In the summer of 2024, Rhode Island became the 19th State to enact a version of a consumer data privacy statute entitled the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”).
In this article, the Consumer Data Privacy Compliance attorneys at Revision Legal discuss what businesses need to know about the RIDTPPA. As with all of these statutes, a portion of the RIDTPPA is “aimed” at protecting Rhode Island consumers and giving them certain rights vis-a-vis businesses that collect and process their data. This generally means providing privacy notices to consumers and obtaining consents from consumers in some circumstances related to what data can be collected, processed, and sold. Another large part of the RIDTPPA is “geared” towards directly imposing various duties and obligations on businesses that control and process data. An example here is the obligation to have state-of-the-art cybersecurity to protect consumer data from hacking, unauthorized access and/or exfiltration.
What businesses need to know about the RIDTPPA
In reviewing the various consumer data protection statutes enacted over the last few years, the RIDTPPA may be rightly termed the mildest version of these statutes passed. For example, many newer versions of these statutes say a controller SHALL not process data beyond what is “adequate, relevant and limited to what is necessary in relation to the specific purposes” of the processing. The RIDTPPA states that controllers MAY process data in such a limited manner. Section 6-48.1-7(s).
It seems that there is almost nothing that could be seen as unique or different about the RIDTPPA compared to similar statutes. Thus, in many respects, if your business is in compliance with the requirements of a consumer data protection statute passed by another State, your business is likely already in compliance with what is mandated in the RIDTPPA.
There is one notable exception, but even here, this statutory obligation was earlier made part of the Maryland consumer data privacy protection statute. That provision requires a data controller to specifically identify all parties to whom the business sells, or with whom it shares or will sell or share, the consumer’s data. Depending on the business, that obligation could impose a significant administrative burden.
Here are the notable obligations imposed by the RIDTPPA on businesses:
- Provide consumer notice/disclosure (as indicated above) where the website collects, stores, and/or sells customer data identifying:
- All categories of data collected
- All third parties with whom the data has been sold or may be sold
- An email address or other online mechanism customers can use to contact the controller
- Provide notice/disclosure of other consumer rights, such as the right to know what data is collected and the rights to correct, delete, and obtain a portable copy of that data
- Provide a mechanism allowing consumers to opt out of the processing of their personal data “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer”
- Provide a mechanism for the consumer to appeal denial of requests by the controller (such as an opt-out request, a request to delete or correct data, etc.)
- Not process sensitive data unless the consumer specifically consents — controller must, therefore, provide an “opt-in” mechanism (and an easy opt-out mechanism) for permitting processing of sensitive data (data revealing, for example, race, religion, etc.)
- Have state-of-the-art cybersecurity to protect consumer data
- Not process sensitive data of a known child without parental consent
- Have non-discrimination policies in place for data processing
- Have proper contractual controls for data processors
- Not re-identify data that has been de-identified
- Conduct data protection impact assessments where data processing can create a “heightened risk of harm to the customer,” including a heightened risk of targeted advertising
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
RIDTPPA Compliance: Implementation Steps for Businesses
For businesses that are already compliant with other state consumer data privacy statutes, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) — effective January 1, 2026 — should not require a complete overhaul of existing compliance programs. However, the RIDTPPA does contain some unique requirements, and businesses should audit their current programs against Rhode Island’s specific language rather than assume complete carry-over compliance.
Who Must Comply: Applicability Thresholds
The RIDTPPA applies to controllers — entities that determine the purpose and means of processing personal data — who conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and, during a calendar year, either: (1) control or process the personal data of at least 35,000 consumers; or (2) control or process the personal data of at least 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data. These thresholds are consistent with other mid-tier state privacy statutes. Smaller businesses that do not meet either threshold are not covered.
Importantly, the RIDTPPA, like most state privacy statutes, excludes personal data processed in connection with employment — the personal data of employees and job applicants falls outside its scope. Non-profit organizations are also entirely exempt. These exclusions are meaningful for businesses that primarily interact with Rhode Island residents in an employment context, but any business with a consumer-facing operation that meets the thresholds should treat the RIDTPPA as fully applicable.
The Third-Party Disclosure Requirement
The RIDTPPA’s most distinctive and operationally demanding provision is the requirement to specifically identify, in the privacy notice, all third parties with whom consumer personal data is sold or shared. Most other state privacy statutes require only that businesses disclose the categories of third parties to whom data is sold. The RIDTPPA requires identification of the actual parties. This is a more granular disclosure obligation and can impose a significant administrative burden on businesses with complex data-sharing arrangements.
If your business sells consumer data to ten advertising networks, the RIDTPPA requires you to list all ten by name in your privacy notice. This means the privacy notice must be updated whenever a new data-sharing relationship is established or an existing one is terminated. Businesses that use automated data brokerage arrangements — where data is sold to a large number of buyers through a data marketplace — should work with counsel to structure those arrangements in a way that satisfies Rhode Island’s disclosure requirements without creating an unmanageable updating obligation.
Sensitive Data: Opt-In Required
The RIDTPPA prohibits processing sensitive personal data without the consumer’s prior, affirmative consent — an opt-in requirement, not merely a right to opt out. Sensitive data under the RIDTPPA includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and personal data of known children. If your business collects any of these categories from Rhode Island consumers, you must obtain affirmative consent before processing — not merely provide an opt-out mechanism.
The children’s data provision aligns with the broader trend of heightened protection for minors’ data across state laws and federal law (COPPA). Businesses that operate platforms or services likely to be accessed by minors should have age-gating and parental consent mechanisms in place independent of the RIDTPPA, but Rhode Island’s statute adds an express obligation to the existing framework.
Data Protection Impact Assessments
The RIDTPPA requires controllers to conduct data protection impact assessments (DPIAs) for processing activities that present a “heightened risk of harm,” including targeted advertising, sale of personal data, profiling for certain automated decisions, and processing of sensitive data. A DPIA is a structured analysis that identifies the purpose of the processing, the necessity of collecting the data, the risks to consumers, and the safeguards in place to mitigate those risks. Businesses that have already implemented DPIAs for other state privacy laws can likely adapt those assessments for Rhode Island with modest modification.
DPIAs are not filed with any government agency under the RIDTPPA — they are internal documents that businesses must maintain and make available to the Rhode Island Attorney General upon request during an enforcement investigation. The RIDTPPA gives the AG’s office enforcement authority, with civil penalties of up to $10,000 per violation and up to $500 per consumer for intentional data disclosure violations. There is a 30-day cure period for violations discovered by the AG before penalties may be imposed.
If your business needs a RIDTPPA compliance assessment or a gap analysis against your existing state privacy compliance program, the data privacy attorneys at Revision Legal can help. We advise businesses on all aspects of state and federal consumer data privacy law, including privacy notice drafting, consent mechanism design, and data processing agreement review.