On June 13, 2024, the Rhode Island legislature passed House Bill H7787. Governor Daniel McKee allowed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) to become law without his signature, making Rhode Island the 19th state to enact a comprehensive consumer data privacy law. RIDTPPA became effective statewide on January 1, 2026, establishing a new framework for how businesses are required to handle the personal data of Rhode Island residents moving forward.
What types of businesses are affected?
he RIDTPPA applies to businesses that meet one of the following thresholds while conducting business in or producing products in the state or providing services to state residents.
Applicability thresholds and criteria
RIDTPPA applies if a business or entity:
- Controls or processes personal data of at least 35,000 Rhode Island consumers during a calendar year, or
- Controls or processes personal data of at least 10,000 Rhode Island consumers, and derives more than 20% of gross revenue from the sale of personal data
Exemptions
The law allows certain exemptions for certain circumstances and entities:
- Higher education institutions
- National securities associations
- Personal data processed solely for completing payment transactions.
- Data and businesses regulated by the Gramm-Leach-Bliley Act (GLBA)
- Data pertaining to businesses affected by the Health Insurance Portability and Accountability Act (HIPAA)
- Patient-identifying information, human subjects research data, clinical trial data, quality improvement materials, and patient safety work products that are governed by federal health and research laws.
- Other data already regulated by federal law to prevent duplicative or conflicting requirements (e.g., Fair Credit Reporting Act, Family Educational Rights and Privacy Act, and Driver’s Privacy Protection Act)
Consumer rights
Consumers are granted several rights regarding their personal data. These rights require businesses to implement processes for processing, verification, and response.
5 key consumer rights
1: Right to data portability: Consumers have the right to obtain a copy of their personal data in a portable and readily usable format.
2: Right to delete: Consumers have the right to request deletion of personal data held by a controller.
3: Right to correct: Consumers may request correction of inaccurate personal data.
4: Right to opt out of:
- Targeted advertising
- The sale of personal data
- Profiling that produces significant effects
5: Opting in for data collection that is considered sensitive: This includes data such as precise geolocation, racial or ethnic origin, biometric identifiers, and other categories defined in the statute.
Controller responsibilities
A Controller is defined as an “individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Entities that RIDTPPA applies to are required to “establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.”
Entities performing activities that are considered high‑risk processing, such as targeted advertising, the sale of personal data, or profiling with significant consequences, are required to conduct data protection impact assessments. Below is an overview of the responsibilities that apply to all businesses meeting RIDTPPA criteria.
Data protection assessments
Applicable businesses are required to conduct data protection assessments to assess risks associated with:
- Processing data that is sensitive or for advertising
- The risk of unfair profiling that could cause harm to consumers
Opt-in for collecting sensitive data
Data that is sensitive requires opt-in consent before collecting. RIDTPPA defines sensitive data as:
- Precise geological location
- A known child under the age of 13
- Unique biometric data to identify an individual
Deadline for responding to consumer rights requests
Under RIDTPPA, businesses have 45 days to respond to consumer requests. Consumer request situations that are more complex may qualify for a 45-day extension.
Privacy notice
Privacy notices must include the following information:
- Details on how the data is being used
- All categories of personal data collected
- A mechanism for consumer communication
- Any third party that the controller has sold or may sell data to
- Data that elicits information such as religion, race or ethnicity, mental or physical health conditions, sexual activity or orientation, or citizenship status.
Penalty structure
Businesses that do not meet the requirements of the law could face:
- Up to $10,000 per violation for noncompliance with the Act
- $100 to $500 per disclosure for individuals or entities that intentionally disclose personal data unlawfully
The law does not provide a private right of action, meaning that individuals cannot sue businesses directly under RIDTPPA. Additionally, no cure period is provided, meaning businesses do not receive a guaranteed opportunity to remedy violations before enforcement. The law grants sole enforcement authority to the Rhode Island Attorney General.
More data privacy laws are likely throughout 2026
Conversations around data governance, transparency, and security expectations are being reflected in state policies. In 2025 alone, we covered eight new or revised consumer data privacy laws in the United States. Rhode Island was the 19th state to enact a comprehensive consumer data privacy law, and additional data privacy regulations are likely to pop up in 2026.
As always, all readers should consult their legal counsel before taking any actions related to compliance or policy development. For the full details about the Rhode Island Data Transparency and Privacy Protection Act, take a closer look at the original text of the law here.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
