Rhode Island’s Privacy Law Joins the Growing List
On June 25, Rhode Island adopted its own consumer data privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). Enforcement begins on January 1, 2026.
Like many other privacy laws, the RIDTPPA clearly takes inspiration from the GDPR and similar legislation. However, it also deviates in a few notable ways. Let’s take a closer look at the key aspects and implications of Rhode Island’s privacy law.
Key Provisions of the Law
The RIDTPPA grants consumers several rights, including:
- Access: The right to know what personal data is being collected about them.
- Correction: The ability to correct inaccurate personal data.
- Deletion: The right to have their personal data deleted.
- Data portability: The right to obtain a copy of their data in a portable format.
- Opt-out: The right to opt out of the sale of their personal data and the use of their data for targeted advertising.
Businesses are subject to the RIDTPPA if they control or process more than 35,000 Rhode Islanders’ personal information, or if they process more than 10,000 residents’ data while also obtaining 20% of their gross revenue from selling said data. These businesses have several obligations under the law, including but not limited to:
- Transparency: Provide clear and understandable privacy notices.
- Data security: Implement reasonable data security measures.
- Accountability: Conduct data protection assessments for high-risk processing activities.
Implications for Businesses
Businesses operating in Rhode Island or handling the data of Rhode Island residents need to prepare for these new requirements. Key steps include:
- Review and update privacy policies: Ensure privacy notices are clear and compliant with the new law.
- Enhance data security practices: Implement robust security measures to protect consumer data.
- Conduct data protection assessments: Regularly assess high-risk data processing activities to identify and mitigate potential risks.
- Train employees: Educate staff about the new privacy requirements and their roles in maintaining compliance.
Notable Differences from Other Laws
The RIDTPPA differs from other privacy laws in one significant way: it does not define personally identifiable information, despite using the term in its text. The law also requires businesses to disclose not only the companies that they currently sell personal data to, but any companies that they may eventually sell personal data to, with no clear time limit. Some privacy advocates have also pointed out that pseudonymized data enjoys far less protection under the RIDTPPA than under similar legislation. The law also does not include requirements for universal opt-out systems, the right to cure violations, or special protections for children’s data, all of which appear in other states’ privacy legislation.
The law’s full official text can be read here.
Final Thoughts on the RIDTPPA
Rhode Island’s consumer data privacy law may represent a significant step forward in protecting personal information. However, the RIDTPPA brings a new set of challenges for businesses used to looking to other states’ privacy laws for guidance. The best thing any covered business can do is stay informed and adapt proactively.
Don’t get the RIDTPPA mixed up with other state privacy laws! 4Comply, our flagship privacy software, can keep your marketing and legal teams on the same page at every step. Contact our team today to learn more.