RIDTPPA

Rhode Island Data Transparency and Privacy Protection Act

Key Facts

Effective Date: January 1, 2026
Enacted: June 28, 2024
Enforcing Authority: Rhode Island Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: For-profit entities in RI or targeting RI residents: 35,000+ consumers OR 10,000+ consumers and 20%+ revenue from selling PI. Also applies to commercial websites and ISPs with RI customers regardless of thresholds.

Overview

Rhode Island's RIDTPPA has no cure period and applies more broadly than most state laws by covering commercial websites and ISPs with Rhode Island customers even without meeting standard numerical thresholds. Under-18 data is classified as sensitive, and additional penalties apply for intentional unauthorized disclosure.

What This Means for Your Website

  • No cure period — the AG can take immediate enforcement action
  • Opt-in consent required for sensitive data (including under-18 data)
  • Applies to commercial websites and ISPs with RI customers regardless of numerical thresholds
  • Additional penalties of $100-$500 per intentional unauthorized disclosure
  • Consumer requests must be fulfilled within 45 days (extendable by 45)

Key Requirements

The Rhode Island AG enforces the RIDTPPA with penalties up to $10,000 per violation, plus additional per-disclosure penalties for intentional unauthorized disclosure. The broad applicability — covering commercial websites and ISPs regardless of thresholds — makes this law relevant to more businesses than typical state privacy laws.

How ConsentStack Handles This

ConsentStack detects Rhode Island visitors and applies opt-in consent for sensitive data categories, including under-18 data, in line with the RIDTPPA and its broad applicability.

Penalties

$10,000 per violation; additional $100-$500 per intentional unauthorized disclosure.

Maximum Fine: $10,000 per violation

Key Requirements

  • Opt-in consent for sensitive data
  • Consumer rights: access, correct, delete, portability, opt-out
  • 45-day response window extendable by 45 days
  • Privacy notice requirements
  • No cure period — immediate enforcement
  • Data protection assessments for high-risk processing

Notable Provisions

  • No cure period
  • Additional $100-$500 per unauthorized disclosure
  • Under-18 data is sensitive
  • Applies to commercial websites/ISPs regardless of thresholds

US State Specifics

Private Right of Action: No
Global Opt-out Required: No
Sensitive Data Opt-in: Yes
Children Provisions: Under-18 data is classified as sensitive, requiring opt-in consent.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Does Rhode Island have a cure period?

No. The RIDTPPA allows immediate enforcement action with no cure period for violations.

How broadly does the RIDTPPA apply?

Beyond standard thresholds, it also covers commercial websites and ISPs with Rhode Island customers regardless of numerical thresholds — broader than most states.

How does Rhode Island protect minors?

Under-18 data is classified as sensitive, requiring opt-in consent.

What are the RIDTPPA penalties?

$10,000 per violation, plus $100-$500 per intentional unauthorized disclosure of personal information.
