Rhode Island Data Transparency and Privacy Protection Act: An Overview

Written By Scott Schlimmer

The landscape of data privacy is evolving again, and the Rhode Island Data Transparency and Privacy Protection Act, set to take effect on January 1, 2026, is the latest US privacy law that businesses will need to comply with. This law introduces stringent requirements for businesses that handle the personal data of Rhode Island residents, aiming to promote transparency and safeguard consumer rights.

Introduction to the Act

The Rhode Island Data Transparency and Privacy Protection Act was introduced by Senators DiPalma, Euer, and DiMario to address concerns over how businesses collect, store, and share personal data. The act recognizes the right to privacy as fundamental, protected by the U.S. Constitution, and essential for shielding citizens from cybercrimes and identity theft. As businesses continue to expand their data collection practices, the law steps in to ensure that Rhode Islanders are better informed and in control of their data.

Key Provisions

One of the Act's core features is its emphasis on transparency. Businesses that handle significant volumes of personal data are required to clearly disclose their data collection practices. These disclosures must include:

  • The categories of personal data collected.

  • Whether the data may be sold or shared with third parties.

  • The mechanisms through which consumers can exercise their rights over their data.

A critical threshold for businesses to fall under the Act's scope is processing the personal data of at least 35,000 customers or 10,000 customers if the entity derives 20% of its revenue from data sales. These criteria ensure that both small and large companies are held accountable for their data practices.

Rights Afforded to Consumers

The Act grants Rhode Island residents several rights regarding their personal data, which are crucial for empowering consumers in the digital age. Among these rights is the ability to confirm whether a business is processing their personal data, request corrections, and delete their data. Moreover, consumers have the right to receive their data in a portable format and transmit it to another service provider if needed.

Importantly, the law prohibits businesses from discriminating against consumers who choose to exercise these rights. For instance, a company cannot deny goods or services or charge higher prices solely because a customer opted out of data collection​.

Sensitive Data and Consent Requirements

The law also introduces specific provisions for "sensitive data," including data related to race, religion, health, sexual orientation, and precise geolocation information. Businesses cannot process sensitive data without obtaining explicit consent from consumers​. For data concerning minors, parental consent is required, aligning with the federal Children's Online Privacy Protection Act (COPPA).

Data Security and Breach Protocols

To prevent data breaches, the Act mandates that businesses implement robust administrative, technical, and physical security measures to safeguard personal data. These measures are critical in ensuring the confidentiality and integrity of sensitive consumer information.

If a business fails to comply with the law, penalties include fines ranging from $100 to $500 for each violation. Enforcement is solely under the jurisdiction of the Rhode Island Attorney General, ensuring that violations are treated as deceptive trade practices​.

Impact on Businesses

The Rhode Island Data Transparency and Privacy Protection Act places a significant burden on businesses operating in the state or targeting its residents. Companies will need to reevaluate their data practices, update their privacy policies, and ensure compliance with the law's requirements. Furthermore, entities handling sensitive data must seek consumer consent, which may lead to additional operational costs but is essential for protecting consumer trust.

For businesses, this Act also introduces a new responsibility to assess the risks associated with their data processing activities. They are required to conduct data protection impact assessments, especially when processing sensitive data or engaging in targeted advertising​. These assessments help ensure that businesses are aware of potential harms to consumers and take steps to mitigate those risks.

Conclusion

The Rhode Island Data Transparency and Privacy Protection Act is a forward-thinking piece of legislation that strengthens data privacy protections for consumers while placing new responsibilities on businesses. With its implementation in 2026, businesses that handle personal data will need to be more transparent about their practices, giving Rhode Island residents greater control over their personal information. As data privacy continues to evolve, this Act positions Rhode Island at the forefront of state-level efforts to safeguard consumer rights in the digital age.

Companies must start preparing now to ensure they meet the rigorous standards set forth by this legislation and avoid penalties for non-compliance.

ZenPrivata has Rhode Island in its privacy platform. See all regulations included.

Scott Schlimmer http://ZenPrivata.com
Previous

How Data Mapping Simplifies Compliance with Privacy Regulations
Next

Third Party Privacy Monitoring