Partner
In the summer of 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”). It was signed by the Rhode Island Governor and takes effect on January 1, 2026.
In theory, RIDTPPA is designed by Rhode Island lawmakers to protect the personal data of Rhode Island consumers and give residents certain rights vis-a-vis businesses that collect and process their data. However, the RIDTPPA does not apply when a person is acting in an employment capacity. Anyone who has applied for a job recently knows how much personal data is collected during that process. Who knows what happens to the data after the job is filled? And non-profit organizations are entirely exempt from the RIDTPPA.
In any event, like most of these statutes, consumer data under the RIDTPPA is protected through a notice/consent regime. This generally means that, in some circumstances and with certain types of data, controllers/processors of data must provide privacy notices and obtain consents from consumers before data is processed and sold. Further, the RIDTTPA directly imposes various duties and obligations on businesses that control and process data (such as the obligation to have state-of-the-art cybersecurity to protect the consumer data).
The RIDTPPA gives consumers certain rights which can be summarized as:
The RIDTPPA gives consumers the right to some sort of simple mechanism for exercising their rights (such as making a request to correct inaccurate data). Controllers must respond promptly — within 45 days — unless there is a good reason for delay. A consumer has a right to the information or response from the controller free of charge once a year (with protections for controllers against abusive consumer behavior). Consumers also have the right to an appeal mechanism for when a controller fails to act or refuses to act. Finally, consumers have a right to a relatively quick answer to an appeal and other requests for actions (usually within 60 days).
The RIDTPPA does not provide consumers with the right to file private lawsuits. Enforcement of the RIDTPPA is done by the Rhode Island Attorney General’s Office. Civil penalties are available of up to $10,000 per violation, and, if there was intentional disclosure of personal data, the fine could be up to $500 per disclosure.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), effective January 1, 2026, gives Rhode Island consumers meaningful rights over their personal data held by covered businesses. Understanding those rights — and knowing how to exercise them — is the first step in actually using the law’s protections.
The RIDTPPA requires covered businesses to provide a mechanism — an email address or other online tool — through which consumers can exercise their rights. In practice, this usually means a “privacy request” form on the business’s website, a dedicated privacy email address, or a toll-free privacy hotline. To submit a request, a consumer typically provides their name, email address or other identifier the business holds, and specifies what right they are exercising (access, correction, deletion, opt-out, etc.).
Businesses must respond to a verified consumer request within 45 days. The “verified” qualifier matters — businesses are permitted to verify the consumer’s identity before processing a request, to prevent unauthorized access to someone else’s data. The verification process should not be so burdensome that it effectively denies the right, but a reasonable identity check is permissible. If a business needs more time, it can extend the response period by an additional 45 days (90 days total) with notice to the consumer explaining the reason for the delay.
One of the RIDTPPA’s most consumer-friendly provisions is the requirement that businesses identify, in their privacy notice, every third party with whom they sell or share personal data — not merely the categories of third parties, but the actual entities. This means consumers can look at a business’s privacy policy and see a named list of every company their data is being sold to. This level of transparency is more granular than what most other state privacy statutes require and gives consumers a clearer picture of the data economy they are participating in.
If a business fails to provide this information in its privacy notice, consumers have the right to request it directly. A request for confirmation that personal data is being collected or sold, and a request to know specifically with whom the data has been shared, are both rights the RIDTPPA expressly grants. Consumers exercising these rights are entitled to a response free of charge once per year.
The RIDTPPA gives consumers the right to opt out of three specific types of data processing: (1) the sale of personal data to third parties; (2) processing for targeted advertising; and (3) profiling in furtherance of solely automated decisions with legal or similarly significant effects. These three categories represent the uses of personal data that consumer advocates have identified as most intrusive and most likely to cause concrete harm.
Opting out of targeted advertising does not mean the consumer will stop seeing ads. It means the business cannot use the consumer’s personal data — browsing history, purchase history, demographic information — to serve ads tailored to that consumer. The consumer may still see generic, non-targeted advertising. This distinction matters practically: opting out may reduce the relevance of ads, but it does not eliminate advertising from the consumer’s experience.
The RIDTPPA treats certain categories of data as “sensitive” and requires businesses to obtain affirmative consent (opt-in) before processing that data — a significantly stronger protection than a mere opt-out right. Sensitive data categories under the RIDTPPA include data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation and gender identity, citizenship or immigration status, genetic data, biometric data used for identification, precise geolocation (within 1,750 feet), and personal data of known children.
If a business is processing your sensitive data without having obtained your prior consent, that is a violation of the RIDTPPA. You can file a complaint with the Rhode Island Attorney General’s Office, which has enforcement authority under the statute. The AG can impose civil penalties of up to $10,000 per violation. While consumers do not have a private right to sue under the RIDTPPA, AG enforcement is a meaningful deterrent — particularly for businesses that have engaged in widespread or intentional sensitive data processing without consent.
If a business denies your consumer rights request — refusing to delete your data, declining to correct inaccurate information, or failing to honor an opt-out request — the RIDTPPA gives you the right to appeal. The business must provide you with a simple appeal mechanism and respond to the appeal within 60 days. If the appeal is unsuccessful and you believe the denial was improper, your next step is to contact the Rhode Island Attorney General’s Office and file a consumer complaint. The AG has authority to investigate and bring enforcement actions on behalf of Rhode Island consumers.
If you have questions about your rights under the RIDTPPA or any other state data privacy statute — or if you believe a business has violated your data privacy rights — the consumer data privacy attorneys at Revision Legal can advise you on your options.
Artificial intelligence has become part of nearly every business operation. Businesses now use AI tools to write marketing copy, generate product images, compose emails, draft social media posts, and produce video and audio content at a scale that was not possible a few years ago. The efficiency gains are real. But so are the legal […]
Read more about The Risks of Using AI-Generated Content in Your Business
Receiving a cease and desist letter can feel alarming. One minute you are running your business as usual, and the next you are staring at a legal demand accusing you of trademark infringement, copyright violation, breach of contract, or some other wrong. The situation can escalate quickly if not handled properly. But receiving a cease […]
Read more about How to Respond to a Cease and Desist Letter
Learn what counts as deceptive pricing in e-commerce, including false discounts, hidden fees, drip pricing, and fake urgency. Revision Legal’s internet law attorneys help online retailers stay compliant with FTC rules.
Read more about What Counts as Deceptive Pricing in E-Commerce?