Rhode Island

• Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA)

Effective Date: January 1, 2026

Threshold

For profit entities that conduct business in the state and for profit entities that produce products or services that are targeted to residents of Rhode Island and that during the preceding calendar year:

(1) controlled or processed the personal data of at least 35,000 customers or more (excluding data processed for payment transactions),

or

(2) controlled or processed the personal data of at least 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

Definition of "Personal Data"

Linked or reasonably linkable to an identified or identifiable individual and does not include de-identified or publicly-available information. Does not include people acting in an employment or commercial context.

Definition of "Sale"

Means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

Data-Protection Assessments

Required after January 1, 2026 for each processing activity that presents a heightened risk of harm to a consumer, including processing of personal data for the purposes of targeted advertising, sale of personal data, and processing of personal data for the purposes of profiling.

Opt-In Consent Required for Processing Sensitive Data

Yes

Consumer Rights to Request Access, Correction, Confirm Processing, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads/Sharing

Yes

Consumer Right to Opt Out of Certain Profiling

Yes

Pseudonymous Data Exempt from Consumer Requests

Yes

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

No

Data of Minors

COPPA exception; obtain parental consent to process personal data concerning a known child

GLBA Exemption

Yes (Entity and Data Level)

HIPAA Exemption

Yes (Data Level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context.

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

None

Cure Period Expiration

None

Enforcement Authority/Damages

Attorney General. Violation shall constitute a deceptive trade practice under which each violation can incur civil penalties of up to $10,000. The act also provides that any individual or entity may be fined up to $500, but no less than $100, for each prohibited and intentional personal data disclosure.

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.