The RIDTPPA became effective on January 1, 2026, with data protection assessment requirements applying prospectively to processing activities initiated on or after that date. This in-depth guide examines the full statutory text (R.I. Gen. Laws §§ 6-48.1-1 to 6-48.1-10), legislative history, early guidance from the Rhode Island Attorney General’s Office, practical examples, multi-state comparisons, and detailed compliance recommendations.
Introduction and Overview
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), codified as Chapter 6-48.1 of the Rhode Island General Laws, represents the Ocean State’s entry into the rapidly expanding landscape of U.S. state comprehensive consumer privacy laws. Enacted through House Bill 7787 Substitute A and allowed to become law without Governor Daniel McKee’s signature on June 28, 2024, the RIDTPPA took effect on January 1, 2026, providing businesses with approximately 18 months to prepare.
Closely modeled on the Connecticut Data Privacy Act (CTDPA), the RIDTPPA adopts a consumer-centric approach with several features that make it more stringent than many of its contemporaries. Rhode Island residents acting in an individual or household context (“consumers”) gain robust rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of certain processing of it. Controllers face obligations emphasizing data minimization, transparency, and consent for sensitive data.
Key distinguishing elements include significantly lower applicability thresholds (capturing more mid-sized businesses), a broad definition of “sale” that encompasses exchanges for monetary or other valuable consideration, no mandatory pre-enforcement cure period, and integration into Rhode Island’s Deceptive Trade Practices Act with potential penalties of up to $10,000 per violation. The RIDTPPA does not require recognition of universal opt-out mechanisms (in this respect it resembles Virginia-style laws such as Indiana’s and Kentucky’s rather than Connecticut’s), but it otherwise aligns closely with Connecticut, Delaware, and other CTDPA-inspired frameworks.
The law reflects growing public concern over data practices in an era of pervasive online tracking, targeted advertising, and data brokerage. As articulated during legislative debates, proponents emphasized empowering Rhode Islanders—particularly in a small state where local businesses interact closely with residents—to understand and control how their information is collected, used, and shared. The Rhode Island Attorney General’s Office, responsible for exclusive enforcement, has begun releasing consumer education materials in early 2026, stressing that “the Act gives Rhode Islanders meaningful tools to protect their privacy in the digital age.”
This comprehensive guide provides a thorough section-by-section breakdown, statutory quotations, real-world examples, extensive multi-state comparison tables, industry implications, and step-by-step compliance guidance to assist businesses navigating the law’s early implementation phase.
Legislative History and Policy Rationale
The RIDTPPA emerged from House Bill 7787, introduced in early 2024 by Representative Jacquelyn Baginski and co-sponsored by a bipartisan group. After committee hearings featuring testimony from privacy advocates, industry representatives, and the Attorney General’s Office, Substitute A incorporated refinements such as clarified exemptions and prospective DPIA application.
The bill passed the House and Senate with strong support and was transmitted to Governor McKee, who expressed reservations about potential impacts on small businesses but ultimately allowed it to become law without signature—a procedural choice that avoided veto while signaling caution.
Rhode Island’s enactment fits within a broader national trend: by mid-2024, over 15 states had comprehensive privacy laws, driven by the absence of federal legislation. Rhode Island lawmakers deliberately chose the CTDPA model over the more business-friendly VCDPA framework, citing the need for stronger protections in a state with a dense population and active digital economy. Stakeholder input highlighted concerns over data sales, profiling, and sensitive inferences, leading to the broader “sale” definition and low thresholds designed to cover entities with meaningful Rhode Island footprints despite the state’s small size (approximately 1.1 million residents).
No amendments have been enacted since passage, and as of January 2026, the Attorney General’s Office has prioritized education over immediate enforcement actions.
Applicability and Exemptions (§ 6-48.1-3)
Covered Controllers
The RIDTPPA applies to any person (including corporations, LLCs, etc.) that:
- Conducts business in Rhode Island or produces products/services targeted to Rhode Island residents; and
- During a calendar year, controls or processes the personal data of at least 35,000 Rhode Island consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Controls or processes the personal data of at least 10,000 Rhode Island consumers and derives more than 20% of its gross revenue from the sale of personal data.
These thresholds are among the lowest nationally, meaning even businesses with modest Rhode Island activity may be covered. For context, a company processing data of 20,000 Rhode Islanders (e.g., via a regional app or website) would trigger applicability regardless of revenue source.
