Rhode Island’s Data Transparency and Privacy Protection Act (RIDTPPA) took effect January 1, 2026. It arrived with something most state privacy laws lack: immediate consequences.
No cure period. No grace window. $10,000 per violation from day one.
Most states give companies a 30 or 60-day cure period after a violation. A warning shot. Time to clean up. Rhode Island eliminated that entirely. The Attorney General can pursue penalties the moment a company violates the law. For the smallest state in the country, that is an aggressive move.
Rhode Island also set some of the lowest applicability thresholds of any state privacy law. More businesses are covered. Fewer loopholes.
What You Get
The standard rights: access your data, correct it, delete it, get a portable copy, opt out of targeted advertising, data sales, and profiling. Nothing new there.
What matters is the enforcement behind it. When you cite the RIDTPPA in a deletion request, the company knows noncompliance does not come with a warning. It comes with a $10,000 fine. That changes the math fast.
Surveillance in a Small State
Rhode Island is densely populated and heavily surveilled relative to its size. Providence and surrounding areas run ALPRs. You can drive across the state in under an hour — a small number of cameras captures a large percentage of vehicle movement. No statewide restrictions on government facial recognition exist. Providence PD has access to those tools. Data brokers sell Rhode Island residents’ information like everyone else’s. The difference now is you have legal leverage to demand deletion.
What to Do
Use the RIDTPPA aggressively. Submit deletion requests to every data broker holding your data. Cite the law by name. Mention the no-cure-period enforcement and $10,000 penalties.
Audit your face. Search yourself on PimEyes, FaceCheck.ID, Google Lens, Yandex, TinEye. Opt out of any database that indexed you.
Check vehicle exposure. Use DeFlock.me to map plate readers near you. Check plate lookup sites and opt out.
Kill ad tracking. iPhone: Settings > Privacy & Security > Tracking > off. Android: Settings > Privacy > Ads > Delete advertising ID.
Harden everything else. Private social media. Disable face tagging. Strip photo metadata. Encrypted messaging. Disconnect linked accounts.
Monitor. Data brokers re-acquire information constantly. Quarterly re-checks minimum.
Rhode Island proved a small state can write a law with teeth. But the law only works if you use it. Every deletion request citing the RIDTPPA forces a company to take you seriously — or face the AG with no grace period and no excuses.
— J. Daniel, Dark Scrub