RHODE ISLAND DATA TRANSPARENCY AND PRIVACY PROTECTION ACT IS LIVE
Rhode Island Data Privacy Compliance: Pass the AG Inquiry With Evidence on File.
Rhode Island’s Data Transparency and Privacy Protection Act was enacted in June 2024 and took effect January 1, 2026, layering consumer-rights duties on top of the long-standing Identity Theft Protection Act. After any breach involving RI residents, the AG examines the risk-based security program and the consumer-rights workflow. We translate the requirements in a 30-minute call. If your current IT can already produce the evidence, you don’t need us.
Updated May 3, 2026
What do the Rhode Island data privacy laws require?
Rhode Island has two operative laws. The Identity Theft Protection Act of 2015 (R.I. Gen. Laws § 11-49.3) requires a risk-based information security program and breach notification for personal information. The Data Transparency and Privacy Protection Act (effective January 1, 2026) layers on consumer rights similar to other state privacy laws: access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling.
The Identity Theft Protection Act applies to any person or entity that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about Rhode Island residents; there is no volume threshold. Personal information is a name combined with a Social Security number, a driver’s license or state ID number, a financial account number together with its access code, medical or health insurance information, or an email address with the password or security question that would permit access. The safeguards standard requires a risk-based program with security procedures appropriate to the size and scope of the organization, the nature of the information, and the purpose for which it was collected.
The Data Transparency and Privacy Protection Act applies to controllers that conduct business in RI or target RI residents and, in the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (excluding data handled solely to complete a payment transaction), or of at least 10,000 consumers while deriving more than 20% of gross revenue from the sale of personal data. Those thresholds are well below the CTDPA’s, so firms that fall outside Connecticut’s law can still be inside Rhode Island’s. Consumer rights follow the CTDPA pattern: access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Breach notification under the Identity Theft Protection Act is due in the most expedient time possible and no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information the notice must contain; the 45 days is a statutory ceiling, not a rule of thumb. When more than 500 RI residents are to be notified, the AG and the major consumer reporting agencies must be notified as well.
What does the Rhode Island AG actually inspect?
The AG’s Civil Division inspects four artifacts during a privacy or breach inquiry: the risk-based information security program required by the Identity Theft Protection Act, the consumer-rights workflow required by the Data Transparency and Privacy Protection Act, the breach notification evidence (if a breach occurred), and the vendor management documentation showing third-party safeguards.
The risk-based program is the most-checked artifact. The Identity Theft Protection Act requires safeguards appropriate to the organization’s size, scope, and data, but “appropriate” is judged against industry norms when the AG investigates. Endpoint detection and response (Sophos XDR or Microsoft Defender for Endpoint), MFA on every remote and administrative login, and backups that have actually been restore-tested are the SMB baseline; firms without those controls argue uphill.
The consumer-rights workflow is the newer focus area. With the Data Transparency and Privacy Protection Act in effect, the AG verifies that consumer requests are received, authenticated, processed within the statutory timeline (45 days, extendable once by a further 45 days where reasonably necessary, with notice to the consumer), and resolved with documented evidence. A workflow that exists on paper but has never been exercised against a real request is a finding waiting for a complaint.
The AG evaluates a snapshot of your current state, not whether you were compliant at some point in the past. A risk assessment from three years ago does not protect you today, and a privacy policy written before the Data Transparency and Privacy Protection Act took effect almost certainly lacks required elements.
What happens if you fail an RI AG privacy inquiry?
AG enforcement is civil. Under the Identity Theft Protection Act, penalties are assessed per record: up to $100 per affected record for a reckless violation and up to $200 per record for a knowing and willful one, so exposure scales with the number of affected RI residents. The Data Transparency and Privacy Protection Act carries its own civil penalty of up to $10,000 per violation.
The path is mechanical. AG receives a complaint or breach notification. Civil Division opens an inquiry with a documentation request. The firm produces the risk-based program, the rights workflow evidence, and the breach response evidence — or fails to. Inadequate response triggers Assurance of Discontinuance negotiation or formal civil action.
For the Providence-Warwick-Cranston business corridor and the Newport hospitality cluster — both with substantial summer-season tourist data flow — RI AG enforcement creates precedent that affects regional reputation. Settlements are public. The consumer-facing narrative around an SMB that “failed to implement risk-appropriate safeguards” affects tourism, customer trust, and recruiting.
For multi-state firms, RI enforcement is increasingly correlated with CT, MA, and NY enforcement. The Northeast AGs share information and frequently parallel each other’s actions when defendants operate across the region. Fix-it-once is the operational answer.
How does Triton get your firm RI privacy law-ready?
We deploy Sophos Endpoint XDR, Microsoft Defender for Endpoint, Sophos Firewall enforcing segmentation, and AWS-backed immutable backup. We then author the risk-based information security program required by the Identity Theft Protection Act, the consumer-rights request workflow required by the Data Transparency and Privacy Protection Act, the privacy notice with all required RI-specific elements, and the breach response procedures with RI notification timing built in.
