Rhode Island Passes Privacy Law

The Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act, which goes into effect on January 1, 2026.

Rhode Island’s privacy law is missing some elements found in other states’ privacy laws. Some organizations have criticized the law for being vague and lacking consumer protections. A group of organizations, including the ACLU and Consumer Reports, sent a letter to Governor Dan McKee urging him to veto the bill. Their concerns with the bill include:

  • Lack of data minimization rules
  • Unclear requirements for universal opt-out signals
  • Privacy notice requirements that are not applied broadly
  • No definition for the term “personally identifiable information”
  • Lack of civil rights protections

Here is a breakdown of what is included in the Rhode Island privacy law.

Applicability

The law will apply to organizations that meet the following criteria:

  • Control or process the personal data of 35,000 or more Rhode Island consumers (excluding data used solely to complete a payment transaction)
  • Control or process the personal data of 10,000 or more consumers and derive more than 20% of their gross revenue from the sale of personal data

The Rhode Island law has exemptions for organizations and data subject to HIPAA and the GLBA. Non-profit organizations are also exempt.

Consumer Rights

The Rhode Island privacy law gives consumers the following rights:

  • Confirm whether a controller processes the consumer’s personal data and access that personal data
  • Correct inaccuracies in their data
  • Delete personal data
  • Obtain a copy of the personal data held by the controller
  • Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling
  • Designate another person to serve as their authorized agent

Business Obligations

  • Gain the consumer’s consent before processing sensitive data. Sensitive data includes racial and ethnic data, religious beliefs, health conditions, sexual information, and citizenship status. Processing the data of a known child must be done in accordance with COPPA.
  • Conduct a data protection assessment where the processing presents a heightened risk of harm, such as:
    • Processing personal data for targeted advertising
    • Selling personal data
    • Processing personal data for profiling
    • Processing sensitive data
  • Implement and maintain reasonable safeguards to protect the personal data within their control
  • Refrain from discriminating against a consumer for exercising any of the consumer rights
  • Provide consumers with a mechanism to grant and revoke consent

Businesses must respond to consumer requests within 45 days. A 45-day extension is available when reasonably necessary.

Privacy Notice

The Rhode Island law requires that “Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island” provide a privacy notice that includes the following:

  • The categories of personal data the controller collects through the website or online services
  • The identities of all third parties to which the controller may disclose a consumer’s data
  • The categories of personal data that the controller shares with third parties
  • An email address or other online method consumers may use to contact the controller
  • Whether the controller sells personal data to third parties or processes personal data for targeted advertising

Enforcement

The Rhode Island Attorney General has exclusive authority to enforce violations of the law. The law does not include a private right of action or a right-to-cure period.

CompliancePoint has a team of experienced privacy professionals available to help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.