Rhode Island Data Transparency and Privacy Protection Act: Smallest State, No Cure Period
Rhode Island's comprehensive privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), became law without Governor McKee's signature on June 28, 2024, and takes effect January 1, 2026. It covers the ground you would expect from a state privacy law enacted in 2024: consumer rights, data minimization obligations, opt-out mechanisms, and controller/processor distinctions. But one structural choice sets it apart from nearly every peer statute, and it has real operational consequences for regulated companies.
No Cure Period. At All.
Most state privacy laws give businesses a window to fix violations before enforcement kicks in. Virginia's VCDPA has a 30-day cure period with no sunset. Colorado's CPA included a 60-day cure period that expired on January 1, 2025. Connecticut's CTDPA gave 60 days through the end of 2024, after which offering a cure became discretionary with the AG. Even Texas, whose TDPSA is otherwise aggressive, included a permanent 30-day cure provision.
Rhode Island did not include a cure period. The Attorney General can bring an enforcement action under the RIDTPPA without first giving you a chance to remediate. Section 6-48.1-9 of the Act grants the AG authority to enforce violations as unfair or deceptive trade practices under R.I. Gen. Laws 6-13.1, which means penalties of up to $10,000 per violation. No warning letter. No 30-day clock. If you are out of compliance on January 1, 2026, you are exposed from day one.
This is not a theoretical concern. Rhode Island AG Peter Neronha has been active on consumer protection enforcement generally, and the office has signaled interest in data privacy as a priority area. For companies operating across multiple states and relying on cure periods as a de facto compliance buffer, Rhode Island breaks that assumption.
Who Is Covered
The RIDTPPA applies to persons that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents, and that during the preceding calendar year either (a) controlled or processed personal data of at least 35,000 consumers, or (b) controlled or processed personal data of at least 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data. Those thresholds are relatively standard in absolute terms, but Rhode Island's population is roughly 1.1 million, so 35,000 consumers is about 3% of the state. By comparison, the 100,000-consumer threshold used in Texas or California is well under 1% of either state's population. Proportionally, the Rhode Island threshold catches a much wider swath of businesses.
Exemptions track familiar territory: HIPAA-covered entities and their business associates are exempt at the entity level (not just for PHI), as are entities subject to GLBA, nonprofits, and higher education institutions. Data governed by a handful of federal statutes, including FERPA, FCRA, and COPPA, is exempt at the data level. If you are a healthcare or financial services company already subject to HIPAA or GLBA, you likely have an entity-level carve-out, which is more generous than states that exempt only the regulated data rather than the entire entity. Read the exemptions carefully all the same, because the data-level exemptions do not reach the rest of what you process.
The AI Provisions Worth Reading Closely
Where the RIDTPPA gets genuinely interesting is its treatment of automated decision-making. Section 6-48.1-5 gives consumers the right to opt out of profiling in furtherance of decisions that produce legal effects or effects of similar significance. This language mirrors the Connecticut and Colorado approach, but Rhode Island layers it with a transparency obligation that is more specific than most.
Controllers must provide consumers with a meaningful description of the types of profiling they engage in, the logic involved, and the likely outcomes. If you are deploying AI models for credit decisioning, insurance underwriting, employment screening, or similar consequential determinations, you need to be able to articulate what the model does in terms a consumer can actually understand. Vague references to "algorithmic processing" will not cut it.
There is also a data protection assessment requirement under Section 6-48.1-8 that explicitly covers profiling activities. These assessments must weigh the benefits of the processing against potential risks to consumers, and the AG can demand them in the course of a civil investigative demand. If your data protection impact assessments are boilerplate documents that nobody updates, this is the statute that could turn them into litigation exhibits.
Sensitive Data Gets Heightened Protection
The RIDTPPA defines sensitive data to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, personal data of known children, and precise geolocation data. Processing sensitive data requires affirmative opt-in consent. Not a buried toggle in a settings menu. Actual consent that is freely given, specific, informed, and unambiguous.
For companies in healthcare-adjacent spaces that handle health data outside of HIPAA's scope (wellness apps, employee health platforms, consumer health tools), this is a meaningful obligation. The same goes for edtech companies processing student data that falls outside FERPA's protections, or fintech companies handling data that does not neatly fit under GLBA.
Practical Implications for Multi-State Compliance
By January 2026, somewhere around 20 states will have comprehensive privacy laws in effect. The temptation is to build compliance programs to the lowest common denominator and then layer on state-specific requirements. The RIDTPPA complicates that approach in a few ways.
- No cure period means no grace period for remediation. If your compliance program relies on cure windows as a safety net, you need to treat Rhode Island as a jurisdiction where you must be fully compliant at launch. This changes your project timeline.
- The profiling transparency requirements are more prescriptive. If you are using AI tools in any consumer-facing decision process that touches Rhode Island residents, your privacy notices and opt-out mechanisms need to specifically address profiling, not just data collection and sharing.
- Data protection assessments are enforceable documents. The AG can compel production. Treat them as documents that will be read by a regulator, not as checkbox exercises filed away in a SharePoint folder.
- The 35,000-consumer threshold is low. If you have any meaningful digital presence reaching Rhode Island residents, run the numbers. You may be covered even if you do not have a physical presence in the state.
One more wrinkle: the RIDTPPA includes a provision allowing the AG to consider the controller's "good faith efforts to comply" as a mitigating factor in enforcement. This is not a cure period, but it does mean that documented, genuine compliance efforts could matter if you end up in the AG's crosshairs. Building and maintaining that documentation trail is not optional.
How FirmAdapt Addresses This
FirmAdapt's platform is built for exactly this kind of multi-jurisdictional complexity. The compliance mapping engine tracks obligations across state privacy laws, including cure period availability (or absence), threshold calculations, and sensitive data consent requirements, so teams can see where Rhode Island's requirements diverge from peer statutes and adjust their controls accordingly. For the RIDTPPA's profiling and automated decision-making provisions specifically, FirmAdapt's AI governance module helps organizations document model logic, generate consumer-facing transparency disclosures, and maintain data protection assessments that are audit-ready.
The no-cure-period reality in Rhode Island means compliance cannot be reactive. FirmAdapt's architecture assumes that posture by default, continuously monitoring data processing activities against applicable obligations rather than waiting for a violation to trigger remediation workflows. If your organization processes data of Rhode Island residents and deploys AI in any consequential decision-making context, the platform provides the documentation and control framework to demonstrate the good faith compliance efforts the statute contemplates.