Skip to content

Compliance

Rhode Island Introduces Comprehensive Data Privacy Law with Key Exemptions

On June 28, Rhode Island became the nineteenth state to enact a comprehensive consumer data privacy law. The Rhode Island Data Transparency and Privacy Protection Act (Senate Bill 2500) takes effect on January 1, 2026. Here is who it covers, its key exemptions, and what businesses must do to comply.

← All articles
Filed under Compliance

On June 28, Rhode Island became the nineteenth state to enact a comprehensive consumer data privacy law. The "Rhode Island Data Transparency and Privacy Protection Act" (Senate Bill 2500) was enacted and will take effect on January 1, 2026.

Who Does This Law Apply To?

The Act applies to for-profit entities doing business in Rhode Island or targeting Rhode Island residents, if they met either of these criteria in the preceding calendar year:

  1. Controlled or processed personal data of 35,000 or more customers (excluding data used solely for payment transactions).
  2. Controlled or processed personal data of 10,000 or more customers and derived over 20% of gross revenue from selling personal data.

Key Exemptions

The Act exempts several types of data and entities, including:

  1. Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act.
  2. Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
  3. Data handled by customer reporting agencies as defined by federal law.
  4. Tax-exempt organizations.
  5. Government contractors when working for state or local agencies.

Importantly, the Act's definition of "customer" excludes individuals acting in commercial, employment, or official capacities.

Customer Rights Under the New Law

The Act grants customers the following rights:

  1. Confirmation of personal data processing.
  2. Correction of inaccuracies.
  3. Deletion of personal data.
  4. Obtaining a portable copy of processed personal data.
  5. Opting out of personal data processing for targeted advertising, sales, or automated profiling that significantly affects the customer.

Handling Sensitive Data

The law prohibits processing sensitive data without customer consent. Sensitive data includes information about race, ethnicity, religious beliefs, health, sexual orientation, citizenship status, genetic or biometric data, children's data, and precise geolocation.

Contractual Requirements

Contracts between controllers and processors must clearly outline:

  • Data processing instructions
  • Nature and purpose of processing
  • Type of data being processed
  • Duration of processing
  • Rights and obligations of both parties

The processor must also agree to:

  1. Ensure that all individuals handling personal data follow strict confidentiality rules.
  2. Delete or return all personal data to the controller at the end of the service, as requested, unless the law requires it to be retained.
  3. Provide the controller with all information needed to demonstrate compliance with the Act's obligations when reasonably requested.
  4. Before engaging any subcontractor, allow the controller to object, then use a written agreement that ensures the subcontractor meets the processor's obligations for personal data.
  5. Cooperate with reasonable assessments by the controller or their chosen assessor, or arrange for an independent, qualified assessor to evaluate the processor's policies and measures that support the Act's requirements.

Data Privacy Assessments

Controllers must perform and document data privacy assessments for high-risk processing activities, including:

  1. Using personal data for targeted advertising.
  2. Selling personal data.
  3. Processing personal data for profiling that could lead to unfair treatment, unlawful impacts, or substantial harm to customers, including financial, physical, or reputational damage, or intrusions into privacy that a reasonable person would find offensive.
  4. Processing sensitive data.

Enforcement

Violating the Act is deemed a deceptive trade practice. Intentionally disclosing personal data against the Act may result in fines between $100 and $500 per disclosure. The Attorney General has exclusive enforcement authority, and the Act does not include a cure provision.

This new data privacy law is a significant step toward protecting consumer data rights. Financial service businesses that operate in or target Rhode Island residents should review these requirements carefully to ensure compliance by the 2026 effective date. By understanding and applying these measures, businesses can build trust with customers while avoiding potential legal issues.

The landscape of data privacy keeps evolving. Staying informed and proactive about legislative changes is essential for financial service providers. This law underscores the growing importance of responsible data handling and transparency in customer relationships, and it reflects a broader trend toward increased data protection across the United States.

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

California Delete Act: DROP Deadline and Data Broker Rules

Compliance

California Delete Act: DROP Deadline and Data Broker Rules

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

The Changing Compliance Landscape for Consumer Lenders

Compliance

The Changing Compliance Landscape for Consumer Lenders

Explore evolving compliance rules for consumer lenders, CFPB updates, and strategies to stay compliant in 2025 and beyond.

Rhode Island Requires Student Loan Servicers to Register

Licensing

Rhode Island Requires Student Loan Servicers to Register

Rhode Island's "Student Loan Bill of Rights," requires that student loan servicers register with the state. The Bill of Rights calls upon the attorney general and state Department of Business Regulation to examine business practices and enact penalties for violations of the borrower's rights. The law became effective when it was signed by Governor Gina [...]

Rule 68 - Dead or Alive?

Licensing

Rule 68 - Dead or Alive?

Can an unaccepted Rule 68 offer of judgment be used to strip a Federal Court of subject matter Jurisdiction? A divided U.S. Supreme Court recently answered the question, no, in Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663 (U.S. 2016). Article III of the US Constitution limits federal court jurisdiction to "cases" and "controversies." If [...]

S Corporation Explained: Benefits, Drawbacks & Formation

Business Formation

S Corporation Explained: Benefits, Drawbacks & Formation

An S corporation (S corp) is a special tax classification under Subchapter S of the Internal Revenue Code that allows eligible small businesses to avoid double taxation by passing income, losses, deductions, and credits directly to shareholders. How an S Corporation Works An S corporation is not a business structure by itself but a tax [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.