
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), enacted on June 28, 2024, makes Rhode Island the 19th U.S. state to pass a comprehensive consumer data privacy law. Taking effect January 1, 2026, the RIDTPPA grants consumers rights over their personal data and imposes obligations on businesses handling it. Modeled after Virginia’s law, it emphasizes transparency, data minimization, and consumer opt-out rights, and is enforced by the Rhode Island Attorney General.


What is the Rhode Island Data Transparency and Privacy Protection Act?

Why was RIDTPPA passed?

What makes RIDTPPA unique?


Key definitions in RIDTPPA

The key definitions for the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) are outlined in § 6-48.1-2 of the act.

  • Consumer: A Rhode Island resident acting in a personal context, not in an employment or commercial setting.
  • Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available data.
  • Sensitive data: Includes race/ethnicity, religious beliefs, health data, sexual orientation, citizenship status, biometric/genetic data, precise geolocation, and children’s data.
  • Controller: An individual or entity that determines the purpose and means of processing personal data.
  • Processor: An individual or entity that processes personal data on behalf of a controller.
  • Processing: Any operation performed on personal data, including collection, use, storage, sharing, or deletion.
  • Sale of personal data: The exchange of personal data for monetary consideration to a third party.
  • Targeted advertising: Showing ads based on personal data obtained from a consumer’s activities across nonaffiliated websites or apps.

Who must comply with RIDTPPA?

The RIDTPPA applies to businesses that:

  • Conduct business in Rhode Island or target products/services to Rhode Island residents, and
  • Annually control or process personal data of:
    • 35,000 or more consumers, or
    • 10,000 or more consumers and derive over 20% of gross revenue from the sale of personal data

This threshold is lower than many other state privacy laws, meaning more businesses may be subject to compliance.

RIDTPPA exemptions

The RIDTPPA exempts government entities, nonprofits, higher education institutions, GLBA-regulated financial institutions, and HIPAA-covered entities. It also excludes data covered by HIPAA, FCRA, FERPA, DPPA and employment-related data.

Key provisions of RIDTPPA

The Rhode Island Data Transparency and Privacy Protection Act establishes comprehensive consumer data privacy protections. Key provisions of the RIDTPPA include:

  • Consumer rights: Consumers can access, correct, delete, and obtain a copy of their personal data, and opt out of targeted advertising, data sales, and profiling.
  • Sensitive data: Requires opt-in consent before processing data like health info, race, religion, or geolocation.
  • Transparency requirements: Businesses must provide clear, accessible privacy notices describing data practices and consumer rights.
  • Controller obligations: Must limit data collection, implement reasonable security measures, and ensure data is used only for disclosed purposes.
  • Processor contracts: Controllers must have written agreements with processors that outline data handling responsibilities.
  • Data protection assessments: Required for high-risk processing such as profiling, targeted advertising, or processing sensitive data.
  • Appeals process: Consumers must be able to appeal denied rights requests and escalate unresolved issues to the Rhode Island Attorney General.
  • Enforcement: The Attorney General enforces the law, with a 60-day cure period available until December 31, 2025.

“It allows Rhode Islanders to opt in to what data is collected. This protects our privacy when we’re all at risk, and it’s a long time coming.”

- Senator Louis P. DiPalma

Is RIDTPPA opt-in or opt-out?

RIDTPPA is primarily an opt-out law for most data practices. Consumers can opt out of:

  • Targeted advertising
  • Sale of personal data
  • Profiling that leads to significant decisions

However, it requires opt-in consent for processing sensitive data, such as health information, race, religion, sexual orientation, biometric data, and precise geolocation.

The price of non-compliance

The price of non-compliance with RIDTPPA includes:

  • Civil penalties of up to $10,000 per violation, enforced by the Rhode Island Attorney General.
  • Unlike other U.S. state data privacy laws, the Act does not provide controllers an opportunity to remedy alleged violations before an enforcement action (no cure period).
  • Businesses may also face reputational harm, consumer complaints, and increased regulatory scrutiny if found in violation.


The impact of RIDTPPA on businesses

RIDTPPA requires businesses to implement new processes for handling consumer data, including rights requests, consent management, and data security. It increases compliance obligations, especially for companies processing sensitive data or engaging in targeted advertising and data sales.

What are the RIDTPPA requirements for businesses?

