The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) took effect on January 1, 2026. The law is notable for having no cure period and relatively high per-violation penalties, creating a stricter enforcement environment than many other states.
How RIDTPPA Enforcement Works
The Rhode Island Attorney General has exclusive enforcement authority under the RIDTPPA. Consumers cannot bring private lawsuits for violations.
No cure period. Unlike most state privacy laws, Rhode Island does not provide businesses an opportunity to remedy violations before enforcement. Non-compliance can result in immediate penalties.
The law uses a two-tiered penalty structure:
- General violations: Violations constitute breaches of Rhode Island’s consumer protection law, with penalties up to $10,000 per violation.
- Intentional disclosure: Any individual or entity that intentionally discloses personal data can be fined between $100 and $500 per disclosure.
Enforcement Status
As of January 2026, the RIDTPPA has just taken effect. No enforcement actions or fines have been announced yet.
The lack of a cure period means enforcement can proceed immediately against non-compliant businesses.
What Makes Rhode Island Different
Rhode Island’s enforcement environment is stricter than most states:
- No cure opportunity. Most states provide 30-60 days to fix violations before penalties apply. Rhode Island provides no such opportunity. If you are non-compliant when investigated, you face immediate penalties.
- Higher base penalties. The $10,000 per-violation penalty is higher than the $7,500 found in most states. Only Delaware and New Hampshire match this level.
- Individual liability. The intentional disclosure penalty can apply to individuals, not just businesses. This creates personal liability for employees who knowingly violate the law.
Expected Focus Areas
Based on the RIDTPPA’s structure:
- Immediate compliance gaps. Without a cure period, businesses that have not achieved compliance by the effective date face immediate risk. Any identifiable violation is enforceable.
- Intentional disclosures. The specific penalty for intentional disclosure suggests this will be an enforcement priority. Employees who knowingly share personal data improperly may face individual fines.
- Data protection assessments. Assessment requirements apply to processing activities from January 1, 2026 onwards. Missing assessments for new processing activities could attract attention.
- Low threshold businesses. Rhode Island’s 35,000-consumer threshold (matching Delaware and New Hampshire) means more businesses are covered. Entities unaware they must comply are potential enforcement targets.
Threshold Comparison
| State | Primary Threshold |
|---|---|
| California | 100,000 consumers |
| Virginia | 100,000 consumers |
| Rhode Island | 35,000 consumers |
| Delaware | 35,000 consumers |
| New Hampshire | 35,000 consumers |
What This Means for Your Organization
Rhode Island’s lack of a cure period makes proactive compliance essential. By the time a business receives an enforcement inquiry, penalties may already be applicable.
Businesses should:
- Verify compliance before any investigation begins
- Assess whether they meet the 35,000-consumer threshold
- Implement consent mechanisms for sensitive data processing
- Train employees on data handling to avoid intentional disclosure penalties
- Document data protection assessments for all processing from January 2026
The combination of no cure period and higher penalties makes Rhode Island one of the stricter state enforcement environments. Businesses cannot rely on receiving a warning before facing consequences.
