2026 US State & International Data Privacy Laws Going Live

Kentucky: Kentucky Consumer Data Protection Act (KCDPA)

Effective Date: January 1, 2026

Scope:

Applies to businesses that conduct business in Kentucky or target Kentucky residents and:

• Process personal data of 100,000 or more Kentucky consumers.
• Process personal data of 25,000 or more consumers if over 50% of gross revenue comes from selling personal data.

Consumer Rights:

• Access and Confirmation: Consumers can confirm whether their personal data is being processed and access that data.
• Correction: Right to correct inaccuracies in their personal data.
• Deletion: Right to delete personal data provided to or obtained about them.
• Data Portability: Consumers can obtain a portable copy of their data in a usable format.
• Opt-Out Rights: Ability to opt out of:
  • Sales of personal data
  • Targeted advertising
  • Profiling that produces legal or similarly significant effects

Business Requirements:

• Data Minimization & Purpose Limitation: Collect only what is “adequate, relevant, and reasonably necessary” for disclosed purposes.
• Privacy Notices: Must provide clear, accessible privacy notices detailing data categories, purposes, and consumer rights.
• Data Security: Implement appropriate administrative, technical, and physical security measures.
• Consent for Sensitive Data: Required before processing sensitive data (including racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship status, genetic/biometric data, children’s data).
• Data Protection Impact Assessments (DPIAs): Required for:
  • Targeted advertising
  • Sale of personal data
  • Profiling with reasonably foreseeable risks
  • Processing sensitive data
  • Any processing presenting heightened risk of harm
  • Note: DPIA requirements apply to processing activities created or generated on or after June 1, 2026.

Enforcement:

• Enforcer: Kentucky Attorney General (exclusive authority)
• Cure Period: Permanent 30-day cure provision
• Penalties: Up to $7,500 per violation

Commentary:

Kentucky’s law closely mirrors Virginia’s VCDPA, making it relatively straightforward for businesses already compliant with Virginia-modeled laws. The permanent cure period is business-friendly, and the delayed DPIA requirement (June 2026) gives companies extra preparation time. A March 2025 amendment clarified HIPAA exemptions and narrowed DPIA requirements for profiling to cases involving unlawful disparate impact, demonstrating legislative responsiveness to stakeholder concerns.

Indiana: Indiana Consumer Data Protection Act (INCDPA)

Effective Date: January 1, 2026

Scope:

Applies to entities conducting business in Indiana or targeting Indiana residents and:

• Control or process personal data of 100,000 or more Indiana consumers.
• Control or process personal data of 25,000 or more consumers if over 50% of gross revenue comes from selling personal data.

Consumer Rights:

• Access and Confirmation: Right to confirm whether a controller is processing their personal data and access that data.
• Correction: Right to correct inaccuracies in personal data.
• Deletion: Right to delete personal data provided to or obtained about them.
• Data Portability: Right to obtain a copy of previously provided personal data in a portable format.
• Opt-Out Rights: Ability to opt out of:
  • Sales of personal data
  • Targeted advertising
  • Profiling for decisions producing legal or similarly significant effects

Business Requirements:

• Data Minimization: Limit collection to what is adequate, relevant, and reasonably necessary.
• Privacy Notices: Provide clear notices describing data categories, purposes, sharing practices, and consumer rights.
• Data Security: Maintain reasonable security measures to protect personal data.
• Consent for Sensitive Data: Required before processing sensitive data and children’s data (under 13 years).
• Data Protection Impact Assessments: Required for:
  • Targeted advertising
  • Sale of personal data
  • Profiling activities
  • Processing sensitive data
  • Any processing presenting heightened risk of harm
  • Note: DPIA requirements apply to processing activities created or generated after December 31, 2025 (not retroactive).
• COPPA Compliance: Must comply with federal Children’s Online Privacy Protection Act for known children’s data.

Enforcement:

• Enforcer: Indiana Attorney General (exclusive authority)
• Cure Period: 30-day cure period
• Penalties: Not specified in statute (follows Indiana deceptive trade practices)

Notable Exemptions:

• State entities and political subdivisions
• Financial institutions and data subject to Gramm-Leach-Bliley Act
• HIPAA-covered entities and business associates
• Nonprofit organizations
• Higher education institutions
• Employment-related information

Commentary:

Indiana’s law is considered “business-friendly” due to its extended preparation timeline and alignment with Virginia’s model. The lack of a revenue-only threshold means smaller businesses processing significant volumes of data must comply. Indiana does not require universal opt-out mechanisms, distinguishing it from some other state laws. The generous two-and-a-half-year preparation period (signed May 2023, effective January 2026) demonstrates legislative pragmatism.

Rhode Island: Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Effective Date: January 1, 2026

Scope:

Applies to for-profit entities conducting business in Rhode Island or targeting Rhode Island residents and:

• Control or process personal data of 35,000 or more Rhode Island residents (excluding payment transaction data).
• Control or process personal data of 10,000 or more residents if over 20% of gross revenue comes from selling personal data.

