Rhode Island Makes it an Even 20
Wednesday, July 10, 2024

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th. Governor McKee neither signed nor vetoed it but transmitted it to the Rhode Island Secretary of State, i.e., it is effective without the Governor’s signature.

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws. The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

| State | State Customer Privacy Law Title | Effective Date |
|---|---|---|
| California | California Customer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023 |
| Colorado | Colorado Privacy Act | July 1, 2023 |
| Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023 |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 |
| Florida | Florida Digital Bill of Rights | July 1, 2024 |
| Indiana | Indiana Customer Data Protection Act | January 1, 2026 |
| Iowa | Iowa’s Act Relating to Customer Data Protection | January 1, 2025 |
| Kentucky | Kentucky Customer Data Privacy | January 1, 2026 |
| Maryland | Maryland Online Data Privacy Act | October 1, 2025 |
| Minnesota | Minnesota Customer Data Privacy Act | July 31, 2025 |
| Montana | Montana Customer Data Privacy Act | October 1, 2024 |
| Nebraska | Nebraska’s Data Privacy Act | January 1, 2025 |
| New Hampshire | Act Relative to the Expectation of Privacy | January 1, 2025 |
| New Jersey | New Jersey Data Protection Act | January 15, 2025 |
| Oregon | Oregon Customer Privacy Act | July 1, 2024 (July 1, 2025, for in-scope non-profit organizations) |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 |
| Utah | Utah Customer Privacy Act | December 31, 2023 |
| Virginia | Virginia Customer Data Protection Act | January 1, 2023 |

2. WHAT DATA IS PROTECTED?

Like the preceding State Customer Privacy Laws, the RI-DTPPA protects “personal data”, which means information that is linked or reasonably linkable to an identified or identifiable individual.

NOTE: The RI-DTPPA uses the term “personally identifiable information” a total of 11 times – twice in § 6-48.1-3 (Information Sharing Practices) and four times in § 6-48.1-10 (Construction) as well as three times in the Legislative Findings – and the term personally identifiable data once. How these terms are different from “personal data” and why they are used is not entirely clear.

The RI-DTPPA also applies to “pseudonymous data,” which means “personal data that cannot be attributed to a specific individual without the use of additional information.” Data is, however, pseudonymous only if the additional information is “kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.” (§ 6-48.1-2(23).) This definition tracks the other State Customer Privacy Laws and the GDPR (i.e., Art 4(5) (definition of pseudonymization).) When the controller can demonstrate that the separation of the “additional information” is maintained, the controller is not obligated to comply with a customer privacy right request and the related notice requirement (see 7. below) as to the pseudonymous data. (§ 6-48.1-7(m).) A controller could avoid its obligations as to customer privacy rights by using pseudonymization tactics but would face significant technical challenges and the “burden of demonstrating” that its pseudonymization techniques are effective (§ 6-48.1-7(t).)

Like the other State Customer Privacy Laws, the definition of personal data does not include:

  • de-identified data, which is “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual.” (§ 6-48.1-2(13).) To maintain the exclusion, the controller is, however, required to take reasonable measures to protect against reidentification of de-identified data (including by contractual obligations on recipients of the de-identified data) and to commit not to re-identify. (§ 6-48.1-7(j).)
  • publicly available information, which is “information that is lawfully made available from federal, state, or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public.” (§ 6-48.1-2(23).)

Also excluded are job-applicant data, benefits administration data (i.e., data about another individual that relates to the employed individual) and emergency contact information (used for employee emergency contact purposes), as long as these types of data are used solely for those purposes. As noted below, the RI-DTPPA also does not apply to individuals acting in an employment and commercial (B2B) context. Accordingly, the CCPA remains the only one of the State Customer Privacy Laws that applies to personal data collected in an employment and B2B context.

3. WHAT ORGANIZATIONS ARE IN SCOPE?

All but one of the operative sections apply to any for-profit entity that conducts business in Rhode Island or produces products or services that are targeted to residents of Rhode Island and “during the preceding calendar year” [emphasis added]:

  1. controlled or processed the personal data of not less than thirty-five thousand (35,000) customers; or
  2. controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data. (§ 6-48.1-4(a).)

