These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

Rhode Island Data Transparency and Privacy Protection Act

Comprehensive compliance checklist for organizations operating in Rhode Island or serving Rhode Island customers under Title 6, Chapter 48.1 of the General Laws.

Key Provisions

6-48.1-3: Information Sharing Practices

Does your organization operate in Rhode Island (or serve RI customers) and have you designated a controller responsible for handling customer personal data?

Have you clearly disclosed in your customer agreement, privacy policy, or website notice the categories of personal data collected, third parties to whom data is sold, and whether data is sold or used for targeted advertising?

Do you provide a working contact mechanism (email/online form) for customers, and are your data practices consistent with state/federal privacy laws?

6-48.1-4: Processing of Information

Does your organization meet the threshold requirements: control/process ≥35,000 customer records OR control/process ≥10,000 customer records and derive >20% revenue from data sales?

Have you implemented reasonable administrative, technical, and physical safeguards to protect personal data, and do your data practices comply with state/federal anti-discrimination and privacy laws?

Do you obtain consent before processing sensitive data (or parental consent under COPPA for children's data) and provide customers with a mechanism to grant/revoke consent within 15 days?

6-48.1-5: Customer Rights

Do you ensure customers are not discriminated against for exercising their rights, except where data is essential to provide the service?

If you offer loyalty/reward/premium/discount programs, are they voluntary and bona fide (not disguised penalties for opting out)?

Do you provide mechanisms for customers to access, correct/delete, port, and opt-out of personal data use?

Do you provide customers (or their authorized agents/guardians) with a secure and clearly described method in your privacy notice to exercise their rights?

6-48.1-6: Exercising Customer Rights

Do you respond to customer rights requests within 45 days, with one possible 45-day extension? If declining a request, do you provide justification and clear appeal instructions?

Do you provide responses free once every 12 months, charging only for manifestly unfounded, excessive, or repetitive requests?

Do you authenticate customer requests before acting? For opt-outs, do you skip authentication unless fraud is suspected?

Have you established a clear and conspicuous appeal process, with written responses issued within 60 days, informing customers of their right to complain to the Attorney General if denied?

6-48.1-7: Controller and Processor Responsibilities

Is there a binding written contract that sets out processing instructions, nature and purpose, type of data, duration, rights/obligations, confidentiality duties, subcontracting restrictions, deletion/return of data, and audit/assessment rights?

If a processor independently determines the purposes and means of processing, does it acknowledge its role as a controller and accept corresponding liability?

Are Data Protection Assessments conducted and documented for high-risk activities such as targeted advertising, sale of personal data, profiling with risks, and processing of sensitive data?

When processing de-identified or pseudonymous data, are safeguards in place to prevent re-identification, with a public commitment not to re-identify?

Does the controller have mechanisms to respect customer rights while avoiding unnecessary re-identification?

Are data uses limited to legally permitted exemptions and not exceeding what customers would reasonably expect?

When sharing with third parties or processors, does the controller confirm it has no knowledge of violations by the recipient, and are proportionate safeguards applied?

Does processing avoid infringing First Amendment rights and exclude personal or household activities from scope?

6-48.1-8: Violations

Does the organization avoid intentionally disclosing personal data to shell companies or entities formed to circumvent the law?

Has the organization ensured that it does not intentionally disclose personal data in violation of any provision of this chapter?

Compliance Checklist

Information Sharing Practices

✓ If Yes:

  • Ensure the controller's role is documented and visible
  • Review disclosures periodically for accuracy
  • Maintain compliance records and test contact mechanism regularly

✗ If No:

  • Appoint a controller immediately
  • Update policies to make disclosures clear and conspicuous
  • Establish contact methods and review data practices for legal gaps

Processing of Information

✓ If Yes (Threshold Met):

  • You are subject to this law; proceed to next checks
  • Keep policies documented and review annually
  • Test consent mechanism regularly

✗ If No:

  • Document exemption rationale
  • Adopt/strengthen security program and conduct legal compliance review
  • Build/update consent management tools and align with COPPA

Customer Rights

✓ If Yes:

  • Maintain records of how opt-outs are handled
  • Test the mechanism regularly and document requests

✗ If No:

  • Revise practices to prevent penalties for rights exercise
  • Adjust to ensure fairness and voluntariness
  • Implement secure channels and update privacy notice

Exercising Customer Rights

✓ If Yes:

  • Ensure appeal rights are always communicated
  • Keep authentication/fraud assessment logs
  • Test appeal process regularly

✗ If No:

  • Ensure speedy response to requests
  • Adjust practices to comply
  • Implement authentication/fraud notice procedure
  • Create/update appeal process

Controller and Processor Responsibilities

✓ If Yes:

  • Periodically review/update agreements to reflect evolving law
  • Monitor role boundaries and update responsibilities in contracts
  • Maintain records, align with GDPR/CCPA, and refresh assessments regularly
  • Periodically test safeguards and enforce contractual controls with partners
  • Keep justification records and review proportionality regularly

✗ If No:

  • Draft/execute compliant contracts immediately
  • Train processors on limits, amend contracts
  • Establish a DPA protocol and integrate with enterprise risk processes now
  • Introduce technical/contractual barriers and publish a no-reidentification policy
  • Build/upgrade rights-management tools and ensure authentication safeguards
  • Re-map processing activities and restrict use to clearly documented exemptions

Violations

✓ If Yes:

  • Maintain audit logs, update staff training annually
  • Periodically test controls to demonstrate adherence

✗ If No:

  • Immediately stop such disclosures, review existing contracts
  • Perform a gap assessment against the chapter
  • Introduce strict approval workflows for data sharing
  • Remediate any unlawful practices without delay

Need Help with Rhode Island Compliance?

Our team of privacy experts can help you navigate the Rhode Island Data Transparency and Privacy Protection Act requirements and ensure your organization is fully compliant.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.