Rhode Island RIDTPPA AI Compliance 2026: The Lowest Threshold in New England
Rhode Island's Data Transparency and Privacy Protection Act took effect January 1, 2026 with a 35,000-consumer threshold — a fraction of the 100,000-consumer bar used by Virginia, Colorado, Indiana, and Kentucky. AI companies that assumed they were too small for state privacy law scope should recheck that assumption specifically for Rhode Island.
Does RIDTPPA Apply to Your AI Product?
RIDTPPA applies to a business that conducts business in Rhode Island or produces products or services targeted at Rhode Island residents, and that during a calendar year controls or processes the personal data of at least 35,000 consumers (not counting data processed solely to complete a payment transaction), or controls or processes the data of at least 10,000 consumers while deriving more than 20% of gross revenue from the sale of personal data.
Both thresholds are meaningfully lower than the pattern set by Virginia, Colorado, Indiana, and Kentucky. A regional AI SaaS tool that never crossed the 100,000-consumer bar nationally could still be fully in scope in Rhode Island alone if it has even a modest New England user base. Don't rely on a single national threshold check across all your state exposure — Rhode Island is the outlier that catches smaller products first.
Consumer Rights and AI Profiling
Profiling opt-out
Consumers can opt out of profiling in furtherance of decisions producing legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.
Targeted advertising opt-out
Consumers can opt out of personal data being used for targeted advertising, including AI-driven ad personalization and lookalike-audience models.
Sale of data opt-out
Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers or data brokers.
Data Protection Assessments
Processing that presents a heightened risk of harm, including high-risk profiling, requires a documented data protection assessment before the processing begins.
No Cure Period Means No Warning Shot
Several state privacy laws gave businesses a temporary 30-day right-to-cure window when they first took effect, then let that window expire on a fixed sunset date written into the statute. RIDTPPA's cure period was structured to expire before the law's own January 1, 2026 effective date, meaning Rhode Island businesses face direct enforcement exposure from day one — there is no automatic notice-and-fix opportunity the way there currently is in Indiana or Kentucky. AI companies operating in Rhode Island should treat compliance as needing to be correct at launch, not correctable after a first warning.
RIDTPPA Compliance Checklist for AI Companies
- ☐Check Rhode Island consumer counts against the 35,000 threshold separately from any national or other-state count
- ☐Check the 10,000-consumer / 20%-revenue-from-data-sales alternate trigger for smaller, data-monetizing products
- ☐Exclude payment-transaction-only data from the consumer count as the statute allows
- ☐Build opt-out flows for profiling, targeted advertising, and data sale
- ☐Support access, correction, deletion, and portability requests within statutory timelines
- ☐Document which AI-driven decisions fall into the legal-or-significant-effect category
- ☐Complete a data protection assessment before deploying any high-risk profiling model
- ☐Retain assessments in case the Attorney General requests them during an inquiry
- ☐Update assessments when the AI model or its training data materially changes
- ☐Do not assume a cure period exists — treat launch-day compliance as final, not draft
- ☐Monitor Rhode Island AG enforcement activity as the law matures past its first year
- ☐Retain records supporting your scope and threshold determinations
See where your AI product is exposed
RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
Why is Rhode Island's threshold so much lower than Indiana's or Kentucky's?
State privacy law thresholds are set independently by each legislature, and there's no federal standard forcing consistency. Rhode Island chose to model its threshold closer to smaller-state laws like Delaware's rather than the 100,000-consumer bar Virginia set as the original template. The practical effect is that Rhode Island reaches AI companies with meaningfully smaller user bases than most other states with comprehensive privacy laws.
If we're already compliant with Virginia's VCDPA, are we automatically compliant with RIDTPPA?
Mostly, but not entirely. The consumer rights (profiling, targeted advertising, and sale opt-outs) and assessment requirements are structurally similar. The threshold test is different and lower, so a company that correctly determined it was out of scope in Virginia may still be in scope in Rhode Island. Always run the threshold test per state rather than assuming one state's exemption transfers to another.
Does the lack of a cure period mean Rhode Island enforces more aggressively than other states?
Not necessarily — enforcement aggressiveness depends on Attorney General priorities and resources, which vary independently of the cure-period rule. What the missing cure period does mean is that there's no statutory backstop giving a business a guaranteed chance to fix a violation before facing enforcement, so the practical risk of a first violation is higher than in a state like Indiana or Kentucky that still has an active cure window.