With the introduction of the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), businesses must ensure they obtain informed, prior consent from users before processing personal data, including through cookies and tracking technologies. Is your consent management ready for action?
RIDTPPA is a comprehensive data privacy law enacted in Rhode Island to give consumers greater control over their personal data. It mandates transparency in data collection, processing, and sharing, while placing strict obligations on businesses that handle Rhode Island residents' data.
Businesses must implement clear privacy notices, obtain consent where required, enable consumer rights such as data access and deletion, and ensure vendors and service providers are also compliant. RIDTPPA applies to businesses that meet specific revenue or data-processing thresholds. To be compliant, business should:
Conduct an audit:
Perform a full audit of data collection and sharing practices and identify personal data collected and its purposes
Update privacy policy:
Review and update privacy and cookie policies.
Implement consent management:
Implement cookie consent banners and opt-out flows to automate consent capture and preference management
Ensure consumer rights:
Establish mechanisms to respond to consumer rights requests within 45 days
Perform Data Protection Assessments:
Safeguard privacy with regard to targeted advertising, data sales, profiling, or processing sensitive data.
Utilizing tools like consent management platforms (CMPs) can simplify this process and help maintain ongoing compliance.
RIDTPPA applies to businesses operating in Rhode Island or targeting Rhode Island residents, and that meet one or more of the following criteria:
Control or process data of at least 35,000 consumers annually
Derive 25% or more of gross revenue from the sale of personal data.
Consumers are granted the following rights under RIDTPPA:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Consumers can find out what third parties have received their data and confirm whether an entity is processing it
Cookies that collect personal or sensitive data are covered under RIDTPPA. Businesses must disclose the purpose of each category of cookies and obtain user consent before enabling non-essential tracking. This includes analytics, advertising, and third-party cookies.
Cookie banners must clearly disclose what data is being collected and allow users to opt out of non-essential cookies.
Non-compliance with RIDTPPA can result in enforcement actions by the Rhode Island Attorney General, including civil penalties. Each violation may carry a fine, and continued failure to comply may increase liability.
Compliance with RIDTPPA Rhode Island can in part by complied with by adhering to a number of data privacy best practices, including:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
RIDTPPA applies to businesses operating in Rhode Island or targeting residents of the state, especially those that collect or process the personal data of more than 35,000 consumers or earn significant revenue from data sales.
Personal data includes any information that is linked or reasonably linkable to an identified or identifiable individual, such as names, email addresses, IP addresses, and online identifiers.
Sensitive data includes information such as racial or ethnic origin, religious beliefs, sexual orientation, health data, genetic or biometric data, and precise geolocation.
The Rhode Island Attorney General is responsible for enforcing RIDTPPA and handling consumer complaints.
Certain entities are exempt, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act, and data covered by HIPAA or other federal privacy laws.
You can learn more about RIDTPPA by visiting the Rhode Island Attorney General’s official website or reviewing the full legislative text of the act.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
