stand out from other state privacy laws.
What Makes the RIDTPPA Notable:
- Prescriptive privacy notices for certain websites and ISPs
Unlike most state laws, Rhode Island does not impose a general privacy notice requirement on all controllers. Instead, it takes a very different approach: any commercial website or internet service provider (ISP) that collects, stores, and sells personally identifiable information (PII) must make very specific disclosures, including:
- All categories of personal data collected through the website or online service;
- A list of all third parties to whom PII has been or may be sold (not just categories of third parties);
- An active email address or other online contact method for the controller.
Controllers must also clearly and conspicuously disclose if they sell personal data to third parties or process data for targeted advertising.
This obligation is narrower in scope but far more prescriptive than the notice requirements in most other state laws. And here’s the kicker: it applies even outside the law’s usual thresholds, potentially pulling in smaller businesses that would otherwise be exempt.
- No general data minimization requirement
Unlike most recent laws, Rhode Island does not require controllers to limit collection to what is “adequate, relevant, and reasonably necessary” for disclosed purposes. This omission aligns RIDTPPA with less strict laws like Iowa and Utah.
- No mandated recognition of universal opt-out mechanisms (UOOMs)
Controllers in Rhode Island do not have to support browser-based or global privacy signals, meaning consumers must opt out on a site-by-site basis, unlike California, which recognizes signals like the Global Privacy Control (GPC) to streamline opt-outs across multiple websites.
- High penalties and no cure period
Violations of the RIDTPPA are treated as deceptive trade practices, with penalties up to $10,000 per violation. Intentional disclosures made to circumvent the law can add $100–500 per disclosure on top of that. Unlike some states, there’s no cure period, so businesses won’t get a second chance to fix issues before enforcement.
We’ll break down these provisions further and explore the scope of the law next.
Scope of Application
The Rhode Island Data Transparency and Privacy Protection Act applies to for-profit entities that conduct business in Rhode Island or offer products or services to state residents if they meet one of the following thresholds in the prior calendar year:
- Controlled or processed the personal data of at least 35,000 Rhode Island residents, or
- Controlled or processed the personal data of at least 10,000 Rhode Island residents and derived 20% or more of gross revenue from the sale of personal data.
But as mentioned, the law also imposes special privacy notice requirements on certain businesses (commercial websites and internet service providers that collect, store, and sell personal information) whether or not they meet the usual applicability thresholds.
Exemptions
The RIDTPPA contains broad exemptions for certain entities and categories of data, many of which mirror exemptions in other state privacy laws:
- Government entities and political subdivisions in Rhode Island
- Nonprofit organizations and institutions of higher education
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities, business associates, and protected health information (PHI), as well as other health- and research-related data
- FERPA, FCRA, DPPA, and Farm Credit Act regulated data
- Employment-related information, such as personal data collected in an HR context
Organizations that fall into exempt categories or handle data types excluded under the RIDTPPA are generally not subject to the law, but should consult legal counsel to confirm any exemptions.
Rights Granted to Consumers
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) gives customers, individuals residing in Rhode Island and acting in a personal or household context, a set of rights over their personal data:
- Right to Access: Customers can confirm whether a controller is processing their personal data and request access, except where disclosure would reveal trade secrets.
- Right to Correction: Customers can ask for corrections to inaccurate personal data.
- Right to Deletion: Customers may request deletion of personal data collected about them.
- Right to Data Portability: Customers can obtain their personal data in a readily usable format, to the extent feasible, without revealing trade secrets.
- Right to Opt-Out: Customers can opt out of processing for targeted advertising, the sale of personal data, or profiling used for automated decisions with legal or similarly significant effects. “Sale” covers transfers to third parties for monetary or other valuable consideration, but does not include disclosures to processors or affiliates.
Controllers must generally respond to customer requests within 45 days, with the possibility of an extension if reasonably necessary.
Disclosure of Third Parties
One of the most distinctive aspects of the Rhode Island Data Privacy Act is its requirement for controllers to disclose both current and potential third-party recipients of personal data. Unlike most state privacy laws, which only require disclosure of third parties currently receiving personal data, Rhode Island goes further by asking businesses to identify third parties to which they may sell personal data in the future.
