New Data Privacy Law in Rhode Island (RIDTPPA): Are You Prepared for 2026?
by Liza Kruse on 8/29/25 1:29 PM
Another U.S. data privacy law is on the horizon: The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) was signed into law on June 28, 2024, and will take effect on June 1, 2026. For companies operating in Rhode Island, this introduces new compliance requirements regarding the processing of consumer data. This article provides a clear overview of the key obligations under the RIDTPPA and shows you how to best prepare your business for the new regulations.
What is the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is the new data privacy law for the state of Rhode Island. It aims to protect the personal data of its more than one million residents and to impose clear obligations on companies regarding data processing. The act was passed on June 28, 2024, and comes into force on June 1, 2026.
Which companies does the RIDTPPA apply to?
The obligations of the RIDTPPA apply to all companies ("controllers") that conduct business in Rhode Island or specifically target their products and services to the state's residents and process their personal data.
A key aspect is the definition of a "consumer": protection extends to any Rhode Island resident acting "in an individual or household context." Individuals acting in a business or professional capacity (B2B) are explicitly exempt from the RIDTPPA.
What are the core obligations for businesses?
Like many other U.S. data privacy laws (e.g., CCPA), the RIDTPPA follows an opt-out model. This means that prior consent for data collection is generally not required. However, businesses are strictly required to:
- Provide a clear and easily accessible way for consumers to opt out.
- Transparently disclose the categories of personal data they collect.
- Provide information about the third parties with whom data is shared.
- Disclose whether data is sold or processed for targeted advertising.
What makes the RIDTPPA unique? The key differences!
Although it shares many similarities with other laws, the RIDTPPA has two critical distinctions:
- No "Cure Period": This is the most significant difference. If a violation of the law is identified, fines can be imposed immediately. There is no grace period to correct the issue. This makes proactive compliance essential.
- No Obligation to Specify the Purpose of Processing: Unlike many other laws (such as the GDPR), the RIDTPPA does not explicitly require companies to disclose the specific purpose for which data is being processed.
Does the RIDTPPA apply to your business? Scope, thresholds, and exemptions
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) precisely defines which companies (known as "controllers" or data controllers) must comply with its regulations. Whether your business is affected depends primarily on the volume of data processed, not on revenue.
Who must comply with the RIDTPPA? The thresholds in detail
The law applies to any company that conducts business in Rhode Island or targets its products to its residents and meets one of the following conditions within a calendar year:
- Condition 1: It controls or processes the personal data of at least 35,000 consumers. (Exception: data processed solely for payment transactions.)
- Condition 2: It controls or processes the personal data of at least 10,000 consumers AND derives more than 20% of its gross revenue from the sale of this data.
A key difference from laws like California's CCPA/CPRA is the absence of a revenue-only threshold. The applicability of the RIDTPPA is therefore determined by the amount of data processed, which also holds smaller companies with high data volumes accountable.
Who is exempt from compliance?
Similar to other U.S. data privacy laws, the RIDTPPA provides exemptions on two levels: for specific organizations and for specific types of data.
Organizations Exempt from the Law:
- Government and public authorities
- Non-profit organizations
- Institutions of higher education
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Healthcare organizations and their business associates subject to HIPAA
Data Categories Exempt from the Law:
- Health-related information already protected by HIPAA
- Employment and HR-related data
- Data subject to other federal laws, such as the Fair Credit Reporting Act (FCRA) or the Family Educational Rights and Privacy Act (FERPA).
These exemptions ensure that the RIDTPPA supplements existing regulations without creating duplicate compliance requirements.
Key definitions in the RIDTPPA: Terms you need to know
To understand the requirements of the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), it is crucial to be familiar with the law's key terms. We have compiled the most important definitions for you.
- Personal Data: Defined as "any information that is linked or reasonably linkable to an identified or identifiable individual." This includes common examples like names, email addresses, or phone numbers. Anonymized or publicly available data is excluded.
