The Rhode Island Data Transparency and Privacy Protection Act (DTPPA) is a comprehensive privacy law designed to give Rhode Islanders greater control over their personal information, with a central focus on data transparency.

As the latest addition to the growing patchwork of U.S. privacy laws, the DTPPA includes many familiar compliance requirements but deviates from other state laws in some significant ways.

This article breaks down key provisions of the DTPPA, looking at who the law applies to, its compliance obligations, how to implement them, and the penalties for falling short.


What is the Rhode Island Data Transparency and Privacy Protection Act (DTPPA)?

Rhode Island's Data Transparency and Privacy Protection Act (DTPPA) is the state's own comprehensive privacy law. It was created to give Rhode Islanders new rights over their personal data while imposing privacy and transparency obligations on businesses.

The DTPPA was transmitted into law without signature by Rhode Island's Governor, Daniel McKee, on June 25, 2024, and is set to take effect on January 1, 2026. You can find the legal text here: House Bill 7787 and Senate Bill 2500.

Thanks to the DTPPA's passing, Rhode Island is now the 19th state in the U.S. to enact a comprehensive data privacy law.

Key Definitions Under the Rhode Island Data Transparency and Privacy Protection Act (DTPPA)

Before looking more closely at the Data Transparency and Privacy Protection Act (DTPPA) provisions, let's briefly examine how the law defines certain terms used in its text.

Who is a Customer?

Rhode Island's Data Transparency and Privacy Protection Act (DTPPA) defines a customer as "an individual residing in this state acting in an individual or household context."

The definition notably excludes anyone acting in a commercial or employment context, such as employees and contractors.

What are Personal Data and Sensitive Data?

Like many other privacy laws, the Data Transparency and Privacy Protection Act (DTPPA) distinguishes between personal data and sensitive data.

Under the law, personal data is defined as:

"any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information."

While the law doesn't go into examples, personal data typically includes names, mailing and email addresses, phone numbers, ID card numbers, online identifiers like IP addresses and cookies, financial information, and so on.

Sensitive data, on the other hand, refers to personal data that reveals any of the following:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data to uniquely identify an individual
  • Personal data collected from a known child
  • Precise geolocation data

Who are "Controllers" and "Processors"?

Taking a page from the GDPR's playbook, the Data Transparency and Privacy Protection Act (DTPPA) classifies applicable businesses as either controllers or processors.

The law defines a controller as "an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data."

On the other hand, a processor is "an individual who, or legal entity that, processes personal data on behalf of a controller."

In other words, controllers are the people or entities that decide why and how to use customers' personal data while processors are people or entities that execute the controller's data operations.

What is Processing?

The Data Transparency and Privacy Protection Act (DTPPA) defines processing as:

"any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data."

In short, any and all actions carried out on customers' personal data count as processing under Rhode Island's law.

What is a Sale of Personal Data?

The Data Transparency and Privacy Protection Act (DTPPA) defines a sale of personal data as "the exchange of personal data for monetary or other valuable consideration by the controller to a third party."

Put differently, a sale of personal data occurs when you disclose a customer's data to a third party in return for money or something else of value.

With that said, a sale of personal data doesn't include the following:

  • Sharing personal data with a legitimate processor
  • Sharing personal data with a third party to deliver a product or service the customer has requested
  • Disclosing or transferring personal data to the controller's affiliate
  • Disclosing personal data at the instruction of the customer
  • Sharing personal data that the customer made public
  • Transferring personal data to a third party during a merger, acquisition, bankruptcy, or similar transaction where the third party takes control of the business's assets

What is Consent?

The Data Transparency and Privacy Protection Act (DTPPA) defines consent as:

"a clear, affirmative act signifying a customer has freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the customer."

You can obtain consent in writing, electronically, or through any other clear, affirmative action.

That said, consent doesn't include acceptance of general terms bundled with other unrelated information, nor agreements obtained through dark patterns. It also doesn't include hovering over, pausing on, or closing a piece of content.

Who Does the Rhode Island Data Transparency and Privacy Protection Act (DTPPA) Apply to?

Rhode Island's Data Transparency and Privacy Protection Act (DTPPA) applies to for-profit entities that do business in Rhode Island or target its residents to offer products or services and, in the previous calendar year, met one of the following criteria:

  1. Controlled or processed the personal data of at least 35,000 customers, excluding data used solely for payment transactions.
  2. Controlled or processed the personal data of at least 10,000 customers and derived more than 20% of gross revenue from selling personal data.

Are There Exemptions to the Rhode Island Data Transparency and Privacy Protection Act (DTPPA)?

Rhode Island's Data Transparency and Privacy Protection Act (DTPPA) exempts a considerable number of entities and data types from its scope.

