Rhode Island Data Transparency and Privacy Protection Act: 101 – What You Need to Know

Scott Dooley
13 min read · Nov 5, 2025 · Last updated: January 2, 2026

What Is the Rhode Island DTPPA?

Rhode Island enacted the Data Transparency and Privacy Protection Act (DTPPA), also known as the RIDTPPA, on 28th June 2024, becoming the 19th US state with a law protecting consumer privacy. The law takes effect on 1st January 2026.

What makes Rhode Island’s law unique is its dual-threshold system. Whilst most state privacy laws apply only to businesses processing data above certain volumes, Rhode Island includes a universal Privacy Policy requirement that applies to virtually any business serving Rhode Island customers. As the Future of Privacy Forum notes, this prescriptive privacy notice requirement applies to a different set of entities than the law’s other substantive provisions.

If your organisation does any business with Rhode Island residents, this law likely affects you.

Who Must Comply?

Rhode Island’s DTPPA has two distinct applicability thresholds.

You must comply with the full consumer privacy rights provisions if you process personal data of 35,000 or more Rhode Island residents in a calendar year, or if you process personal data of 10,000 or more Rhode Island residents and derive 20% or more of gross revenue from selling personal data.

Here’s the catch: even if you don’t meet the first threshold, you must still provide a privacy notice if you operate any commercial website that does business in Rhode Island or with Rhode Island customers. This applies if you process data of just one Rhode Island resident.

For international businesses, this means if you accept orders from Rhode Island, you need a compliant privacy notice regardless of volume.

The law doesn’t apply to non-profit organisations, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act, healthcare providers covered by HIPAA, or higher education institutions.

Key Definitions Under the RIDTPPA

Understanding Rhode Island’s privacy law requires familiarity with its specific terminology. The DTPPA uses precise definitions that determine how the law applies to your business.

What Is a “Customer” Under the RIDTPPA?

Rhode Island uses the term “customer” rather than “consumer.” The law defines a customer as an individual residing in Rhode Island acting in an individual or household context. This definition excludes individuals acting in a commercial or employment context. The IAPP has noted this terminology choice as one of several areas where Rhode Island’s law differs from other state privacy frameworks.

What Is “Personal Data”?

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. This broad definition covers names, email addresses, IP addresses, location data, browsing history, and any other information that could identify someone.

The definition specifically excludes:

  • Publicly available information – Information lawfully available through government records or widely distributed media
  • De-identified data – Data that cannot be used to identify an individual and for which the controller has implemented measures to prevent re-identification

What Is “Sensitive Data”?

Sensitive data receives additional protection under the RIDTPPA. You must obtain explicit consent before processing any of the following categories:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health conditions or diagnoses
  • Sex life
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data processed to identify an individual
  • Biometric data processed to identify an individual
  • Personal data of a known child (under 13 years old)
  • Precise geolocation data

For children’s data, you must obtain verifiable parental consent in compliance with the federal Children’s Online Privacy Protection Act (COPPA).

Consumer Rights Under the DTPPA

Rhode Island residents have five key rights regarding their personal data:

  • The right to confirm whether you’re processing their data and to request access to it
  • The right to request corrections to inaccurate information
  • The right to ask for deletion of personal data you’ve collected
  • The right to obtain their data in a portable format for transfer to another business
  • The right to opt out of targeted advertising, the sale of their personal data, and profiling used for automated decisions that produce legal or similarly significant effects

What Are Your Obligations?

If you meet the first threshold, you must implement several compliance measures.

You need a clear, accessible privacy notice explaining what data you collect, why you collect it, with whom you share it, and how consumers exercise their rights. The notice must use plain language and avoid legal jargon.

When consumers submit rights requests, you have 45 days to respond. You can extend this by another 45 days if needed, but you must inform the consumer of the extension and explain why it’s necessary.

You must limit data collection to what’s adequate, relevant, and reasonably necessary for your disclosed purposes. Collecting data “just in case” isn’t acceptable.

For sensitive data—including racial origin, religious beliefs, health information, sexual orientation, precise geolocation, and children’s data—you need consumer consent before processing.

Conduct data protection assessments for high-risk activities like targeted advertising, selling personal data, processing sensitive data, or profiling that produces legal effects. Document these assessments and retain them for at least three years.

Implement reasonable security measures appropriate to the volume and nature of personal data you process. This includes both technical safeguards (encryption, access controls) and organisational measures (policies, training).

