On June 25, 2024, Rhode Island became the 20th state to enact a comprehensive consumer data protection law, the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”). The state joins Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey in passing consumer data privacy laws this year.
The RIDTPPA takes effect on January 1, 2026.
To Whom does the law apply?
The law applies to two types of organizations, defined as “controllers”:
1. For-profit entities that conduct business in the state of Rhode Island or that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than thirty-five thousand (35,000)
customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
- Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
2. A commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or that is otherwise subject to Rhode Island jurisdiction and collects stores, and sells customers’ personally identifiable information.
Who is protected by the law?
Customer means an individual residing in Rhode Island who is acting in an individual or household context. The definition of customer does not include an individual acting in a commercial or employment context.
What data is protected by the law?
The law protects personal data, which is defined as any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.
RIDTPPA contains numerous exceptions for specific types of data including data that meets the definition of protected health information under HIPAA, personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and personal data regulated by the federal Family Educations Rights and Privacy Act.
The law also provides heightened protection for sensitive data, which means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; the personal data of a known child; or precise geolocation data.
What are the rights of customers?
Under the law, customers have the following rights with respect to data collected by for-profit entities that conduct business in the state or produce products or services targeted to residents of the state and meet one of the relevant thresholds:
- Confirm whether a controller is processing their personal data and access that data.
- Correct inaccuracies in the data a controller is processing.
- Have personal data deleted unless the retention of the personal data is permitted or required by law.
- Port personal data.
- Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the customer.
Under the law, customers also have a right to receive notice from commercial websites or internet service providers of their data collection activities.
What obligations do controllers have?
Both categories of controllers under Rhode Island’s law are required to provide a notice of data collection activities. Controllers that are for-profit entities conducting business in the state or producing products or services targeted to residents of the state and that meet one of the relevant thresholds have the following additional obligations:
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect, the confidentiality, integrity, and accessibility of personal data.
- Obtain consent prior to processing a customer’s sensitive personal data.
- Conduct and document a data privacy and protection assessment for processing activities that represent heightened risk.
- Contractually obligate any processors who will process personal data on behalf of the organization to adhere to specific data protection obligations including ensuring the security of the processing.
How is the law enforced?
The statute will be enforced by the Rhode Island Attorney General and does not provide for a right to cure. The statute does not create a private right of action.