Rhode Island Joins the US Privacy Patchwork
Rhode Island became the nineteenth US state to enact a comprehensive consumer privacy law when Governor Dan McKee signed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) on 28 June 2024. The law took effect on 1 January 2026.
The RIDTPPA shares its basic architecture with laws like the Virginia VCDPA and Connecticut CTDPA, but it departs from those models in several meaningful ways. There is no cure period for violations, the Attorney General holds exclusive enforcement power, and penalties reach $10,000 per violation. These differences make the RIDTPPA one of the stricter state-level privacy frameworks currently in force.
Who the RIDTPPA Applies To
The law targets for-profit entities that conduct business in Rhode Island or direct products and services to Rhode Island residents. A business falls within scope if it met at least one of two thresholds during the preceding calendar year:
- Controlled or processed the personal data of at least 35,000 Rhode Island residents, or
- Controlled or processed the personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.
The 35,000-resident threshold is lower than what many other states set. Compare this with the 100,000-resident bar used by Colorado and several other states. A mid-sized e-commerce site or regional publisher with meaningful Rhode Island traffic could trip that threshold without realising it.
Exemptions exist for entities already governed by HIPAA, the Gramm-Leach-Bliley Act, and certain other federal frameworks, as well as for nonprofits and higher education institutions.
Consumer Rights Under the RIDTPPA
Rhode Island residents receive a set of rights broadly consistent with other state privacy laws. The law grants what it refers to as "customers" - not "consumers" - the following:
| Right | Description | Response Window |
|---|---|---|
| Confirm and access | Confirm whether a controller processes personal data and access that data | 45 days |
| Correct | Request correction of inaccurate personal data | 45 days |
| Delete | Request deletion of personal data | 45 days |
| Portability | Obtain a portable copy of personal data in a usable format | 45 days |
| Opt out of targeted advertising | Opt out of processing for targeted advertising purposes | 45 days |
| Opt out of sale | Opt out of the sale of personal data | 45 days |
| Opt out of profiling | Opt out of profiling that produces legal or similarly significant effects | 45 days |
Controllers must respond within 45 calendar days, with a possible 45-day extension where reasonably necessary. If a request is refused, the controller must provide an appeals process.
Sensitive Data and Opt-In Consent
The RIDTPPA follows an opt-out model for most personal data processing. Sensitive data is the exception - controllers must obtain affirmative, opt-in consent before collecting or processing it.
Sensitive data under the RIDTPPA includes personal data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship or immigration status, genetic or biometric identifiers, and precise geolocation data. Data collected from a known child also falls into this category.
For children under 13, controllers must obtain verifiable parental consent before processing, in line with COPPA requirements. All personal data of minors under 18 is treated as sensitive data, which means opt-in consent applies broadly to younger users.
No Cure Period and Strict Enforcement
This is where the RIDTPPA stands apart from most of its peers. The law does not grant businesses a right to cure violations before enforcement action begins. Many state privacy laws, including the Texas TDPSA, provide a 30- or 60-day cure window. Rhode Island offers none.
The Attorney General holds exclusive enforcement authority. There is no private right of action, so individual consumers cannot sue directly. But the absence of a cure period means the AG can pursue penalties immediately upon discovering a violation.
Penalties are structured as follows:
- Up to $10,000 per violation under Rhode Island's commercial law provisions (Title 6)
- Intentional disclosure of personal data may result in fines between $100 and $500 per incident
Multiple violations across a large customer base could accumulate rapidly.
No Universal Opt-Out Signal Requirement
Unlike Colorado, Connecticut, and Montana, Rhode Island does not require controllers to recognise universal opt-out mechanisms such as Global Privacy Control (GPC). Customers who wish to opt out of data sales or targeted advertising must submit individual requests to each business.
This does not mean you should ignore GPC signals from Rhode Island visitors. Honouring browser-level opt-out signals voluntarily demonstrates good faith and simplifies compliance if your site also serves users in states that mandate GPC recognition. A consent management platform can detect the Sec-GPC header and apply the appropriate preferences automatically.
Website Disclosure and Cookie Obligations
The RIDTPPA requires commercial websites to disclose all personal data they collect in a conspicuous location. This means your privacy policy must clearly describe:
- The categories of personal data collected
- The purposes of processing
- How customers can exercise their rights
- Whether personal data is sold or used for targeted advertising
Cookies and tracking technologies that collect personal data - such as _ga, _fbp, or advertising identifiers - fall within scope. If your site sets cookies that support targeted advertising or data sales, you need a mechanism for Rhode Island visitors to opt out.
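The Sec-GPC detection mentioned earlier and the opt-out mechanism for advertising cookies can share one server-side check; the sketch below is an added example, not code from this article or from any consent platform. The cookie catalogue, the `session_id` cookie, the purpose labels and all function names are assumptions made for illustration.

```javascript
// Constructed catalogue: cookie name -> purpose, as a cookie scan might classify them.
// The purpose assigned to each cookie is an assumption; classify your own inventory.
const COOKIE_PURPOSES = new Map([
  ["session_id", "essential"], // hypothetical first-party session cookie
  ["_ga", "analytics"],
  ["_fbp", "advertising"],
]);

// Purposes a customer can opt out of: sale and targeted advertising.
const OPT_OUT_PURPOSES = new Set(["advertising", "sale"]);

// The header expresses a preference only when its value is exactly "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// An individual opt-out request already on file takes precedence;
// the browser signal is honoured voluntarily as a second source.
function resolveOptOut(headers, storedOptOut) {
  if (storedOptOut) return { optedOut: true, source: "request" };
  if (hasGpcSignal(headers)) return { optedOut: true, source: "gpc" };
  return { optedOut: false, source: "none" };
}

// Return the cookie names that may be set on this response.
// Unclassified cookies fail closed: they are withheld once the visitor has opted out.
function allowedCookies(cookieNames, headers, storedOptOut = false) {
  const { optedOut } = resolveOptOut(headers, storedOptOut);
  return cookieNames.filter((name) => {
    if (!COOKIE_PURPOSES.has(name)) return !optedOut;
    return !(optedOut && OPT_OUT_PURPOSES.has(COOKIE_PURPOSES.get(name)));
  });
}
```

Recording the `source` value alongside each decision gives you an audit trail showing whether an opt-out came from a submitted request or from the browser signal.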
Consent obtained through dark patterns is invalid. The statute explicitly states that consent cannot be obtained by hovering over, muting, pausing, or closing content. Pre-ticked checkboxes and deceptive interface designs will not hold up under scrutiny.
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm. These include:
- Processing personal data for targeted advertising
- Selling personal data
- Profiling where it creates a risk of unfair treatment, financial injury, or intrusion on privacy
- Processing sensitive data
If your website runs remarketing campaigns through tools like the Meta Pixel or Google Ads, those activities likely trigger the assessment requirement. The assessment must weigh the benefits of processing against potential risks to consumer privacy.
How the RIDTPPA Compares to Other State Laws
The table below highlights where Rhode Island differs from neighbouring state frameworks:
| Feature | Rhode Island | Connecticut | Virginia |
|---|---|---|---|
| Effective date | 1 January 2026 | 1 July 2023 | 1 January 2023 |
| Resident threshold | 35,000 | 100,000 | 100,000 |
| Cure period | None | 60 days (expired 2025) | 30 days (expired 2025) |
| Universal opt-out (GPC) | Not required | Required | Not required |
| Max penalty per violation | $10,000 | $5,000 | $7,500 |
| Private right of action | No | No | No |
| Sensitive data consent | Opt-in | Opt-in | Opt-in |
For a broader view of how all active US state privacy laws compare, see the full side-by-side comparison.
Practical Steps for Website Owners
If your site serves Rhode Island residents and meets the applicability thresholds, take these steps:
- Run a cookie scan. Identify every cookie and tracking technology on your site. Tools like the Kukie.io free scanner can automate this process.
- Update your privacy policy. Disclose the categories of data collected, purposes, and opt-out mechanisms. Place this information prominently on your site.
- Provide opt-out controls. Offer clear, accessible methods for visitors to opt out of data sales, targeted advertising, and profiling.
- Obtain opt-in consent for sensitive data. If you process health data, precise geolocation, biometric identifiers, or data from minors, ensure you collect affirmative consent first.
- Conduct data protection assessments. Document your assessment for any processing activity that involves targeted advertising, data sales, or profiling.
- Review processor contracts. Ensure your data processing agreements with third-party vendors meet the RIDTPPA's requirements for processor obligations, including breach notification assistance.
Frequently Asked Questions
When did the Rhode Island Data Transparency and Privacy Protection Act take effect?
The RIDTPPA took effect on 1 January 2026. It was signed into law on 28 June 2024.
Does Rhode Island require businesses to recognise Global Privacy Control?
No. The RIDTPPA does not require controllers to honour universal opt-out mechanisms like GPC. Customers must submit individual opt-out requests to each business.
What is the penalty for violating the Rhode Island privacy act?
Each violation may incur a civil penalty of up to $10,000. Intentional disclosure of personal data carries a separate fine of $100 to $500 per incident.
Is there a cure period under the RIDTPPA?
No. Rhode Island does not offer businesses a right to cure violations before the Attorney General pursues enforcement. This makes it stricter than most other state privacy laws.
Do I need cookie consent for Rhode Island visitors?
The RIDTPPA uses an opt-out model for most personal data. You must provide opt-out mechanisms for data sales and targeted advertising. Sensitive data requires opt-in consent before collection.
Does the Rhode Island privacy law apply to small businesses?
It applies to for-profit entities that processed the data of at least 35,000 Rhode Island residents, or at least 10,000 residents while deriving over 20% of revenue from data sales. Small businesses below these thresholds are not covered.