While businesses have long navigated federal privacy regulations like HIPAA or the GLBA, a new era of state-level enforcement has arrived in the Ocean State. The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) officially took effect on January 1, 2026.
The requirements for how you handle, share, and disclose customer data have fundamentally changed. If your business hasn’t yet audited its privacy policy or data storage practices, you may be operating under a new set of legal risks.
What Is the RIDTPPA?
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) is a comprehensive state law designed to give Rhode Island residents (referred to as customers) more control over their digital footprint.
Unlike some other state laws that focus heavily on complex data-sharing math, the RIDTPPA is built on a foundation of transparency. It places strict obligations on businesses to be crystal clear about exactly what data they are collecting and, critically, who they might share or sell that data to in the future. It also grants residents the right to access, correct, or delete their information upon request.
Who Does It Apply To?
What makes Rhode Island’s law unique is its dual-threshold system. While most state laws only apply to large-scale data processors, Rhode Island includes a requirement that applies to virtually any business serving the state via the web.
Here is how the two tiers work:
Tier 1: The Privacy Notice Requirement (Applies Very Broadly)
Any commercial website or internet service provider conducting business in Rhode Island that collects and sells customers’ personally identifiable information must clearly identify the following in their privacy policy:
- All categories of personal data being collected.
- All third parties to whom the data has been, or may be, sold.
- An active contact mechanism for customers (such as an email address).
Note: Unlike the rest of the law, this tier can apply even if you don’t meet the high volume thresholds of Tier 2, provided you are engaged in the sale of data.
Tier 2: Full Compliance Obligations
A business is subject to the full range of RIDTPPA obligations if, during the previous calendar year, it met either of these criteria:
- Controlled or processed the personal data of at least 35,000 Rhode Island residents.
- Controlled or processed the data of at least 10,000 residents while deriving more than 20% of gross revenue from selling personal data.
These thresholds are low compared to other states and will pull in many mid-sized businesses that might not expect to be covered.
Obligations for Covered Businesses
For those subject to the full compliance tier, the law requires several proactive steps:
- Consent for Sensitive Data: You must obtain explicit consent before processing sensitive data. This includes information on race, religion, health conditions, sexual orientation, citizenship, and genetic or biometric identifiers.
- Honoring Consumer Rights: Residents have the right to access, correct, and delete their data, or opt out of targeted advertising and data sales. Businesses must respond to these requests within 45 days.
- Consent Revocation: If a customer withdraws their consent for data processing, the RIDTPPA requires you to stop processing that data as soon as possible, but no later than 15 days after receiving the request.
- Future-Proof Disclosures: Unlike most states that only require you to list who you currently share data with, Rhode Island requires you to disclose third parties to whom you may sell data in the future.
- Data Protection Impact Assessments: For high-risk activities (like selling sensitive data or targeted advertising), businesses must conduct and document formal risk assessments. These are required for any new high-risk processing initiated after January 1.
No Cure Period: Why Compliance is Urgent
The most important thing to understand about the RIDTPPA is that it is less forgiving than many other state laws. Most privacy regulations give businesses a “cure period,” a 30- or 60-day window to fix a violation before being fined.
Rhode Island does not provide this grace period. The Attorney General has the power to enforce the law immediately upon discovery of a violation. Under the law, a failure to comply is treated as a deceptive trade practice.
Civil penalties can reach up to $10,000 per violation. For a company with a single compliance gap affecting thousands of customers, these fines can escalate into a massive liability very quickly. Because there is no “right to cure,” proactive compliance is your only real defense.
What This Means for Your Physical Records
While most privacy guides focus on “the cloud,” the RIDTPPA applies to personal information regardless of where it lives. The law defines data processing as any operation performed on information by either automated or manual means. This means your physical filing cabinets are subject to the same scrutiny as your digital databases.
Think about your storage rooms. Patient intake forms, HR files, signed contracts, and financial records often contain the sensitive data the law protects. Under the principle of data minimization, you should only retain this information as long as it serves a disclosed business purpose.
Paper records are a significant compliance liability under this new law. They are subject to the same 45-day privacy requests and protection requirements as any digital file. If you cannot locate, redact, or delete a physical record within that timeframe, your business is at risk of a violation.
A Practical RIDTPPA Compliance Checklist
Because the RIDTPPA is already in effect and lacks a cure period, businesses should treat compliance as an immediate operational priority. Use the following steps as a baseline to audit your current data practices and identify potential gaps.
- Assess Your Coverage: Confirm whether you meet the Tier 1 website transparency requirements or the Tier 2 volume thresholds (35,000 residents). Most businesses with a digital presence in Rhode Island will, at minimum, need to address Tier 1.
- Update Your Privacy Policy: Ensure your notice is conspicuous and clearly lists all categories of data collected. Critically, you must identify any third parties to whom you currently sell data, or to whom you may sell data in the future.
- Map Your Sensitive Data: Conduct a thorough inventory of where sensitive information lives. This includes digital databases and physical filing cabinets containing health, ethnic, or biometric data.
- Establish Request Workflows: Build a reliable system to verify identities and fulfill customer requests for data access, correction, or deletion within the mandatory 45-day window.
- Review Vendor Contracts: Ensure all third-party processors are bound by written agreements that strictly outline their data handling responsibilities and compliance with Rhode Island standards.
- Audit Physical Archives: Identify paper records that have passed their legal retention period. Scheduling these for certified destruction is the most effective way to minimize your “data footprint” and reduce your compliance risk.
How SecureScan Can Help
The RIDTPPA is the law of the land in Rhode Island. Because there is no cure period for violations, businesses that have not yet audited their data practices are operating at a significant and unnecessary risk.
Managing the transition from paper to a secure, compliant digital environment is our specialty. We help Rhode Island businesses close their compliance gaps and secure their legacy data through high-volume document scanning and the certified destruction of sensitive materials.
Digitizing your records ensures you can fulfill consumer rights requests and verify data minimization within the strict timelines required by law. Contact us to learn how we can help you align your records management with the new landscape of Rhode Island privacy law.
This article is for informational purposes only and does not constitute legal advice. Businesses should consult qualified legal counsel to assess their specific RIDTPPA compliance obligations. SecureScan provides secure document scanning, digitization, and destruction services throughout the Northeast, including Rhode Island.