Learn About The Law
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Current as of January 01, 2026 | Updated by Findlaw Staff
(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
(b) The controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
(c) The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter.
(d) The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers.
(e) The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation.
Cite this article: FindLaw.com - Rhode Island General Laws Title 6. Commercial Law--General Regulatory Provisions § 6-48.1-4. Processing of information - last updated January 01, 2026 | https://codes.findlaw.com/ri/title-6-commercial-law-general-regulatory-provisions/ri-gen-laws-sect-6-48-1-4/
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.
A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes, visit FindLaw’s Learn About the Law.
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Search our directory by legal issue
Enter information in one or both fields (Required)