Entity- and Data-Level Exemptions
Standard exemptions include state/local governments, nonprofits (with limitations), GLBA financial institutions, HIPAA entities/business associates, higher education institutions, and certain insurance-related entities. Data-level exemptions cover HIPAA-protected health information, research data, FCRA credit reports, FERPA records, employment data, and de-identified/publicly available information.
Example: A national retailer with a few Rhode Island stores processing customer loyalty data for 40,000 state residents would likely be covered, while a HIPAA-covered hospital would be exempt for protected health information.
Key Definitions (§ 6-48.1-2)
Precise definitions drive the law’s scope. Notable statutory language includes:
- Personal data: “any information that is linked or reasonably linkable to an identified or identifiable individual” (excludes de-identified or publicly available data).
- Sensitive data: Data revealing racial/ethnic origin, religious beliefs, health or mental health conditions, sex life or sexual orientation, citizenship/immigration status, genetic or biometric data processed for identification, children’s data (under 13), or precise geolocation (within a radius of 1,750 feet).
- Sale of personal data: “the exchange of personal data for monetary or other valuable consideration by the controller to a third party” (excludes processor disclosures, affiliates, or consumer-directed shares).
- Targeted advertising: Displaying ads based on personal data from cross-context activities (excludes contextual or same-site ads).
- Profiling: Automated processing of personal data to evaluate, analyze, or predict aspects of an individual; the opt-out right attaches to profiling in furtherance of fully automated decisions that produce legal or similarly significant effects (e.g., credit, housing, employment decisions).
- Consent: “a clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement.”
The broad “sale” definition is critical: sharing email lists with a marketing partner for analytics services (valuable consideration) triggers opt-out rights, unlike monetary-only definitions in Kentucky or Indiana.
Example: A fitness app sharing user location data with a mapping service for enhanced features would not be a sale if consumer-directed, but sharing with an ad network for payment or data enrichment would qualify.
Consumer Rights (§ 6-48.1-4)
Consumers may exercise their rights free of charge (subject to reasonable limits for manifestly unfounded requests) through channels that authenticate the requester.
Core Rights
- Confirm and Access: Confirm processing and obtain a copy (excluding trade secrets).
- Correct Inaccuracies: Rectify errors, considering data nature and purpose.
- Delete: Request deletion of data provided by or obtained about the consumer.
- Portability: Obtain data in a readily usable format (technically feasible).
- Opt-Out: From targeted advertising, sales (broadly defined), or profiling with significant effects.
Additional Protections
- Opt-in consent required for sensitive data processing;
- COPPA compliance suffices for children’s data;
- Non-discrimination for rights exercise (voluntary loyalty programs permitted).
Process Details
Controllers must respond within 45 days, with one 45-day extension permitted. Denials require a written explanation and instructions for appealing; appeals must be resolved within 60 days. There is no statutory cure period beyond this appeal process before the AG may act.
Example: A Rhode Island resident discovers an outdated address in their e-commerce profile and requests a correction. If the controller denies the request, the consumer may appeal; if the appeal is unsuccessful, the consumer can file a complaint with the AG.
Controller Obligations (§ 6-48.1-5 and § 6-48.1-6)
Transparency Requirements
Provide a clear, accessible privacy notice that discloses the categories of personal data processed, the purposes of processing, the categories of personal data shared with third parties, the categories of those third parties, and the methods by which consumers may exercise their rights (including opt-outs and appeals).
Data Minimization and Purpose Limitation
Processing must be limited to what is reasonably necessary and proportionate; secondary uses require consent if incompatible.
Sensitive Data and Security
Obtain consent before processing sensitive data, and implement reasonable security safeguards proportionate to the risk posed by the data.
Processor Contracts
Binding agreements mandating assistance with rights, security, assessments, confidentiality, and subprocessor governance.
Example: An online retailer must contractually require its analytics vendor to delete consumer data upon request and permit audits.
Data Protection Assessments (§ 6-48.1-7)
Mandatory for high-risk activities: targeted advertising, sales, profiling with significant effects, sensitive data processing, or processing posing substantial injury risk.
Assessments must weigh the benefits of the processing against the risks to consumers, document the safeguards adopted, and be made available to the AG upon request. The requirement applies prospectively to processing activities initiated on or after January 1, 2026, and one assessment may cover a set of comparable processing operations.
Example: A credit-scoring service using automated profiling of Rhode Island applicants must document how risks (e.g., bias) are mitigated versus benefits (e.g., faster decisions).
Enforcement and Remedies (§ 6-48.1-8)
Exclusive enforcement by the Rhode Island Attorney General under the Deceptive Trade Practices Act.