Data Processing Agreements

The RIDTPPA requires controllers to establish contracts with any processors who handle personal data on their behalf. These data processing agreements must specify:

  • Clear instructions for processing personal data
  • The nature and purpose of the processing
  • The type of data being processed and categories of customers
  • Duration of the processing
  • Rights and obligations of both parties

Processors must assist controllers with responding to customer rights requests and must delete or return personal data at the end of the service relationship. If you use third-party vendors, marketing platforms, or cloud services that process customer data, you need compliant agreements in place before January 2026.

Universal Opt-Out Mechanisms

Unlike several other state privacy laws, the Rhode Island DTPPA does not require businesses to honour universal opt-out mechanisms such as the Global Privacy Control (GPC). States like California, Colorado, and Connecticut require businesses to recognise browser-based opt-out signals, but Rhode Island has not included this requirement.

This means Rhode Island customers must submit individual opt-out requests to each business rather than using a single browser setting. However, if you already honour GPC signals for compliance with other state laws—as required by California’s CCPA—continuing to do so for Rhode Island customers demonstrates good privacy practice.

Training Your Team

Whilst the DTPPA doesn’t explicitly require employee training, compliance is impossible without it.

Your staff need to understand what personal data your organisation collects, how to recognise consumer rights requests, how to verify consumer identities, what your response procedures are, and how to escalate issues they can’t resolve.

Train customer service teams to handle requests promptly and correctly. Train marketing teams on the difference between standard advertising and targeted advertising. Train IT teams on data security requirements and technical implementation of consumer rights.

Regular refresher training helps maintain compliance as your business evolves and as staff turnover occurs.

Enforcement and Penalties

The Rhode Island Attorney General has exclusive enforcement authority. Consumers cannot sue businesses directly for DTPPA violations.

Unlike most state privacy laws, Rhode Island provides no cure period. If the Attorney General finds a violation, they can immediately seek penalties without giving you time to fix the problem first. This makes proactive compliance essential.

Violations carry civil penalties of up to $10,000 per violation. Each affected consumer can count as a separate violation, so penalties accumulate quickly for systemic issues. Additionally, anyone who intentionally discloses personal data faces fines between $100 and $500 per disclosure.

The DTPPA is incorporated into Rhode Island’s unfair and deceptive trade practices law, giving the Attorney General broad enforcement powers.

How the RIDTPPA Compares to Other State Privacy Laws

Rhode Island’s privacy law shares similarities with other state laws but has several distinctive features. Here’s how it compares:

| Feature | Rhode Island (RIDTPPA) | California (CCPA/CPRA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|---|
| Effective Date | 1 Jan 2026 | 1 Jan 2020 / 1 Jan 2023 | 1 Jan 2023 | 1 July 2023 |
| Processing Threshold | 35,000 residents | 50,000 households | 100,000 residents | 100,000 residents |
| Revenue Threshold | 10,000 + 20% from data sales | $25M revenue OR 50% from data sales | 25,000 + 50% from data sales | 25,000 + revenue from data sales |
| Cure Period | None | None (removed in 2023) | 30 days (permanent) | 60 days (expired 2025) |
| Universal Opt-Out Required | No | Yes | No | Yes |
| Private Right of Action | No | Limited (data breaches) | No | No |
| Maximum Penalty | $10,000 per violation | $7,500 per violation | $7,500 per violation | $20,000 per violation |

Rhode Island’s lower processing threshold of 35,000 residents means more businesses will need to comply compared to states requiring 100,000. The lack of a cure period is particularly significant—you cannot fix violations after the fact to avoid penalties. For a comprehensive overview of US state privacy laws, see the IAPP’s State Privacy Legislation Tracker.

RIDTPPA Compliance Checklist

Use this checklist to assess your readiness for Rhode Island’s privacy law:

Applicability Assessment

  • Determine how many Rhode Island residents’ data you process annually
  • Calculate whether you derive 20% or more revenue from selling personal data
  • Identify if you operate a commercial website serving Rhode Island customers

Privacy Notice Requirements

  • Publish a clear, accessible privacy notice on your website
  • List all categories of personal data you collect
  • Disclose all third parties with whom you share or sell data
  • Explain the purposes for data collection and processing
  • Describe customer rights and how to exercise them
  • Provide contact information for privacy enquiries

Consumer Rights Processes

  • Create a system to receive and track customer rights requests
  • Implement identity verification procedures
  • Establish workflows to respond within 45 days
  • Document all requests and responses
  • Create an appeals process for denied requests

Data Management

  • Map all personal data you collect, store, and process
  • Review data collection practices for necessity and minimisation
  • Identify all sensitive data processing activities
  • Implement consent mechanisms for sensitive data
  • Implement data retention schedules

