On June 28, the Rhode Island Data Transparency and Privacy Protection Act (DTPPA) was enacted without Governor Dan McKee’s signature, making Rhode Island the twentieth state to enact comprehensive consumer data privacy legislation.

The DTPPA generally follows similar data privacy standards enacted in other states, such as Maryland and Minnesota. While the DTPPA does not impose several controller obligations included under other comprehensive data privacy laws, it does have a broad disclosure requirement that applies to companies beyond the standard applicability threshold. The DTPPA takes effect on January 1, 2026.

Applicability Threshold

The DTPPA applies to for-profit entities that conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents and, in one year, control or process the personal data of either:

  • 35,000 customers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction).
  • 10,000 customers and derives more than 20% of its gross revenue from the sale of personal data.

Additionally, the DTPPA imposes privacy policy disclosure requirements on any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction. This is a far-reaching obligation, as it applies to any company regardless of size or volume of processing activities. These requirements are set forth in more detail below.

Similar to other consumer data privacy laws, the definition of “customer” in the DTPPA excludes an individual acting in a commercial or employment context.

Exemptions

The DTPPA includes entity-level exemptions similar to most other state comprehensive data privacy laws (including for the disclosure requirements below), including exemptions for government entities, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), nonprofit organizations, HIPAA covered entities and business associates, institutions of higher education, and national securities associations. Certain data-level exemptions are also included, such as data subject to HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the GLBA.

Privacy Policy Requirements

The DTPPA requires controllers as well as any companies with a commercial website and any internet service providers in Rhode Island who are not otherwise exempt to disclose or provide the following on its website or in its customer agreement:

  • All categories of personal data about customers that are collected through the website or online service.
  • All third parties to whom the controller has sold or may sell customers’ “personally identifiable information.”
  • An active email address or other online mechanism that a customer may use to contact the company.
  • A clear and conspicuous disclosure if the controller sells personal data to third parties for targeted advertising.

Note that although the DTPPA defines “personal data,” in requiring disclosure of sales of data, it does not define “personally identifiable information.” While this may simply be a drafting error, there is some ambiguity as to the intentions of the legislature, as a previous version of the bill included a definition for “personally identifiable information” that was much narrower than the current definition for “personal data.”

Furthermore, the requirement for a controller to identify third parties to whom the company “may sell” a customer’s personally identifiable information is a key difference from other state consumer data privacy laws. This requirement has the potential to be very burdensome on controllers, as previously, controllers have only had to identify the categories of third parties other than in response to requests in Oregon.

Other Controller Obligations

The DTPPA imposes additional controller obligations similar to that of many other state data privacy laws. These obligations include:

  • Implementing and maintaining reasonable administrative, technical and physical data security practices.
  • Not processing “sensitive data” without the customer’s express consent, or in the case of a known child, in accordance with COPPA.
  • Processing data in a non-discriminatory manner as defined under state and federal law.
  • Providing a mechanism for a customer to revoke consent to process personal data where consent was required and to cease processing the data within 15 days of revocation of consent.
  • Offering a privacy policy as set forth above.

The definition of sensitive data includes “biometric data” and personal data collected from a known child. Furthermore, controllers must conduct data protection assessments and establish processes to respond to consumer data requests and appeals.

The DTPPA does not contain data minimization requirements or an obligation for controllers to recognize universal opt-out mechanisms to allow customers to communicate their privacy preferences automatically. Generally, the DTPPA lacks specificity when it comes to the obligations it puts on controllers. For example, there are no requirements on what a controller must consider when conducting data protection assessments. The DTPPA states that a data protection assessment conducted to comply with another applicable law or regulation would be deemed to satisfy the requirements of the DTPPA; however, it does not specify the methods by which a controller must honor customer rights.

Customer Rights

The DTPPA includes similar customer rights as other state data privacy laws, including the right for customers to:

  • Confirm whether or not a controller is processing their personal data.
  • Access their personal data.
  • Obtain a copy of their personal data in a readily usable format.
  • Correct inaccuracies in their personal data.
  • Delete their personal data.
  • Opt out of processing for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce significant effects concerning the customer.
  • Appeal a controller’s refusal to take action.

The DTPPA requires controllers to respond to customer rights requests within 45 days of receipt of the request, with the possibility of a 45-day extension if reasonably necessary. Customers’ opt-out rights do not apply to pseudonymous data under the DTPPA. In cases where a customer request is denied, the customer may appeal the decision through a process established by the controller. Not later than 60 days after receipt of an appeal, a controller must inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the Rhode Island Attorney General.

Enforcement

The DTPPA expressly states that it does not provide a private right of action to customers. Rather, the Rhode Island Attorney General’s Office holds the sole authority to enforce the law. Unlike several other state data privacy laws, the DTPPA does not provide a cure period for controllers to remedy alleged violations. Violations of the DTPPA constitute a deceptive trade practice in violation of Rhode Island’s Commercial Law, which allows for up to $10,000 in civil penalties per violation. Additionally, the DTPPA provides that any individual or entity that intentionally discloses personal data in violation of the DTPPA may be subject to a fine of at least $100 and no more than $500 for each disclosure. There is no rulemaking provision.

Important Date

  • January 1, 2026: DTPAA goes into effect.

Our team will continue to monitor the DTPPA. If you have any questions about the DTPPA or any other state or international privacy laws and how they could affect your business, please contact the authors.

This alert was prepared with substantial assistance from Bass, Berry & Sims summer associate Faheem Ali.