Rhode Island
Code/Regulations
- Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA)
- Code: R.I. Gen. Laws §§ 6-48.1-1 to 6-48.1-12 (2024)
Effective Date: January 1, 2026
Details
Threshold
For-profit entities that conduct business in the state and for-profit entities that produce products or services that are targeted to residents of Rhode Island and that during the preceding calendar year:
(1) controlled or processed the personal data of at least 35,000 customers (excluding data processed for payment transactions),
or
(2) controlled or processed the personal data of at least 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.
Definition of "Personal Data"
Linked or reasonably linkable to an identified or identifiable individual and does not include de-identified or publicly-available information. Does not include people acting in an employment or commercial context.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Mental or physical health condition or diagnosis; and
- Sexual orientation.
In addition, Rhode Island's definition also includes:
- Sex life;
- Precise geolocation data; and
- Personal information of a known child.
Definition of "Sale"
Means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Data-Protection Assessments
Required after January 1, 2026 for each processing activity that presents a heightened risk of harm to a consumer, including processing of personal data for the purposes of targeted advertising, sale of personal data, and processing of personal data for the purposes of profiling.
Opt-In Consent Required for Processing Sensitive Data
Yes
Consumer Rights to Request Access, Correction, Confirm Processing, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads/Sharing
Yes
Consumer Right to Opt Out of Certain Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
No
Data of Minors
COPPA exception; obtain parental consent to process personal data concerning a known child
GLBA Exemption
Yes (Entity and Data Level)
HIPAA Exemption
Yes (Data Level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context.
Nonprofit Exemption
Yes
Private Right of Action
No
Cure Period
None
Cure Period Expiration
None
Enforcement Authority/Damages
Attorney General. Violation shall constitute a deceptive trade practice under which each violation can incur civil penalties of up to $10,000. The act also provides that any individual or entity may be fined up to $500, but no less than $100, for each prohibited and intentional personal data disclosure.
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.