Rhode Island Privacy Law: What Consumers Need to Know

by John DiGiacomo

Partner

Internet Law

In the summer of 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”). It was signed by the Rhode Island Governor and takes effect on January 1, 2026.

In theory, RIDTPPA is designed by Rhode Island lawmakers to protect the personal data of Rhode Island consumers and give residents certain rights vis-a-vis businesses that collect and process their data. However, the RIDTPPA does not apply when a person is acting in an employment capacity. Anyone who has applied for a job recently knows how much personal data is collected during that process. Who knows what happens to the data after the job is filled? And non-profit organizations are entirely exempt from the RIDTPPA.

In any event, as under most of these statutes, consumer data under the RIDTPPA is protected through a notice/consent regime. This generally means that, in some circumstances and with certain types of data, controllers/processors of data must provide privacy notices and obtain consents from consumers before data is processed and sold. Further, the RIDTPPA directly imposes various duties and obligations on businesses that control and process data (such as the obligation to have state-of-the-art cybersecurity to protect the consumer data).

The RIDTPPA gives consumers certain rights which can be summarized as:

  • Right to confirm whether their personal data is collected, processed, and sold
  • If yes, right to know specifically with whom data has been or will be sold/shared
  • Right to access such data
  • Right to obtain a copy of their personal data held by a business (right of data portability)
  • Right to correct personal data
  • Right to have personal data deleted
  • Right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of their personal data, or profiling
  • Right to have sensitive data NOT processed unless the consumer has opted-in; right to have an easy method to revoke any previous opting-in
  • Right to have an email address or other online mechanism that can be used to contact the controller

The RIDTPPA gives consumers the right to some sort of simple mechanism for exercising their rights (such as making a request to correct inaccurate data). Controllers must respond promptly — within 45 days — unless there is a good reason for delay. A consumer has a right to the information or response from the controller free of charge once a year (with protections for controllers against abusive consumer behavior). Consumers also have the right to an appeal mechanism for when a controller fails to act or refuses to act. Finally, consumers have a right to a relatively quick answer to an appeal and other requests for actions (usually within 60 days).

The RIDTPPA does not provide consumers with the right to file private lawsuits. The RIDTPPA is enforced by the Rhode Island Attorney General’s Office. Civil penalties of up to $10,000 per violation are available, and, if there was intentional disclosure of personal data, the fine could be up to $500 per disclosure.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
