Three New U.S. State Privacy Laws Take Effect: What Changed on 1 January 2026

On 1 January 2026, three additional U.S. state-level comprehensive privacy laws came into force: Indiana, Kentucky, and Rhode Island. While each law broadly follows the now-familiar ‘Virginia-style’ consumer privacy model, focused on controller and processor responsibilities rather than individual litigation, the differences between them matter. Together, these laws continue the steady expansion of the U.S. state privacy patchwork and further raise the compliance bar for organisations handling U.S. personal data. 

Indiana: Incremental but Operationally Significant

Indiana’s Consumer Data Protection Act applies to organisations that conduct business in Indiana (or target Indiana residents) and meet data-processing thresholds tied to either scale or revenue from data sales. Like many peer laws, it excludes employment and business-to-business data and provides standard exemptions for regulated data such as health and financial information.

From a consumer perspective, Indiana residents gain rights to access, correct and delete copies of their personal data, as well as the ability to opt out of targeted advertising, the sale of personal data, and certain profiling activities. Controllers must also provide an appeals process when requests are denied.

For organisations, the most significant operational impact lies in governance. Controllers must implement clear privacy notices, apply data minimisation principles, maintain reasonable security safeguards, and obtain opt-in consent before processing sensitive data. Data protection impact assessments are required for higher-risk processing activities carried out on or after the law’s effective date. Enforcement sits exclusively with the Indiana Attorney General, includes a 30-day cure period, and carries civil penalties of up to $7,500 per violation.

Kentucky: Familiar Structure with a Delayed Assessment Requirement

Kentucky’s Consumer Data Protection Act mirrors Indiana’s structure closely, both in scope and in substance. It applies to organisations meeting similar processing thresholds and likewise excludes employment and B2B data. Consumer rights follow the same core pattern: access, correction, deletion, portability, opt-out rights for targeted advertising and sales, and the right to appeal a controller’s decision.

Sensitive data processing requires opt-in consent, and children’s data is aligned with established federal parental-consent standards. Controllers must provide clear privacy notices, apply data minimisation principles, and maintain reasonable security controls.

Where Kentucky stands out is timing. While the law itself took effect on 1 January 2026, its data protection assessment requirements do not apply until later in the year. This provides organisations with a short grace period to formalise risk-assessment processes for activities such as targeted advertising and the sale of personal data. As with Indiana, enforcement is reserved to the state Attorney General, includes a 30-day cure period, and allows for penalties of up to $7,500 per violation. In practice, the 30-day cure period means organisations are given formal notice of an alleged violation and a defined window to correct non-compliant practices before fines or other enforcement measures can be pursued.

Rhode Island: Lower Thresholds and Stronger Transparency

Rhode Island’s Data Transparency and Privacy Protection Act is the most distinctive of the three. It applies to organisations processing data about a significantly smaller number of individuals and introduces a lower revenue threshold tied to data sales. As a result, many organisations that fall below the radar in other states may still be in scope in Rhode Island.

Consumer rights broadly align with those in Indiana and Kentucky, but Rhode Island places particular emphasis on transparency. Controllers must publish conspicuous privacy notices that not only describe what data is collected and why, but also identify third parties to whom personal data has been sold, or may be sold. This forward-looking disclosure requirement goes beyond many other state laws.

The law also introduces clearer expectations around consent management. Sensitive data requires opt-in consent, consent must be revocable, and processing must cease shortly after revocation. Rhode Island explicitly addresses deceptive patterns, reinforcing that consent must be freely given and not manipulated. Data protection impact assessments are required for higher-risk processing activities conducted from 1 January 2026 onward.

From an enforcement standpoint, Rhode Island is stricter than its peers. There is no statutory cure period, penalties can reach higher per-violation amounts, and additional fines may apply for unauthorised disclosures. As with the other states, enforcement authority rests solely with the Attorney General.

Why These Laws Matter

Taken together, the Indiana, Kentucky, and Rhode Island laws represent a continuing trend in U.S. privacy regulation: convergence in core consumer rights, paired with meaningful divergence in thresholds and enforcement mechanics. For organisations, compliance can no longer rely on a single ‘one-size-fits-all’ U.S. privacy approach. The Data Management Lifecycle must now be flexible enough to accommodate state-specific nuances.