NOTE: The RI-DTPPA uses the term “customer,” unlike the 19 preceding State Customer Privacy Laws (which use the term “consumer”) but the terms are defined similarly, i.e., a natural person who is a state resident. 

Like several of the State Customer Privacy Laws, the RI-DTPPA excludes from the first of the two processing thresholds personal data controlled or processed solely for the purpose of completing a payment transaction. 

NOTE: The one section to which the processing thresholds do not apply is the RI-DTPPA’s first operative section: Section 6-48.1-3. Sub-section (a) applies only to a controller of a website or other online service (Online Service) that collects, stores and sells customers’ personally identifiable information (which term is, as noted above, not defined) and sub-section (b) applies more broadly to any controller that sells personal data for targeted advertising. (See also 6. below.) Only the State Customer Privacy Laws of Nebraska and Texas do not have processing thresholds.

4. WHAT DATA AND ORGANIZATIONS ARE NOT SUBJECT TO RI-DTPPA?

Like the other State Customer Privacy Laws, the RI-DTPPA provides for various entity-level and data-level exemptions, including:

  • Nonprofit organizations that are exempt from taxation under IRC § 501(c)(3), (4), (6), or (12) (per § 6-48.1-3(d)) as well as any other “entity recognized as a tax-exempt organization under the Internal Revenue Code.” (§ 6-48.1-10(c).) 
  • Covered entities and business associates and protected health information (PHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA) and information deidentified according to HIPAA (per § 6-48.1-3(e)), as well as all other “information or data subject to” HIPAA (per § 6-48.1-10(a).) (Other healthcare-related exemptions include identifiable private information for purposes of the Common Rule and patient safety work product for purposes of the Patient Safety and Quality Improvement Act.)  
  • Financial institutions subject to, and data collected, processed or disclosed pursuant to, the Gramm-Leach-Bliley Act (GLBA). (§ 6-48.1-3(d), § 6-48.1-10(a).)
  • Institutions of higher education
  • State and local government agencies 

Other data-level exemptions in the RI-DTPPA apply to data processed as authorized by the Fair Credit Reporting Act (FCRA) (§ 6-48.1-3(e)) or by or for a customer reporting agency [sic] as defined in the FCRA (§ 6-48.1-10(f)), as well as data subject to the Driver’s Privacy Protection Act and Family Educational Rights and Privacy Act (among others). (§ 6-48.1-3(e)(11).) 

NOTE: The RI-DTPPA contains many of the exemptions familiar from the other State Consumer Privacy Laws but these exemptions are not uniform across the 20 laws. The CCPA and MN-CDPA do not have entity-level exemptions for financial institutions under the GLBA. The State Customer Privacy Laws in California, Colorado, Delaware, New Jersey, Maryland, Minnesota and Oregon do not have entity-level exemptions for covered entities and business associates under HIPAA. The State Customer Privacy Laws in Colorado, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Jersey and Oregon do not have exemptions for all or most non-profit organizations.

5. WHAT IS AND IS NOT A “SALE OF PERSONAL DATA”?

The RI-DTPPA defines “sale of personal data” as an exchange of personal data for monetary or other valuable consideration by a “controller” to a “third party.”

The RI-DTPPA defines “controller” as a legal or natural person “that, alone or jointly with others determines the purpose and means of processing personal data” and, presumably, personally identifiable information (§ 6-48.1-2(7).) The term “third party” means an individual or legal entity other than the customer, controller, processor or the controller’s or processor’s affiliate. (An “affiliate” is an entity that shares common branding with another legal entity, controls, is controlled by or is under common control with another legal entity. (§ 6-48.1-2(1).) The RI-DTPPA’s definition of affiliate is broader than many of the State Customer Privacy Laws because of the “common branding” inclusion.)

NOTE: Two-thirds of the State Customer Privacy Laws have materially the same definition as the RI-DTPPA. To date, only 6 of 20 State Customer Privacy Laws more narrowly define a “sale” as an exchange for monetary (only) consideration: Indiana, Iowa, Kentucky, Tennessee, Utah, and Virginia.