The stack matters because RI’s risk-based safeguards standard is measured against industry norms when the AG evaluates it. EDR on every endpoint, MFA, network segmentation, and immutable off-site backup are the norm; a controller without those control categories struggles to argue its safeguards were appropriate to its resources, regardless of which vendor it picks.
We deploy on AWS because the evidence file and the breach-response clock both depend on systems being up. A breach confirmed while the ticketing or log platform is down still starts the 45-day notification clock, and AWS support responds with enterprise urgency rather than through a ticket queue. Downtime during an incident is regulatory exposure your IT provider owes you an answer for.
Our typical RI privacy readiness engagement delivers the security program, rights workflow, privacy notice, breach response procedures, and technical stack inside 60 days. We coordinate with outside privacy counsel for legal review — the attorney signs off on the documents; we produce and operate the underlying evidence file.
What evidence does the RI AG actually want on file?
Six artifacts the AG inquiry will request, mapped to both RI privacy laws.
Why start now? Because privacy enforcement doesn't wait for you to discover the law.
The Data Transparency and Privacy Protection Act took effect January 1, 2026, on a short runway from its June 2024 enactment. Many RI businesses are not aware it now applies to them. AG inquiries based on consumer complaints arrive without warning, and the statute does not guarantee a cure period before enforcement.
Rhode Island businesses we have helped through privacy readiness started 60-90 days before any anticipated need. The firms that discovered the requirement during an AG inquiry paid for outside counsel under deadline pressure and produced documentation weaker than they would have under proactive scoping.
Frequently Asked Questions
What is the difference between RI Identity Theft Protection Act and Data Transparency and Privacy Protection Act?
The Identity Theft Protection Act (2015) governs information security and breach notification: risk-based safeguards plus notification no later than 45 days after confirmation of a breach. The Data Transparency and Privacy Protection Act (effective January 1, 2026) governs consumer rights, including access, correction, deletion, portability, and opt-out, and is modeled on the CTDPA. Both apply concurrently to firms that hold RI-resident personal information, though only the Data Transparency and Privacy Protection Act has volume thresholds.
Does RI privacy law apply to my MA or CT firm?
Yes, if you hold RI-resident personal information or target RI residents. The firm’s location doesn’t control; the data does. A MA accounting firm with even one RI-resident client owes that client the Identity Theft Protection Act’s safeguards and breach-notification duties; the Data Transparency and Privacy Protection Act’s consumer-rights obligations attach once its consumer-volume thresholds are met.
What are "risk-based" safeguards?
The Identity Theft Protection Act requires a risk-based information security program with security procedures and practices “appropriate to the size and scope of the organization, the nature of the information, and the purpose for which the information was collected.” In practice, the AG evaluates “appropriate” against industry norms: endpoint protection, MFA, encryption, and audit logging are baseline. Latitude exists for very small firms but narrows above 25 employees.
What does RI privacy readiness cost?
Total readiness investment for a 25-100 employee RI-touching firm typically runs $20,000 to $50,000 in the first year. The split: program and policy authoring with outside counsel ($6-15K), rights-request workflow ($4-10K), technical security stack ($8-18K), vendor agreements ($2-7K).
How is the breach notification timing different from other states?
RI requires notification “in the most expedient time possible” and no later than 45 calendar days after the breach is confirmed and the information required for the notice can be ascertained. The AG and the major consumer reporting agencies must also be notified when more than 500 RI residents are affected. The fixed 45-day ceiling is shorter than Connecticut’s 60-day deadline; Massachusetts sets no fixed number of days; New York’s amended statute requires notice within 30 days. A multi-state firm should plan its response to the shortest deadline that applies to any affected resident.
Do tourism-dependent businesses (Newport hotels, Block Island operators) have special obligations?
The same baseline obligations apply. The data volume during summer season elevates the risk profile: tourist data from across the country flowing through RI systems means a breach affects non-RI residents under their home-state laws as well as RI residents under RI law. Multi-state notification and multi-state AG response are the operational reality for a peak-season breach.
Does the HIPAA or GLBA exemption apply?
HIPAA-covered entities and GLBA-covered financial institutions have structured exemptions for PHI and financial data covered by those laws respectively. Non-PHI, non-GLBA data handled by the same entities (employee data, marketing) remains in RI privacy law scope.
Do we need dark web monitoring for RI privacy compliance?
No. Dark web monitoring is a notification service, not a risk-based safeguard or a privacy law requirement. The correct investment is the proactive hardening — endpoint protection, MFA, encryption, audit logging, incident response, vendor management. We do not bundle dark web monitoring and it does not appear in any RI evidence list.
Founded in 2001 · 25 Years of IT Expertise
Regional Offices · Worcester · Providence · Hartford
National Benchmark · Ranked 84th Percentile Nationally
Third-Party Verified · Under 10 Minute Response
Multi-Framework Compliance · HIPAA · CMMC · SOC 2 · PCI
Let's Discuss Your IT Needs
Triton Technologies delivers managed IT services, cybersecurity, and IT support for businesses across Connecticut, Massachusetts, New York, Rhode Island, and beyond. Contact our team today to start a conversation about your technology environment.