The bill introduces the Rhode Island Data Transparency and Privacy Protection Act, which seeks to enhance privacy protections for individuals in Rhode Island by regulating the collection, storage, and sale of personally identifiable information by commercial websites and internet service providers. It requires these entities to inform customers about the types of personal data collected, the third parties to whom the data may be sold, and how customers can contact the controller of their data. The bill also mandates that entities obtain customer consent before selling personal data or using it for targeted advertising, and it prohibits the use of deceptive practices known as "dark patterns." Additionally, the bill outlines exemptions for certain entities and types of information, such as those covered by federal regulations like HIPAA, and it does not apply to state or political subdivisions, nonprofits, or institutions of higher education.

The bill sets specific criteria for entities that must comply with its provisions, based on the volume of personal data they control or process and the revenue they derive from selling personal data. It establishes customer rights, including the right to access, correct, delete, and obtain a copy of their personal data, and the right to opt out of data processing for targeted advertising or profiling. Entities must respond to customer requests within 45 days and provide a process for appeals. The bill also requires controllers and processors to maintain reasonable data security practices, conduct data protection assessments for high-risk processing activities, and ensure that de-identified data cannot be associated with individuals. Violations of the act are considered deceptive trade practices, with fines for each violation, and the act is set to take effect on January 1, 2026.