Law: Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Regulator: The Rhode Island Attorney General (AG)

Summary: The Governor of Rhode Island transmitted the RIDTPPA without signature on June 25, 2024, and will enter into effect on January 1, 2026. The RIDTPPA marks the State's first comprehensive privacy legislation and establishes obligations for controllers and processors including principles for processing personal data such as establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices. The RIDTPPA details data subject rights, including the right to be informed, access, rectification, deletion, data portability, opt-out of processing for targeted advertising, profiling, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

In addition, under the Rhode Island Identity Theft Protection Act of 2015, under §11-49.3 et seq. of the State of Rhode Island General Laws, there is a requirement that any person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information must notify affected consumers of any personal data breaches involving unauthorized access to unencrypted computerized records, as well as the AG and consumer reporting agencies if more than 500 consumers may have been affected by the breach. The AG holds the power to sanction violations of the law and issue penalties. The Identity Theft Act was amended following the passage of Senate Bill 5684 An Act relating to Criminal Offenses – Identity Theft Protection Act of 2015, which entered into effect on June 19, 2023.

You can follow legislative developments in the US through the USA State Law Tracker.