State Law Practice Note

Rhode Island Consumer Privacy Law (RIDTPPA)

The Rhode Island Data Transparency and Privacy Protection Act, effective January 1, 2026, sets information-sharing-practices disclosure duties for commercial websites and broader controller obligations — sensitive-data consent and processor contracts — on for-profit entities above defined customer thresholds, enforced exclusively by the Attorney General with no private right of action.

Editor: OpenAgreements editor
License: CC BY 4.0

Does the Rhode Island privacy law apply to your business?

It depends which duty you are asking about, because RIDTPPA runs on two tracks. The disclosure duty reaches any commercial website or internet service provider doing business in Rhode Island that collects, stores, and sells customers' personally identifiable information. The broader controller duties apply only to for-profit entities that, in the preceding year, controlled or processed the data of at least 35,000 Rhode Island customers, or at least 10,000 customers while earning more than 20% of gross revenue from selling personal data.

A customer here is an individual residing in Rhode Island acting in an individual or household context, so employees and business contacts do not count toward the thresholds. The split structure is the practical surprise: a small site that sells customer data can owe the disclosure obligations even if it never approaches the 35,000-customer floor that triggers the consent and contracting duties. Financial institutions and GLBA-regulated data, HIPAA-covered entities, nonprofits, and state and local government bodies sit outside the chapter entirely.

Sources for this answer

Primary law

A.1 R.I. Gen. Laws § 6-48.1-3

The information-sharing-practices disclosure duty applies to any commercial website or internet service provider that collects, stores, and sells customers' personally identifiable information.

Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller.

See R.I. Gen. Laws § 6-48.1-3(a).

Primary law

A.2 R.I. Gen. Laws § 6-48.1-4

The broader controller duties apply to for-profit entities that control or process the data of at least 35,000 Rhode Island customers, or 10,000-plus while deriving over 20% of gross revenue from selling personal data.

This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following: (1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

See R.I. Gen. Laws § 6-48.1-4(a).

What must your Rhode Island privacy notice contain?

If your commercial website or service collects, stores, and sells customers' personally identifiable information, you must — in the customer agreement, an incorporated addendum, or another conspicuous location — identify the categories of personal data you collect, identify the third parties you have sold or may sell that data to, and give an email address or other online way for the customer to reach you. If you sell personal data or process it for targeted advertising, you must also disclose that clearly and conspicuously.

Rhode Island frames this as an information-sharing-practices notice rather than the all-purpose privacy policy other states require, and it is keyed to the act of selling data. The three required disclosures are the content checklist for a compliant Rhode Island notice. Note that the statute uses the term personally identifiable information in this section while using personal data elsewhere, so a notice that maps the data you actually collect and sell is the safer posture.

Sources for this answer

Primary law

B.1 R.I. Gen. Laws § 6-48.1-3

A controller that collects, stores, and sells customers' personally identifiable information must disclose the categories of personal data collected, the third parties it sells to, and a contact mechanism.

(1) Identify all categories of personal data that the controller collects through the website or online service about customers; (2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and (3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.

See R.I. Gen. Laws § 6-48.1-3(a).

Primary law

B.2 R.I. Gen. Laws § 6-48.1-3

A controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose that processing.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing.

See R.I. Gen. Laws § 6-48.1-3(b).

What must your contracts with processors say?

A contract between a controller and a processor must govern how the processor handles data on the controller's behalf, so a data processing agreement is a statutory requirement, not a best practice. That contract has to set out the processing instructions, the nature and purpose of processing, the type of data, the duration, and each party's rights and obligations, and it must bind the processor to specific duties.

The required processor duties are a confidentiality obligation for everyone handling the data, deletion or return of data at the controller's direction, making compliance information available on request, binding any subcontractor by written contract to the same obligations after giving the controller a chance to object, and cooperating with reasonable assessments. A compliant template tracks each of these. A processor that starts deciding the purposes and means of processing becomes a controller and can itself face enforcement.

Sources for this answer

Primary law

C.1 R.I. Gen. Laws § 6-48.1-7

A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller.

A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.

See R.I. Gen. Laws § 6-48.1-7(c).

Primary law

C.2 R.I. Gen. Laws § 6-48.1-7

The controller-processor contract must set out processing instructions, nature and purpose, type of data, duration, and the parties' rights and obligations, and must require the processor to keep data confidential and to bind subcontractors.

The contract shall be binding and clearly set forth instructions for processing data; the nature and purpose of processing; the type of data subject to processing; the duration of processing; and the rights and obligations of both parties. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

See R.I. Gen. Laws § 6-48.1-7(c).

Do you need consent to process sensitive data?

Yes. A covered controller may not process a customer's sensitive data without obtaining the customer's consent, and it may not process the sensitive data of a known child unless it gets consent and handles the data under the federal Children's Online Privacy Protection Act. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify someone; data from a known child; and precise geolocation.

This is an opt-in model: consent must be a clear, affirmative act and cannot be obtained through dark patterns or buried in a broad terms-of-use document. Controllers also have to give customers a way to grant and revoke consent, and must act on a revocation within fifteen days. Processing sensitive data is one of the activities that triggers a documented data protection assessment under the same section.

Sources for this answer

Primary law

D.2 R.I. Gen. Laws § 6-48.1-2

Sensitive data includes data revealing race or ethnicity, religious beliefs, health condition, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify an individual; data from a known child; and precise geolocation.

“Sensitive data” means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.

See R.I. Gen. Laws § 6-48.1-2(26).

Can a customer sue your business under the Rhode Island privacy law?

No. The statute expressly says nothing in it authorizes a private right of action. Enforcement rests solely with the Attorney General, who may proceed under the chapter itself or under the general regulatory provisions of commercial law.

A violation of the chapter is treated as a violation of the general regulatory provisions of commercial law and as a deceptive trade practice under Rhode Island law. The statute adds a targeted penalty for bad actors: anyone who intentionally discloses personal data to a shell company set up to circumvent the chapter, or otherwise discloses it in violation of the chapter, pays a fine of $100 to $500 per disclosure. Because there is no statutory cure period written into the section, the practical posture is to build the disclosure, consent, and contracting controls before a complaint reaches the Attorney General.

Sources for this answer

Primary law

E.1 R.I. Gen. Laws § 6-48.1-8

The statute does not authorize any private right of action to enforce the chapter.

Nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of law.

See R.I. Gen. Laws § 6-48.1-8(c).

Primary law

E.2 R.I. Gen. Laws § 6-48.1-8

The Attorney General has sole enforcement authority and may enforce under the chapter or under the general regulatory provisions of commercial law.

The attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter pursuant to:

See R.I. Gen. Laws § 6-48.1-8(b).

Primary law

E.3 R.I. Gen. Laws § 6-48.1-8

A violation is a violation of the general regulatory provisions of commercial law and a deceptive trade practice, and intentional disclosure to a shell company or in violation of the chapter carries a $100-$500 fine per disclosure.

A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in this title and shall constitute a deceptive trade practice in violation of chapter 13.1 of this title

See R.I. Gen. Laws § 6-48.1-8(a).