I. Introduction
Rhode Island has become the nineteenth state to enact a comprehensive data privacy law. The Rhode Island Data Transparency and Privacy Protection Act (SB 2500/HB 7787) was passed on June 25, 2024.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) follows in the footsteps of other state privacy laws and introduces similar obligations for controllers and similar rights for customers. Its provisions will seem familiar to many large businesses. However, its privacy notice obligation is not tied to the volume thresholds below, so it also reaches small-scale businesses that collect and process the personal data of Rhode Island residents.
The law will take effect on January 1, 2026.
II. Who Needs to Comply with the Law
A. Application
The law applies to for-profit entities that conduct business in Rhode Island, or offer products and services built to serve the residents of Rhode Island, and meet any of the following criteria during the preceding calendar year:
- Controlled or processed the personal data of at least 35,000 Rhode Island residents, excluding personal data controlled or processed for the exclusive purpose of completing a payment transaction; or
- Controlled or processed the personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.
Moreover, separately from these thresholds, any commercial website or internet service provider that conducts business in Rhode Island, does business with Rhode Island customers, or is otherwise subject to Rhode Island jurisdiction must designate a controller and provide a privacy notice. The notice must be provided either in the customer agreement (or an incorporated addendum) or in another conspicuous location on the operator's website or online service platform, such as a linked privacy page.
B. Exemptions
The law provides exemptions for some entities as well as certain categories of data.
Exempted Entities
The law relieves several entities from the scope of the application, such as:
- State or political subdivisions' bodies, authorities, boards, bureaus, commissions, districts, or agencies.
- Non-profit organizations.
- Higher education institutions.
- National securities associations registered under 15 U.S.C. Section 78o-3 of the Securities Exchange Act of 1934.
- Financial institutions, and data, subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
- A covered entity or business associate as defined under 45 C.F.R. 160.103 (HIPAA).
Exempted Categories of Data
Moreover, there are certain categories of data or information that are exempted, such as:
- Protected health information under HIPAA.
- Patient-identifying information for purposes of 42 U.S.C. § 290dd-2.
- Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. 46.
- Identifiable private information collected as part of human subjects research per the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use.
- Information under the protection of human subjects regulations (21 C.F.R. Parts 50 and 56), personal data used or shared in research per 45 C.F.R. § 164.501, or other legally compliant research.
- Information and documents created for purposes of the Health Care Quality Improvement Act of 1986.
- Patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 U.S.C. 299b-21 et seq., as amended.
- De-identified information derived from health care-related information as per HIPAA requirements.
- Information indistinguishable from or treated the same as exempt information maintained by a covered entity or business associate, program, or qualified service organization.
- Information used for public health activities as authorized by HIPAA.
- Consumer information which is covered under the Fair Credit Reporting Act (FCRA).
- Data collected, processed, or sold under the Driver’s Privacy Protection Act.
- Personal data regulated under the Family Educational Rights and Privacy Act.
- Farmers’ credit information under the Farm Credit Act.
- Data processed or maintained in employment contexts or for administering employee benefits.
- Personal data which is subject to the Airline Deregulation Act.
III. Definitions of Key Terms
A. Biometric Data
"Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. "Biometric data" does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
B. Consent
"Consent" means a clear, affirmative act signifying a customer has freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the customer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent" does not include acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other, unrelated information, hovering over, muting, pausing or closing a given piece of content, or agreement obtained through the use of dark patterns.
C. Customer
"Customer" means an individual residing in this state acting in an individual or household context. "Customer" does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.
D. Dark Pattern
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern".
E. Personal Data
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.
F. Processing
"Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data. "Processor" means an individual or legal entity that processes personal data on behalf of a controller.
G. Sensitive Data
"Sensitive data" means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child or precise geolocation data.
