Three New State Privacy Laws Take Effect in 2026

The patchwork of American privacy law continues to grow. In 2026, three more states will begin enforcing comprehensive data privacy legislation, each with its own requirements and quirks that businesses need to understand.

Indiana's law took effect January 1. Kentucky's follows on January 1, 2026. Rhode Island rounds out the year with a January 1, 2026 effective date. Together with existing laws in 20 other states, they're reshaping how companies handle personal data across America.

Indiana Consumer Data Protection Act

Effective: January 1, 2026

Indiana's law applies to businesses that either control or process personal data of at least 100,000 Indiana consumers, or control or process data of at least 25,000 consumers while deriving more than 50% of gross revenue from selling personal data.

The law grants Indiana residents several rights:

• Right to confirm whether a business is processing their personal data
• Right to access their personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to obtain a portable copy of their data
• Right to opt out of targeted advertising, data sales, and profiling

Indiana includes a 30 day cure period, giving businesses time to fix violations before facing penalties. The Attorney General has exclusive enforcement authority.

Kentucky Consumer Data Protection Act

Effective: January 1, 2026

Kentucky's thresholds match Indiana: businesses processing data of 100,000 or more consumers, or 25,000 consumers combined with significant revenue from data sales.

What makes Kentucky notable is its permanent cure period. Unlike other states that phase out the opportunity to fix violations, Kentucky's 30 day cure period doesn't sunset. Businesses will always have the chance to remedy problems before facing enforcement action.

Consumer rights under Kentucky's law mirror most other state frameworks:

• Access to personal data
• Correction of inaccurate data
• Deletion requests
• Data portability
• Opt out of targeted advertising and data sales

The Kentucky Attorney General handles enforcement, with penalties up to $7,500 per violation.

Rhode Island Data Transparency and Privacy Protection Act

Effective: January 1, 2026

Rhode Island takes a different approach with lower thresholds. The law applies to businesses processing personal data of 35,000 or more consumers, or 10,000 consumers if more than 20% of revenue comes from data sales.

These lower thresholds mean smaller businesses may be subject to Rhode Island's requirements even if they're exempt under other state laws.

Rhode Island's law includes standard consumer rights plus some additional requirements:

• Businesses must conduct data protection assessments for high risk processing
• Contracts with data processors must include specific protective provisions
• Heightened requirements for sensitive data processing

The state provides a cure period through January 1, 2026, after which the Attorney General can pursue violations without offering correction opportunities.

Other State Privacy Updates in 2026

Beyond these three new laws, several states are amending their existing privacy frameworks:

Connecticut: Amendments expanding consumer rights and controller obligations take effect throughout 2026.

Oregon: The Oregon Consumer Privacy Act adds new provisions for nonprofit organizations and adjusts processing thresholds.

Texas: The Texas Data Privacy and Security Act amendments clarify small business exemptions and processing requirements.

Virginia: Updates to the Virginia Consumer Data Protection Act address data broker requirements.

Nebraska and Arkansas: Both states have new laws taking effect that follow the Virginia model closely.

The Compliance Challenge

With 23 states now having comprehensive privacy laws, businesses face a complex compliance landscape. Each law has different thresholds, rights, exemptions, and enforcement mechanisms.

For most businesses, the practical approach is building systems that meet the strictest requirements. California's CCPA/CPRA remains the most demanding, so compliance with California often covers other states by default.

Key universal requirements across all state laws:

• Clear privacy notices explaining data collection and use
• Mechanisms for consumers to exercise their rights
• Reasonable security measures for personal data
• Contracts with service providers handling personal data
• Opt out mechanisms for targeted advertising

What This Means for Consumers

If you live in Indiana, Kentucky, or Rhode Island, you now have formal rights over your personal data that you can enforce against businesses.

In practice, this means you can:

• Ask companies what data they have about you
• Request they delete your information
• Stop them from selling your data or using it for targeted ads
• Get a copy of your data in a portable format

Companies are required to respond to these requests within 45 days in most states. If they refuse or ignore you, you can file complaints with your state Attorney General.

The Federal Question

The continued growth of state privacy laws increases pressure for federal legislation. Businesses operating nationally must navigate an increasingly complex web of requirements, while consumers have vastly different protections depending on where they live.

Whether Congress acts remains uncertain. Until then, expect more states to pass their own laws. By some estimates, more than 30 states could have comprehensive privacy legislation by 2028.

For now, 2026 marks another step toward a future where data privacy is the norm rather than the exception in American law.