Rhode Island Data Transparency and Privacy Protection Act: 101 – What You Need to Know

What Is the Rhode Island DTPPA?

Rhode Island enacted the Data Transparency and Privacy Protection Act (DTPPA) on 28th June 2024, becoming the 19th US state with a law protecting consumer privacy. The law takes effect on 1st January 2026.

What makes Rhode Island’s law unique is its dual-threshold system. Whilst most state privacy laws apply only to businesses processing data above certain volumes, Rhode Island includes a universal Privacy Policy requirement that applies to virtually any business serving Rhode Island customers.

If your organisation does any business with Rhode Island residents, this law likely affects you.

Who Must Comply?

Rhode Island’s DTPPA has two distinct applicability thresholds.

You must comply with the full consumer privacy rights provisions if, in a calendar year, you control or process the personal data of 35,000 or more Rhode Island residents (excluding data processed solely to complete a payment transaction), or if you control or process the personal data of 10,000 or more Rhode Island residents and derive more than 20% of your gross revenue from selling personal data.

Here’s the catch: even if you don’t meet the first threshold, you must still provide a privacy notice if you operate a commercial website or internet service that does business in Rhode Island or with Rhode Island customers and collects, stores or sells their personally identifiable information. There is no volume floor: processing the data of a single Rhode Island resident is enough.

For international businesses, this means if you accept orders from Rhode Island, you need a compliant privacy notice regardless of volume.

The law doesn’t apply to non-profit organisations, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act, healthcare providers covered by HIPAA, or higher education institutions.

Consumer Rights Under the DTPPA

Rhode Island residents have five key rights regarding their personal data:

  • the right to confirm whether you’re processing their data and to access it;
  • the right to request correction of inaccurate information;
  • the right to request deletion of personal data you’ve collected;
  • the right to obtain their data in a portable format for transfer to another business; and
  • the right to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of automated decisions that produce legal or similarly significant effects.

What Are Your Obligations?

If you meet the first (volume-based) threshold, you must implement several compliance measures.

You need a clear, accessible privacy notice explaining what data you collect, why you collect it, with whom you share it, and how consumers exercise their rights. The notice must use plain language and avoid legal jargon.

When consumers submit rights requests, you have 45 days to respond. You can extend this by another 45 days if needed, but you must inform the consumer of the extension and explain why it’s necessary.

You must limit data collection to what’s adequate, relevant, and reasonably necessary for your disclosed purposes. Collecting data “just in case” isn’t acceptable.

For sensitive data—including racial or ethnic origin, religious beliefs, health information, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and data about a known child—you need the consumer’s affirmative consent before processing. For children’s data, that consent must be obtained in the manner required by COPPA.

Conduct data protection assessments for high-risk activities like targeted advertising, selling personal data, processing sensitive data, or profiling that produces legal effects. Document these assessments and retain them for at least three years.

Implement reasonable security measures appropriate to the volume and nature of personal data you process. This includes both technical safeguards (encryption, access controls) and organisational measures (policies, training).

Training Your Team

Whilst the DTPPA doesn’t explicitly require employee training, compliance is impossible without it.

Your staff need to understand what personal data your organisation collects, how to recognise consumer rights requests, how to verify consumer identities, what your response procedures are, and how to escalate issues they can’t resolve.

Train customer service teams to handle requests promptly and correctly. Train marketing teams on the difference between standard advertising and targeted advertising. Train IT teams on data security requirements and technical implementation of consumer rights.

Regular refresher training helps maintain compliance as your business evolves and as staff turnover occurs.

Enforcement and Penalties

The Rhode Island Attorney General has exclusive enforcement authority. Consumers cannot sue businesses directly for DTPPA violations.

Unlike many state privacy laws, Rhode Island provides no cure period. If the Attorney General finds a violation, they can seek penalties immediately, without first giving you time to fix the problem. This makes proactive compliance essential.

Violations carry civil penalties of up to $10,000 per violation. Each affected consumer can count as a separate violation, so penalties accumulate quickly for systemic issues. Additionally, anyone who intentionally discloses personal data in violation of the Act faces a fine of between $100 and $500 per disclosure.

A violation of the DTPPA is treated as a deceptive trade practice under Rhode Island’s Deceptive Trade Practices Act, giving the Attorney General that law’s broad enforcement powers in addition to the DTPPA’s own penalties.

Preparing for Compliance

Start by determining which threshold applies to you. Count how many Rhode Island residents’ data you process in a calendar year. If it’s even one person and you operate a commercial website, you need a privacy notice at minimum; if you cross the volume thresholds, the full set of obligations applies.

Review your current privacy notice against DTPPA requirements. Does it clearly explain your data practices? Is it written in plain language? Does it cover all required elements?

Implement systems to handle consumer requests. You’ll need processes to verify identities, locate relevant data across your systems, fulfil requests within 45 days, and document your responses.

Review your data collection practices. Are you collecting more data than necessary? Can you minimise what you collect? Do you have clear purposes for each category of data?

Assess your security measures. Are they appropriate for the sensitivity and volume of data you process? Do you have both technical and organisational safeguards in place?

For businesses meeting the first threshold, conduct data protection assessments for high-risk processing activities. Document your findings and the safeguards you’ve implemented.

Train your staff now, not in December 2025. Building a privacy-aware culture takes time.

Where to Get Help

For detailed compliance advice specific to your business, consult a privacy lawyer familiar with US state privacy laws. For international businesses, seek guidance on how the DTPPA interacts with laws in your jurisdiction. Privacy consultants can conduct gap assessments to identify what you need to change before January 2026.

Understanding the Rhode Island DTPPA is your first step towards compliance. Measured Collective offers privacy training that covers the principles underlying state privacy laws. Whilst each state law has specific requirements, the core concepts—transparency, data minimisation, security, consumer control—are universal. Building strong privacy practices prepares you not just for Rhode Island, but for privacy regulations across jurisdictions.

The absence of a cure period makes Rhode Island’s law less forgiving than others. You can’t wait for an enforcement notice to start complying. Act now whilst you have time to implement changes properly.

Start with the basics: a compliant privacy notice, a process for handling consumer requests, and reasonable security measures. Build from there based on the volume and sensitivity of data you process.

Remember, if you do any commercial business with Rhode Island residents online, you need at least a compliant privacy notice. That’s non-negotiable and applies regardless of your business size.
Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
