Three States Will Ring In 2026 With New Privacy Laws

Kentucky, Indiana, and Rhode Island will kick off the new year by effectuating comprehensive consumer data privacy laws, ushering in new compliance obligations for businesses nationwide that meet the new laws' thresholds. These laws – the Kentucky Consumer Data Privacy Act (KCDPA), the Indiana Consumer Data Protection Act (ICDPA), and the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) – reflect the continued momentum of state-level privacy regulation and will bring the total number of states with comprehensive consumer privacy laws in force to 19.

KCDPA and ICDPA closely track the frameworks established by other state privacy regimes, applying to companies that do business in the state and annually either process data from at least 100,000 residents or from at least 25,000 residents while deriving more than 50% of their annual revenue from the sale of personal information. Both laws exempt nonprofits, higher education institutions, and entities already regulated under HIPAA or GLBA. Neither the KCDPA nor the ICDPA creates a private right of action.

While RIDTPPA broadly conforms to this pattern, it deviates in some notable ways. It has a relatively low applicability threshold, applying to companies that do business in the state and annually either process data from at least 35,000 residents, or from at least 25,000 residents while deriving more than 20% of their annual revenue from the sale of personal information, and contains an entity-level exemption for GLBA-regulated entities, but only a data-level exemption with respect to HIPAA data. Perhaps most notably, it requires companies that sell personal information to disclose the identity of all third parties to whom they sell such information (without the need for a consumer to actively request this information, which is common in other state data privacy laws with a similar requirement). RIDTPPA does not create a private right of action.

For companies operating across multiple jurisdictions, these three laws underscore the complexity of the U.S. privacy landscape. Compliance teams will need to update privacy notices, implement mechanisms for responding to consumer rights requests, and evaluate data-sharing practices to avoid enforcement actions. With enforcement beginning on January 1, 2026, businesses should act now to align policies and procedures with these new requirements. Taken together, Kentucky, Indiana, and Rhode Island's laws reinforce the trend toward a patchwork of state privacy statutes, making it increasingly critical for organizations to adopt scalable, nationwide compliance strategies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.