Rhode Island Privacy Law (RIDPPA): What Small Businesses Need to Know

The Rhode Island Data Transparency and Privacy Protection Act (RIDPPA) takes effect January 1, 2026 and applies to any business processing the personal data of 35,000 or more Rhode Island consumers in a calendar year — among the lowest thresholds in any US state — with no annual revenue threshold. The secondary trigger captures businesses processing data of just 10,000 Rhode Island consumers and deriving 20% or more of revenue from data sales — among the most expansive secondary thresholds in the country, alongside Delaware and Maryland. The Rhode Island Attorney General is the sole enforcement authority. RIDPPA joins Connecticut, Delaware, Maryland, and New Hampshire in the "low threshold" tier of state privacy laws.

Does RIDPPA Apply to My Business?

RIDPPA applies to any person that conducts business in Rhode Island or produces products or services targeted to Rhode Island residents AND meets one of two thresholds:

• Controls or processes personal data of 35,000 or more Rhode Island consumers during a calendar year (excluding personal data processed solely to complete a payment transaction), OR
• Controls or processes personal data of 10,000 or more Rhode Island consumers AND derives more than 20% of gross revenue from the sale of personal data.

The threshold logic is OR, with no revenue floor under either path.

Rhode Island accounts for roughly 0.3% of the US population — the second smallest state by population. Reaching 35,000 Rhode Island consumers from a national e-commerce store typically requires very substantial volume. The 10,000 + 20% data sale path is a much lower bar that catches mid-size businesses with ad tech revenue.

What Does RIDPPA Require?

RIDPPA grants Rhode Island consumers a comprehensive set of rights and includes specific requirements around data transparency.

Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising and sale of personal data. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.

Disclosures you must publish. Privacy notice covering categories of personal data processed, purposes, third-party sharing, rights, and appeals process. RIDPPA's "data transparency" emphasis means privacy notices must be especially clear about what data is collected and what is done with it.

Operational practices you must implement. Conduct data protection assessments for high-risk processing. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable security practices.

How RIDPPA Affects Small Businesses

Rhode Island's January 1, 2026 effective date means businesses currently in scope under Connecticut, Delaware, Maryland, or New Hampshire — all "low threshold" states with similar structures — should treat RIDPPA as a routine extension of existing compliance work. The privacy notice updates and rights workflow are largely additive once those other states are addressed.

For Shopify merchants and direct-to-consumer brands, the practical takeaway: Rhode Island is in the same tier as the other 35,000-consumer states. If you are in scope under Connecticut CTDPA or Delaware DPDPA, expect to be in scope under RIDPPA on the same population basis. The compliance work is largely a matter of confirming Rhode Island-specific privacy notice references.

The 10,000 + 20% data sale secondary path catches the same set of ad tech-monetized businesses that Delaware and Maryland catch. If you have already evaluated those secondary thresholds for those states, the same analysis applies to Rhode Island.

Key Differences from Other State Privacy Laws

RIDPPA closely tracks the "low threshold" tier of state privacy laws — Connecticut, Delaware, Maryland, and New Hampshire. The key distinguishing features are administrative rather than substantive:

Effective date. RIDPPA takes effect January 1, 2026 — among the most recent state privacy laws to come online.

Secondary threshold matches Delaware and Maryland. The 10,000 consumer + 20% data sale revenue path is identical to Delaware DPDPA and Maryland MODPA. This is one of the most expansive secondary thresholds in any US state privacy law.

Data transparency emphasis. The law's name and structure emphasize transparency in data practices. Privacy notices must be especially clear and accessible.

Compared to Connecticut CTDPA, Rhode Island has the same primary threshold (35,000) but a more aggressive secondary (10K + 20% vs 25K + 25%). Compared to Delaware DPDPA, the structures are nearly identical. Compared to Maryland MODPA, Rhode Island lacks the strict data minimization requirements but has the same threshold structure.

How to Comply with RIDPPA

If RIDPPA will apply to your business when it takes effect in January 2026, the following steps establish a baseline.

1. Confirm scope at the lower threshold. Calculate Rhode Island consumer count from analytics and customer records. Treat 35,000 as the primary trigger, or 10,000 if 20%+ of revenue comes from data sales.
2. Update your privacy notice to include Rhode Island-specific references. Emphasize transparency — what data is collected, what it is used for, and who it is shared with.
3. Add opt-out mechanisms for targeted advertising and sale of personal data.
4. Build a consumer rights request workflow with the 45-day response deadline tracked.
5. Build a denial appeals process with timely written response.
6. Implement opt-in consent for sensitive data.
7. Conduct data protection assessments for high-risk processing activities.
8. Document reasonable security practices appropriate to data volume.
9. Be ready by January 1, 2026. Have your compliance program operational before the enforcement start date.

RIDPPA Enforcement and Penalties

The Rhode Island Attorney General has exclusive enforcement authority for RIDPPA. There is no private right of action — Rhode Island consumers cannot sue businesses directly. The AG may seek civil penalties under Rhode Island's existing consumer protection statutes, with penalties of up to $10,000 per knowing or reckless violation.

RIDPPA includes a cure period structure that gives businesses time to address violations before formal enforcement. The Rhode Island AG has not yet signaled a public enforcement posture given the law's January 2026 effective date.

Frequently Asked Questions

When does Rhode Island's privacy law take effect?

Rhode Island's Data Transparency and Privacy Protection Act (RIDPPA) takes effect January 1, 2026. The Rhode Island Attorney General will be the sole enforcement authority.

Does RIDPPA have a revenue threshold?

No. RIDPPA applies based on consumer data volume only: 35,000 or more Rhode Island consumers annually, or 10,000 or more consumers if 20% or more of revenue comes from data sales. There is no annual revenue minimum.

What are Rhode Island's privacy law thresholds?

RIDPPA's primary threshold is 35,000 Rhode Island consumers, matching Connecticut, Delaware, Maryland, and New Hampshire as the lowest in the US. The secondary threshold of 10,000 consumers + 20% data sale revenue is one of the most expansive in any state privacy law and matches Delaware and Maryland exactly.

What are the penalties for RIDPPA violations?

The Rhode Island AG can seek civil penalties of up to $10,000 per knowing or reckless violation under existing consumer protection statutes. There is no private right of action.

Is RIDPPA similar to Connecticut CTDPA?

Yes, structurally similar. Both have 35,000 primary consumer thresholds with no revenue floor. The main difference is the secondary threshold: Rhode Island uses 10,000 consumers + 20% data sale revenue (matching Delaware and Maryland), while Connecticut uses 25,000 + 25%. Rhode Island's secondary is more aggressive.

Should I start preparing for RIDPPA now?

Yes. With a January 1, 2026 effective date, the most efficient path is to extend existing multi-state privacy compliance work to cover Rhode Island before the law takes effect. If you are already complying with Connecticut, Delaware, or New Hampshire, the work is largely additive.

Check if RIDPPA applies to your business → Take the free 5-minute quiz

This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.