Consumer Rights (called “Customers” in this law):

• Access and Confirmation: Right to confirm whether personal data is being processed and access that data.
• Correction: Right to correct inaccuracies in personal data.
• Deletion: Right to delete personal data.
• Data Portability: Right to obtain a copy of personal data in a portable format.
• Opt-Out Rights: Ability to opt out of:
  • Sales of personal data
  • Targeted advertising
  • Profiling that presents risks of unfair/deceptive treatment, financial/physical injury, or intrusion

Business Requirements:

• Universal Privacy Notice Requirement: ANY commercial website or internet service provider that “collects, stores, and sells” personally identifiable information must:
  • Designate a controller
  • Post a privacy notice identifying:
    • All categories of personal data collected
    • Third parties to which data has been or may be sold
    • Online mechanism to contact the controller
  • This applies regardless of volume thresholds
• Data Minimization: Limit collection and processing to what is adequate, relevant, and reasonably necessary.
• Data Security: Maintain reasonable administrative, technical, and physical security practices.
• Consent for Sensitive Data: Required before processing sensitive data (racial/ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, genetic/biometric data, known children’s data, precise geolocation).
• Data Protection Impact Assessments: Required for:
  • Targeted advertising
  • Sale of personal data
  • Profiling with unreasonably foreseeable risks
  • Processing sensitive data
  • Any processing presenting heightened risk of harm
  • Note: Applies only to processing activities from January 1, 2026 onward (not retroactive).
• Third-Party Data Sales Disclosure: Must “clearly and conspicuously disclose” if selling data or processing for targeted advertising.

Enforcement:

• Enforcer: Rhode Island Attorney General (exclusive authority, no private right of action)
• Cure Period: NONE – Unique among state laws
• Penalties:
  • $100 to $500 per intentional disclosure violation
  • Up to $10,000 per violation under Rhode Island’s deceptive trade practices law

Notable Features:

• Terminology: Uses “customers” instead of “consumers”
• No Universal Opt-Out Requirement: Unlike some states, Rhode Island does not require recognition of universal opt-out mechanisms
• 15-Day Consent Revocation: Controllers must suspend processing within 15 days when consent is revoked
• Broad Privacy Notice Applicability: The privacy notice requirement applies to virtually all commercial websites/internet service providers that sell data, not just those meeting volume thresholds

Commentary:

Rhode Island’s law stands out for its lack of a cure period, making it potentially the strictest enforcement regime among state laws. The broad privacy notice requirement creates compliance obligations for many small businesses that wouldn’t otherwise fall under state privacy laws. Consumer advocates criticized the law for not meaningfully limiting data collection or use, but the absence of a cure period and relatively low applicability thresholds (35,000 consumers) demonstrate genuine privacy protections. The law’s drafting has some ambiguities, particularly around undefined terms like “personally identifiable information.”

Key Themes Across 2026 Privacy Laws

Convergence with Virginia Model

All three 2026 laws follow the Virginia VCDPA framework rather than California’s CCPA approach, creating consistency for businesses already compliant with Virginia-style regulations.

Lower Thresholds = Broader Impact

• Kentucky & Indiana: 100,000/25,000 thresholds
• Rhode Island: 35,000/10,000 thresholds (among the lowest nationally, alongside Delaware, Maryland, and New Hampshire)
• These lower thresholds bring mid-sized businesses into compliance scope

Sensitive Data Protection

All three laws require opt-in consent for sensitive data processing, including:

• Racial/ethnic origin
• Religious beliefs
• Health information
• Sexual orientation
• Citizenship/immigration status
• Genetic and biometric data
• Children’s data
• Precise geolocation (Rhode Island)

Data Protection Impact Assessments (DPIAs)

All three laws mandate DPIAs for high-risk processing activities, with prospective-only requirements (not retroactive to existing processing).

Enforcement Variations

• Kentucky & Indiana: 30-day cure periods
• Rhode Island: No cure period (immediate enforcement)
• All three: Attorney General exclusive enforcement (no private right of action)

No Universal Opt-Out Requirement

Unlike states such as California, Colorado, and Connecticut, these 2026 laws do not require businesses to recognize universal opt-out mechanisms (e.g., Global Privacy Control).

Implications for Businesses

Multi-State Compliance Complexity

With 20+ states now having comprehensive privacy laws (and more pending), businesses face an increasingly complex patchwork. Companies must:

• Map which state laws apply based on their operations and consumer base
• Implement systems to handle varying requirements for notice, consent, and opt-outs
• Maintain separate compliance programs or adopt the most stringent requirements universally

Small Business Impact

The absence of revenue thresholds in Kentucky and Indiana, combined with Rhode Island’s broad privacy notice requirements, means small and mid-sized businesses must now seriously consider privacy compliance, not just large enterprises.

Preparation Timeline

Businesses had generous lead times:

• Kentucky: Signed April 2024, effective January 2026 (21 months)
• Indiana: Signed May 2023, effective January 2026 (31 months)
• Rhode Island: Signed June 2024, effective January 2026 (19 months)

Those who waited until late 2025 will need to move quickly to achieve compliance.

