United States of America: Implemented Rhode Island Data Transparency and Privacy Protection Act (H 7787)

On 1 January 2026 the Rhode Island Data Transparency and Privacy Protection Act entered into force. The Act requires controllers to disclose their data collection, sharing, and processing practices and require them to identify categories of personal data collected, third parties to whom data may be disclosed, purposes for processing data, and categories of data shared with third parties. Controllers will also be required to provide a mechanism for customers to contact them and exercise their consumer rights, including opting out of data sales or targeted advertising. The Act limits data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes. Certain entities, such as state bodies and nonprofit organisations, and specific data, including protected health information under HIPAA and patient-identifying information, will be exempted from the Act. The Act will not authorise the collection, storage, or disclosure of information prohibited by state or federal law. Each violation of the Act would be punished with a fine between USD 100 and USD 500.