On June 28, Senate Bill 2500, the “Rhode Island Data Transparency and Privacy Protection Act,” was enacted without the governor’s signature. This makes Rhode Island the nineteenth state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, and Minnesota. The Act will go into effect January 1, 2026.

Applicability

The Act applies to for-profit entities that conduct business in Rhode Island or that produce products or services that are targeted to residents of Rhode Island and that during the preceding calendar year did any of the following:

  1. Controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
  2. Controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

Exemptions

The following are included in the list of data and entities exempt from the Act:

  1. A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act and its implementing regulations;
  2. Information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  3. Personally identifiable information or any other information collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f);
  4. Any entity recognized as a tax exempt organization under the Internal Revenue Code;
  5. A contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

Additionally, the definition of “customer” excludes “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.”

Customer Rights

The Act provides a customer with the right to:

  1. Confirm whether their personal data is being processed;
  2. Correct inaccuracies;
  3. Delete personal data provided by, or obtained about, the customer;
  4. Obtain a portable copy of the personal data processed;
  5. Opt out of the processing of their personal data if for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

Sensitive Data

A controller is prohibited from processing sensitive data without a customer’s consent.

“Sensitive data” is defined as “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.”

Contract Requirements

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality;
  2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations of the Act;
  4. After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  5. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor’s policies and technical and organizational measures in support of the obligations of the Act.

Data Protection Assessments

A controller must conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a customer, including:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of personal data for purposes of profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers;
  4. The processing of sensitive data.

Enforcement

A violation constitutes a deceptive trade practice, and an intentional disclosure of personal data in violation of the Act may result in a fine of not less than $100 and no more than $500 for each such disclosure. The Attorney General has sole authority to enforce the Act, which contains no cure provision.

For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center (login required).

RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.

RMAI previously issued Member Alerts for other states’ comprehensive privacy laws enacted in 2023 and 2024.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.