- Sensitive Data: This is a subcategory of personal data that could cause significant harm if misused. The RIDTPPA provides special protection for:
  - Racial or ethnic origin
  - Religious beliefs and sexual orientation
  - Health diagnoses (physical or mental)
  - Biometric and genetic data used for identification
  - Data from children under the age of 13
  - Precise geolocation data (within a radius of approximately 1,750 feet / 530 meters)
- Controller: Any person or entity that determines the purpose and means of processing personal data.
- Processor: Any person or entity that processes data on behalf of a controller.
- Sale of Personal Data: Defined as the exchange of data for "monetary or other valuable consideration." Key exceptions are important: the disclosure of data to a processor, to an affiliate, or as part of a merger, for example, is not considered a sale.
- Targeted Advertising: Refers to advertising selected based on user data collected from activities over time and across different websites. Exempted from this are contextual ads, first-party advertising, or pure reach measurement.
- Consent: Must be a "clear, affirmative act" that is freely given, specific, informed, and unambiguous. The law clarifies what does not constitute valid consent:
  - General acceptance of broad terms of use.
  - Hovering over content or closing a window.
  - Assent obtained through dark patterns (manipulative designs).
Consumer Rights Under the RIDTPPA: An overview of your obligations as a business
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) equips consumers ("customers") with a range of rights to gain control over their personal data. For businesses, this translates into clear obligations when handling Data Subject Requests (DSRs).
The Core Consumer Rights According to the RIDTPPA
Companies must implement processes to guarantee the following five main rights:
- Right to Access: Consumers can confirm whether their data is being processed and access it.
- Right to Correct: Consumers have the right to have inaccurate personal data corrected.
- Right to Delete: Consumers can request the deletion of their personal data (with some exceptions).
- Right to Data Portability: Consumers can request a copy of their data in a common, machine-readable format.
- Right to Opt-Out: Consumers can object to the processing of their data for the purposes of sale, targeted advertising, or profiling.
Deadlines and Obligations: How businesses must respond to requests
When a company receives a request, clear deadlines must be met:
- Response Deadline: The response to the consumer must be provided within 45 days.
- Extension: If necessary, this period can be extended once by an additional 45 days. However, the consumer must be informed of the extension within the initial 45-day period.
- Cost: The information is free of charge for the consumer once per year.
- Denial: Manifestly unfounded, excessive, or repetitive requests may be charged a fee or denied. However, the burden of proof for this lies with the company.
Important Limitation: No Private Right of Action
A crucial aspect of the RIDTPPA is that it does not provide a private right of action for consumers. This means individuals cannot sue companies directly for a violation. Enforcement of the law is exclusively the responsibility of the Rhode Island Attorney General.
Consent under RIDTPPA: What businesses need to know about the Opt-Out Model
Consent management under the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is closely aligned with other U.S. data privacy laws, primarily relying on an opt-out model. However, for businesses, this does not mean that consent is never required.
The general rule: The Opt-Out Principle
For the general processing of personal data, the RIDTPPA does not require prior active consent. Instead, businesses must provide consumers with a clear and easily accessible right to object (opt-out). This opt-out right must be offered specifically for the following purposes:
- The sale of personal data
- Targeted advertising
- Profiling for purposes that produce legal or similarly significant effects
The Exception: When Active Consent (Opt-In) is mandatory
Prior, active consent is mandatory when processing:
- Sensitive personal data
- Personal data of children (under 13 years of age)
Practical Implementation with a Consent Management Platform (CMP)
For the technical implementation of the opt-out right, most companies use a Consent Management Platform (CMP). A CMP ensures that:
- Consumers are transparently informed about data processing.
- Tracking technologies are blocked as soon as a user exercises their right to opt out.
- Compliance across various laws is facilitated.
RIDTPPA Compliance: The 7 key obligations every business must know
The new Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) introduces numerous new responsibilities for businesses. We have summarized the seven central obligations for you.
- Conduct Data Protection Assessments (DPAs): A DPA is mandatory for all high-risk activities, such as targeted advertising, the sale of data, or the processing of sensitive data. The Attorney General can demand to review them!
