The Rhode Island Data Transparency and Privacy Protection Act, or RIDTPPA, is in Title 6, Chapter 48.1 of the Rhode Island General Laws. It took effect on January 1, 2026.1
Rhode Island websites can now face specific rules on privacy disclosures, targeted advertising, sensitive-data consent, customer rights requests, vendor contracts, and security practices. The law is enforced by the Rhode Island Attorney General, and violations can also be treated as deceptive trade practices.3, 4, 5, 6, 7, 9, 15
Disclaimer: This page is general information only and is not legal advice. RIDTPPA can apply differently based on your business, your data practices, your vendors, and any exemption that may apply. A Rhode Island attorney should review legal decisions for your business.
Does this apply to me?
- The website disclosure rules in § 6-48.1-3 can apply to a commercial website or internet service provider doing business in Rhode Island, dealing with customers in Rhode Island, or otherwise subject to Rhode Island jurisdiction.3, 4, 5, 6, 7
- The larger privacy sections in §§ 6-48.1-4 through 6-48.1-7 apply to a for-profit business that does business in Rhode Island or targets Rhode Island residents and met one of the statute’s thresholds during the preceding calendar year.4, 5, 6, 7
- The first threshold is processing personal data of at least 35,000 customers. (Personal data processed only to complete a payment transaction does not count toward that 35,000-customer number).4, 5, 6, 7
- The second threshold is processing personal data of at least 10,000 customers and receiving more than 20 percent of gross revenue from the sale of personal data.4, 5, 6, 7
- “Customers” are Rhode Island residents who use your website or business for personal, family, or household reasons.
- “Customers” are not people whose relationship with your business exists only because of work or business activity. That includes employee records, job applicant records, contractor records, vendor contacts, and business-to-business contacts acting in that role.2
- Personal data means information linked or reasonably linkable to an identified or identifiable person. Publicly available information and de-identified data are excluded from that definition.2
- Exemptions can change the answer. The chapter excludes or limits coverage for tax-exempt nonprofits, institutions of higher education, many government bodies, GLBA-covered institutions or data, HIPAA covered entities and business associates, and several regulated data sets and activities.3, 7, 8
A basic service site and a large eCommerce site have different compliance work because the data flows are different. A basic site may collect a name, email address, and message. An eCommerce site often adds customer accounts, order history, ad pixels, audience sharing, loyalty features, and more processors. That creates more disclosure obligations, more consent controls, more customer rights requests, and more contract requirements with outside vendors.2, 3, 4, 5, 6, 7
What RIDTPPA requires from a website
A covered commercial website must designate a controller. When the website collects, stores, and sells customers’ personally identifiable information, it must post conspicuous disclosures with the categories of personal data collected, the third parties to whom the data has been or may be sold, and a working email address or online contact method.3
The law also requires a clear and conspicuous disclosure when a controller sells personal data or processes personal data for targeted advertising. RIDTPPA defines a sale as an exchange for monetary or other valuable consideration. It defines targeted advertising as advertising selected from a customer’s activity over time across nonaffiliated sites or apps, with exclusions for first-party activity, a current search query, a current visit, a direct request for information, and ad measurement alone.2, 3
When your business meets the threshold-based sections, the law adds customer rights, request-handling deadlines, sensitive-data consent rules, consent revocation within 15 days, reasonable security safeguards, controller-processor contract requirements, and data protection assessments for higher-risk processing.4, 5, 6, 7
RIDTPPA checklist for Rhode Island websites
Privacy Notice & Disclosure
- Designate the controller responsible for website privacy decisions.3
- Update the privacy notice so it matches the tools, forms, scripts, tags, and vendors actually running on the site.2, 3
- List the categories of personal data the website collects. Include form fields, account details, analytics data, location data, and data collected through embedded tools when those categories apply.2, 3
- Disclose the third parties to whom customers’ data has been sold or may be sold when that part of the law applies.3
- Publish a working email address or online contact method for privacy questions.3
- State clearly whether the site sells personal data or uses personal data for targeted advertising.2, 3
- List the methods customers can use to submit privacy requests when your business falls under the threshold-based sections.5, 6
Consent & Sensitive Data
- Identify whether the website collects sensitive data. RIDTPPA includes health condition or diagnosis, race or ethnicity, religious beliefs, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data used to identify a person, known child data, and precise geolocation in that category.2
- Use clear opt-in consent before processing sensitive data.4
- Make sure consent comes from an affirmative act. RIDTPPA says consent does not include acceptance through dark patterns, broad terms of use, hovering, muting, pausing, or closing content.2, 4
- Provide a working method to revoke consent. After revocation, processing must stop as soon as practical and no later than 15 days after receipt.4
- Use COPPA-aligned parental consent procedures when the website processes data from a known child.4
Customer Rights Requests
- Prepare to handle requests for access, correction, deletion, portability, and opt-out rights when the threshold-based sections apply.5
- Set up secure and reliable request channels and describe them in the privacy notice.5, 6
- Track the 45-day response deadline. The law allows one extra 45-day extension when reasonably necessary, with notice and a reason given during the first 45 days.6
- Prepare to give one free response per customer during a 12-month period and document any decision to charge a reasonable fee or refuse a request as manifestly unfounded, excessive, or repetitive.6
- Do not require authentication for a standard opt-out request. A controller may deny an opt-out only when it has a reasonable and documented belief the request is fraudulent, followed by notice that explains the reason for the denial.6
- Accept authorized-agent opt-out requests when you can verify the customer’s identity and the agent’s authority.5, 6
- Build an appeal process for denied requests and answer appeals in writing within 60 days.6
Security, Vendors, & Documentation
- Maintain reasonable administrative, technical, and physical safeguards for the confidentiality, integrity, and accessibility of personal data.4, 7
- Review contracts with analytics providers, CRM tools, email platforms, chat tools, scheduling tools, and ad platforms that process personal data for you. RIDTPPA requires specific controller-processor contract terms.7
- Document deletion or return terms, confidentiality duties, subprocessor controls, and compliance support duties in those vendor contracts.7
- Inventory any profiling or automated decision tools tied to housing, credit, insurance, employment, education, healthcare, or access to essential goods and services.2, 5, 7
- Complete data protection assessments for higher-risk processing such as targeted advertising, sale of personal data, certain profiling, and sensitive-data processing. Rhode Island applies this duty to processing activities created after January 1, 2026.7
- Write down any exemption your business relies on because the controller carries the burden of showing the exemption applies.7
Common Issues
- The privacy notice does not match the tools running on the site.
  Build a page-by-page inventory of scripts, plugins, forms, embeds, tags, and third-party services, then update the notice so the data categories, purposes, and third-party disclosures match what the site actually does.2, 3
- The site uses retargeting or targeted advertising, but the disclosure is missing or too vague.
  Add plain language that states whether the site uses targeted advertising or sells personal data, identify the categories of data involved, and point visitors to the opt-out method in the privacy notice.2, 3, 5
- Ad or analytics scripts fire before the visitor gives consent, even though the site presents a banner.
  Configure the consent tool or tag manager so nonessential scripts stay blocked until consent is recorded, then test the site in a fresh browser session and confirm the scripts do not load early.4, 10, 11, 12, 13, 14
- Intake, booking, quote, or contact forms collect sensitive data without clear opt-in consent.
  Remove any field you do not need, add a separate consent step for any remaining sensitive-data fields, and explain why the data is being collected before the form is submitted.2, 4
- The site has no working path for consent revocation within 15 days.
  Add a visible preference center or privacy request path, route the request to the correct team, and connect it to the systems that stop analytics, advertising, or other consent-based processing.4, 6
- The privacy notice does not explain how a customer can send an access, deletion, correction, portability, or opt-out request.
  Publish a dedicated privacy email address, a web form or portal, and a short explanation of what information the business may need to process the request.5, 6
- The request process ends with a denial and gives no appeal path.
  Add appeal instructions to the denial notice, route appeals to a second reviewer, and track the 60-day deadline for the written appeal response.6
- The business has never documented whether it met the 35,000-customer threshold or the 10,000-customer plus revenue threshold in the previous calendar year.
  Create a written threshold memo, document how Rhode Island customers were counted, remove payment-only data from the 35,000-customer count, and document any revenue tied to the sale of personal data.2, 4, 5, 6, 7
- Vendor agreements do not contain the processor terms Rhode Island requires.
  Amend processor agreements so they cover instructions, purpose, duration, confidentiality, deletion or return, subprocessor controls, compliance information, and assessment cooperation.7
- High-risk processing is active, but no data protection assessment exists for that activity.
  Complete a documented assessment for targeted advertising, sale of personal data, high-risk profiling, or sensitive-data processing and keep it with the supporting records for that activity.7
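The fresh-session test from the script-blocking fix above, as an added example that is not part of the original page: it reads a HAR export saved from browser DevTools and lists the third-party hosts contacted before the consent click. The site host, the allowlist of essential hosts, and the sample capture are constructed assumptions.

```javascript
// Added example (not from the original page). Sample data below is constructed.
// HAR fields used: log.entries[].startedDateTime and log.entries[].request.url.

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// One finding per third-party host contacted before consent was recorded.
// consentAt: ISO timestamp of the consent click, or null if none was given.
// essentialHosts: reviewer-maintained allowlist (assumption), e.g. the banner's own CDN.
function preConsentThirdParties(har, siteHost, consentAt, essentialHosts = []) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const allowed = new Set(essentialHosts.map((h) => h.toLowerCase()));
  const findings = new Map();
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the capture
    }
    if (!host || isFirstParty(host, siteHost) || allowed.has(host)) continue;
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // loaded after consent
    const f = findings.get(host) || { host, count: 0, firstUrl: entry.request.url };
    f.count += 1;
    findings.set(host, f);
  }
  return [...findings.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed capture: consent is clicked at 10:00:05.
const req = (t, url) => ({ startedDateTime: `2026-01-15T10:00:${t}Z`, request: { url } });
const sampleHar = { log: { entries: [
  req("00.000", "https://shop.example/"),
  req("00.200", "https://cdn.shop.example/app.js"),
  req("00.300", "https://consent.cmp.example/banner.js"),
  req("00.450", "https://ads.tracker.example/pixel.js?id=1"),
  req("00.600", "https://ads.tracker.example/collect"),
  req("05.200", "https://stats.analytics.example/a.js"),
] } };

const early = preConsentThirdParties(
  sampleHar, "shop.example", "2026-01-15T10:00:05.000Z", ["consent.cmp.example"]);
console.log(early);
```

Passing `null` for `consentAt` checks a session in which the banner was never accepted, so every third-party host outside the allowlist is reported.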
Who enforces RIDTPPA
The Rhode Island Attorney General has sole enforcement authority under RIDTPPA. Under RIDTPPA itself, individuals generally cannot file their own lawsuit for a violation because the statute does not authorize a private right of action. Consumers can still report a website or business to the Rhode Island Attorney General, including through the office’s consumer complaint process. The law also states that a RIDTPPA violation is a deceptive trade practice, and Rhode Island’s Deceptive Trade Practices chapter allows civil penalties of up to $10,000 per violation. RIDTPPA also sets a separate fine of $100 to $500 for certain intentional disclosures covered by the chapter.6, 9, 15, 16
WordPress tools that can help you get started
WordPress tools can help with consent banners, script blocking, cookie scans, preference centers, and consent records. They do not decide whether RIDTPPA applies to your business, whether a data sale exists under Rhode Island law, or whether your contracts and disclosures are complete.2, 3, 7, 10, 11, 12, 13, 14
- Complianz offers regional cookie notices, third-party script and iframe blocking, proof of consent, and periodic cookie scans for WordPress.10
- CookieYes offers a cookie banner, blocking for nonessential scripts until consent, a preference center, consent logging, and cookie scanning. Its plugin page also states that installing the plugin alone does not make a site compliant.11
- Cookiebot by Usercentrics offers automated cookie scanning, prior-consent cookie blocking, consent storage, and support for Google Consent Mode.12
- OneTrust offers a WordPress integration for granular consent and preference collection, along with a consent management platform that can discover cookies and trackers, maintain an inventory, block trackers until consent, and store consent receipts.13, 14
We Can Help
Local Robot Web Design Studio can help update privacy pages, consent tools, forms, and tracking settings so your website reflects how it actually collects and uses data. That kind of website work can make privacy changes easier to manage as your tools, plugins, and marketing setup change over time. This support does not replace legal advice, and it does not guarantee compliance.
References
1. Rhode Island General Assembly. (n.d.-a). Chapter 48.1. Rhode Island Data Transparency and Privacy Protection Act. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/
2. Rhode Island General Assembly. (n.d.-b). § 6-48.1-2. Definitions. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-2.htm
3. Rhode Island General Assembly. (n.d.-c). § 6-48.1-3. Information sharing practices. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-3.htm
4. Rhode Island General Assembly. (n.d.-d). § 6-48.1-4. Processing of information. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-4.htm
5. Rhode Island General Assembly. (n.d.-e). § 6-48.1-5. Customer rights. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-5.htm
6. Rhode Island General Assembly. (n.d.-f). § 6-48.1-6. Exercising customer rights. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-6.htm
7. Rhode Island General Assembly. (n.d.-g). § 6-48.1-7. Controller and processor responsibilities. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-7.htm
8. Rhode Island General Assembly. (n.d.-h). § 6-48.1-10. Construction. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-10.htm
9. Rhode Island General Assembly. (n.d.-i). § 6-48.1-8. Violations. https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-8.htm
10. Complianz. (n.d.). Complianz – GDPR/CCPA cookie consent. WordPress.org. https://wordpress.org/plugins/complianz-gdpr/
11. CookieYes. (n.d.). CookieYes – Cookie banner for cookie consent easy to setup GDPR/CCPA compliant cookie notice. WordPress.org. https://wordpress.org/plugins/cookie-law-info/
12. Cookiebot. (n.d.). Cookiebot by Usercentrics – Automatic cookie banner for GDPR/CCPA & Google Consent Mode. WordPress.org. https://wordpress.org/plugins/cookiebot/
13. OneTrust. (n.d.-a). WordPress. https://www.onetrust.com/integrations/wordpress/
14. OneTrust. (n.d.-b). Consent management platform. https://www.onetrust.com/products/consent-management/
15. Rhode Island General Assembly. (n.d.-j). § 6-13.1-8. Civil penalties. https://webserver.rilegislature.gov/Statutes/TITLE6/6-13.1/6-13.1-8.HTM
16. Rhode Island Attorney General’s Office. (n.d.). File a consumer complaint. https://riag.ri.gov/forms/consumer-complaint
