What the RIDTPPA does for you

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) gives you real control over your personal data. You have the right to know what data businesses collect about you, correct it, delete it, get a portable copy of it, and opt out of its sale or use for targeted advertising. These rights apply to for-profit businesses that handle data on at least 35,000 Rhode Islanders — or at least 10,000 if they earn more than 20% of revenue from selling personal data.

Your rights under the RIDTPPA

Right to Know

You have the right to confirm whether a business is processing your personal data and to access that data. The business must tell you what personal data it holds about you, unless doing so would require revealing a trade secret.

Exceptions: Does not apply if disclosure would require the controller to reveal a trade secret; Does not apply to de-identified data or publicly available information; Does not apply to certain health, financial, and employment data exempt under federal law.

Source: R.I. Gen. Laws § 6-48.1-5(e)(1)

Right to Delete

You have the right to request that a business delete personal data it has about you, whether you provided it or the business obtained it from another source.

Exceptions: Does not apply where deletion would require revealing a trade secret; Does not apply to data the controller cannot reasonably associate with you; Does not apply to data exempt under federal law (e.g., HIPAA, FCRA); A controller that obtained your data from a third party may comply by opting you out of further processing rather than deleting the data.

Source: R.I. Gen. Laws § 6-48.1-5(e)(2); § 6-48.1-6(b)(5)

Right to Correct

You have the right to request that a business correct inaccurate personal data it holds about you, taking into account the nature of the data and the purposes for which it is processed.

Exceptions: Does not apply to data exempt under federal law; Does not apply to de-identified or publicly available information.

Source: R.I. Gen. Laws § 6-48.1-5(e)(2)

Right to Opt Out of Sales

You have the right to opt out of the sale of your personal data to third parties for monetary or other valuable consideration.

Exceptions: Does not cover transfers to processors acting on the controller's behalf; Does not cover disclosures to affiliates; Does not cover data transfers in the context of a merger or acquisition; Does not apply to data the customer intentionally made public.

Source: R.I. Gen. Laws § 6-48.1-5(e)(4)

Right to Opt Out of Processing

You have the right to opt out of the processing of your personal data for targeted advertising — ads that are selected based on your activity tracked across different websites or apps over time.

Exceptions: Does not apply to ads based on activity within the controller's own website or app; Does not apply to ads based on your current search query or page visit; Does not apply to contextual or requested advertising.

Source: R.I. Gen. Laws § 6-48.1-5(e)(4)

Right to Opt Out of Automated Decisions

You have the right to opt out of profiling used in solely automated decisions that have significant legal or similar effects on you, such as decisions about credit, housing, insurance, employment, healthcare, or access to essential goods and services.

Exceptions: Only applies to profiling that produces legal or similarly significant effects; Does not apply to profiling that is not solely automated.

Source: R.I. Gen. Laws § 6-48.1-5(e)(4); § 6-48.1-2(12)

Right to Data Portability

You have the right to receive a copy of your personal data in a portable, readily usable format so you can transfer it to another business, where the processing is carried out by automated means.

Exceptions: Only applies where processing is carried out by automated means; Controller is not required to reveal any trade secret; Does not apply to data exempt under federal law.

Source: R.I. Gen. Laws § 6-48.1-5(e)(3)

Right to Non-Discrimination

You have the right not to be discriminated against for exercising your privacy rights. A business cannot deny you goods or services, charge you different prices, or provide a different level of quality because you opted out of data collection or use.

Exceptions: If you opt out of data collection required to provide a specific service, the business is not required to provide that service; Businesses may offer different prices or benefits through bona fide loyalty, rewards, discount, or club card programs that customers voluntarily join.

Source: R.I. Gen. Laws § 6-48.1-5(b)(c)(d)

Right to Limit Sensitive Data

Businesses must obtain your consent before processing sensitive personal data about you, including data about your race, ethnicity, religion, health, sexual orientation, immigration status, biometrics, precise location, or data collected from children.

