The Rhode Island Data Privacy Act (RIDPA) represents the state’s entry into the expanding landscape of comprehensive privacy laws across the United States. Designed to give residents more control over their personal information, the law also establishes clear responsibilities for businesses that collect and use that data.
Who Is Covered by the Law
RIDPA applies to businesses and organizations that determine how and why personal data is processed, referred to as “controllers”, and that either operate in Rhode Island or target products or services to its residents.
A controller falls within the law’s scope if it meets at least one of the following thresholds within a calendar year:
- Processes personal data of 35,000 or more Rhode Island residents, excluding data used solely to complete financial transactions; or
- Processes data of 10,000 or more residents and derives over 20% of its gross revenue from selling personal data.
The law defines personal data broadly as information that can be linked to an identifiable individual. However, it excludes de-identified data and information that is already publicly available.
Exceptions
Certain entities are not subject to RIDPA, including government agencies, nonprofit organizations, higher education institutions, and specific industries already regulated under federal privacy laws. Additionally, several categories of data, such as protected health information and certain education or driver-related records, are exempt.
Consumer Rights Under RIDPA
The law grants Rhode Island residents several rights regarding their personal data. Individuals may:
- Confirm whether a business is processing their data and access that information
- Request a copy of their data in a usable format
- Correct inaccuracies in their data
- Request deletion of their personal information
- Opt out of certain types of processing, including targeted advertising, data sales, and profiling
Businesses must respond to these requests within 45 days, with a possible extension if necessary. Generally, at least one request per year must be fulfilled at no cost to the consumer.
If a request is considered excessive or unfounded, the business must justify that determination and may either charge a fee or decline to act.
Employer Guidance
While the Rhode Island Data Privacy Act includes exemptions for certain employment-related data, employers should still align their broader data practices with the law’s core expectations. Employers should also ensure their data processing practices are non-discriminatory and provide a mechanism for individuals to withdraw consent where applicable, honoring those requests within a reasonable timeframe.
In addition, organizations should be mindful of obligations tied to higher-risk data activities, such as conducting data protection assessments where appropriate. Just as important is the oversight of third-party vendors. RIDPA expects formal agreements with service providers that address confidentiality, proper data handling, and accountability. Even where exemptions apply, adopting these practices can help employers strengthen compliance, reduce risk, and stay prepared for the evolving landscape of state privacy laws.
GIS is here to support your organization as privacy laws continue to evolve. If you have any questions about your state's privacy laws or compliance obligations, please contact us.