Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Effective Date: January 1, 2026.
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the RIDTPPA applies to for-profit entities that conduct business in the State of Rhode Island or produce products or services targeted to Rhode Island residents (customers); and, during the preceding calendar year, controlled or processed either:
- 35,000+ Rhode Island customers' personal data (excluding payment transaction data); or
- 10,000+ Rhode Island customers' personal data and derived more than 20 percent of its gross revenue from the sale of personal data.
2. Key Definitions:
Sales of Personal Data: Similar to California, "sale of personal data" is broadly defined to include the sharing, disclosing, or transferring of personal data for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.
3. Business Obligations:
The RIDTPPA imposes additional obligations on persons who, alone or jointly with others, determine the purpose and means of processing personal data (Controller):
- Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Required where processing activities present a heightened risk of harm to customers, which includes targeted advertising, the sale of personal data, "high-risk" profiling activities, and the processing of sensitive data.
- Privacy Notice: The Controller of any commercial website or internet service provider that "collects, stores, and sells" a customer's personally identifiable information must have a privacy notice available.
- Universal Opt-out Mechanism: N/A. As of January 1, 2025, there is no requirement for Controllers to honor universal opt-out mechanisms under the RIDTPPA.
4. Consumer Rights:
Subject to certain exceptions, a Rhode Island Customer has the right to:
- Confirm whether a Controller is processing their personal data, and access personal data being processed;
- Correct inaccuracies in their personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of personal data processed by the Controller in a portable and readily usable format; and
- Opt out of data processing for targeted advertising, sales of personal data, or profiling for solely automated decisions producing legal or similarly significant effects.
5. Enforcement and Penalties:
Private Right of Action: None.
Penalties: Not more than $10,000 per violation in civil penalties. However, if it is found that an entity intentionally violated the RIDTPPA, additional penalties of $100 to $500 per violation may be assessed.
Cure Period: N/A. There is no cure period.