IV. Obligations for Organizations Under the Law
A. Data Minimization and Purpose Limitation
The law requires controllers to limit the collection of a customer's personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is processed, as disclosed to the customer. Personal data may not be processed for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes without the customer's consent, so a controller should be able to tie each category of data it collects and retains to a stated purpose.
B. Consent Requirements
Controllers must obtain a customer's consent before processing their sensitive data. Where the sensitive data concerns a known child, it must be processed in accordance with the Children's Online Privacy Protection Act (COPPA).
Controllers should further provide customers with a mechanism for granting or revoking their consent and cease processing the data within 15 days of the revocation of consent.
C. Privacy Notice
The privacy notice must include:
- All the categories of customers’ personal data that the controller collects through the commercial website or online services.
- All the third parties to whom the controller sold or may sell customers’ personally identifiable information (PII).
- An email address or any other online mechanism that the customer can use to contact the controller.
Moreover, a controller that sells personal data to third parties or processes it for targeted advertising must clearly and conspicuously disclose that fact, and the manner in which a customer may opt out of it, to its customers.
D. Data Protection Impact Assessment Requirements
The law requires controllers to conduct and document a data protection impact assessment (DPIA) for processing activities that present a heightened risk of harm to customers. These activities include:
- the processing of personal data for targeted advertising;
- selling of personal data;
- processing of personal data for profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or of physical, financial, or reputational injury to, customers; and
- processing of sensitive data.
The Attorney General (AG) of Rhode Island may require a controller to produce any DPIA that is relevant to an investigation conducted by the AG, and may evaluate it for the controller's compliance with the responsibilities set out in the law. A DPIA produced to the AG remains confidential and is exempt from public disclosure, and producing it does not waive attorney-client privilege or work-product protection over it.
The data assessment requirement is not retroactive, so it will only apply to data processing activity from January 1, 2026, onward.
E. Data Processor's Obligations
The law requires data processors to adhere to the instructions of the controller and to assist the controller in meeting its obligations under the law. Processing by a processor must be governed by a binding contract with the controller that sets out clear instructions for the processing, the nature and purpose of the processing, the types of data to be processed, the duration of the processing, and the rights and obligations of both parties.
Under the agreement, the processor must:
- Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to that data.
- Delete or return all personal data to the controller, at the controller's direction, at the end of the provision of services, unless retention is required by law.
- Make available to the controller, upon reasonable request, all information necessary to demonstrate the processor's compliance with the law.
- Engage a subcontractor only under a written contract that binds the subcontractor to the same obligations the processor owes the controller with respect to the personal data.
- Allow, and cooperate with, reasonable assessments by the controller (or an independent auditor) of the processor's policies and technical and organizational measures, where such an assessment is required.
F. Data Security Requirements
The law sets a baseline requirement for protecting personal data, including sensitive data. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data against unauthorized access. The law does not prescribe specific controls; what counts as "reasonable" is measured against the volume and nature of the personal data at issue, so the same practices that satisfy other state privacy laws (access control, encryption of data at rest and in transit, logging, and a tested incident response process) are the practical starting point.
V. Data Subject Rights
The customers should have the following rights under the law:
A. Right to Access and Confirm
Customers may request a controller to confirm the processing of their personal data and request access to such data. The controller may refuse to entertain such a right if the confirmation or access of such personal data would result in exposing a trade secret.
B. Right to Correct or Delete
Customers may request a controller to correct any inaccuracies in their personal data or delete the personal data while taking into account the nature and purpose of processing such data.
C. Right to Data Portability
Customers may request a controller to obtain a copy of their personal data in a portable and readily usable format so that the customer may transmit the data to another controller without undue delay. A controller is not required to reveal trade secrets.
D. Right to Opt Out
Customers may opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
E. Exercising Rights on Consumer’s Behalf
Customers may designate another person as an authorized agent to exercise the opt-out right on their behalf. The controller must comply with an agent's opt-out request once it has verified, with commercially reasonable effort, the identity of the customer and the agent's authority to act for them. For a known child, the rights under the law are exercised by the child's parent or legal guardian, and for a customer subject to guardianship or conservatorship, by the guardian or conservator.