- No pre-enforcement cure period;
- Civil penalties up to $10,000 per violation;
- Injunctive relief, costs, and restitution;
- No private right of action.
The AG may issue interpretive guidance and accept consumer complaints. Early 2026 materials emphasize education, with no public actions reported yet.
Multi-State Comparison Tables
| Feature | RIDTPPA (RI) | CTDPA (CT) | KCDPA (KY) | ICDPA (IN) | CCPA/CPRA (CA) |
|---|---|---|---|---|---|
| Consumer Threshold | 35,000 (or 10,000 + 20% revenue from sales) | Same as RI | 100,000 (or 25,000 + 50% revenue) | Same as KY | 100,000 (or $25M revenue or 50% from sales) |
| Sale Definition | Monetary or other valuable consideration | Same as RI | Monetary only | Monetary only | Same as RI |
| Universal Opt-Out Required | No | Yes (from 2025) | No | No | Yes |
| Enforcing Authority | AG only | AG only | AG only | AG only | AG + CPPA + private action (limited) |
| Cure Period | None | 60 days (sunsetting) | Permanent 30 days | Permanent 30 days | 30 days (sunsetting) |
| Max Penalty per Violation | $10,000 | $5,000 | $7,500 | $7,500 | $7,500 |
| Feature | RIDTPPA | CTDPA | KCDPA | ICDPA |
|---|---|---|---|---|
| Sensitive Data Consent | Opt-in required | Opt-in required | Opt-in required | Opt-in required |
| Precise Geolocation Radius | 1,750 feet | 1,750 feet | Not specified (precise) | Not specified (precise) |
| DPIA Applicability | Prospective (post-Jan 1, 2026) | Ongoing | Prospective (post-June 1, 2026 for some) | Prospective (post-Jan 1, 2026) |
These tables illustrate the RIDTPPA’s alignment with the CTDPA while highlighting its stricter elements (no cure period, lower thresholds) compared with VCDPA-style laws.
Practical Compliance Guidance
Covered entities should implement a structured program:
- Data Mapping and Gap Analysis: Inventory Rhode Island consumer data flows, identifying sales (broad definition), sensitive categories, and high-risk processing.
- Privacy Notice Overhaul: Update to disclose broader sales and provide clear opt-out links; consider layered notices for accessibility.
- Rights Management System: Deploy authenticated web forms or email processes; automate where possible and document appeals.
- Consent Architecture: Implement granular opt-in mechanisms for sensitive data (e.g., checkboxes, not pre-ticked).
- DPIA Program Launch: Conduct assessments immediately for ongoing high-risk activities; template risk-benefit analyses.
- Vendor Due Diligence: Review and amend processor contracts; include flow-down obligations.
- Employee Training: Educate staff on authentication, timelines, and non-discrimination.
- Ongoing Monitoring: Track AG guidance and complaint trends; prepare incident response for potential investigations.
- Small/Mid-Size Business Focus: Even limited Rhode Island targeting may trigger coverage—assess early.
Leverage multi-state tools (e.g., OneTrust, TrustArc) configured for CTDPA/RIDTPPA nuances.
Industry-Specific Implications and Outlook
Retail and E-Commerce: Broader sale definition impacts loyalty program data sharing; enhanced opt-out processes needed.
Ad Tech and Marketing: DPIAs critical for cross-context targeting; no cure increases investigation risk.
Healthcare and Finance: Entity exemptions provide relief, but non-exempt activities (e.g., marketing) remain covered.
Tech Platforms and Apps: Precise geolocation and profiling trigger heightened obligations; consent flows essential.
Small Businesses: Lower thresholds demand attention; many businesses previously exempt under higher-threshold laws must now comply.
Early 2026 outlook: The AG’s educational focus suggests measured enforcement initially, but the absence of a cure period may lead to quicker actions on clear violations. Multi-state operators should harmonize with CTDPA while noting Rhode Island-specific risks.
RIDTPPA Compliance Software Solution
Captain Compliance is proud to be a Rhode Island privacy software provider to keep you compliant with the privacy laws in the state. The RIDTPPA establishes a robust, consumer-oriented privacy framework tailored to Rhode Island’s context, prioritizing transparency and control through lower thresholds, broad sale definitions, and strong enforcement tools. While presenting compliance challenges—particularly the lack of a cure period and heightened penalties—the law aligns with evolving expectations for responsible data stewardship. Businesses operating in or targeting Rhode Island should prioritize proactive measures to mitigate risks in this new regulatory environment. As implementation progresses throughout 2026, guidance from the Attorney General and potential coordinated multi-state actions will further shape its impact.