The Rhode Island Data Transparency and Privacy Protection Act (the "Act") became effective January 1, 2026. This article addresses the application of the Act to, and obligations of, commercial websites or internet service providers, as well as the enforcement of the Act.
Application to Commercial Websites or Internet Service Providers
The Act applies, subject to certain exceptions, to any commercial website or internet service provider (which the Act does not define) that does the following.
Conducting business in Rhode Island or
With customers in Rhode Island or
Otherwise subject to Rhode Island jurisdiction ("commercial website or internet service provider"). R.I. Gen. Laws §§ 6-48.1-3.(a) and (d)-(e), and 6-48.1-10.(a)-(b).
"Customer" means an individual residing in Rhode Island acting in an individual or household context, but does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit (which the Act does not define, though it defines nonprofit organization, as described below), or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency. R.I. Gen. Laws § 6-48.1-2.(10).
"Controller" means an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data. R.I. Gen. Laws § 6-48.1-2.(7). "Nonprofit organization" means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6)S, or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding Internal Revenue Code of the United States, as amended from time to time. R.I. Gen. Laws § 6-48.1-2.(17). Moreover, nothing in the Act shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code. R.I. Gen. Laws § 6-48.1-10.(c).
"Process or processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. R.I. Gen. Laws § 6-48.1-2.(20). "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information. R.I. Gen. Laws § 6-48.1-2.(18). "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly. R.I. Gen. Laws § 6-48.1-2.(15).
"De-identified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual. R.I. Gen. Laws § 6-48.1-2.(13). "Publicly available information" means information that is lawfully made available through federal, state, or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public. R.I. Gen. Laws § 6-48.1-2.(24).
Obligations of Commercial Websites or Internet Service Providers
First, a commercial website or internet service provider must designate a controller. R.I. Gen. Laws § 6-48.1-3(a).
Second, if a commercial website or internet service provider collects, stores, and sells customers' personally identifiable information (which the Act does not define, though it defines "personal data," as described above), then such controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted must identify the following.
All categories of personal data that the controller collects through the website or online service about customers;
All third parties to whom the controller has sold or may sell customers' personally identifiable information (which the Act does not define, though it defines sale of personal data, as described below); and
An active electronic mail address or other online mechanism that the customer may use to contact the controller. R.I. Gen. Laws § 6-48.1-3(a)(1)-(3).
"Third party" means an individual or legal entity, such as a public authority, agency, or body, other than the customer, controller, or processor, or an affiliate of the processor or of the controller. R.I. Gen. Laws § 6-48.1-2.(28). "Processor" means an individual who, or legal entity that, processes personal data on behalf of a controller. R.I. Gen. Laws § 6-48.1-2.(20). "Affiliate" means any entity that shares common branding with another legal entity directly or indirectly, controls, is controlled by, or is under common control with another legal entity. R.I. Gen. Laws § 6-48.1-2.(1). For this purpose, "control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company. R.I. Gen. Laws § 6-48.1-2.(1).
"Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. R.I. Gen. Laws § 6-48.1-2.(25). However, sale of personal data does not include the disclosure of personal data to a processor that processes the personal data on behalf of the controller; the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer; the disclosure or transfer of personal data to an affiliate of the controller; the disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, the disclosure of personal data that the customer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller's assets. R.I. Gen. Laws § 6-48.1-2.(25).
Third, if such controller sells personal data to third parties or processes personal data for targeted advertising, such controller shall clearly and conspicuously disclose such processing. R.I. Gen. Laws § 6-48.1-3(b).
"Targeted advertising" means displaying advertisements to a customer where the advertisement is selected based on personal data obtained or inferred from that customer's activities over time and across nonaffiliated internet websites or online applications to predict such customer's preferences or interests. R.I. Gen. Laws § 6-48.1-2.(27). However, targeted advertising does not include advertisements based on activities within a controller's own internet websites or online applications, advertisements based on the context of a customer's current search query, or current visit to an internet website or online application, advertisements directed to a customer in response to the customer's request for information or feedback, or processing personal data solely to measure or report advertising frequency, performance, or reach. R.I. Gen. Laws § 6-48.1-2.(27).
Nothing in the Act shall be construed to authorize the collection, storage, or disclosure of information or data that is otherwise prohibited or restricted by state or federal law. R.I. Gen. Laws § 6-48.1-3(c).
For-Profit Entity Provisions
The Act also has provisions regarding the processing of information, customer rights, and exercise thereof, and controller and processor responsibilities, which apply, subject to certain exceptions, to for-profit entities that conduct business in Rhode Island, or for-profit entities that produce products or services that are targeted to Rhode Island residents and that during the preceding calendar year controlled or processed the personal data of not less than the following.
35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction and/or
10,000 customers and derived more than 20 percent of their gross revenue from the sale of personal data. R.I. Gen. Laws §§ 6-48.1-4.(a)(1)-(2), 6-48.1-5.(a)(1)-(2), 6-48.1-6.(a)(1)-(2), and 6-48.1-7.(a)(1)-(2), 6-48.1-3 (d)-(e), and 6-48.1-10.(a)-(b).
Enforcement
A violation of the Act constitutes a violation of the general regulatory provisions of commercial law in Title 6 of the Rhode Island General Laws ("Title 6") and shall constitute a deceptive trade practice in violation of Chapter 13.1 of Title 6; provided, further, that in the event that any individual or entity intentionally discloses personal data the following.
