Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island's first comprehensive consumer privacy legislation.
What is the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is one of the latest comprehensive data privacy laws enacted in the United States, providing privacy protections for the personal data of Rhode Island residents.
It was signed into law on June 28, 2024, and takes effect on January 1, 2026. Its aim is to give individuals transparency about how their personally identifiable information (PII) is collected, used, shared, and sold by businesses. It treats the right to privacy as a fundamental right, with the stated goal of protecting individuals and their families from cyber-crime and identity theft.
When compared to other US laws, it stands out through several differences:
- It does not require controllers to recognize universal opt-out mechanisms (UOOMs), such as browser-based opt-out preference signals;
- It does not impose on controllers an obligation to limit the collection of personal data to what is reasonably necessary for the disclosed purposes (a data minimization requirement);
- It requires controllers to disclose not only the third parties to which they currently sell personal data, but also those to which they may sell it.
How does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) define Personal Information and what are other key definitions?
Rhode Island’s data privacy law defines ‘personal data’ as any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information. Sensitive data is “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.”
When referring to ‘biometric data’, the RIDTPPA understands this to mean “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual,” which does not include “a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.”
Consent has to be “a clear, affirmative act signifying a customer has freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the customer” which may include “a written statement, including by electronic means, or any other unambiguous affirmative action,” but does not include “acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other, unrelated information, hovering over, muting, pausing or closing a given piece of content, or agreement obtained through the use of dark patterns.”
Unlike other US privacy laws, Rhode Island’s data privacy act does not use the word ‘consumer’ but rather ‘customer’ which it defines as “an individual residing in this state acting in an individual or household context” but which does not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.”
Similar to other privacy laws, the act defines a controller as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data” and a processor as “an individual who, or legal entity that processes personal data on behalf of a controller.”
Last but not least, the RIDTPPA defines the ‘sale of personal data’ as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” which excludes the following:
- “the disclosure of personal data to a processor that processes the personal data on behalf of the controller,
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer,
- the disclosure or transfer of personal data to an affiliate of the controller,
- the disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, or
- the disclosure of personal data that the customer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience, or
- the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.”
Who does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) apply to?
The Rhode Island Data Transparency and Privacy Protection Act applies to “for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.”
Who does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) exempt?
Rhode Island's data privacy law exempts:
- Government agencies and political subdivisions.
- Nonprofit organizations.
- Institutions of higher education.
- Entities regulated by specific federal laws (e.g., HIPAA, Gramm-Leach-Bliley Act).
- Personal data used for certain exempted activities such as public health, credit reporting, and scientific research.
What are the obligations of controllers and processors under the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
The RIDTPPA mandates that “any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller” and if it “collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted:
- Identify all categories of personal data that the controller collects through the website or online service about customers;
- Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and
- Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.
In addition to this, controllers must:
- if they sell personal data to third parties or process personal data for targeted advertising, clearly and conspicuously disclose such processing;
- establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
- not process sensitive data concerning a customer without obtaining the customer's consent;
- not process sensitive data of a known child unless consent is obtained and the data is processed in accordance with COPPA;
- not process personal data in violation of state and federal laws that prohibit unlawful discrimination against customers;
- provide customers with a mechanism to grant and revoke consent where consent is required and, upon receipt of a revocation, stop processing the data as soon as practicable, but no later than 15 days after receipt;
- not discriminate against a customer for exercising their rights under the act;
- have a contract in place for any processing done by a processor on their behalf, which “shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties;”
- for processing activities created or generated after January 1, 2026, conduct and document “a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes:
  - the processing of personal data for the purposes of targeted advertising;
  - the sale of personal data;
  - the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers; and
  - the processing of sensitive data.”
- if they are in possession of de-identified data:
  - take reasonable measures to ensure that the data cannot be associated with an individual;
  - publicly commit to maintaining and using de-identified data without attempting to re-identify it; and
  - contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter;
- establish and maintain a mechanism for customers to exercise their data subject rights.
As regards processors’ obligations, they must adhere to the instructions of the controller and assist the controller in meeting its obligations under this chapter.
What are the consumer rights under the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
Under the Rhode Island Data Transparency and Privacy Protection Act consumers, or customers, have the right to:
- Confirm whether their personal data is being processed.
- Access their personal data.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Obtain a copy of their personal data in a portable format.
- Opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling.
Customers can exercise their rights under the RIDTPPA through secure and reliable means established by the controller and described in the controller's privacy notice, and they may designate an authorized agent to exercise the opt-out rights on their behalf.
Where the personal data of a known child is processed, a parent or legal guardian may exercise these rights on the child's behalf, and where the customer is subject to a guardianship, conservatorship or other protective arrangement, the guardian or conservator may exercise them on the customer's behalf.
How to respond to consumer requests under the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
Controllers must respond to customer requests without undue delay and in any case within 45 days of receipt; this period may be extended by an additional 45 days when reasonably necessary.
If a request is declined, controllers must inform the customer of the denial and provide instructions for appealing it within the initial 45-day period.
Information must be provided free of charge once per year. For manifestly unfounded, excessive or repetitive requests, controllers may charge a reasonable fee, but they bear the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.
Before responding to a request, controllers must authenticate it; if they are unable to do so, they are not obligated to honor it.
Last but not least, controllers must establish an appeal process, which has to be “clearly and conspicuously available,” for customers to challenge the controller’s decisions. No later than 60 days after receiving an appeal, controllers must “inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision,” and if the appeal is denied, the customer may submit a complaint to the Attorney General.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) enforcement and penalties
The Attorney General has sole authority to enforce the Rhode Island Data Transparency and Privacy Protection Act; there is no private right of action.
Violations of the RIDTPPA are treated as deceptive trade practices under Rhode Island commercial law and are enforceable by the Attorney General, with penalties of between $100 and $500 for each violation.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 50+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.
You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
FAQs about the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
What does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) apply to?
The RIDTPPA applies to “for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.”
What is exempt under the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
The RIDTPPA exempts:
- Government agencies and political subdivisions.
- Nonprofit organizations.
- Institutions of higher education.
- Entities regulated by specific federal laws (e.g., HIPAA, Gramm-Leach-Bliley Act).
- Personal data used for certain exempted activities such as public health, credit reporting, and scientific research.
What consumer rights does the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) grant to residents of the state?
Under the Rhode Island Data Transparency and Privacy Protection Act consumers, or customers, have the right to:
- Confirm whether their personal data is being processed.
- Access their personal data.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Obtain a copy of their personal data in a portable format.
- Opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling.
What are the penalties for non-compliance with the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)?
Violations of the RIDTPPA are treated as deceptive trade practices under Rhode Island commercial law and are enforceable by the Attorney General, with penalties of between $100 and $500 for each violation.