- Fulfill the Unique Transparency Obligations: The RIDTPPA does not require a traditional privacy policy but mandates clear information about the categories of data collected, partners to whom data is sold, and a contact method in a "conspicuous location" on your website.
- Master Consent Management: The law generally follows an opt-out model. But be aware: for sensitive data and data from children, you need active consent (opt-in). A universal opt-out mechanism like the Global Privacy Control (GPC) is not required.
- Establish a Process for Data Subject Rights: You must respond to consumer requests within 45 days and have a clear process for appeals following a denial.
- Execute Data Processing Agreements (DPAs): Collaboration with service providers (processors) must be governed by a contract. The RIDTPPA sets clear requirements for the content of these agreements and includes a specific liability exception.
- Ensure Data Security and Purpose Limitation: Collect only the data that is truly necessary for the stated purpose and protect it with appropriate technical and organizational measures.
- Adhere to the Prohibition of Discrimination: Consumers must not be treated unfavorably for exercising their rights. Good to know: Voluntary bonus or loyalty programs are still permitted.
RIDTPPA Enforcement: What are the penalties for violations?
The enforcement of the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is centralized, making compliance a critical issue for businesses. Here, you can learn who enforces the law and what sanctions apply in cases of non-compliance.
Jurisdiction: The Sole Authority of the Attorney General
The exclusive responsibility for enforcing the RIDTPPA lies with the Rhode Island Attorney General. Consumers do not have a private right of action, meaning they cannot file lawsuits themselves. However, they play an important role by filing complaints about potential violations directly with the Attorney General's office.
The Highest Risk: No "Cure Period"
One of the most stringent aspects of the RIDTPPA is the lack of a cure period. Unlike in many other U.S. data privacy laws, companies are not given a grace period to remedy identified deficiencies. A violation can lead to immediate sanctions.
Penalties and Fines under the RIDTPPA
Violations of this data privacy act are penalized under the Deceptive Trade Practices Act. This can lead to significant penalties:
- A fine of up to $10,000 can be imposed per violation.
- Additionally, for intentional or egregious violations, further fines between $100 and $500 per disclosure may be applied.
These regulations make proactive and seamless data privacy compliance essential for all affected companies.
RIDTPPA Compliance: How to prepare your business for 2026
Companies have until June 1, 2026, to implement the requirements of the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). Although there are overlaps with other U.S. data privacy laws, such as the right to opt-out or the consent requirement for sensitive data, the RIDTPPA also introduces unique obligations. Proactive preparation is therefore essential.
Your roadmap to RIDTPPA compliance:
- Assess Applicability (Scoping): The first step is to determine if your company falls within the RIDTPPA's thresholds. Analyze the volume of consumer data you process and check if the specific requirements for information sharing apply to you.
- Embrace "Privacy by Design" as a Core Principle: Embed data privacy into your processes from the very beginning. This approach not only helps with RIDTPPA compliance but also improves customer trust and the efficiency of your data processing.
- Implement a Consent Management Platform (CMP): A CMP is a central tool for achieving compliance. It helps you legally manage consent for cookies and trackers, technically implement the right to opt-out, and fulfill the required transparency obligations.
- Seek Expert Advice: The data privacy landscape is constantly evolving. To remain compliant in the long term, collaborating with qualified legal experts or an external Data Protection Officer (DPO) is strongly recommended. They ensure that your measures meet legal requirements not only today but also in the future.
Start preparing early to safely meet the June 1, 2026, deadline and avoid costly penalties.
Conclusion: Act Now to Be Ready for 2026
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) demonstrates once again that the U.S. data privacy landscape is becoming increasingly complex. In particular, the absence of a cure period makes a proactive and well-founded approach essential for businesses.
But you don't have to face this challenge alone. Our team of data privacy experts is ready to analyze your specific situation and develop a clear roadmap for your RIDTPPA compliance. Use the remaining time before June 1, 2026, to achieve legal certainty and avoid costly risks.