Rhode Island became one of the newest states to enact comprehensive privacy legislation when the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) took effect on January 1, 2026. If you're a Rhode Island resident, you now have powerful new rights over your personal data — and it's worth understanding exactly how this law protects you.
What Is the Rhode Island Data Transparency and Privacy Protection Act?
The RIDTPPA, originally introduced as House Bill 7787, was signed into law in June 2024 and became enforceable on January 1, 2026. It grants Rhode Island consumers a robust set of rights over how businesses collect, process, and sell their personal information.
The law largely follows the framework established by Virginia's Consumer Data Protection Act, with some notable differences — particularly its lower applicability thresholds, which mean more businesses are covered compared to some other state privacy laws.
Who Does the Law Apply To?
The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and meet one of these thresholds during the preceding calendar year:
- 35,000 or more consumers — controlled or processed the personal data of at least 35,000 Rhode Island consumers (excluding data processed solely for payment transactions)
- 10,000 or more consumers with revenue from data sales — controlled or processed data of at least 10,000 consumers and derived more than 20% of gross revenue from selling personal data
Why the Lower Threshold Matters
Rhode Island's 35,000-consumer threshold is significantly lower than many other states. For comparison, Virginia and several other states set their thresholds at 100,000 consumers. This means more mid-sized businesses and data brokers fall under Rhode Island's law, giving residents broader protection.
Your Rights Under the RIDTPPA
As a Rhode Island consumer, the RIDTPPA grants you several key rights when it comes to your personal data:
Right to Access
You can request that a business confirm whether it is processing your personal data and provide you with a copy of that data in a portable, readily usable format.
Right to Correction
If a business holds inaccurate personal data about you, you have the right to request corrections.
Right to Deletion
You can request that a business delete the personal data it has collected about you. This is one of the most powerful tools for controlling your digital footprint.
Right to Data Portability
Businesses must provide your data in a format that allows you to transfer it to another service or entity.
Right to Opt Out
You can opt out of the processing of your personal data for targeted advertising, the sale of your personal data, and profiling that produces legal or similarly significant effects.
What Counts as Personal Data?
The RIDTPPA defines personal data broadly as any information that is linked or reasonably linkable to an identified or identifiable individual. This includes names, addresses, email addresses, phone numbers, Social Security numbers, geolocation data, browsing history, and much more.
The law also recognizes sensitive data as a special category requiring additional protections, including racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation information.
Important Limitation
The RIDTPPA applies only to consumers acting in an individual or household context. It does not cover data collected in an employment or commercial (B2B) context. If your employer collects your data as part of the employment relationship, different rules may apply.
How Businesses Must Comply
Businesses subject to the RIDTPPA must take several steps:
- Privacy notices: Publish clear, accessible privacy policies disclosing what data they collect, why, and who they share it with
- Data minimization: Limit data collection to what is reasonably necessary for the disclosed purpose
- Security safeguards: Implement appropriate administrative, technical, and physical data security practices
- Consent for sensitive data: Obtain explicit opt-in consent before processing sensitive personal data
- Response timelines: Respond to consumer rights requests within 45 days, with one possible 45-day extension
How the Law Is Enforced
The Rhode Island Attorney General has exclusive enforcement authority under the RIDTPPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations. However, the Attorney General can investigate complaints and pursue enforcement actions against non-compliant businesses.
Before taking enforcement action, the Attorney General must provide a 30-day cure period, giving businesses an opportunity to fix violations. This cure provision is set to expire on January 1, 2028, after which the Attorney General may pursue enforcement without offering a cure period first.
How Rhode Island Compares to Other State Privacy Laws
Rhode Island is the 19th state (now one of 20+) to enact comprehensive consumer privacy legislation. Here's how it stacks up:
- Lower thresholds than most states — 35,000 consumers compared to 100,000 in Virginia, Colorado, and others
- Standard consumer rights — Access, correction, deletion, portability, and opt-out rights mirror most other state laws
- No private right of action — Like most state privacy laws (except California), enforcement is limited to the Attorney General
- Sensitive data protections — Requires opt-in consent for sensitive data processing, consistent with the majority of state privacy frameworks
How to Exercise Your Privacy Rights in Rhode Island
If you want to take advantage of the RIDTPPA, here's what to do:
- Identify businesses that have your data — Start with data brokers, people-search sites, and companies you've interacted with online
- Submit access or deletion requests — Look for a privacy policy or "Do Not Sell My Information" link on the company's website and follow their process
- Opt out of data sales — Use universal opt-out mechanisms like the Global Privacy Control (GPC) browser signal, which many businesses are required to honor
- File complaints — If a business fails to respond to your request within 45 days, file a complaint with the Rhode Island Attorney General's office
Let PrivacyOn Handle It for You
Exercising your rights under the RIDTPPA with every data broker individually can take dozens of hours. PrivacyOn automates the process by submitting opt-out and deletion requests to 100+ data brokers on your behalf and continuously monitoring for your data to reappear. Plans start at just $8.33 per month.
What's Next for Rhode Island Privacy
The RIDTPPA is still in its early enforcement phase. As the Attorney General begins acting on complaints and the 2028 cure-period sunset approaches, expect businesses to take compliance more seriously. Rhode Island residents should start exercising their rights now to establish a strong precedent for data protection in the state.
Combined with federal efforts and other states' laws, Rhode Island's privacy act is part of a growing movement that gives consumers real power over their personal information. Whether you choose to submit requests yourself or use a service like PrivacyOn to automate the process, the important thing is to take action.