The RI-DTPPA (§ 6-48.1-2(25)) excludes from the definition of sale:

  • The disclosure of personal data to a processor that/who processes the personal data on behalf of the controller.
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the customer. (Some State Customer Privacy Laws require that the customer request is made “affirmatively”.)
  • The disclosure or transfer of personal data to an affiliate of the controller or a processor.
  • The disclosure of personal data that the customer directs the controller to disclose, or that occurs when the customer intentionally uses the controller to interact with a third party.
  • The disclosure of personal data that the customer: (i) intentionally made available to the public via a channel of mass media; and (ii) did not restrict to a specific audience.
  • The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

These exclusions are typical of most of the State Customer Privacy Laws.

6. WHAT NOTICE REQUIREMENTS APPLY?

The privacy notice/policy requirements are in a few different sections of the RI-DTPPA.

Per § 6-48.1-3(a), the controller of an Online Service (defined in 3. above) must post a notice that includes:

  • Categories of personal data collected about customers through the Online Service
  • “All third parties” to which the controller “has sold or may sell” customers’ personally identifiable information [NOTE: This notice requirement implies that a controller must maintain a ‘live’ (up to date) list of actual or possible personal data sale recipients.]
  • An active email address or online mechanism for contacting the controller

The next sub-section (§ 6-48.1-3(b)) applies more broadly by requiring any controller that sells personal data for targeted advertising to “disclose such processing.” Like the other State Customer Privacy Laws, the RI-DTPPA defines “targeted advertising” as online advertising based on personal data obtained or inferred from a customer’s online activity over time and nonaffiliated “Internet websites and online applications” to predict a customer’s preferences or interests. 

The controller must include the notice for its Online Service “in its customer agreement or incorporated addendum” or in another “conspicuous” place “where similar notices are customarily posted” on its “website or online service platform.” No specific posting requirements apply for the targeted advertising sales notice. 

A different section of the RI-DTPPA (§ 6-48.1-5(f)) requires that a “controller’s privacy notice” explain how a customer “may exercise [privacy] rights … by secure and reliable means established by the controller’s privacy notice.” In other words, all controllers must explain how each privacy right is exercised. (The requirement for “secure and reliable means” is not expressly required in other State Customer Privacy Laws, although most do include general data security requirements.)

NOTE: The notice requirements are the RI-DTPPA’s most differentiating feature because the requirements are much slimmer than other State Customer Privacy Laws. For example, unlike the majority of the State Consumer Privacy Laws, a controller is not required to disclose its purposes for processing personal data or retention practices, no accessibility or opt-out preference signal requirements apply and the controller is only required to disclose its third-party data sharing for actual or future sales of personally identifiable information in its Online Service notice. 

Also, § 6-48.1-3 of the RI-DTPPA does not expressly require that the customer consent to the Online Service’s notice; rather, consent requirements expressly apply to sensitive data processing (see 10. below.)

7. WHAT RIGHTS ARE AVAILABLE FOR CUSTOMERS IN RI-DTPPA?

The RI-DTPPA offers a customer these privacy rights:

  • Right to confirm whether the controller is processing personal data concerning the customer and to access that personal data.
  • Right to correct inaccuracies in the customer’s personal data.
  • Right to delete personal data provided by or obtained about the customer.
    • If the controller did not receive the personal data from the customer, then the controller may, instead of deletion, retain only the personal data needed for recordkeeping purposes and not use that retained data or opt the customer out of processing, except for the exempt processing purposes described in the RI-DTPPA (e.g., processing for compliance with law per § 6-48.1-7(o).)
    • Some of the State Consumer Privacy Laws offer a narrower deletion right (only for personal data provided by the individual to whom the personal data relates (e.g., Iowa)) or a broader right covering any personal data concerning the individual (e.g., Minnesota.)
  • Right to obtain a copy of the customer’s personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without hindrance, but only when the processing is carried out by automated means.
  • Right to opt out of processing personal data for:
    • targeted advertising (defined in 6. above)
    • sale of personal data (defined in 5. above)
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.
    • Like other State Consumer Privacy Laws, “profiling” is automated personal data processing to evaluate, analyze, or predict personal aspects related to an identified or identifiable customer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (§ 6-48.1-2(2)); and “decisions that produce legal or similarly significant effects” means a controller’s decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care or access to essential goods or services. (§ 6-48.1-2(12).) 

