Title 6
Commercial Law — General Regulatory Provisions

Chapter 48.1
Rhode Island Data Transparency and Privacy Protection Act [Effective January 1, 2026.]

§ 6-48.1-10. Construction. [Effective January 1, 2026.]

(a) Nothing in this chapter shall be deemed to apply in any manner to a financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and its implementing regulations, or to information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191.

(b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

(c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code.

(d) Nothing in this chapter shall be construed to mandate and/or require the retention or disclosure of any specific individual’s personally identifiable information.

(e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product sales summaries or statistical information or aggregate customer data that may include personally identifiable information.

(f) Nothing in this chapter shall be construed to apply to any personally identifiable information or any other information collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f). Provided, further, nothing in this chapter shall be construed to require any entity to collect, store, or sell personally identifiable information, and furthermore, nothing in this chapter shall be construed to require a controller to provide a good or service that requires the personal data of a customer that the controller does not collect or maintain. This chapter is intended to apply only to covered entities that choose to collect, store, and sell or otherwise transfer or disclose personally identifiable information. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the law of this state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a customer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.