RI Businesses Face New Privacy Laws

- The "Rhode Island Data Transparency and Privacy Protection Act" is set to take effect on January 1, 2026. This makes Rhode Island the 19th state to enact a comprehensive data privacy law. - The law grants Rhode Island residents several new rights concerning their personal data, including the right to access, correct, and delete their data, as well as the right to opt out of the sale of their personal information and targeted advertising. - Businesses will be required to conduct data protection assessments for any processing activities that present a heightened risk of harm to consumers, such as selling personal data or processing sensitive information. - The law defines "sensitive data" to include information about racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship or immigration status, and genetic or biometric data. Businesses must obtain consumer consent before processing this type of information. - Enforcement of the new law falls exclusively to the Rhode Island Attorney General, with businesses facing potential fines of up to $10,000 per violation. Notably, the act does not include a "right to cure," meaning businesses will not have a grace period to fix violations before penalties are issued. - The law applies to businesses that conduct business in Rhode Island or produce products or services targeted to its residents and meet certain thresholds. These thresholds include controlling or processing the personal data of at least 35,000 consumers or controlling or processing the data of at least 10,000 consumers while deriving more than 20% of their gross revenue from selling personal data. - Unlike privacy laws in some other states, Rhode Island's law will not require businesses to recognize universal opt-out mechanisms like the Global Privacy Control, meaning consumers will need to opt out on a site-by-site basis.