To comply with the RIDTPPA, businesses must:

  • Honor consumer rights: Allow consumers to access, correct, delete, and obtain their personal data, and opt out of targeted advertising, data sales, and profiling.
  • Obtain opt-in consent: Before processing sensitive data such as health info, race, religion, sexual orientation, or geolocation.
  • Provide clear privacy notices: Disclose what personal data is collected, how it’s used, and how consumers can exercise their rights.
  • Limit data use and collection: Only collect data that is necessary for disclosed purposes and avoid using it for unrelated activities.
  • Implement reasonable security: Protect personal data with administrative, technical, and physical safeguards.
  • Maintain processor contracts: Have written agreements with vendors that outline their data handling responsibilities.
  • Conduct data protection assessments: For high-risk processing activities, such as profiling or handling sensitive data.
  • Establish an appeals process: Let consumers appeal if their data rights requests are denied, and provide escalation to the Attorney General if unresolved.

The impact of RIDTPPA on consumers

Understanding Rhode Island consumer rights

RIDTPPA empowers Rhode Island consumers with meaningful privacy rights and greater visibility into how their data is collected and used. 

Individuals can request copies of their data, make corrections, or ask for deletion, giving them more control over their digital footprint. 

The Rhode Island privacy law also requires businesses to provide clear privacy notices, making it easier for consumers to understand data practices. 

By requiring opt-in consent for sensitive data, RIDTPPA strengthens protections around health, biometric, and location information, offering consumers a stronger sense of security and autonomy online.

“Whenever you enter your information on a website, you should know if the administrators of that site are taking that information and selling it. If they are, then they should say so by posting it in an obvious and visible place on their home page, and give you an opportunity to opt out. It is imperative that consumers understand how their information — especially information relating to their children — is shared by businesses.”

- Representative Evan P. Shanley

How RIDTPPA compares to other U.S. data privacy laws

RIDTPPA closely resembles laws like Virginia’s VCDPA and Connecticut’s CTDPA, offering core consumer rights and opt-out options for data sales, profiling, and targeted advertising.

RIDTPPA vs other state privacy laws

| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
|---|---|---|---|---|
| Rhode Island (RIDTPPA) | Rhode Island residents | January 1, 2026 | Consumer rights to access, delete, and opt out of targeted advertising and data sales | Up to $10,000 per violation |
| Kentucky (KCDPA) | Kentucky residents | January 1, 2026 | Consumer rights, opt-out of targeted advertising and data sales, data protection assessments | Up to $7,500 per violation |
| Indiana (ICDPA) | Indiana residents | January 1, 2026 | Consumer rights, opt-out of targeted advertising, consent for sensitive data | Up to $7,500 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |

What makes RIDTPPA stand out?

The RIDTPPA stands out for its lower applicability threshold (35,000 consumers or 10,000 with 20%+ revenue from data sales), which brings more businesses under its scope. Like many modern state laws, RIDTPPA requires opt-in consent for sensitive data and mandates data protection assessments for high-risk processing. 

What makes RIDTPPA stand out:

  • No data minimization rule: Rhode Island doesn’t explicitly limit collection to only what’s “reasonably necessary” for the stated purpose.
  • No cure period: Businesses don’t get a built-in chance to fix issues before the Attorney General can take enforcement action.
  • Stronger penalty exposure: Violations can trigger civil penalties of up to $10,000 per violation, plus extra fines for intentional disclosures.
  • Broader “sale of data” concept: The law treats “sale” as sharing personal data for money or other valuable consideration.
  • Must disclose who you may sell to: Companies have to name not just third parties they sell data to, but third parties they might sell data to.
  • No universal opt-out required: Rhode Island doesn’t require support for user-selected universal opt-out mechanisms.
  • Website/ISP controller designation + extra disclosures: Certain commercial websites and internet service providers must designate a controller and make specific website disclosures if they collect, store, and sell personal data.
  • DPAs apply going forward (not retroactive): Data protection assessments are only required for high-risk processing starting January 1, 2026.

What are the differences between RIDTPPA and CCPA?

Unlike California’s CCPA/CPRA, which is enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA) and includes a limited private right of action for certain data breaches, Rhode Island’s law is enforced only by the Rhode Island Attorney General and does not create a private right of action.

Rhode Island also gives businesses no built-in “cure period” before enforcement, while California previously had one (and now doesn’t guarantee it).

What are the differences between RIDTPPA and GDPR?

Rhode Island’s law mostly runs on an opt-out model (with opt-in consent mainly for sensitive data), while GDPR requires a legal basis for all processing—meaning companies can’t collect or use personal data unless they can justify it under specific lawful grounds like contract necessity or legitimate interests.

