Rhode Island’s new privacy law has now passed into law, adding to the constantly evolving US privacy law patchwork. Rhode Island becomes the 20th state to enact a “comprehensive” privacy law (this one passing by default, without governor signature). It will go into effect on January 1, 2026, the same day as Indiana and Kentucky.
Rhode Island’s law does not have the same deviations from the standards that we saw with those recently enacted in Maryland and Minnesota. The key provisions will thus look familiar:
- Applicability. The law will apply to businesses that either (1) process personal data of at least 35,000 Rhode Island consumers or (2) control or process personal data of at least 10,000 consumers and derive more than twenty percent of gross revenue from the sale of personal data. The notice obligation, however, applies regardless of organization size or volume of data processed. Like all states except California, the law defines “consumer” to exclude those in an employment or commercial context. The law contains familiar exemptions for entities and information subject to GLBA and HIPAA.
- Collection and Notice Obligations. Rhode Island’s notice obligations are narrower than those of most other states. It has specific provisions for website operators who sell information. This includes what information is collected, to whom it is sold, and if the company engages in behavioral advertising. Sale, like in California and several other states, includes the exchange of information for monetary or other consideration. Rhode Island does not include a data minimization requirement.
- Sensitive information. Businesses that process the sensitive information of Rhode Island residents will need to first get consent, mirroring all other states except California, Iowa and Utah. The list of information deemed “sensitive” is familiar and aligns with other state laws. It includes, for example, consumers’ religion, sexual orientation, and health diagnoses.
- Consumer rights. Rhode Island consumers are provided the same rights (access, correction, deletion) found in other state laws. Timing for processing rights will be 45 days. Authorized agents can submit requests on a consumer’s behalf. Businesses will not need to comply with universal online opt-out mechanisms, joining roughly half the states with comprehensive privacy laws.
- Opt-out mechanism. Businesses that engage in targeted advertising, the sale of personal data, or profiling will need to give Rhode Island residents notice and the ability to opt out of those activities. This is in addition to the notice required for selling information discussed above.
- Data Protection Impact Assessments. As in all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data presents a heightened risk to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information.
As in other states, consumers will not have a private right of action. The Rhode Island Attorney General’s office will be responsible for enforcement. Unlike other state privacy laws, Rhode Island’s law does not contain a cure period, meaning businesses may not have an opportunity to remediate before enforcement actions. The law contains no rulemaking provisions.
Putting it Into Practice: As the privacy tidal wave brings more laws, companies may feel overwhelmed by the constant flux. Companies will be well served to take an adaptive approach to developing their privacy programs. This can be particularly helpful since, as we have written before, the US privacy patchwork includes more than just state “comprehensive” laws.