Rhode Island
Rhode Island Data Transparency and Privacy Protection Act
| Passed | June 25, 2024 |
| Effective Date | January 1, 2026 |
| Who it applies to | Entities that conduct business in Rhode Island or target Rhode Island residents, and during a calendar year either: 1) Control or process personal data of 35,000 or more Rhode Island residents; or 2) Control or process personal data of 10,000 or more residents and derive 20% or more of gross revenue from the sale of that data. Exemptions include entities and data regulated by GLBA, HIPAA-covered entities and business associates, nonprofits, institutions of higher education, state entities, data covered by FERPA, FCRA, DPPA, and national securities associations. |
| Penalties | The Rhode Island Attorney General enforces the RIDTPPA, treating violations as deceptive trade practices subject to fines up to $10,000 per violation. Additionally, intentional disclosures to shell companies or entities created to circumvent the law carry separate penalties ranging from $100 to $500 per disclosure. Notably, the RIDTPPA does not provide a cure period; penalties can be imposed immediately upon violation. |
What’s notable about it:
Rhode Island’s RIDTPPA follows the Washington Privacy Act framework but features a unique privacy notice requirement. Only commercial websites and ISPs that collect, store, and sell personally identifiable information must disclose detailed data categories, all third-party recipients, and contact information. This narrow, prescriptive notice obligation raises practical challenges, especially around listing potential future data sales.
Unlike many state laws, RIDTPPA does not impose a general privacy notice obligation on all covered controllers, lacks a general data minimization requirement, and does not require recognition of universal opt-out signals like Global Privacy Control, limiting consumer opt-out convenience.
Finally, while its substantive provisions are weaker than many states’, Rhode Island’s law features relatively high penalties, up to $10,000 per violation plus additional fines for intentional disclosures, with no cure period. This mix of limited protections and strong enforcement creates a unique challenge for businesses needing to comply.