F. Response Period
Upon receiving a customer's request, the controller must respond without undue delay and no later than 45 days after receipt. Where reasonably necessary because of the complexity or number of the customer's requests, the controller may extend the response period by an additional 45 days, provided it informs the customer of the extension, and the reason for it, within the initial 45-day period.
If the controller declines to act on a request, it must inform the customer without undue delay, and no later than 45 days after receipt, of the reasons for declining and of how to appeal the decision. Information provided in response to a request must be provided free of charge once per customer in any 12-month period.
If a request is "manifestly unfounded, excessive, or repetitive", the controller may either charge a reasonable fee to cover the administrative costs of complying with it or decline to act on it; the controller bears the burden of demonstrating that the request was of that character.
G. Data Subject Authentication
If a controller is unable to authenticate a customer's request using commercially reasonable efforts, it is not required to comply with the request. In that case it must notify the customer that it cannot authenticate the request and may ask for additional information that is reasonably necessary to do so; the obligation to respond resumes once the customer supplies it.
A controller may also decline to act on an opt-out request if it has a good-faith, reasonable, and documented belief that the request is fraudulent. In that event, the controller must notify the person who made the request that it will not comply because it believes the request to be fraudulent.
H. Right to Appeal
Customers have the right to appeal a controller's refusal to act on a privacy rights request. The controller must make the appeal process conspicuously available and as easy to use as the process for submitting the original request. Within 60 days of receiving an appeal, the controller must inform the customer in writing of any action taken or not taken in response to the appeal, together with a written explanation of the reasons for its decision.
VI. Penalties for Non-Compliance
The law does not provide a private right of action. Instead, a violation of the law is deemed a violation of Rhode Island's Deceptive Trade Practices Act (chapter 13.1 of title 6 of the General Laws), which carries a civil penalty of up to $10,000 per violation.
The law additionally provides that any person or entity that intentionally discloses personal data in violation of its provisions is subject to a fine of not less than $100 and not more than $500 for each disclosure.
VII. Regulatory Authority
The Attorney General (AG) of the State of Rhode Island has the exclusive authority to enforce this law and seek injunctive relief in the event of a violation.
VIII. How Organizations Can Operationalize RIDTPPA
Controllers may operationalize the law by:
- Establishing and maintaining policies and procedures for processing customers' personal data in accordance with the law, including a data inventory that ties each category of data to a disclosed purpose.
- Publishing clear, accessible, and current privacy notices on their websites or in customer agreements that provide the information the law requires.
- Obtaining consent from customers before processing their sensitive data, and complying with COPPA for the data of a known child.
- Developing, implementing, and maintaining a robust, preferably automated, mechanism for receiving, authenticating, and responding to customers' privacy rights requests and appeals within the statutory deadlines.
- Conducting and documenting data protection impact assessments for targeted advertising, sales of personal data, high-risk profiling, and the processing of sensitive data.
- Implementing reasonable administrative, technical, and physical safeguards to protect customers' personal data against unauthorized access.
- Training employees regularly on the proper handling of customers' personal data in light of the law's requirements.
IX. How Securiti Can Help
Securiti PrivacyOps, an integration of the Data+AI Command Center, empowers businesses to streamline their privacy and compliance operations with the RIDTPPA by leveraging contextual data and AI intelligence and unified automated controls.
PrivacyOps has been named a leader by the world's top-rated independent analyst firms. The tool uses a Data Command Graph to build a comprehensive knowledge graph of data metadata, security and privacy policies, and regulatory intelligence. The knowledge graph provides a single source of truth about your data across all systems. This understanding of your data helps you automate your data privacy operations, including privacy impact assessments, ROPA reports (GDPR Article 30 reports), consumer privacy rights requests, cookie preferences, consent management, privacy notices, and breach notifications.
Request a demo to learn more.