The exempted organizations are as follows:

  • Government bodies, authorities, commissions, or agencies of Rhode Island and political subdivisions of the state
  • Nonprofit organizations
  • Higher education institutions
  • National securities associations registered under the Securities Exchange Act (SEC)
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)

The DTPPA also exempts the following types of information from its scope:

  • Protected health information under HIPAA
  • Patient-identifying information for substance abuse treatment
  • Certain information related to human research subjects
  • Identifiable private information used in clinical trials and medical research
  • Information protected under the Health Care Quality Improvement Act and the Patient Safety and Quality Improvement Act
  • De-identified healthcare data under HIPAA
  • Credit reporting information regulated by the Fair Credit Reporting Act (FCRA)
  • Personal data covered by the Driver's Privacy Protection Act (DPPA)
  • Personal data regulated under the Family Educational Rights and Privacy Act (FERPA)
  • Personal data covered by the Farm Credit Act (FCA)
  • Personal data relating to job applications and employment purposes
  • Personal data relating to airline services regulated by the Airline Deregulation Act (ADA)

How Does the Rhode Island Data Transparency and Privacy Protection Act (DTPPA) Affect Consumers?

The DTPPA significantly enhances customers' control over their personal data. Under the law, Rhode Islanders now have the following rights:

  • Access and Confirmation: Customers can confirm whether your business is processing their data and, if so, request access to that data. The sole exception is if disclosing the customer's data would require revealing your trade secrets.
  • Correction and Deletion: Customers can request that you correct their inaccurate information or ask that you delete their personal data entirely, taking into account the type of personal data in question and how it's being processed.
  • Data Portability: Customers can obtain a copy of their data in a portable, usable format for transfer to another controller, as long as it doesn't involve disclosing your trade secrets.
  • Opt-Out Rights: Customers can opt out of certain data processing activities, including:

    • Targeted advertising
    • The sale of personal data
    • Automated profiling that has legal or similarly significant effects

Here's an example from Upwork, showing how you can present these rights in practice:

Upwork Privacy Policy: Notice for Residents of Certain Other States clause

To help customers exercise these rights, you'll need to set up secure methods for customers to submit their requests. Note that customers can designate an authorized agent to exercise these rights on their behalf.

For children's data, parents or legal guardians can exercise these rights on their behalf. Similarly, guardians can act on behalf of individuals under protective arrangements.

How Does the Rhode Island Data Transparency and Privacy Protection Act (DTPPA) Affect Businesses?

Applicable businesses under Rhode Island's Data Transparency and Privacy Protection Act (DTPPA) will have to comply with several data protection and transparency obligations.

If your business falls under the DTPPA's scope, you must observe the following requirements:

  • Update your Privacy Policy to reflect the DTPPA's requirements
  • Implement effective data security safeguards
  • Observe the rules of consent
  • Honor customers' requests promptly
  • Conduct data protection assessments (when necessary)
  • Establish data processing agreements

We'll look more closely at these requirements below.

How Do You Comply with the Rhode Island Data Transparency and Privacy Protection Act (DTPPA)?

To comply with Rhode Island's Data Transparency and Privacy Protection Act, take note of the following obligations:

Update Your Privacy Policy

The DTPPA places a significant emphasis on data transparency. This essentially means all entities that collect, store, and sell customers' personally identifiable information must maintain a compliant, publicly accessible Privacy Policy.

Interestingly, the DTPPA only defines "personal data," not "personally identifiable information," so it's unclear exactly what type of data is covered. With this in mind, it's best to err on the side of caution and explicitly outline any and all customer data you collect in a Privacy Policy.

If you already maintain a Privacy Policy, you'll have to update it to reflect the DTPPA's provisions. To that end, your Privacy Policy must clearly explain the following:

  • What data you collect: Outline all the types of personal data you collect about customers through your website or online service.
  • Who you share data with: Identify all third parties with whom you have sold or may sell customers' personally identifiable information.
  • How to contact you: Provide an active email address or a similar online contact method for customers to reach you with questions or concerns.

Note that if you sell customers' personal data or process it for targeted advertising purposes, you must clearly and prominently disclose this in your Privacy Policy.

Let's see how you can present each of the DTPPA's key disclosures in practice.

Here's how Airbnb's Privacy Policy outlines the types of personal information it collects:

Airbnb Privacy Policy: Personal Information We Collect clause excerpt

Here's how Oracle clarifies the categories of third parties with whom it may disclose customers' personal information:

Oracle Privacy Policy: When and How Can We Disclose Your Personal Information clause

And here's how Etsy presents its various contact methods:

Etsy Privacy Policy: Contact Us clause

Implement Effective Data Security Safeguards

Another key requirement under Rhode Island's DTPPA is for controllers to implement reasonable data security measures to protect customers' personal data.

This law specifically requires that you have the following safeguards:

  • Administrative safeguards: Develop effective security policies, train your team on privacy and security practices, assign responsibility for data protection (e.g., appointing a Data Protection Officer), etc.
  • Technical safeguards: Set up data encryption, firewalls, multi-factor authentication, and similar security measures to protect your systems and customers' data.
  • Physical safeguards: Limit access to sensitive areas like server rooms, store records securely to prevent unauthorized access, properly dispose of unnecessary personal data, and so on.

