Rhode Island Has the Toughest New Privacy Law in America. Here’s Why.

When Rhode Island’s Data Transparency and Privacy Protection Act (RIDTPPA) took effect on January 1, 2026, it came with something most state privacy laws don’t have: teeth from day one.

No cure period. No grace window for companies to fix violations before facing penalties. And fines of up to $10,000 per violation.

For the smallest state in the country, that’s a remarkably aggressive stance on data privacy.

What Makes Rhode Island Different

Most state privacy laws include a 30 or 60-day cure period. This means when a company violates the law, they get a warning and a window to fix it before any penalties apply. Critics argue this effectively gives companies a free pass on their first violation.

Rhode Island eliminated that cushion. If a company violates the RIDTPPA, the Attorney General can pursue penalties immediately. Combined with the $10,000 per-violation fine structure, this makes Rhode Island’s law one of the most consequential in the country for noncompliant companies.

Rhode Island also has some of the lowest applicability thresholds of any state privacy law, meaning more businesses are covered than in states with higher thresholds.

Your Rights Under the RIDTPPA

The standard suite: confirm whether a company is processing your data, access it, correct inaccuracies, delete it, obtain a portable copy, and opt out of targeted advertising, data sales, and profiling.

But the enforcement mechanism is what matters. When you submit a deletion request to a data broker and cite the RIDTPPA, the company knows that noncompliance doesn’t come with a warning. It comes with a potential $10,000 fine. That changes the calculus for companies deciding whether to honor your request.

The Surveillance Landscape

Rhode Island is small, but it’s densely populated and heavily surveilled relative to its size.

License plate readers. Providence and surrounding communities have deployed ALPRs. In a state you can drive across in under an hour, a relatively small number of cameras can capture a significant percentage of vehicle movements.

Facial recognition. There are no statewide restrictions on government use of facial recognition in Rhode Island. Providence Police Department has access to facial recognition tools.

Data brokers. Rhode Island residents’ data is aggregated and sold just like residents of every other state. The difference now is that you have legal tools to demand its deletion.

What Rhode Island Residents Should Do

Step 1: Use the RIDTPPA aggressively. Submit deletion requests to every data broker that has your information. Cite the Rhode Island Data Transparency and Privacy Protection Act by name. Mention the no-cure-period enforcement and $10,000 penalties. This isn’t legal advice — it’s letting companies know you understand the law that applies to them.

Step 2: Run a facial recognition audit. Search yourself on PimEyes, FaceCheck.ID, Google Lens, Yandex, and TinEye. Submit opt-out requests for any databases that have indexed your face.

Step 3: Check your vehicle exposure. Use DeFlock.me to map license plate readers. In a state as small as Rhode Island, you may be surprised how thoroughly your movements can be tracked. Check plate lookup sites and opt out.

Step 4: Disable ad tracking. On iPhone: Settings > Privacy & Security > Tracking > toggle off. On Android: Settings > Privacy > Ads > Delete advertising ID.

Step 5: Harden your digital footprint. Private social media. Disable face tagging. Strip photo metadata. Encrypted messaging. Disconnect linked accounts.

Step 6: Monitor for re-listing. Quarterly re-checks or ongoing monitoring. Data brokers re-acquire information constantly.

The Bottom Line

Rhode Island proved that a small state can pass a tough privacy law. The no-cure-period enforcement and $10,000 per-violation penalties give your deletion requests more weight than in almost any other state.

But the law only works if you use it. Every deletion request you submit that cites the RIDTPPA forces a company to take your privacy seriously — or risk immediate enforcement action from the Attorney General.