The controller must offer a secure and reliable means to exercise privacy rights (see also 6. above).

Like the RI-DTPPA, the State Consumer Privacy Laws of Connecticut, Delaware, Maryland, Montana and New Hampshire offer an opt-out right for profiling in furtherance of solely automated decisions. Many of the other State Consumer Privacy Laws offer a profiling opt out for a broader set of decisions, i.e., decisions that are not solely automated.

8. WHAT ARE THE CONTROLLER’S OBLIGATIONS IN RESPONDING TO A CUSTOMER PRIVACY RIGHTS REQUEST?

Timing: A controller has up to 45 days after receipt of a customer’s privacy rights request to respond, subject to a 45-day extension when “reasonably necessary” and after informing the customer of the delay and reason for it. In responding to a request, the controller must provide information free of charge and once annually per customer, although the controller may charge a reasonable fee or decline a request if a request is manifestly unfounded, excessive or repetitive. If a controller declines the customer’s request, the controller must inform the customer within 45 days after receipt of request the reasons for declining and instructions for how to appeal the decision. These timing requirements are like most of the other State Customer Privacy Laws. (§ 6-48.1-6(b).)

The controller is obligated to respond to a customer request free of charge once during a 12-month period. The controller can charge for excessive requests but bears the burden of proof as to excessiveness.

Authentication of customer requests: A controller is not required to comply with a privacy rights request that the controller cannot authenticate, but must provide notice to the customer that additional information is needed to authenticate. Opt-out requests (see 7. above) do not require authentication unless the controller reasonably believes that the request is fraudulent, in which case the controller must notify the requesting customer. (§ 6-48.1-6(b)(4).)

Authorized agents: The RI-DTPPA allows a customer to designate an authorized agent (or, for a “known child”, a parent or legal guardian) to exercise the customer’s right to opt out of the processing of the customer’s personal data. The controller is obligated to comply with an opt-out request only if the controller is able to verify the customer and the agent’s authority. (§ 6-48.1-6(b)(7).) Not all State Customer Privacy Laws include provisions that allow an authorized agent to exercise privacy rights on behalf of a customer.

Appeals: A controller must allow a customer to appeal when the controller refuses to act on a customer’s request and ensure that the appeal process is “clearly and conspicuously available.” Within 60 days, the controller must provide a written explanation of any action taken or not taken in response to the appeal. If the appeal is denied, the customer can submit a complaint to the Attorney General. (§ 6-48.1-6(b)(6).) (Only the State Customer Privacy Laws of Utah and California do not allow for appeals.)

9. ARE CONTROLLERS REQUIRED TO CONDUCT DATA PROTECTION ASSESSMENTS?

A controller is required to conduct and document a data protection assessment (§ 6-48.1-7(e) – (i).) 

The RI-DTPPA requires a data protection assessment when processing presents a heightened risk of harm to a customer, which includes:

  • Processing personal data for targeted advertising
  • Sale of personal data
  • Processing personal data for profiling, if the profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment, (ii) unlawful disparate impact, (iii) financial, physical or reputational injury, (iv) physical or other intrusion upon solitude, seclusion, or private affairs that would be offensive to a reasonable person or (v) other substantial injury to customers
  • Processing of sensitive data (see 10. below)

The assessment requirements are not retroactive – they apply only to processing activities “created or generated” after January 1, 2026 (the same date on which the RI-DTPPA is in force). Like other State Consumer Privacy Laws that apply to activities ‘generated’ after a certain date, the term ‘generate’ is not defined in the RI-DTPPA and could capture ongoing activities to which the RI-DTPPA would apply. 

