Law: Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Regulator: The Rhode Island Attorney General (AG)

Summary: The Governor of Rhode Island transmitted the RIDTPPA without signature on June 25, 2024, and will enter into effect on January 1, 2026. The RIDTPPA marks the State's first comprehensive privacy legislation and establishes obligations for controllers and processors including principles for processing personal data such as establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices. The RIDTPPA details data subject rights, including the right to be informed, access, rectification, deletion, data portability, opt-out of processing for targeted advertising, profiling, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

In addition, under the Rhode Island Identity Theft Protection Act of 2015, there is a requirement that any person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information notify personal data breaches involving unauthorized access to unencrypted computerized records to affected consumers as well as the AG and consumer reporting agencies, if more than 500 consumers may have been affected by the breach. The AG holds the power to sanction violations of the law and issue penalties.