Rhode Island Introduces Comprehensive Data Privacy Law with Key Exemptions

July 9, 2024
By Cornerstone Staff

On June 28, Rhode Island became the nineteenth state to enact a comprehensive consumer data privacy law. The “Rhode Island Data Transparency and Privacy Protection Act” (Senate Bill 2500) was enacted and will take effect on January 1, 2026.

Who Does This Law Apply To?

The Act applies to for-profit entities doing business in Rhode Island or targeting Rhode Island residents, if they meet either of these criteria in the preceding calendar year:

  1. Controlled or processed personal data of 35,000 or more customers (excluding data used solely for payment transactions).
  2. Controlled or processed personal data of 10,000 or more customers and derived over 20% of gross revenue from selling personal data.

Key Exemptions

The Act exempts several types of data and entities, including:

  1. Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act.
  2. Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
  3. Data handled by customer reporting agencies as defined by federal law.
  4. Tax-exempt organizations.
  5. Government contractors when working for state or local agencies.

Importantly, the Act’s definition of “customer” excludes individuals acting in commercial, employment, or official capacities.

Customer Rights Under the New Law

The Act grants customers the following rights:

  1. Confirmation of personal data processing.
  2. Correction of inaccuracies.
  3. Deletion of personal data.
  4. Obtaining a portable copy of processed personal data.
  5. Opting out of personal data processing for targeted advertising, sales, or automated profiling that significantly affects the customer.

Handling Sensitive Data

The law prohibits processing sensitive data without customer consent. Sensitive data includes information about race, ethnicity, religious beliefs, health, sexual orientation, citizenship status, genetic or biometric data, children’s data, and precise geolocation.

Contractual Requirements

Contracts between controllers and processors must clearly outline:

  • Data processing instructions
  • Nature and purpose of processing
  • Type of data being processed
  • Duration of processing
  • Rights and obligations of both parties

The processor must also agree to:

  1. Ensure confidentiality of those processing personal data.
  2. Delete or return all personal data to the controller as requested at the end of the service.
  3. Provide the controller with all information necessary to demonstrate compliance.
  4. Allow for, and contribute to, reasonable audits and inspections by the controller.
  5. Engage subcontractors only with the controller’s prior written authorization.

This new data privacy law in Rhode Island represents a significant step towards protecting consumer data rights. Financial service businesses operating in or targeting Rhode Island residents should carefully review these requirements to ensure compliance by the 2026 effective date. By understanding and implementing these new data privacy measures, businesses can build trust with their customers while avoiding potential legal issues.

As the landscape of data privacy continues to evolve, staying informed and proactive about such legislative changes is crucial for financial service providers. This law underscores the growing importance of responsible data handling and transparency in customer relationships, reflecting a broader trend towards increased data protection across the United States.

  1. Guarantee that all individuals handling personal data adhere to strict confidentiality rules.
  2. When instructed by the controller, erase or send back all personal data upon service completion, unless legally required to retain it.
  3. Provide the controller with all necessary information to prove compliance with the Act’s obligations when reasonably requested.
  4. Before engaging any subcontractor, allow the controller to object, then use a written agreement ensuring the subcontractor meets the processor’s obligations regarding personal data.
  5. Cooperate with reasonable assessments by the controller or their chosen assessor, or arrange for an independent, qualified assessor to evaluate the processor’s policies and measures supporting the Act’s requirements.

Data Privacy Assessments

Controllers must perform and document data privacy assessments for high-risk processing activities, including:

  1. Using personal data for targeted advertising.
  2. Selling personal data.
  3. Processing personal data for profiling that could lead to unfair treatment, unlawful impacts, or substantial harm to customers, including financial, physical, or reputational damage, or intrusions into privacy that a reasonable person would find offensive.
  4. Processing sensitive data.


Violating the Act is deemed a deceptive trade practice. Intentionally disclosing personal data against the Act may result in fines between $100 and $500 per disclosure. The Attorney General has exclusive enforcement authority, and the Act doesn’t include a cure provision.

The Rhode Island data privacy law aims to set clear guidelines for businesses. As data privacy concerns continue to grow, staying ahead of legislative changes is crucial. This law reflects the increasing importance of compliant data handling and transparency with customers. Financial service providers must ensure they’re compliant with these new regulations to avoid legal issues.



Cornerstone Staff

| Cornerstone
Free Yourself from the Burden of Licensing