Data Protection Impact Assessment (DPIA) (RI)

DATA PROTECTION IMPACT ASSESSMENT (DPIA) (State overlay: RI)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe]; Timeline: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (RIDTPPA): ☐ Racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sexual orientation; ☐ Citizenship/immigration; ☐ Genetic/biometric; ☐ Child (under 13); ☐ Precise geolocation. Explicit consent required; processing must be suspended within 15 days of consent revocation.
  • Volume/retention: [records/year], [retention per purpose].
  • Processing: [collection, storage, analysis, sale]. "Sale" = exchange for monetary/other consideration; "Targeted advertising" = ads based on cross-site activities; "Profiling" = automated processing for decisions. Opt-out does not apply to pseudonymous data.

3. Legal Basis, Notices, and Rights

  • Primary law: Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), effective January 1, 2026. Enacted June 29, 2024.
  • Thresholds: Controls/processes personal data of 35,000+ RI consumers, OR 10,000+ RI consumers AND >20% of revenue from the sale of personal data. NO revenue minimum. Reflects RI's small population.
  • Broad privacy notice requirement: Applies to ANY commercial website/ISP doing business in RI or with RI customers collecting/storing/selling PII (NOT subject to standard thresholds).
  • Exemptions: GLBA, HIPAA, nonprofits, higher ed, government, employment data.
  • Rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response within 45 days, extendable once by 45 days.
  • Explicit consent for sensitive data. 15 days max to suspend processing upon consent revocation.
  • NO universal opt-out requirement (no GPC/signal recognition required).
  • NO cure period - immediate fines for violations.
  • DPA: Required for heightened risk (targeted ads, sales, profiling, sensitive data). Prospective only (activity from Jan 1, 2026+).
  • Processor contracts: Instructions, data type, duration, obligations, deletion/return.

4-7. [Data Flow, Security, Risks, Mitigations - Standard sections]

8. Incident Response and Breach Notification

  • Statute: RIGL 11-49.3 (Identity Theft Protection Act of 2015); effective July 2, 2016.
  • Timeline: 30 days for state/municipal agencies; 45 days for private entities (after confirmation and ability to ascertain notice requirements). Consistent with law enforcement needs.
  • AG notice: If 500+ residents, notify AG and major CRAs without delaying consumer notice.
  • Triggers: Disclosure/breach posing significant risk of identity theft. PI reasonably believed acquired by unauthorized person/entity.
  • Required content: Description (how occurred, number affected), data type, date/date range, remediation services (toll-free/website), police report instructions, security freeze information.
  • Exception: Law enforcement delay permitted. Compliance alternative if entity maintains own breach procedures and complies with timing.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (RI)

  • Applicability: 35,000+ RI consumers, OR 10,000+ RI consumers AND >20% of revenue from sale of personal data. NO revenue minimum. Broad privacy notice: ANY commercial website/ISP in RI collecting/storing/selling PII (not subject to standard thresholds). Exemptions: GLBA, HIPAA, nonprofits, higher ed, government, employment.
  • Sensitive data: 8 categories with explicit consent: racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric, child (under 13), precise geolocation. 15-day suspension deadline upon revocation.
  • Consumer rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Opt-out does NOT apply to pseudonymous data. Response: 45 days + extension.
  • NO universal opt-out (GPC/signal recognition NOT required).
  • Opt-out: Sale, targeted advertising, profiling.
  • Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.
  • DPA triggers: Required for heightened risk (targeted ads, sales, profiling, sensitive data). Prospective only (from Jan 1, 2026).
  • Security: Reasonable safeguards.
  • Breach notice: 30 days (agencies) or 45 days (private). If 500+, notify AG + CRAs without delaying consumers. Detailed content requirements (description, data type, date, remediation, freeze info).
  • Children: Under 13 data is sensitive requiring explicit consent. COPPA compliance.
  • Non-discrimination: Cannot deny services, charge different prices, or provide different quality for exercising rights.
  • Enforcement and penalties: NO cure period - immediate penalties. Violations = deceptive trade practice. $10,000 per violation. Intentional disclosure: $100-$500 per disclosure. AG exclusive enforcement. No private right of action.

10-11. [Approvals & Attachments]
