Rhode Island Data Transparency and Privacy Protection Act
With the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), Rhode Island joins a host of other states in passing a consumer privacy law modeled on the Washington Privacy Act. The RIDTPPA goes into effect January 1, 2026, and likely won’t have much of an impact on organizations already complying with other US state laws. However, the law has some confusing elements, especially around how it applies to personal information versus personally identifiable information, a term that is used throughout the law but never defined.
What you need to know about the RIDTPPA:
RIDTPPA applies to for-profit entities that:
- Conduct business in Rhode Island or produce products or services targeted to residents of Rhode Island (consumers), and
- Annually (during a calendar year) control or process the PI of either:
  - 35,000 or more consumers, excluding personal information used solely for completing payment transactions; or
  - 10,000 or more consumers and derive over 20% of gross revenue from the sale of personal information.
Exempt Entities: Rhode Island offers limited entity-level exemptions, including:
- State government entities or contractors for a state agency;
- Institutions of higher education;
- Non-profits;
- National securities associations registered under the SEC Act;
- GLBA-covered entities; or
- HIPAA-covered entities.
Exempt Data: Rhode Island also offers limited data-level exemptions, including (but not limited to):
- PHI covered under HIPAA and processed by a covered entity or business associate;
- GLBA-covered data;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by a wide variety of other federal laws, including the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Driver’s Privacy Protection Act.
Exempt Use Cases: RIDTPPA is not applicable in some circumstances, such as:
- Processing PI in an employment or commercial (B2B) context;
- Processing PI for emergency contact purposes; and
- Processing PI of another individual in relation to the provision of benefits.
In addition, the RIDTPPA specifies that it should not be construed to restrict a business’s collection, use, or retention of PI for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
It also doesn’t restrict the dissemination or sale of product sales summaries, statistical information, or aggregate customer data, which may include personally identifiable information (which, it should be noted, is not a defined term and may be distinct from personal data/personal information).
Key Components of RI’s Data Privacy Law
The RIDTPPA covers “personal data,” also called personal information or PI, which is defined as “any information that is linked or reasonably linkable to an identified or identifiable person.”
The definition exempts de-identified data and information made publicly available.
Rhode Island’s definition of sensitive PI consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition, treatment, or diagnosis;
- Sex life or sexual orientation;
- Citizenship or immigration status;
- PI collected from a known child;
- Precise geolocation data; or
- Genetic or biometric data processed for identification purposes.
Where a controller processes de-identified data, Rhode Island requires it to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the RIDTPPA.
Rhode Island also exempts pseudonymous data from privacy rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.
In a word: YES!
Parental consent is required to collect and process PI about a known child (under 13). This mirrors COPPA’s age threshold, but note that COPPA applies to PI collected from a child under 13, whereas the RIDTPPA covers PI about a known child.
Notably, Rhode Island does not require consent for the secondary use of information in ways that are neither necessary for nor compatible with the purpose of collection and that have not been disclosed to the consumer.
Whenever consent is revoked, a controller has 15 days to give effect to the revocation.
The entire section on privacy notices presents some challenges for compliance, as the law neither defines “personally identifiable information” nor appears to regulate it anywhere else. This issue, among others in the privacy notice section of the law, suggests either a drafting error or leftover language from an earlier version of the bill. The applicability and intention of this entire section are somewhat unclear.
Nonetheless, the section on privacy notices only applies to commercial websites or internet service providers that collect, store, and sell customers’ personally identifiable information. The notice must be conspicuous and posted on the homepage of the company’s website (where applicable) using the hyperlinked term “Privacy.” The law also allows the required notice information to be included in a “customer agreement or incorporated addendum.”
A privacy notice must include:
- Categories of PI collected through a website or online service;
- A list of all third parties to whom the controller has sold or may sell personally identifiable information (again, not a defined term);
- An active email or other online mechanism to contact the controller;
- That they sell PI or use it for targeted advertising (where applicable); and
- A list of privacy rights and methods to exercise them as well as how to appeal a rights decision.
Notably, unlike other privacy laws, there is no requirement to disclose the purpose for processing. Note also that the disclosure of the categories of PI is limited to what is collected online — the obligation does not apply to PI collected offline.
Rhode Island defines “sale” to include exchange for monetary or other valuable consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger.
The RI Attorney General has sole enforcement authority, and the law does not include a right to cure. Violations of the act are subject to enforcement under the state’s deceptive trade practices laws. Penalties for violations range from $100 to $500, and a provision prohibits organizations from setting up international shell companies to bypass the act.
Privacy Rights
Privacy rights under the RI law generally align with those provided in other states. If RIDTPPA applies to your business, you must provide the following privacy rights to consumers:
- Right to know whether a business is processing their PI;
- Right to access PI;
- Right to correct inaccuracies in PI;
- Right to delete their PI;
- Right to obtain a copy of PI (data portability);
- Right to opt out of the sale of PI, processing for targeted advertising, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Rhode Island requires that businesses respond to individual rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. Businesses must respond to appeals within 60 days of receipt.
Universal Opt Out
Rhode Island allows authorized agents to opt out of processing on behalf of the consumer; however, it does not require controllers to recognize a universal opt-out signal.
RIDTPPA requires that regulated businesses conduct data protection or privacy impact assessments.
Rhode Island requires assessments for activities that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Processing sensitive PI;
- Selling PI;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
  - Unfair or deceptive treatment or unlawful disparate impact on consumers;
  - Financial or physical injury to consumers;
  - Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  - Other substantial injury.
Vendor Contracts
RIDTPPA requires that organizations have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:
- Instructions for processing PI including rights and obligations of both parties;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- A duty of confidentiality for individuals who process the PI;
- Compliance with audits by the controller;
- An opportunity for the controller to object to sub-processors;
- An obligation on the processor to pass its obligations along to any subcontractor in a written contract;
- Security obligations;
- Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law; and
- An obligation to make available all information necessary to demonstrate the processor’s compliance with its obligations.
Data Minimization
The Rhode Island law contains a watered-down data minimization obligation: processing (the definition of which includes collection) of PI must be limited to what is necessary and relevant to the purposes for which the PI was collected and which were disclosed to the consumer. It also requires controllers to consider the nature and purposes of the processing when determining retention periods.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.