Overview
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is a comprehensive consumer privacy law that grants Rhode Island residents control over their personal data while imposing strict compliance requirements on businesses. Signed into law on June 29, 2024, the RIDTPPA takes effect on January 1, 2025.
Rhode Island’s privacy law closely resembles Colorado’s CPA and Connecticut’s CTDPA, but lacks a cure period for businesses to correct violations before fines are imposed, making it one of the strictest privacy laws in the U.S..
Who Must Comply?
The RIDTPPA applies to businesses that operate in Rhode Island or target Rhode Island residents and meet one of the following criteria:
✔ Process personal data of at least 35,000 Rhode Island consumers annually
✔ Process personal data of at least 10,000 Rhode Island consumers and derive over 20% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities
🚫 Higher education institutions
Key Consumer Rights Under RIDTPPA
✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Correct – Consumers can request corrections to inaccurate personal data.
✔ Right to Delete – Consumers can request the deletion of personal data.
✔ Right to Data Portability – Consumers can receive their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
📌 No Cure Period for Violations – Unlike many other state privacy laws, Rhode Island’s law does not give businesses a chance to fix violations before fines are imposed.
Business Compliance Requirements
✔ Opt-In Consent for Sensitive Data – Businesses must obtain explicit consumer consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Children’s data
✔ Transparency & Privacy Notices – Companies must provide clear privacy policies detailing data collection and usage.
✔ Data Protection & Security – Businesses must implement reasonable security safeguards to protect consumer data.
✔ Data Protection Assessments (DPA) – Businesses must conduct risk assessments for:
📌 Targeted advertising
📌 Data sales
📌 AI-driven decision-making
Real-World Enforcement Cases
The Rhode Island Attorney General enforces the RIDTPPA, with penalties of up to $10,000 per violation.
📌 No Cure Period for Non-Compliance – Businesses face immediate fines if they fail to comply with the law, making Rhode Island’s enforcement approach stricter than most other state privacy laws.
Since RIDTPPA does not take effect until January 1, 2025, major enforcement cases have not yet occurred, but businesses failing to implement opt-out mechanisms or lacking proper security protections are expected to face early enforcement actions.
📌 Comparison with Other State Privacy Laws
The Rhode Island RIDTPPA is stricter than most U.S. privacy laws due to:
✅ Lower Applicability Threshold (35,000 consumers) – More businesses must comply than in Virginia (100,000 consumers).
✅ No Cure Period for Violations – Unlike California, Connecticut, and Colorado, businesses cannot fix violations before penalties are imposed.
✅ Expanded Sensitive Data Protections – Covers biometric, AI profiling, and behavioral data, unlike some other state laws.
Future of RIDTPPA Regulation
📌 Strict enforcement expected in 2025, particularly for AI-driven profiling.
📌 Potential expansion of consumer rights in future amendments.
📌 Possible alignment with federal privacy laws if enacted.Rhode Island’s RIDTPPA is one of the strictest U.S. privacy laws, with immediate enforcement, universal opt-out requirements, and broad applicability.
