On June 28, Rhode Island became the nineteenth state to enact a comprehensive consumer data privacy law. The "Rhode Island Data Transparency and Privacy Protection Act" (Senate Bill 2500) was enacted and will take effect on January 1, 2026.
Who Does This Law Apply To?
The Act applies to for-profit entities doing business in Rhode Island or targeting Rhode Island residents, if they met either of these criteria in the preceding calendar year:
- Controlled or processed personal data of 35,000 or more customers (excluding data used solely for payment transactions).
- Controlled or processed personal data of 10,000 or more customers and derived over 20% of gross revenue from selling personal data.
Key Exemptions
The Act exempts several types of data and entities, including:
- Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act.
- Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
- Data handled by customer reporting agencies as defined by federal law.
- Tax-exempt organizations.
- Government contractors when working for state or local agencies.
Importantly, the Act's definition of "customer" excludes individuals acting in commercial, employment, or official capacities.
Customer Rights Under the New Law
The Act grants customers the following rights:
- Confirmation of personal data processing.
- Correction of inaccuracies.
- Deletion of personal data.
- Obtaining a portable copy of processed personal data.
- Opting out of personal data processing for targeted advertising, sales, or automated profiling that significantly affects the customer.
Handling Sensitive Data
The law prohibits processing sensitive data without customer consent. Sensitive data includes information about race, ethnicity, religious beliefs, health, sexual orientation, citizenship status, genetic or biometric data, children's data, and precise geolocation.
Contractual Requirements
Contracts between controllers and processors must clearly outline:
- Data processing instructions
- Nature and purpose of processing
- Type of data being processed
- Duration of processing
- Rights and obligations of both parties
The processor must also agree to:
- Ensure that all individuals handling personal data follow strict confidentiality rules.
- Delete or return all personal data to the controller at the end of the service, as requested, unless the law requires it to be retained.
- Provide the controller with all information needed to demonstrate compliance with the Act's obligations when reasonably requested.
- Before engaging any subcontractor, allow the controller to object, then use a written agreement that ensures the subcontractor meets the processor's obligations for personal data.
- Cooperate with reasonable assessments by the controller or their chosen assessor, or arrange for an independent, qualified assessor to evaluate the processor's policies and measures that support the Act's requirements.
Data Privacy Assessments
Controllers must perform and document data privacy assessments for high-risk processing activities, including:
- Using personal data for targeted advertising.
- Selling personal data.
- Processing personal data for profiling that could lead to unfair treatment, unlawful impacts, or substantial harm to customers, including financial, physical, or reputational damage, or intrusions into privacy that a reasonable person would find offensive.
- Processing sensitive data.
Enforcement
Violating the Act is deemed a deceptive trade practice. Intentionally disclosing personal data against the Act may result in fines between $100 and $500 per disclosure. The Attorney General has exclusive enforcement authority, and the Act does not include a cure provision.
This new data privacy law is a significant step toward protecting consumer data rights. Financial service businesses that operate in or target Rhode Island residents should review these requirements carefully to ensure compliance by the 2026 effective date. By understanding and applying these measures, businesses can build trust with customers while avoiding potential legal issues.
The landscape of data privacy keeps evolving. Staying informed and proactive about legislative changes is essential for financial service providers. This law underscores the growing importance of responsible data handling and transparency in customer relationships, and it reflects a broader trend toward increased data protection across the United States.
Found This Useful? Let's Get You Set Up.
Start an application and an expert will tailor the next steps to your situation.