GDPR is also much stricter on enforcement and exposure: regulators can issue fines up to €20M or 4% of global annual revenue, and individuals can seek compensation for harm, while Rhode Island is enforced only by the state Attorney General with penalties capped at $10,000 per violation.

How to ensure RIDTPPA compliance

If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. 

What is RIDTPPA compliance?

RIDTPPA compliance means meeting the requirements of Rhode Island’s data privacy law by honoring consumer rights, obtaining consent for sensitive data, maintaining clear privacy disclosures, securing personal data, and conducting data protection assessments. It also involves responding to consumer requests and following enforcement rules set by the Rhode Island Attorney General.

How to comply with RIDTPPA

To comply with the Rhode Island Data Transparency and Privacy Protection Act, businesses should:

  1. Assess applicability: Determine if you process data of 35,000+ Rhode Island consumers, or 10,000+ with 20%+ revenue from data sales.
  2. Map data: Identify what personal and sensitive data you collect, store, and share.
  3. Update privacy notices: Clearly explain data collection practices, consumer rights, and opt-out mechanisms.
  4. Enable consumer rights: Set up processes for handling access, correction, deletion, portability, and opt-out requests.
  5. Obtain consent: Get opt-in consent before processing sensitive data (e.g. health, race, geolocation).
  6. Secure data: Implement reasonable technical and organizational safeguards.
  7. Review vendor contracts: Ensure processors follow your data handling rules and include required contractual terms.
  8. Conduct data protection assessments: Evaluate risks for high-impact processing (like profiling or targeted ads).
  9. Create an appeals process: Allow consumers to appeal denied requests and escalate to the Rhode Island Attorney General if needed.
  10. Document compliance: Keep records to demonstrate your efforts in case of enforcement.

How Ketch can simplify RIDTPPA compliance

Using the Ketch Platform, you can automate and streamline RIDTPPA compliance with:

When you automate these processes, you enable your internal stakeholders: 

  • Your developers and marketers can do their jobs without fretting about regulations
  • Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)

Final thoughts: Preparing your business for RIDTPPA

Now is the time for businesses to evaluate their data practices and close any privacy gaps. Start by mapping your data, updating privacy notices, and setting up systems to handle consumer rights requests and opt-outs. Focus on securing sensitive data, reviewing processor contracts, and conducting risk assessments for high-impact processing. Early preparation will reduce legal risk, ensure smoother data privacy compliance, and strengthen consumer trust in your brand.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 


FAQs about the Rhode Island privacy regulation


  1. Does RIDTPPA apply to small businesses?
    RIDTPPA generally does not apply to small businesses. It only applies to entities that process the personal data of at least 35,000 Rhode Island consumers annually, or that process data of at least 10,000 consumers and derive over 20% of gross revenue from the sale of personal data.
    Most small businesses fall below these thresholds and are not subject to the law.
  2. Does RIDTPPA apply to personal data collected before the law takes effect?
    No. The law applies to data collected and processed after the effective date, unless otherwise specified during enforcement.
  3. Does RIDTPPA require businesses to verify consumer identities?
    Yes. Businesses must take reasonable steps to verify a consumer’s identity before fulfilling a rights request to prevent unauthorized access.
  4. Are pseudonymized or de-identified data subject to RIDTPPA?
    No. RIDTPPA excludes de-identified and publicly available data from its scope.
  5. Is there a data retention requirement?
    While no specific timeline is imposed, businesses must avoid retaining personal data longer than necessary for disclosed purposes.
  6. Can consumers make unlimited data requests?
    No. Businesses are only required to respond to one free request per consumer per right every 12 months.
  7. Does RIDTPPA apply to children’s data?
    Yes. The law includes additional protections for children under 13, requiring compliance with the Children’s Online Privacy Protection Act (COPPA).
  8. Are loyalty programs affected?
    Potentially. Businesses must ensure any use of personal data for loyalty or rewards programs complies with notice and opt-out requirements.
  9. Can businesses charge fees for fulfilling consumer rights requests?
    Only if a request is manifestly unfounded, excessive, or repetitive. Even then, a reasonable fee may apply or the request may be denied.
  10. Does RIDTPPA require a data protection officer (DPO)?
    No. Unlike the GDPR, RIDTPPA does not mandate the appointment of a DPO.
  11. What happens if a business fails to implement an appeals process?
    Failure to provide an appeals process may be considered non-compliance and subject to enforcement by the Rhode Island Attorney General.