State Regulatory Developments

Rhode Island Enacts Consumer Data Privacy Law

Following many other states, Rhode Island recently enacted a comprehensive consumer data privacy act, which will go into effect January 1, 2026.

Scope

The Act applies to for-profit entities doing business in Rhode Island or targeting products or services towards Rhode Island consumers that (during the preceding calendar year) controlled or processed the personal data of either: (i) at least 35,000 consumers, excluding data processed solely for completing payment transactions; or (ii) at least 10,000 consumers if over 20% of the entity’s gross revenue is from selling personal data.  “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual,” but excludes “de-identified data or publicly available information.”

The Act does not apply to certain entities, including, among others, (i) financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; and (ii) covered entities and business associates as defined by 45 C.F.R. Section 160.103 of HIPAA.  Also, certain kinds of data are exempt, such as protected health information under HIPAA, and personal information related to credit, if regulated and authorized by the Fair Credit Reporting Act.

Consumer Rights

The Act grants consumers certain rights with respect to their personal data.  Consumers may request: (i) confirmation of whether the controller is processing the consumer’s data and access to that data, unless doing so reveals a trade secret; (ii) correction of inaccuracies; (iii) deletion of the data obtained; (iv) a copy of the personal data processed by the controller in a portable and, if feasible, readily usable format for the data to be transmitted to another processor; and (v) an opt-out of any processing for targeted advertising, profiling, or sale of the consumer’s data.

The controller must reply to a consumer’s request within 45 days of receipt, but can extend this time once by 45 days, if reasonably necessary and the consumer is informed of the extension within the original 45-day time period.  Responses to a consumer’s reasonable requests are required to be provided for free once a year.

Notice Requirements and Other Obligations

The Act has broad notice requirements.  Any commercial website or internet service provider conducting business in or with customers in the state must designate a controller.  If these entities collect, store, or sell consumer personal data, a notice must be provided in the customer agreement or other location where these notices are normally found, such as the website, including the following: (i) categories of personal data collected; (ii) third parties to which this information was sold or may be sold; and (iii) an email address for a customer to contact the controller.

The Act also imposes other requirements, including requirements for contracts between controllers and processors, and requirements on controllers to conduct and document a data protection assessment on processing activities that present a heightened risk of harm to consumers.

Penalties and Enforcement

There is no private right of action in the Act.  The Rhode Island Attorney General has exclusive enforcement authority.  The Act does not provide for a notice and cure period, unlike some other state consumer data privacy laws.