A Business's Guide to Rhode Island's Privacy Law: Requirements + Compliance Checklist

Rhode Island's privacy law at a glance

• The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) will take effect on January 1, 2026—bringing new requirements for businesses operating in Rhode Island or targeting Rhode Island residents.
• These requirements include fulfilling consumer requests for data access, deletion, correction, and more, conducting data protection assessments, obtaining consent for sensitive data processing, and more.
• Read this guide for an overview of key requirements under Rhode Island’s privacy law, including its scope, compliance requirements, how it compares to other state privacy laws, and what businesses can do to comply.

Whose subject to Rhode Island’s privacy law?

The Rhode Island Data Transparency and Privacy Protection Act applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted at Rhode Island residents. To fall under the law's scope, a business must meet one of the following thresholds during the preceding calendar year:

1. Control or process the personal data of at least 35,000 consumers—not including data processed solely for completing payment transactions OR
2. Control or process personal data for at Least 10,000 consumers and derive more than 20% of its gross revenue from the sale of personal data.

It’s important to note that while these thresholds determine the law’s applicability, the privacy notice requirements are broader and apply more generally.

Compliance requirements under Rhode Island’s privacy law

The RIDTPPA imposes several key compliance requirements on businesses:

Consumer rights

Businesses must fulfill consumer requests for access, confirmation of processing, correction, deletion and data transfer. Additionally, though consumers can opt out of targeted advertising, data sales, and profiling, the RIDTPPA does not require businesses to honor universal opt-out signals.

Sensitive data

Rhode Island’s privacy law requires businesses to handle sensitive data, including that of users under 13, in compliance with the Children’s Online Privacy Protection Act (COPPA). For processing sensitive data, targeted advertising, data sales, and profiling, businesses must obtain consumers’ opt-in consent.

Privacy notices

The RIDTPPA mandates that any commercial website or online service that collects, stores, and sells customers' personally identifiable information (PII) must provide a detailed notice. This notice must:

1. Identify all categories of personal data collected.
2. Identify all third parties to whom the data has been sold or may be sold.
3. Provide an active electronic mail address or another online contact mechanism for customers.

The inclusion of "may sell" or "may use" in the disclosure requirements introduces complexity for compliance. The distinction between "personal data" and "PII" under the law is also unclear, which could impact how businesses determine their disclosure obligations.

How Rhode Island’s privacy law compares to other state privacy laws

Rhode Island's Data Transparency and Privacy Protection Act (RIDTPPA) shares some common ground with other state privacy laws, but does introduce several distinctive features:

Distinct approach to applicability

The RIDTPPA employs a two-tiered approach for determining applicability:

• Tier One: Commercial websites and internet service providers that sell "personally identifiable information" must adhere to specific transparency requirements. The lack of a clear definition for "personally identifiable information" introduces some ambiguity here.
• Tier Two: The main regulatory requirements apply to for-profit entities that meet certain thresholds around the volume of Rhode Island residents' data they process and revenue generated from data sales.

Expanded privacy notice requirements

Websites and online services must disclose not only third parties to whom they have sold personally identifiable information, but also those to whom they "may sell" such information. The scope of this requirement is somewhat ambiguous due to the undefined nature of "personally identifiable information."

Notably absent common provisions

In contrast to other state privacy laws, the RIDTPPA does not include:

• Data minimization requirements
• Obligations to honor universal opt-out mechanisms
• Specific restrictions on processing data from minors aged 13-17
• A mandate for controllers to provide a website link for opting out of data sales or targeted advertising

Compliance checklist for Rhode Island's Privacy Law

For businesses operating in Rhode Island or targeting Rhode Island residents, compliance with the RIDTPPA is crucial. Here’s a checklist to help you navigate the requirements:

1. Perform a compliance assessment

Start by carefully evaluating your company's data practices to see if they fall under the Vermont Data Privacy Act. Check if you meet the applicability criteria specified in the law, which are determined by the number of Vermont residents whose personal data you handle or process.

2. Build a data inventory

Start by developing a detailed inventory of the personal data your business collects, processes, and stores. Clearly outline the types of data, the processing activities involved, and the legal grounds for each. This inventory will be essential for performing a gap analysis to evaluate your compliance risks.

3. Review and revise privacy policies

Businesses need to update their privacy policies or customer agreements to include:

• Categories of Data: The types of personal data collected through websites or online services.
• Third Parties: Information on third parties to whom the business has sold or may sell personally identifiable information.
• Contact Information: An active email address or another online method for customers to reach out to the business.
• Targeted Advertising: A clear statement if the business participates in targeted advertising.

4. Implement consumer rights fulfillment mechanisms

Develop processes to handle consumer requests for access, correction, deletion, and portability of their data, and ensure compliance with opt-out requests.

5. Conduct data protection impact assessments

Starting January 1, 2026, businesses must perform impact assessments for processing activities that pose higher risks, such as targeted advertising, profiling, data sales, and processing of sensitive data.

6. Obtain consent for sensitive data

Businesses must seek customer consent before processing sensitive data and comply with COPPA regulations for data related to children.

7. Review and update processor contracts

Businesses must create binding agreements with data processors that:

• Specify Instructions: Provide clear instructions for data processing.
• Ensure Confidentiality: Include confidentiality obligations.
• Require Data Deletion: Mandate data deletion upon contract termination.
• Ensure Compliance: Ensure processors cooperate in meeting the Act’s requirements.

By following these steps, businesses can navigate the requirements of the Rhode Island Data Transparency and Privacy Protection Act and maintain compliance with the state's privacy regulations.

About Transcend

Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new state privacy laws like SB 332.

From Consent Management, to automated DSR Automation, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.