Laws & Regulations

State Privacy Laws: Rhode Island

A summary of privacy laws in Rhode Island.

Overview

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) provides Rhode Island residents with enhanced rights over their personal data and establishes responsibilities for businesses that meet specified applicability thresholds. Like many state privacy laws, the Act focuses on consumer data collected in a personal context and excludes employment and business-to-business data. Consumers are granted rights to access, correct, delete, and obtain copies of their personal data, along with the ability to opt out of targeted advertising, the sale of personal data, and certain automated decision-making activities.

Key Dates

  • Signed into law: June 28, 2024
  • Effective date: January 1, 2026

Thresholds

The RIDTPPA applies to “controllers,” defined to mean persons or businesses that, within the preceding calendar year:

  • controlled or processed personal data of at least 35,000 Rhode Island customers; or
  • controlled or processed personal data of 10,000 Rhode Island customers and derived over 20% of their gross revenue from the sale of personal data.

Consumer Rights

  • The right to confirm whether a controller processes their personal data.
  • The right to access their collected personal data (without revealing trade secrets).
  • The right to correct inaccuracies in their personal data.
  • The right to delete their personal data.
  • The right to obtain a portable copy of their personal data held by a controller to the extent feasible.
  • The right to opt out of processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Sensitive Data

The law defines sensitive data to include:

  • Racial or ethnic origin
  • Religious beliefs
  • A mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data used for personal identification
  • Personal data collected from a known child (under 13 years of age)
  • Precise geolocation data

Penalties

Up to $10,000 per violation.

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. RIDTPPA in Rhode Island). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like RIDTPPA in Rhode Island).

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Implied
  • Blocking Mode: Strict
  • Google Consent Mode V2: Advanced
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Enabled
  • Enable Do Not Sell Consent: Enabled
  • Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.