Three States, One Date: Ringing In The New Year With Indiana, Kentucky, And Rhode Island

Indiana, Kentucky, and Rhode Island rang in the new year with their comprehensive privacy laws taking effect on January 1, 2026. Almost half of US states now have these fairly similar laws in place. Nuances exist from jurisdiction to jurisdiction, making it more relevant than ever to have an adaptive approach to privacy compliance.

While not a lot in these states is new, there are nuances worth noting. Indiana and Kentucky join seven other states with an opportunity to cure a violation of the law. Which cure period does not expire. Rhode Island, on the other hand, does not give an opportunity to cure. Rhode Island's law applies if the company has information of 35,000 residents. While this is a lower threshold than many other states, the state itself is less populated.

Other requirements to keep in mind are that consumers in those locations will now have access, correction, deletion, and portability rights. In Indiana, the correction obligations are limited to information the person submitted. Companies should also keep in mind that these residents now have certain controls over targeted advertising and sensitive data (e.g., health, religion). As in all states except Iowa and Uta,, high-risk profiling, sensitive information, selling data, and targeted advertising triggers a Data Protection Impact Assessment.

Putting it into Practice: These three are among the more "business-friendly" of the comprehensive privacy laws. Nevertheless, as the number of states with this obligations grow, having an adaptive and principles-based approach to compliance gives companies more flexibility. This is especially true as several states (for example, California, Colorado, Connecticut, Montana, and Oregon) have demonstrated a willingness to amend laws after taking effect.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.