To a shell company or any entity that has been formed or established solely, or in part, for the purposes of circumventing the intent of the Act or
In violation of any provision of the Act, that individual or entity shall pay a fine of not less than $100 and no more than $500 for each such disclosure. R.I. Gen. Laws § 6-48.1-8.(a)(1)-(2).
The Rhode Island attorney general shall have sole enforcement authority of the provisions of the Act and may enforce a violation of the Act pursuant to the following.
The provisions of R.I. Gen. Laws § 6-48.1-8. or
General regulatory provisions of commercial law in Title 6, or both. R.I. Gen. Laws § 6-48.1-8.(b)(1)-(2).
Nothing in R.I. Gen. Laws § 6-48.1-8. shall be construed to authorize any private right of action to enforce any provision of the Act, any regulation thereunder, or any other provisions of law. § 6-48.1-8.(c).
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
The Rhode Island Data Transparency and Privacy Protection Act (the "Act") became effective January 1, 2026. This article addresses the application of the Act to, and obligations of, commercial websites or internet service providers, as well as the enforcement of the Act.
Application to Commercial Websites or Internet Service Providers
The Act applies, subject to certain exceptions, to any commercial website or internet service provider (which the Act does not define) that does the following.
"Customer" means an individual residing in Rhode Island acting in an individual or household context, but does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit (which the Act does not define, though it defines nonprofit organization, as described below), or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency. R.I. Gen. Laws § 6-48.1-2.(10).
"Controller" means an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data. R.I. Gen. Laws § 6-48.1-2.(7). "Nonprofit organization" means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6)S, or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding Internal Revenue Code of the United States, as amended from time to time. R.I. Gen. Laws § 6-48.1-2.(17). Moreover, nothing in the Act shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code. R.I. Gen. Laws § 6-48.1-10.(c).
"Process or processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. R.I. Gen. Laws § 6-48.1-2.(20). "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information. R.I. Gen. Laws § 6-48.1-2.(18). "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly. R.I. Gen. Laws § 6-48.1-2.(15).
"De-identified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual. R.I. Gen. Laws § 6-48.1-2.(13). "Publicly available information" means information that is lawfully made available through federal, state, or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public. R.I. Gen. Laws § 6-48.1-2.(24).
Obligations of Commercial Websites or Internet Service Providers
First, a commercial website or internet service provider must designate a controller. R.I. Gen. Laws § 6-48.1-3(a).
Second, if a commercial website or internet service provider collects, stores, and sells customers' personally identifiable information (which the Act does not define, though it defines "personal data," as described above), then such controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted must identify the following.
"Third party" means an individual or legal entity, such as a public authority, agency, or body, other than the customer, controller, or processor, or an affiliate of the processor or of the controller. R.I. Gen. Laws § 6-48.1-2.(28). "Processor" means an individual who, or legal entity that, processes personal data on behalf of a controller. R.I. Gen. Laws § 6-48.1-2.(20). "Affiliate" means any entity that shares common branding with another legal entity directly or indirectly, controls, is controlled by, or is under common control with another legal entity. R.I. Gen. Laws § 6-48.1-2.(1). For this purpose, "control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company. R.I. Gen. Laws § 6-48.1-2.(1).
"Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. R.I. Gen. Laws § 6-48.1-2.(25). However, sale of personal data does not include the disclosure of personal data to a processor that processes the personal data on behalf of the controller; the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer; the disclosure or transfer of personal data to an affiliate of the controller; the disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, the disclosure of personal data that the customer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller's assets. R.I. Gen. Laws § 6-48.1-2.(25).
Third, if such controller sells personal data to third parties or processes personal data for targeted advertising, such controller shall clearly and conspicuously disclose such processing. R.I. Gen. Laws § 6-48.1-3(b).
"Targeted advertising" means displaying advertisements to a customer where the advertisement is selected based on personal data obtained or inferred from that customer's activities over time and across nonaffiliated internet websites or online applications to predict such customer's preferences or interests. R.I. Gen. Laws § 6-48.1-2.(27). However, targeted advertising does not include advertisements based on activities within a controller's own internet websites or online applications, advertisements based on the context of a customer's current search query, or current visit to an internet website or online application, advertisements directed to a customer in response to the customer's request for information or feedback, or processing personal data solely to measure or report advertising frequency, performance, or reach. R.I. Gen. Laws § 6-48.1-2.(27).
Nothing in the Act shall be construed to authorize the collection, storage, or disclosure of information or data that is otherwise prohibited or restricted by state or federal law. R.I. Gen. Laws § 6-48.1-3(c).
For-Profit Entity Provisions
The Act also has provisions regarding the processing of information, customer rights, and exercise thereof, and controller and processor responsibilities, which apply, subject to certain exceptions, to for-profit entities that conduct business in Rhode Island, or for-profit entities that produce products or services that are targeted to Rhode Island residents and that during the preceding calendar year controlled or processed the personal data of not less than the following.
Enforcement
A violation of the Act constitutes a violation of the general regulatory provisions of commercial law in Title 6 of the Rhode Island General Laws ("Title 6") and shall constitute a deceptive trade practice in violation of Chapter 13.1 of Title 6; provided, further, that in the event that any individual or entity intentionally discloses personal data the following.
The Rhode Island attorney general shall have sole enforcement authority of the provisions of the Act and may enforce a violation of the Act pursuant to the following.
Nothing in R.I. Gen. Laws § 6-48.1-8. shall be construed to authorize any private right of action to enforce any provision of the Act, any regulation thereunder, or any other provisions of law. § 6-48.1-8.(c).
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.