Third-Party Management

  • Inventory all processors and third parties handling customer data
  • Execute compliant data processing agreements
  • Ensure processors can support customer rights requests

Security and Assessments

  • Implement appropriate technical security measures
  • Establish organisational security policies
  • Conduct data protection assessments for high-risk processing
  • Document and retain assessments for three years

Training and Culture

  • Train customer service teams on handling rights requests
  • Train marketing teams on targeted advertising rules
  • Train IT teams on security and data handling requirements
  • Schedule regular refresher training

Preparing for Compliance

Start by determining which threshold applies to you. Count how many Rhode Island residents’ data you process. If it’s even one person and you operate a commercial website, you need a privacy notice at minimum.

Review your current privacy notice against DTPPA requirements. Does it clearly explain your data practices? Is it written in plain language? Does it cover all required elements?

Implement systems to handle consumer requests. You’ll need processes to verify identities, locate relevant data across your systems, fulfil requests within 45 days, and document your responses.

Review your data collection practices. Are you collecting more data than necessary? Can you minimise what you collect? Do you have clear purposes for each category of data?

Assess your security measures. Are they appropriate for the sensitivity and volume of data you process? Do you have both technical and organisational safeguards in place?

For businesses meeting the first threshold, conduct data protection assessments for high-risk processing activities. Document your findings and the safeguards you’ve implemented.

Train your staff now, not in December 2025. Building a privacy-aware culture takes time.

Where to Get Help

For detailed compliance advice specific to your business, consult a privacy lawyer familiar with US state privacy laws. For international businesses, seek guidance on how the DTPPA interacts with laws in your jurisdiction. Privacy consultants can conduct gap assessments to identify what you need to change before January 2026.

Understanding the Rhode Island DTPPA is your first step towards compliance. Measured Collective offers privacy training that covers the principles underlying state privacy laws. Whilst each state law has specific requirements, the core concepts—transparency, data minimisation, security, consumer control—are universal. Building strong privacy practices prepares you not just for Rhode Island, but for privacy regulations across jurisdictions.

The absence of a cure period makes Rhode Island’s law less forgiving than others. You can’t wait for an enforcement notice to start complying. Act now whilst you have time to implement changes properly.

Start with the basics: a compliant privacy notice, a process for handling consumer requests, and reasonable security measures. Build from there based on the volume and sensitivity of data you process.

Remember, if you do any commercial business with Rhode Island residents online, you need at least a compliant privacy notice. That’s non-negotiable and applies regardless of your business size.

Frequently Asked Questions

When does the Rhode Island DTPPA take effect?

The Rhode Island Data Transparency and Privacy Protection Act takes effect on 1st January 2026. Businesses should begin compliance preparations well in advance, as there is no cure period for violations once the law is in force.

Does Rhode Island’s privacy law have a cure period?

No. Unlike most other state privacy laws, the RIDTPPA does not include a cure period. If the Attorney General finds a violation, penalties can be sought immediately without giving businesses an opportunity to fix the issue first. This makes proactive compliance essential.

What is the penalty for violating the Rhode Island privacy law?

Violations of the RIDTPPA carry civil penalties of up to $10,000 per violation. Each affected customer can constitute a separate violation, meaning penalties accumulate quickly. Intentional disclosure of personal data can result in additional fines of $100 to $500 per disclosure.

Do I need to honour Global Privacy Control (GPC) signals under the RIDTPPA?

No. The Rhode Island DTPPA does not require businesses to recognise or honour universal opt-out mechanisms like the Global Privacy Control. This differs from states like California and Colorado, which do require GPC compliance.

Can consumers sue businesses for RIDTPPA violations?

No. The RIDTPPA does not include a private right of action. Only the Rhode Island Attorney General can enforce the law. Consumers who believe their rights have been violated must file complaints with the Attorney General’s office.

How long do I have to respond to customer rights requests?

Businesses must respond to customer rights requests within 45 days. This can be extended by an additional 45 days if necessary due to the complexity or volume of requests, but you must inform the customer of the extension and the reason for it.

Does the RIDTPPA apply to non-profit organisations?

No. Non-profit organisations are exempt from the Rhode Island Data Transparency and Privacy Protection Act. Other exempt entities include government agencies, higher education institutions, and entities already regulated by HIPAA or the Gramm-Leach-Bliley Act.
This article is for educational purposes only and does not constitute legal advice. For guidance specific to your organisation, consult a qualified legal professional.

Author

Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.