The Attorney General may request a data protection assessment that is relevant to an investigation and evaluate it for compliance with the RI-DTPPA. Although the RI-DTPPA is light on compliance requirements when compared to other State Consumer Privacy Laws, a data protection assessment that complies with another applicable law is deemed to satisfy the RI-DTPPA’s requirements. Any data protection assessment provided to the state regulator remains confidential and the disclosure does not constitute a waiver of attorney-client privilege or work product protection.

Of the 20 State Customer Privacy Laws, only the laws of Iowa and Utah do not have some form of assessment requirement and the CCPA provides for regulations on the topic of data protection assessments, which remain in discussion draft form.

10. WHAT OTHER OBLIGATIONS APPLY TO CONTROLLERS?

The RI-DTPPA includes many of the same controller obligations as the preceding 19 State Customer Privacy Laws, including:

Role-based processing agreements

A controller must enter into a binding personal data processing agreement with each of its processors that:

  • sets out processing instructions, the nature, purpose and duration of processing, the type of personal data subject to processing, and the rights and obligations of each party;
  • contractually imposes a duty of confidentiality with respect to the personal data shared with a processor;
  • requires the processor to return or delete (at the controller’s discretion) all personal data at the end of provision of the processor’s services unless retention is required by law;
  • requires the processor, upon a reasonable request from the controller, to make available to the controller all information necessary to demonstrate compliance with the RI-DTPPA; and
  • requires that the processor cooperate with the controller, including by allowing an assessment of the processor’s policies and practices “using an appropriate and accepted control standard or framework and assessment procedure.”

A processor must ensure that all sub-contractors handling the controller’s personal data are bound by a processing agreement that requires the sub-contractor to meet the requirements of the processor’s agreement with the controller. The controller also must have the opportunity to object to proposed new sub-contractors. These requirements add nothing not already applicable under other State Consumer Privacy Laws.

(These role-based processing requirements are in § 6-48.1-7(b)-(c).) 

Processing obligations related to sensitive data

The RI-DTPPA defines “sensitive data” as personal data that reveals (1) racial or ethnic origin, (2) religious beliefs, (3) mental or physical health condition or diagnosis, (4) sex life, (5) sexual orientation, (6) citizenship or immigration status, (7) genetic data or biometric data processed to uniquely identify a specific natural person, (8) personal data of a known child (same as COPPA – under age 13), and (9) precise geolocation data (within a 1,750’ radius).

Like most State Customer Privacy Laws, a controller may not process sensitive data without obtaining the customer’s (opt-in) consent or, for a child, parental consent in compliance with COPPA. (§ 6-48.1-4(c))

Consent

A controller must offer a mechanism for customers to grant and revoke consent. The controller must effectuate a revocation within 15 days. (§ 6-48.1-4(e)) An express consent requirement applies only to sensitive data processing.

Other obligations in the RI-DTPPA include reasonable data security practices, no discrimination against a customer for exercising privacy rights and data minimization.

11. WHAT ARE THE CONSEQUENCES OF NONCOMPLIANCE?

A violation of the RI-DTPPA is a deceptive trade practice under Rhode Island’s deceptive trade practices law. The Attorney General has exclusive enforcement power, i.e., no private right of action is available (even though Rhode Island’s consumer protection/deceptive trade practices law offers a private right of action). The Attorney General may enforce the RI-DTPPA (A) with fines of not less than $100 and not more than $500 for each intentional disclosure of personal data to a “shell company” or other entity formed for the “purposes of circumventing the intent” of the RI-DTPPA or in violation of the RI-DTPPA (§ 6-48.1-8(a)); or (B) under the general regulatory provisions of Title 6 of the Rhode Island General Laws (§ 6-48.1-8(b).)
As we have noted above, the RI-DTPPA includes some distinct obligations that require consideration for existing privacy compliance programs. With 20 State Consumer Privacy Laws, perhaps the stalled mark-up of the APRA discussion draft will be replaced with a nation-wide strictest requirement model for compliance with the State Consumer Privacy Laws.

Privacy World will continue to cover privacy law developments in the US and around the world. Please contact the authors for more information.

The authors are grateful to Krista Setera, Paralegal, and Mary Aldrich, Paralegal, for their assistance.
