Rhode Island Privacy Law: The 2026 Law with the Lowest Thresholds
Rhode Island's new privacy law has the lowest applicability thresholds of any state — just 35,000 consumers. Here's what small businesses need to know.
2026-03-05
Rhode Island's Data Transparency and Privacy Protection Act (HB 7787 / SB 2500) took effect on January 1, 2026, and it stands out for one critical reason: it has the lowest applicability thresholds of any US state privacy law.
If you thought your business was too small to worry about state privacy laws, Rhode Island might change that.
Why Rhode Island's Law Matters for Small Businesses
Most state privacy laws set their threshold at 100,000 consumers. Rhode Island's thresholds are significantly lower:
- Control or process personal data of at least 35,000 Rhode Island consumers, OR
- Control or process personal data of at least 10,000 Rhode Island consumers and derive more than 20% of gross revenue from selling personal data
That 35,000 threshold is roughly one-third of what Virginia, Indiana, and Kentucky require. And Rhode Island's population is only about 1.1 million, so 35,000 represents a much larger share of the state's residents — meaning even moderately popular websites could hit this threshold.
Consumer Rights
Rhode Island consumers have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their personal data (data portability)
- Opt out of sale, targeted advertising, and profiling
Response deadline: 45 days, with a possible 45-day extension.
Key Requirements
Privacy Notice
Your privacy policy must disclose:
- Categories of personal data processed
- Purposes for processing
- Consumer rights and how to exercise them
- Third-party data sharing categories
- Whether you sell data or use it for targeted advertising
Sensitive Data
Opt-in consent is required before processing the following categories of sensitive data:
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Citizenship or immigration status
- Biometric and genetic data
- Children's data (under 13)
- Precise geolocation
Data Protection Assessments
Required for targeted advertising, data sales, profiling, and sensitive data processing.
Enforcement
Enforced by the Rhode Island Attorney General. No private right of action. Rhode Island includes a 30-day cure period, but it is set to expire on January 1, 2027 — after which the AG can pursue enforcement without offering a fix window.
Rhode Island Compliance Checklist
- Privacy policy with all required disclosures
- Cookie consent banner with opt-out capabilities
- Consumer request process — 45-day response window
- Sensitive data consent — opt-in before processing
- Data protection assessments for high-risk processing
- Third-party agreements with data processors
The Trend Toward Lower Thresholds
Rhode Island signals where state privacy law is heading: lower thresholds that catch smaller businesses. If other states follow Rhode Island's lead, the days of "we're too small to worry about privacy compliance" are numbered.
The practical takeaway: even if you're a small e-commerce store, compliance is cheaper than fines. Getting a privacy policy, cookie banner, and opt-out mechanism in place now protects you as more states lower their thresholds.