Rhode Island’s Strict Enforcement

The lack of a cure period in Rhode Island creates significant risk. A single violation could result in immediate fines without opportunity to remediate. This may lead to:

• Higher compliance investment for Rhode Island specifically
• Increased insurance costs for businesses operating in the state
• More cautious data practices overall

Alignment Opportunities

Because all three laws follow the Virginia model, businesses that have already implemented Virginia-compliant programs will find adaptation relatively straightforward. Core requirements are consistent:

• Opt-out model (not opt-in for general data)
• Similar consumer rights (access, deletion, correction, portability, opt-out)
• DPIA requirements for the same categories of processing
• Similar exemptions for HIPAA, GLBA, nonprofits, etc.

What You Need to Do About the 2026 Privacy Laws

Immediate Actions (If Not Already Complete):

1. Applicability Assessment: Determine if your business meets the thresholds for Kentucky, Indiana, and/or Rhode Island based on:
   • Number of state residents whose data you process
   • Revenue derived from data sales
   • Whether you target products/services to these states
2. Data Mapping: Conduct comprehensive data inventory to understand:
   • What personal data you collect
   • Where it comes from
   • How you use it
   • Who you share it with
   • Where it’s stored
3. Update Privacy Notices: Ensure your privacy policies include all required elements:
   • Categories of data collected
   • Purposes for processing
   • Third parties with whom data is shared
   • Consumer rights and how to exercise them
   • Opt-out mechanisms for sales and targeted advertising
4. Implement Consumer Rights Mechanisms:
   • Create systems to verify consumer identity
   • Establish processes to respond to access, deletion, correction, and portability requests within 45 days
   • Set up appeal processes (60-day response requirement)
   • Prepare to report denied appeals to state Attorneys General
5. Consent Management for Sensitive Data:
   • Identify all sensitive data processing
   • Implement opt-in consent mechanisms
   • Ensure consent is “clear, affirmative, freely given, specific, informed, and unambiguous”
6. Data Protection Impact Assessments:
   • Conduct DPIAs for:
     • Targeted advertising
     • Data sales
     • Profiling activities
     • Sensitive data processing
     • Any high-risk processing
   • Document assessments and keep them confidential
   • Remember: Kentucky DPIAs required for activities after June 1, 2026; Indiana and Rhode Island from January 1, 2026
7. Security Measures:
   • Implement appropriate administrative, technical, and physical safeguards
   • Ensure compliance with reasonable security standards
8. Vendor Contracts:
   • Review and update processor agreements to ensure GDPR-style contractual provisions
   • Ensure vendors commit to assisting with consumer rights requests and security obligations
9. Rhode Island-Specific:
   • If you operate ANY commercial website selling data in Rhode Island, designate a controller and post required privacy notice regardless of volume
   • Implement 15-day maximum timeline for suspending processing after consent revocation
   • Prepare for enforcement without cure period (strict compliance required)
10. Training:
    • Train employees on new privacy requirements
    • Ensure customer-facing teams understand consumer rights
    • Educate legal and compliance teams on state-specific variations

Strategic Considerations:

Option 1: State-by-State Compliance Implement different requirements for each state based on consumer location. This is complex but may be more cost-effective for businesses with limited exposure to certain states.

Option 2: Harmonized Compliance Adopt the strictest requirements across all operations (e.g., treat all consumers as if they have Rhode Island-level protections). This simplifies compliance but may impose unnecessary restrictions in some jurisdictions.

Option 3: Multi-Tiered Approach Create compliance tiers based on risk profiles:

• Tier 1: States with cure periods and less stringent enforcement (Kentucky, Indiana)
• Tier 2: States without cure periods or stricter requirements (Rhode Island)
• Tier 3: States with private rights of action (currently none in 2026 laws, but California has this)

Ongoing Obligations:

• Annual DPIAs: Conduct assessments annually or when processing activities change significantly
• Privacy Notice Updates: Review and update notices whenever data practices change
• Consumer Request Monitoring: Track and respond to consumer requests within required timeframes
• Compliance Audits: Regularly assess adherence to all applicable state laws
• Legislative Monitoring: Stay informed about new state laws and amendments to existing laws

The 2026 laws represent continued momentum in U.S. state-level privacy regulation. With 20 states now having comprehensive privacy laws and more considering legislation in 2026-2027, businesses should anticipate:

• Further state legislation from Massachusetts, Michigan, Pennsylvania, and others
• Amendments to existing laws (e.g., Connecticut’s July 2026 amendments lowering thresholds to 35,000)
• Increased enforcement activity as laws mature and Attorneys General gain experience
• Potential federal legislation that could preempt state laws (though prospects remain uncertain)
• Technology-specific regulations focusing on AI, biometric data, and children’s privacy

The lack of federal comprehensive privacy legislation means the state patchwork will continue growing, making proactive compliance and scalable privacy programs essential for businesses of all sizes.