Exceptions: Sensitive data of children must be processed in compliance with COPPA; Does not apply to de-identified sensitive data compliant with HIPAA de-identification standards; Various health, research, and public-interest exemptions may apply.

Source: R.I. Gen. Laws § 6-48.1-4(c); § 6-48.1-2(26)

How to exercise your rights

1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
2. Submit a RIDTPPA deletion or opt-out request. Covered businesses have 45 days to respond (R.I. Gen. Laws § 6-48.1-6(b)(1); § 6-48.1-6(b)(4); § 6-48.1-2(2)), with up to 45 additional days if they invoke the extension provision.
3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →

Authorized agents

The RIDTPPA mentions authorized agents only in the context of opt-out requests (R.I. Gen. Laws § 6-58 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.

Enforcement and penalties

The RIDTPPA is enforced by Rhode Island Attorney General. Violations are treated as deceptive trade practices under Rhode Island commercial law. If a business intentionally discloses your personal data unlawfully or to a shell company set up to evade the law, it can be fined between $100 and $500 for each such disclosure. Only the Attorney General can bring enforcement actions — there is no private right to sue.

Who does the RIDTPPA apply to?

This law applies to for-profit businesses that operate in Rhode Island or target Rhode Island residents, AND during the prior calendar year either: (1) controlled or processed personal data of at least 35,000 customers (not counting data processed solely to complete a payment), OR (2) controlled or processed personal data of at least 10,000 customers AND earned more than 20% of their gross revenue from selling personal data. Nonprofits, government bodies, institutions of higher education, financial institutions covered by Gramm-Leach-Bliley, and HIPAA-covered entities are exempt.

Frequently asked questions

What kinds of businesses does Rhode Island's privacy law apply to?

The RIDTPPA applies to for-profit businesses that do business in Rhode Island or target Rhode Island residents. To be covered, a business must have processed personal data of at least 35,000 Rhode Island customers in the prior year — or at least 10,000 customers if it earned more than 20% of its gross revenue from selling personal data (R.I. Gen. Laws § 6-48.1-4(a)). Nonprofits, government agencies, universities, financial institutions, and HIPAA-covered health entities are not covered (R.I. Gen. Laws § 6-48.1-3(d)).

How do I ask a company to delete my data?

You can submit a deletion request using the secure mechanism the company is required to describe in its privacy notice (R.I. Gen. Laws § 6-48.1-5(f)). The company must respond within 45 days, though it may take up to 45 additional days if the request is complex (R.I. Gen. Laws § 6-48.1-6(b)(1)). The company may need to verify your identity before acting, so be prepared to provide information to confirm who you are.

Can I stop businesses from selling my personal data?

Yes. Under the RIDTPPA, you have the right to opt out of the sale of your personal data to third parties (R.I. Gen. Laws § 6-48.1-5(e)(4)). You can also opt out of having your data used for targeted advertising and automated profiling that affects important decisions in your life. You can designate an authorized agent to submit opt-out requests on your behalf (R.I. Gen. Laws § 6-48.1-6(b)(7)).

What happens if a company violates my rights under this law?

Violations are treated as deceptive trade practices under Rhode Island commercial law and are enforced exclusively by the Rhode Island Attorney General (R.I. Gen. Laws § 6-48.1-8(b)). If a business intentionally discloses your personal data unlawfully, it can be fined between $100 and $500 per disclosure (R.I. Gen. Laws § 6-48.1-8(a)). There is no private right to sue — you cannot bring your own lawsuit under this law (R.I. Gen. Laws § 6-48.1-8(c)).

When does this law take effect?

The Rhode Island Data Transparency and Privacy Protection Act takes effect on January 1, 2026 (Section 3 of H 7787). Data protection assessment requirements only apply to processing activities created or generated after January 1, 2026, and are not retroactive (R.I. Gen. Laws § 6-48.1-7(i)).

Official resources

• Full statute text (H 7787)
• Rhode Island Attorney General’s office