On June 13, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) (H. 7787/S. 2500), with the bill passing into law on June 29. This bill is the nineteenth state comprehensive privacy law to be enacted and will take effect on January 1, 2026. Though the Act generally adheres to the standard model exemplified by most non-California state comprehensive privacy laws, it departs from that model in several ways that companies should take note of, including the broad applicability of its privacy notice requirements (which apply to all commercial websites and internet service providers, even ones not subject to the Act’s other requirements), its potentially expansive disclosure requirements regarding sales of personal data to third parties, and its lack of a cure period provision for potential violations.
In this post, we summarize notable provisions of the RIDTPPA and highlight key takeaways for companies looking to understand how this bill will affect their privacy compliance obligations. To stay up to date on the latest state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
KEY TAKEAWAYS
The RIDTPPA largely tracks the model used by most non-California state comprehensive privacy laws. However, the Act departs from this model in several notable ways:
- Broad Applicability of Privacy Notice Requirements: Though most of the Act’s provisions are subject to fairly standard applicability thresholds (as with many states, based primarily on the amount of data processed by the entity), the Act’s privacy notice requirements apply broadly to “[a]ny commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction” that “collects, stores and sells customers’ personally identifiable information.”
- Broad Disclosure Requirements for Third-Party Data Sales: The Act’s privacy notice provisions require that controllers of commercial websites and internet service providers disclose “all third parties to whom the controller has sold or may sell customers’ personally identifiable information.” Notably, the statute does not define “personally identifiable information,” instead referring to “personal data” (which is defined) in most of its provisions. Thus, it is unclear precisely how broadly this provision sweeps. Nonetheless, the requirement that companies’ privacy notices include a list of all third parties to which the company “has sold or may sell” personal information is a unique one, and one that has the potential to impose an onerous burden on companies that engage in a substantial volume of such sales.
- Lack of Cure Period: The Act does not include a cure period provision, meaning that the state attorney general (AG), the entity tasked with enforcing the Act, will not be required to give entities determined to have violated the Act time to correct their non-compliant practices. Accordingly, companies should take extra care to ensure compliance with the Act’s requirements, as they will have less flexibility in responding to potential enforcement actions.
KEY PROVISIONS
- Key Definitions:
  - Customer: The Act’s definition of “customer” (analogous to the term “consumer” used in most state comprehensive privacy laws) excludes individuals “acting in a commercial or employment context.”
  - Sale of personal data: The Act defines “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party” (emphasis added).
- Applicability Thresholds: The Act generally applies to for-profit entities that conduct business in Rhode Island or target products or services to Rhode Island residents and satisfied at least one of the following two thresholds in the previous calendar year: (1) controlled or processed personal data of at least 35,000 Rhode Island residents; or (2) controlled or processed personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from sale of personal data.
  - The Act’s privacy notice requirements (see below), however, are not subject to these applicability thresholds.
- Exemptions: The Act exempts various entities and information types, including: state entities and state political subdivisions; nonprofit organizations; institutions of higher education; national securities associations; financial institutions and data subject to the GLBA; HIPAA covered entities, business associates, protected health information, and other information subject to HIPAA; other types of health and medical research-related information; information governed by FCRA, the Driver’s Privacy Protection Act, FERPA, and the Farm Credit Act; and certain employment-related information.
- Privacy Notices: The Act requires the controller of any commercial website or internet service provider that “collects, stores, and sells” Rhode Island customers’ personally identifiable information to make available a privacy notice that describes: (1) all categories of personal data collected; (2) the third parties to which “personally identifiable information” (a term left undefined in the bill) has been sold or may be sold; and (3) an online mechanism through which customers may contact the controller. In addition, if personal data is sold or processed for targeted advertising, the controller must “clearly and conspicuously disclose such processing.”
  - As noted above, these privacy notice requirements, unlike the rest of the bill’s provisions, apply to all controllers of commercial websites or internet service providers that “collect[], store[] and sell[] customers’ personally identifiable information.”
  - The scope of this provision is somewhat unclear. As mentioned previously, the Act does not define “personally identifiable information.” Additionally, the statute seems to indicate that this privacy notice requirement applies only to a commercial website or Internet service provider that “collects, stores and sells” personally identifiable information (emphasis added), making it unclear whether the requirement would also apply to commercial websites or Internet service providers that disclose personally identifiable information to third parties, but do not “sell” such information within the meaning of the statute.
- Opt-In for Sensitive Data Processing: The Act requires that entities obtain a customer’s consent before processing their sensitive data.
- Consent Revocation: The Act requires that entities “provide customers with a mechanism to grant and revoke consent where consent is required.”
- Customer Data Rights: The Act creates a fairly standard set of data rights for customers, including: (1) the right to confirm whether a controller is processing their personal data and to access said data; (2) the right to correct inaccurate personal data; (3) the right to delete personal data; (4) the right to data portability; and (5) the right to opt-out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.”
- Data Protection Assessments: The Act requires that controllers perform data protection assessments for certain types of data processing that “present[] a heightened risk of harm to a customer,” including the processing of personal data for targeted advertising, the sale of personal data, the processing of personal data for certain types of profiling, and the processing of sensitive data.
  - Unlike some other states’ comprehensive privacy laws, the RIDTPPA does not specify what factors the controller should consider when conducting these assessments.
- Data Processing Agreements for Processors: The Act requires that a processor’s data processing activities on behalf of a controller be governed by a contract.
- Enforcement and Violations: A violation of the Act constitutes a violation of Rhode Island commercial law and further constitutes a deceptive trade practice.
  - Civil penalties. In addition, any intentional disclosure of personal data in violation of the Act will result in a fine between $100 and $500 for each disclosure.
  - No private right of action. The Act does not create a private right of action; rather, it grants the Rhode Island AG sole enforcement authority.
- Effective Date: The Act will take effect on January 1, 2026.
Nathan Choe, a summer associate, also contributed to this article.