Rhode Island enacted the Data Transparency and Privacy Protection Act (DTPPA) on 28th June 2024, becoming the 19th US state with a law protecting consumer privacy. The law takes effect on 1st January 2026.
What makes Rhode Island’s law unique is its dual-threshold system. Whilst most state privacy laws apply only to businesses processing data above certain volumes, Rhode Island includes a universal Privacy Policy requirement that applies to virtually any business serving Rhode Island customers.
Who Must Comply?
Rhode Island’s DTPPA has two distinct applicability thresholds.
Full compliance threshold: You must comply with the full consumer privacy rights provisions if you process personal data of 35,000 or more Rhode Island residents in a calendar year, or if you process personal data of 10,000 or more Rhode Island residents and derive 20% or more of gross revenue from selling personal data.
Privacy notice threshold: Even if you don’t meet the first threshold, you must still provide a privacy notice if you operate any commercial website that does business in Rhode Island or with Rhode Island customers. This applies even if you process the data of just one Rhode Island resident.
The law doesn’t apply to non-profit organisations, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act, healthcare providers covered by HIPAA, or higher education institutions.
Consumer Rights
Rhode Island residents have the following rights:
- Right to confirm whether you’re processing their data and request access
- Right to request corrections to inaccurate information
- Right to request deletion of personal data
- Right to obtain data in a portable format
- Right to opt out of targeted advertising, sale of personal data, and profiling
Business Obligations
Covered entities must:
- Maintain a clear, accessible privacy notice in plain language
- Respond to consumer requests within 45 days (with a possible 45-day extension)
- Limit data collection to what’s adequate, relevant, and reasonably necessary
- Obtain consent before processing sensitive data
- Conduct data protection assessments for high-risk activities
- Implement reasonable security measures
Sensitive Data
The DTPPA requires consent before processing sensitive data, which includes:
- Racial origin
- Religious beliefs
- Health information
- Sexual orientation
- Precise geolocation
- Children’s data
Enforcement and Penalties
The Rhode Island Attorney General has exclusive enforcement authority. Consumers cannot sue businesses directly.
Unlike most state privacy laws, Rhode Island provides no cure period. If the Attorney General finds a violation, they can immediately seek penalties without giving you time to fix the problem first.
Violations carry civil penalties of up to $10,000 per violation. Each affected consumer can count as a separate violation. Additionally, intentional disclosure of personal data carries fines of between $100 and $500 per disclosure.
Key Dates
- 28th June 2024: DTPPA signed into law
- 1st January 2026: DTPPA takes effect
Where to Find Official Resources
- Full legal text: Rhode Island General Laws Title 6, Chapter 48.1
- Rhode Island Attorney General: riag.ri.gov
Getting Started
Rhode Island’s dual-threshold system means the privacy notice requirement applies to virtually any business with Rhode Island customers. If you operate a commercial website that serves Rhode Island residents, you need a compliant privacy notice at minimum.
The absence of a cure period makes proactive compliance essential. You can’t wait for an enforcement notice to start complying. Start with a compliant privacy notice, a process for handling consumer requests, and reasonable security measures.
