With the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), Rhode Island is the latest state to pass a comprehensive privacy law and join the evolving U.S. privacy landscape. The Act will take effect on January 1, 2026, the same date as the Indiana and Kentucky privacy laws.
Applicability and Scope
The Act differentiates itself from other state privacy laws with its unique notice obligations. Any commercial website or internet service provider that conducts business in the state or with Rhode Island customers or is otherwise subject to Rhode Island jurisdiction must designate a controller, and if the business collects, stores and sells customers’ personally identifiable information, then the controller must conspicuously disclose via a privacy policy or customer agreement (i) the categories of personal data collected through the website or online service, (ii) an email address or other online option to contact the controller, and (iii) all third parties to whom the controller has sold or may sell customers’ personally identifiable information. Additionally, if a controller sells personal data to third parties or processes such data for targeted advertising, then the controller must conspicuously disclose such processing.
Aside from this unique requirement, the remainder of the Act’s obligations apply to for-profit entities that conduct business in Rhode Island, or produce products or services targeted to Rhode Island residents, and that during the preceding calendar year either (1) controlled or processed personal data of at least 35,000 Rhode Island customers, or (2) controlled or processed personal data of at least 10,000 Rhode Island customers and derived more than 20% of their gross revenue from the sale of personal data.
Exemptions are provided for nonprofit organizations, higher education institutions, financial institutions or data subject to the Gramm-Leach-Bliley Act, covered entities or business associates regulated under HIPAA, and national securities associations registered under the Securities Exchange Act of 1934, as well as other exemptions based on the type of data processed (e.g., consumer credit reporting data).
Consumer Rights
The Act provides rights for customers that are consistent with those found in other state laws, such as the right to access, correct, and delete their personal data, the right to data portability, and the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. Unlike some of the other comprehensive state privacy laws passed to date, the Act does not require controllers to recognize universal opt-out mechanisms. A controller has 45 days to respond after receipt of a customer’s request to exercise their rights, which may be extended if reasonably necessary and the controller gives proper notice and reasoning to the customer.
Obligations
Similar to other state laws, the Act prohibits the processing of sensitive data without prior express consent. Sensitive data is defined as personal data that reveals racial origin, religious beliefs, sexual orientation or precise geolocation data, among others. Controllers are required to have contracts in place with processors that process personal data on their behalf and conduct data protection assessments for activities that present a heightened risk of harm to a customer, including the processing of personal data for targeted advertising and profiling, the sale of personal data, and the processing of sensitive data. The Attorney General has the authority to request the data protection assessment in a relevant investigation.
Enforcement
The Rhode Island Attorney General has sole enforcement authority, and the Act does not provide for a private right of action. A violation of the Act is deemed a deceptive trade practice under Rhode Island’s deceptive trade practices law, which authorizes penalties of up to $10,000 per violation. The Act also provides for fines ranging from $100 to $500 for each instance of intentional disclosure of personal information in violation of the Act by an individual or entity. Unlike some other state privacy laws, the Act does not provide for a cure period to allow entities an opportunity to correct noncompliant practices.
***
While the Act mirrors many aspects of current comprehensive state privacy laws, it also has distinct obligations to consider for businesses’ privacy compliance programs. As more states enact comprehensive privacy laws, businesses should evaluate the applicability of each law and the obligations contained therein. Ropes & Gray will continue to keep a close watch on these developments.