Extract from Isha Marathe’s article “Rhode Island’s Data Privacy Statute Has Key Differences, Depending on Its Interpretation”
In a speedy, under-the-radar move, Rhode Island became the 20th U.S. state to enact a comprehensive data privacy statute, adding to the patchwork of such legislation.
The Rhode Island Data Transparency and Privacy Protection Act was signed into law by Gov. Daniel McKee on June 29, and will go into effect on Jan. 1, 2026.
The RIDTPPA is, in many ways, similar to most non-California data privacy laws, but has a handful of key differences that stakeholders should take note of, said Andrea Maciejewski, an associate at Greenberg Traurig.
For her, two provisions are of particular note: a separate section in the legislation that applies to any commercial website or internet service provider conducting business in Rhode Island, and the absence of a cure period in the text.
Scope
The RIDTPPA applies to any for-profit entity that conducts business in Rhode Island or targets its products or services to Rhode Island residents.
It includes businesses which, in the preceding calendar year, had either controlled or processed personal data of at least 35,000 Rhode Island residents; or controlled or processed personal data of at least 10,000 Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.
