Rhode Island Privacy Law Overview
Rhode Island's privacy law took effect January 1, 2026. Two features stand out: businesses must name the specific third parties to whom they sell or share personal data, and there is no right to cure, so the Attorney General can pursue violations without first giving businesses a chance to fix them.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island's law provides comprehensive consumer rights with opt-in consent for sensitive data and a notable transparency duty: controllers that sell or share data must disclose the identity of the specific third parties involved. Uniquely, the law provides no right to cure — among the most aggressive enforcement postures of any state.
RIDTPPA: Quick Overview
- Effective Date: January 1, 2026
- Citation: R.I. Gen. Laws § 6-48.1
- Enforced By: Rhode Island Attorney General
- Maximum Penalty: Up to $10,000 per violation; $100–$500 for each intentional disclosure
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: None (no right to cure)
Who Must Comply
The RIDTPPA applies to businesses that meet Rhode Island's applicability thresholds:
- Controls or processes the personal data of 35,000+ Rhode Island residents per year, or
- Processes data of 10,000+ residents and derives more than 20% of gross revenue from selling personal data
What makes Rhode Island different: Rhode Island has no right to cure and requires businesses to name the specific third parties they sell data to.
Consumer Rights Under the RIDTPPA
Rhode Island residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Rhode Island
Rhode Island requires notice to affected residents within 45 days and to the Attorney General when 500 or more residents are affected.
- Deadline to notify residents: No later than 45 days after discovery of the breach
- Attorney General notice: Notify the Rhode Island Attorney General if 500 or more residents are affected
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Rhode Island
Even where Rhode Island law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Rhode Island Privacy Law FAQ
Does Rhode Island's privacy law have a right to cure?
What must Rhode Island businesses disclose about data sharing?
How a Rhode Island Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Rhode Island Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Rhode Island Privacy Attorney?
Whether you are a business working toward compliance or a Rhode Island resident whose privacy has been violated, our network of Rhode Island-licensed attorneys can help.
Find a Rhode Island Privacy Attorney