This rule is intended to provide consumers with greater transparency into how their personal data might be shared. At the same time, it introduces operational challenges for businesses, which must anticipate potential future recipients—something that can be difficult to predict and manage.
Key Obligations for Businesses
Businesses operating in Rhode Island or providing products or services to Rhode Island residents must take several critical steps to ensure compliance. The RIDTPPA imposes obligations on both controllers and processors of personal data.
Controllers’ Responsibilities
Controllers—entities that determine the purposes and means of processing personal data—are required to:
- Prescriptive Privacy Notices: Commercial websites and ISPs that collect, store, and sell personally identifiable information (PII) must disclose:
  - Categories of personal data collected through the website or online service;
  - All third parties to whom PII has been or may be sold;
  - A direct email or other online contact method for the controller;
  - Any processing for targeted advertising or sales of personal data.
- Consumer Rights Fulfillment: Respond to requests to access, correct, delete, port, or opt out of processing for targeted advertising, sale, or profiling. Responses generally must be provided within 45 days, with a possible extension if reasonably necessary. Provide an appeals process if a request is denied.
- Data Security: Implement reasonable administrative, technical, and physical safeguards to protect personal data from unauthorized access or disclosure.
- Data Protection Assessments: Although the RIDTPPA does not specify details, controllers should assess high-risk processing activities, including targeted advertising, sales of personal data, processing of sensitive data, and automated profiling.
- Minors’ Protections: Obtain opt-in consent before processing personal data of children under 13. The law does not impose additional protections for teens.
- Third-Party Risk Management: Ensure agreements with third parties limit use of personal data to disclosed purposes and protect consumer rights.
Processors’ Responsibilities
Processors—entities that handle personal data on behalf of a controller—are required to:
- Data Processing Agreements: Maintain contracts with controllers that define processing scope, data involved, and obligations regarding security and consumer rights.
- Assist with Compliance: Support controllers in fulfilling consumer requests, conducting risk assessments, and maintaining secure processing practices.
- Implement Security Measures: Maintain appropriate technical and organizational safeguards based on the type and sensitivity of data processed.
Enforcement of RIDTPPA
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is enforced exclusively by the Rhode Island Attorney General (AG); the law does not provide a private right of action.
Civil Penalties: Violations can result in fines of up to $10,000 per violation. Additionally, any individual or entity that intentionally discloses personal data may be subject to fines between $100 and $500 per disclosure. The scope and calculation of these intentional disclosure penalties remain somewhat ambiguous.
No Cure Period: Unlike many other state privacy laws, the RIDTPPA does not provide a right to cure. Businesses found in violation are immediately subject to enforcement under the state’s deceptive trade practices provisions.
Bottom Line: While the RIDTPPA may be narrower than other state privacy laws in some respects, its enforcement framework is strong, and businesses should be aware that intentional violations carry additional financial risk.
How DataGrail Can Help
DataGrail helps simplify compliance with complex state privacy laws like the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA).
Here’s how:
- Automate Consumer Rights Requests: DataGrail’s Request Manager enables you to efficiently handle access, correction, deletion, data portability, and opt-out requests within Rhode Island’s 45-day response window. Ensure timely fulfillment across all systems and vendors while keeping compliant with other major privacy laws like CCPA and GDPR.
- Maintain a Compliant Data Inventory: Rhode Island’s prescriptive notice requirements and third-party disclosure obligations demand clear visibility into personal data. DataGrail’s Live Data Map provides an up-to-date inventory of personal data collection, processing, and sharing—including sensitive data—reducing reliance on spreadsheets and manual tracking.
- Simplify Consent and Opt-Out Management: DataGrail’s Consent solution helps automate the collection of consents and honor opt-outs for targeted advertising, the sale of personal data, and profiling. This ensures customers can easily exercise their rights while minimizing operational burden.
- Third-Party Oversight & AI-Powered Risk Management: Use DataGrail’s AI-powered platform to monitor personal data shared with vendors and partners, including entities to which data may be sold, automatically identifying high-risk relationships, tracking third-party data flows, and flagging unusual sharing activity to help keep your business RIDTPPA-compliant and enforcement-ready.