As a best practice, your Privacy Policy should highlight the data security measures you have in place, even if you don't go into the details. Here's how GitHub does this:

GitHub General Privacy Statement: Security and Retention clause

Observe the Rules of Consent

Not surprisingly, Rhode Island's DTPPA requires controllers to obtain consent before processing sensitive data.

In the case of a known child (i.e., a customer under 13 years old), you must obtain consent before processing their sensitive data and only process their data in compliance with the Children's Online Privacy Protection Act (COPPA).

Note that if you're already compliant with COPPA, you're also considered compliant with the DTPPA's parental consent requirements.

To properly implement this obligation, the law requires that you set up a simple mechanism for customers to grant and withdraw their consent.

The best way to reliably obtain consent is to use clickwrap agreements where customers have to tick an empty "I Agree" checkbox next to a statement that makes it clear that they agree to a specific data processing activity.

Here's an example from Dropbox:

Dropbox Create Account form with I Agree checkbox highlighted - Updated

If and when customers withdraw their consent, the DTPPA requires that you stop processing their personal data as soon as practicable, at most 15 days after the withdrawal.

Honor Customers' Requests Promptly

The DTPPA requires that you respond to customer requests to exercise their rights within 45 days. You can extend this period by another 45 days for complex requests, as long as you notify the customer within the initial 45-day period.

Keep in mind that you must respond to these requests, "free of charge, once per customer during a 12-month period." That said, you can charge a reasonable fee in cases where requests are "manifestly unfounded, excessive, or repetitive."

Conduct Data Protection Assessments (When Necessary)

The DTPPA requires controllers to conduct and document data protection assessments for processing activities that could pose a heightened risk of harm to customers. These assessments help identify and address potential risks before they become full-blown issues.

Under the law, high-risk activities that necessitate a data protection assessment include the following:

  • Processing personal data for targeted advertising
  • The sale of personal data
  • Profiling that could lead to unfair outcomes, financial or reputational harm, or unwanted intrusion into private affairs
  • Processing sensitive personal data

If your business has several similar processing operations, a single data protection assessment can cover them all. Additionally, an assessment carried out for compliance with another law will satisfy the DTPPA's requirements if it's comparable in scope and effect.

Note that Rhode Island's Attorney General can ask to see your data protection assessment if it's relevant to an investigation, so it's important to keep them available and up-to-date.

Lastly, these rules only apply to data processing activities starting after January 1, 2026, so there's no need to assess previous activities.

Establish Data Processing Agreements

The DTPPA requires a contract (i.e., a data processing agreement) to govern the relationship between controllers and processors when it comes to processing customers' personal data.

This contract must be legally binding and clearly outline all relevant aspects of the data processing activity, including its nature and purpose, the type of data being processed, the duration of processing, and each party's rights and responsibilities.

The agreement must also specify that processors keep to the following standards:

  • Ensure that all individuals handling data maintain confidentiality
  • Delete all personal data or return it to the controller after completing the service (unless legally required to retain it)
  • Upon request, provide all necessary information to help the controller demonstrate compliance with the DTPPA
  • Engage subcontractors only after getting the controller's approval and hold them to the same data protection standards
  • Cooperate with audits or assessments to verify compliance with Rhode Island's DTPPA

To illustrate, here's how Klaviyo provides an overview of its data processing agreement between customers (the controller) and itself (the processor) before going into details further below:

Klaviyo Data Processing Agreement: Intro section

What are the Penalties for Not Complying With the Rhode Island Data Transparency and Privacy Protection Act (DTPPA)?

Non-compliance with the Data Transparency and Privacy Protection Act (DTPPA) is treated as a violation of Rhode Island's general regulatory provisions of commercial law and as a deceptive trade practice under Rhode Island law.

For intentionally disclosing personal data in violation of the DTPPA, businesses can expect fines ranging from $100 to $500 per instance of non-compliance.

The DTPPA doesn't allow for a private right of action, which means customers can't sue businesses for violating the law. Instead, Rhode Island's Attorney General (AG) holds exclusive authority to enforce the law.

Moreover, the law doesn't offer a "cure period" for violations. This means the AG isn't required to give non-compliant businesses time to correct their violations before enforcing penalties.

Summary

Thanks to the Data Transparency and Privacy Protection Act (DTPPA), Rhode Island has now joined the growing list of U.S. states with their own comprehensive privacy laws.

Set to take effect from January 1, 2026, the DTPPA applies to for-profit businesses that operate in Rhode Island or cater to its residents and meet certain thresholds.

With the DTPPA's passing, Rhode Islanders now have several new privacy rights, including the right to access, correct, delete, and transfer their personal data, as well as the right to opt out of specific data processing activities.

Applicable businesses, on the other hand, will have to fulfill several new obligations to protect customers' data and operate transparently.

In particular, you'll have to:

  • Update your Privacy Policy to reflect the DTPPA's requirements
  • Implement effective data security measures
  • Observe the DTPPA's consent rules
  • Honor customers' requests promptly
  • Conduct data protection assessments for high-risk processing activities
  • Set up data processing agreements
