Rhode Island Data Privacy Law: A Guide for Small Businesses
RIDTPPA explained for small businesses: low thresholds, consumer rights, penalties, and a compliance checklist for Rhode Island's 2026 privacy law.
Last updated: 2026-02-08
If you are a small business that assumed state privacy laws only matter to big companies, Rhode Island's new data privacy law is a wake-up call. The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) took effect on January 1, 2026, and it carries some of the lowest applicability thresholds of any US state privacy law. That means businesses that comfortably flew under the radar of California's CCPA or even Virginia's VCDPA may find themselves squarely in scope. With thresholds similar to Delaware and New Hampshire, Rhode Island is part of a growing wave of states making privacy compliance a reality for smaller operations. This guide explains exactly what the RIDTPPA requires, who it applies to, and how to prepare your business.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Rhode Island Data Transparency and Privacy Protection Act (R.I. Gen. Laws chapter 6-48.1), as of the date of publication.
Does the RIDTPPA Apply to Your Business?
The RIDTPPA applies to businesses that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents, and meet at least one of two thresholds:
- Control or process the personal data of at least 35,000 Rhode Island consumers during a calendar year (excluding data processed solely to complete a payment transaction).
- Control or process the personal data of at least 10,000 Rhode Island consumers and derive more than 20% of gross revenue from the sale of personal data.
These thresholds are dramatically lower than the 100,000-consumer benchmark used by California and Virginia. Rhode Island is a small state with roughly 1.1 million residents, so 35,000 consumers represents about 3% of the population. If your website or app has moderate Rhode Island traffic, you could be in scope without realizing it.
Consider a practical example: a mid-sized e-commerce company with a nationwide customer base might have 2 million unique visitors per year. If even 2% of those visitors are from Rhode Island, that is 40,000 consumers -- above the threshold. An email marketing platform with 500,000 subscribers nationwide might have 15,000 in Rhode Island, and if data sales represent more than 20% of revenue, the second threshold kicks in. Note that both figures are illustrative: Rhode Island is roughly a third of one percent of the US population, so a visitor base spread evenly across the country would fall well short of 35,000. Do not guess either way; pull the count from your own geolocation, billing-address, or account data, and remember that the count covers consumers whose personal data you process, not just paying customers.
The 20% revenue threshold for the second prong is also notably lower than the 50% used by Virginia and several other states. This means businesses with a moderate (not majority) reliance on data sales could be covered even with a relatively small Rhode Island consumer base.
The RIDTPPA exempts state and local government entities, nonprofits, higher education institutions, entities regulated under HIPAA, and financial institutions covered by the Gramm-Leach-Bliley Act. Data types already regulated by federal laws like the Fair Credit Reporting Act are also exempt.
The law applies to both controllers (businesses that decide why and how data is processed) and processors (businesses that process data on a controller's behalf). Processor obligations must be governed by a written contract.
What Rights Do Consumers Have?
The RIDTPPA grants Rhode Island residents a comprehensive set of rights over their personal data. These rights largely mirror the framework established by other state laws like Delaware's DPDPA and New Hampshire's NHPA, but they are worth understanding in detail because your response obligations are specific.
Consumers have the right to access the personal data a controller has collected about them. They can request correction of inaccurate data. They can request deletion of their personal data. They have the right to data portability, meaning they can obtain their data in a portable, commonly used format. They can opt out of the sale of personal data, opt out of targeted advertising, and opt out of profiling that produces legal or similarly significant effects.
| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Consumer can request all personal data held by the controller |
| Correction | Yes | Consumer can request inaccurate data be fixed |
| Deletion | Yes | Consumer can request their data be erased |
| Portability | Yes | Data provided in a portable, usable format |
| Opt-out of sale | Yes | Consumer can stop sale of their personal data |
| Opt-out of targeted advertising | Yes | Consumer can opt out of targeted ads |
| Opt-out of profiling | Yes | Applies to profiling with legal or significant effects |
| Private right of action | No | Enforcement is exclusively through the Attorney General |
When a consumer submits a request, you have 45 days to respond. An extension of up to 45 additional days is available if reasonably necessary, provided you notify the consumer of the extension and the reason within the initial period. If you decline a request, you must explain the reason and inform the consumer of their right to appeal. If the appeal is denied, you must provide information on how to contact the Rhode Island Attorney General.
The RIDTPPA also requires that consumers be able to exercise their opt-out rights through a universal opt-out mechanism, such as the Global Privacy Control (GPC). This is a technical requirement, not a policy one: GPC reaches your site as the `Sec-GPC: 1` request header and, in page scripts, as `navigator.globalPrivacyControl`, and your site must recognize the signal and treat it as an opt-out of sale and targeted advertising. Honoring it means more than suppressing a cookie banner; the opt-out has to reach every downstream system that would otherwise sell the data or feed it to an advertising partner.
What Your Business Must Do
Beyond responding to consumer requests, the RIDTPPA imposes several proactive obligations on covered businesses.
Privacy notice: You must maintain a reasonably accessible, clear privacy notice that discloses the categories of personal data you process, the purposes for processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties. If you sell data or process it for targeted advertising, that must be clearly stated.
Data minimization: Personal data collection must be limited to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes. You cannot collect data "just in case" or for vaguely defined future uses.
Purpose limitation: Processing must be limited to the purposes disclosed in your privacy notice unless you obtain the consumer's consent for additional purposes.
Security practices: You must implement and maintain reasonable administrative, technical, and physical security practices appropriate to the volume and nature of the personal data you process. The law does not prescribe specific controls, but the "reasonableness" standard means you need measures you can demonstrate after the fact: documented access controls, encryption of personal data in transit and at rest, logging of access to consumer data, and a written incident response plan are the baseline a regulator will expect to see described, not just asserted.
Consent for sensitive data: Processing sensitive personal data requires the consumer's opt-in consent. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, data from a known child, and precise geolocation data.
Data protection assessments: You must conduct and document data protection assessments for processing activities that present a heightened risk to consumers. This includes targeted advertising, data sales, certain profiling activities, and processing sensitive data.
Processor contracts: If you engage processors, you must enter into written contracts that clearly specify the processing instructions, data categories, duration, and obligations of both parties. Processors must assist controllers in fulfilling their RIDTPPA obligations.
Universal opt-out recognition: As noted above, your systems must recognize and honor universal opt-out signals like Global Privacy Control. This is a technical implementation requirement that many businesses overlook.
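The following is an added example of what honoring the universal opt-out signal looks like in server and page code. It is not code from the article or from any vendor. It assumes a Node-style request object whose header names are lower-cased and a stored per-consumer consent record of the shape shown; the two opt-out categories (sale of personal data, targeted advertising) are the ones the law names, while the tag names, state fields and audit record are illustrative.

```javascript
// Added example (not from the article): honouring Global Privacy Control (GPC)
// as the universal opt-out signal. Assumes a Node-style request whose header
// names are lower-cased and a stored per-consumer consent record of the shape
// below. Tag names, state shape and audit fields are illustrative.

// The browser expresses GPC over HTTP as "Sec-GPC: 1". The GPC spec gives
// meaning only to the exact value "1"; "0", other values, or absence all mean
// "no opt-out signal on this request".
function hasGpcHeader(headers) {
  let value = headers["sec-gpc"];
  if (Array.isArray(value)) value = value[0];
  return typeof value === "string" && value.trim() === "1";
}

// Client side, the same signal is navigator.globalPrivacyControl === true.
// The navigator object is passed in so the check can run outside a browser.
function hasGpcNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// A GPC signal turns off sale and targeted advertising for this consumer.
// It never turns anything back on: absence of the signal leaves the stored
// state alone, so a consumer who opted out through a web form stays opted out.
function applyGpc(state, gpcPresent) {
  if (!gpcPresent) return { ...state };
  return { ...state, saleAllowed: false, targetedAdsAllowed: false, source: "gpc" };
}

// Third-party tags the site would normally inject, classified by purpose.
// Classification is where most sites go wrong: a "pixel" that feeds
// retargeting is targeted advertising whatever the vendor calls it.
const TAG_CATALOG = [
  { id: "first-party-session-analytics", purpose: "essential" },
  { id: "retargeting-pixel", purpose: "targeted_ads" },
  { id: "data-broker-audience-sync", purpose: "sale" },
];

// Return the ids of tags that may be loaded under the given consent state.
function allowedTags(state) {
  return TAG_CATALOG.filter((tag) => {
    if (tag.purpose === "targeted_ads") return state.targetedAdsAllowed;
    if (tag.purpose === "sale") return state.saleAllowed;
    return true; // essential processing is not subject to the opt-out
  }).map((tag) => tag.id);
}

// Per-request decision. The audit record is what you produce later when asked
// to show that opt-out signals were actually honoured, not merely "supported".
function handleRequest(req, storedState, now = new Date()) {
  const gpc = hasGpcHeader(req.headers);
  const state = applyGpc(storedState, gpc);
  const tags = allowedTags(state);
  const audit = {
    path: req.url,
    gpcSignal: gpc,
    saleAllowed: state.saleAllowed,
    targetedAdsAllowed: state.targetedAdsAllowed,
    tagsLoaded: tags,
    decidedAt: now.toISOString(),
  };
  return { state, tags, audit };
}

// The GPC spec also defines a support resource at /.well-known/gpc.json that
// lets browsers and auditors see that the site honours the signal.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not real traffic): signal set, absent, and "0".
const SAMPLE_REQUESTS = [
  { url: "/products", headers: { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" } },
  { url: "/products", headers: { "user-agent": "ExampleBrowser/1.0" } },
  { url: "/products", headers: { "sec-gpc": "0", "user-agent": "ExampleBrowser/1.0" } },
];
const DEFAULT_STATE = { saleAllowed: true, targetedAdsAllowed: true, source: "default" };

// Run all samples against a consumer with no prior opt-out on record.
function runSamples() {
  return SAMPLE_REQUESTS.map((req) => handleRequest(req, DEFAULT_STATE));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const result of runSamples()) console.log(JSON.stringify(result.audit));
}
```

The important design choice is that `applyGpc` only ever removes permissions: a request without the header does not re-enable sale or advertising for someone who opted out another way, and the decision is recorded per request so you can later show the Attorney General that the signal was honored rather than just detected.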
How Is the RIDTPPA Enforced?
The RIDTPPA is enforced exclusively by the Rhode Island Attorney General. There is no private right of action, so individual consumers cannot sue businesses directly for violations.
The law includes a 30-day cure period that gives businesses the opportunity to fix identified violations before the Attorney General can bring an enforcement action. However, this cure period is set to sunset on January 1, 2027, after which the Attorney General can pursue enforcement without first offering a chance to cure. This is an important date to mark on your calendar -- the grace period will not last.
Violations of the RIDTPPA are treated as unfair or deceptive trade practices under Rhode Island's Deceptive Trade Practices Act. The Attorney General can seek injunctive relief and civil penalties of up to $10,000 per violation. Given that a systemic violation could affect thousands of consumers, the potential financial exposure is significant even for small businesses.
Because the law only recently took effect in January 2026, there are no reported enforcement actions yet. However, given the trend across other states where attorneys general have become increasingly active in privacy enforcement, businesses should not treat the current quiet period as a sign that enforcement will be lax.
How the RIDTPPA Compares to Other State Laws
Rhode Island joins Delaware and New Hampshire in a cohort of states with notably low applicability thresholds. This makes them particularly important for small and mid-sized businesses that may have assumed privacy compliance was only for larger operations.
| Feature | Rhode Island (RIDTPPA) | Delaware (DPDPA) | New Hampshire (NHPA) |
|---|---|---|---|
| Effective date | January 1, 2026 | January 1, 2025 | January 1, 2025 |
| Consumer threshold | 35,000 | 35,000 | 35,000 |
| Lower threshold (with revenue %) | 10,000 + 20% revenue | 10,000 + 20% revenue | 10,000 + 25% revenue |
| Right to access | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes |
| Opt-out of sale | Yes | Yes | Yes |
| Universal opt-out required | Yes | Yes | No |
| Cure period | 30 days (sunsets Jan 2027) | 60 days (sunsets Jan 2026) | 60 days (sunsets Jan 2026) |
| Private right of action | No | No | No |
| Max penalty per violation | $10,000 | $10,000 | $10,000 |
| Enforced by | Attorney General | Attorney General | Attorney General |
If you are already compliant with Delaware's DPDPA or New Hampshire's NHPA, extending compliance to Rhode Island is straightforward. The key differences to watch for are the universal opt-out mechanism requirement and the specific cure period sunset date. Maryland is another state with low thresholds worth monitoring if you are building out a multi-state compliance strategy.
Action Checklist for Small Businesses
Here is what you need to do to get compliant with the RIDTPPA:
- Check your consumer counts. Determine how many Rhode Island consumers' data you process annually. Remember the 35,000-consumer threshold, or 10,000 consumers plus 20% revenue from data sales.
- Map your data. Inventory what personal data you collect from Rhode Island consumers, where it lives, why you collect it, and who receives it.
- Update your privacy notice. Ensure it includes all required disclosures: data categories, processing purposes, consumer rights, third-party sharing, and any data sale or targeted advertising activity.
- Build your consumer request workflow. Establish processes for receiving, verifying, processing, and responding to all seven types of consumer requests within 45 days.
- Implement universal opt-out recognition. Configure your website and systems to detect and honor Global Privacy Control and similar universal opt-out signals.
- Obtain consent for sensitive data. If you process any sensitive data categories, implement an opt-in consent mechanism before processing.
- Conduct data protection assessments. Document assessments for targeted advertising, data sales, sensitive data processing, and profiling activities.
- Update vendor contracts. Ensure all processor agreements include RIDTPPA-compliant terms addressing data scope, purpose, duration, and obligations.
- Train your team. Ensure staff who handle consumer data or requests understand the RIDTPPA requirements and your internal procedures.
- Mark the cure period sunset. The 30-day cure period expires January 1, 2027. Plan to have your compliance program fully operational before that date.
Key Dates
- June 2024: RIDTPPA became law.
- January 1, 2026: RIDTPPA took effect.
- January 1, 2027: 30-day cure period sunsets -- Attorney General can enforce without offering a cure opportunity.
References
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA): R.I. Gen. Laws chapter 6-48.1. Full text on Rhode Island General Assembly website
- Rhode Island Deceptive Trade Practices Act: R.I. Gen. Laws chapter 6-13.1.
- Rhode Island Attorney General's Office: Official website
- Delaware Personal Data Privacy Act (DPDPA): Del. Code Ann. title 6, chapter 12D. Full text
- New Hampshire Privacy Act (NHPA): N.H. Rev. Stat. Ann. chapter 507-H. Full text
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Need to build a DSAR response process before the RIDTPPA cure period sunsets? Our DSAR Compliance Guide gives you a step-by-step framework for handling consumer requests under Rhode Island's law and every other major state privacy statute. Or start with our DSAR Response Templates for ready-to-use response workflows.