On June 25, 2024, the Ocean State dove into the growing sea of state consumer data privacy laws with the Rhode Island Data Transparency and Privacy Protection Act (RIDPA), becoming the 19th state to pass a comprehensive privacy law. While RIDPA generally follows the model set by other state data privacy laws, particularly the Utah Data Privacy Act, privacy advocates have criticized its relative laxity compared to the laws of states like Connecticut or Colorado. RIDPA, which is set to go into effect on January 1, 2026, also contains several significant nuances, as we detail below.
RIDPA's first significant nuance is the structure of its applicability standards. The RIDPA's first applicability threshold, which is largely consistent with other state privacy laws' thresholds, applies to for-profit entities that conduct business in—or produce products or services that are targeted to—residents of Rhode Island and, in the last calendar year, either:
-
controlled or processed the personal data of 35,000 or more Rhode Island customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or
-
controlled or processed the personal data of at least 10,000 Rhode Island customers and derived more than 20% of their gross revenue from the sale of personal data.
The numerical thresholds are a bit more generous than those adopted recently by some other state data privacy laws, with 35,000 residents representing ~3% of Rhode Island's population (for comparison, Maryland's new data privacy law applies to entities that process the personal data of only ~0.5% of the state's residents).
RIDPA's second applicability standard is, at first blush, much broader: "[a]ny commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction shall designate a controller" (emphasis added). The law defines controller to mean someone that determines the "purpose and means of processing personal data." Although the foregoing would appear to create a remarkably broad threshold, the text of RIDPA goes on to provide that: the controller of such an entity must post a privacy notice only if it "collects, stores, and sells customers' personally identifiable information." The and in the foregoing statutory language becomes extremely material, as RIDPA contains no other requirement regarding the posting of a privacy notices–as a result, as written, an entity that engages in only two of the three (e.g., collects and stores but does not sell) enumerated activities is technically not required to post such a privacy notice. It is also noteworthy that the foregoing language uses the term personally identifiable information, which RIDPA does not define–RIDPA only provides a definition for the term personal data. It is unclear whether this nomenclature represents an intentional or unintentional drafting choice on the part of Rhode Island's legislature.
As is the case with many other state privacy laws, RIDPA contains a number of exemptions, including non-profit organizations and entities regulated by either the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPPA). It also does not apply to data governed by either the Fair Credit Reporting Act or the Federal Educational Rights and Privacy Act. The rights created by RIDPA also follow the approach set by other states: customers are afforded the right to know if a business is collecting their data, to access such data, have that data deleted, and opt out of the sale of their personal data or its processing for targeted advertising or profiling purposes. RIDPA also imposes a data minimization standard applicable to controllers, found in Section 6-48.1.7. Controllers must limit processing to what is "reasonably necessary in relation to the purposes to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section."
RIDPA vests sole enforcement authority to the state's Attorney General. A violation of the law constitutes a deceptive trade practice under Title 6 of Rhode Island's Commercial Law and is subject to a civil fine of up to $10,000 per violation. The law does not create a private right of action.
Overall, RIDPA, in its current form, imposes fewer obligations than many other state consumer privacy laws and is more similar to the Utah Data Privacy Act than it is to comparable privacy laws in Connecticut or Virginia. However, companies doing business in Rhode Island should still carefully evaluate whether they are subject to the law.
