Introduction
In 2026, three significant state privacy laws will come into effect that will reshape privacy protection, consumer rights, and data practices across the United States: the Kentucky Consumer Data Protection Act (KCDPA), the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), and the Indiana Consumer Data Protection Act (INCDPA). These laws mark a growing shift toward comprehensive privacy laws at the state level, creating standards for processing personal and sensitive data while granting consumers new rights over their information.
Businesses operating in Kentucky, Indiana, and Rhode Island must prepare to comply with new privacy laws taking effect on January 1, 2026.
Across all three jurisdictions, businesses that conduct business, offer goods or services to residents, or otherwise process personal data of individuals within the state must prepare for compliance to avoid civil penalties, reputational harm, and enforcement actions by the state attorney general. These laws integrate familiar protections such as rights to access, correct, delete, and port personal data, as well as opt-out mechanisms for activities like targeted advertising, data sales, and high-risk profiling.
The new privacy laws grant residents rights over their personal information, requiring businesses to modify their policies and practices accordingly.
For privacy professionals and businesses, understanding these state laws is essential for a modern privacy compliance strategy, especially given new obligations such as data protection assessments, data processing agreements, and robust security measures. This article provides a detailed exploration of each state’s requirements, how they affect business operations, and what companies must do to comply by January 1, 2026.
Kentucky Consumer Data Protection
The Kentucky Consumer Data Protection Act (KCDPA) creates a new framework regulating how businesses collect, handle, and protect the personal data of Kentucky residents. This law is part of a growing wave of state consumer privacy laws that adopt modern privacy protections modeled on earlier statutes such as the Virginia Consumer Data Protection Act.
Under the KCDPA, processing sensitive data, such as children’s information, health details, sexual orientation, immigration status, biometric identifiers, and exact geolocation, requires obtaining the consumer’s opt-in consent. Businesses must implement additional safeguards when handling these categories of sensitive information.
The KCDPA also defines the sale of personal data as a sale for monetary consideration only, clarifying that an exchange must involve monetary value to be considered a sale under this law.
Scope and Applicability
The KCDPA applies to entities that conduct business in Kentucky or target Kentucky residents and that meet defined data volume thresholds. Specifically, a business is in scope if it controls or processes personal data of at least 100,000 consumers in a calendar year, or 25,000 consumers where the business derives more than 50% of its gross revenue from the sale of personal data.
Notably, certain categories of data and entities are exempted, including information governed by federal laws such as HIPAA and GLBA, as well as data used exclusively for employment or business-to-business purposes. The KCDPA includes broad exemptions for specific categories of entities and data types, which can significantly reduce the scope of the law depending on the circumstances. This aligns Kentucky’s scope with that of other state privacy laws while clarifying that not all data types or processors are covered.
Consumer Rights and Obligations
Under the KCDPA, Kentucky residents specifically gain a suite of consumer rights:
- Right to access personal data and confirm whether it is being processed.
- Right to correct inaccuracies in personal data.
- Right to delete personal data in certain circumstances.
- Right to data portability, enabling consumers to obtain copies of their data in a usable format.
- Right to opt-out of processing for targeted advertising, the sale of personal data, and certain types of profiling.
The law also requires opt-in consent before businesses may process sensitive data, which includes categories like biometric data, genetic data, and other sensitive personal information.
Business Requirements
To support these rights and protect personal data, the KCDPA obligates controllers to:
- Provide clear and concise privacy notices outlining personal data collection, purposes, and data sharing practices.
- Implement data protection assessments for high-risk processing activities, including processing sensitive data, targeted advertising, and the sale of personal data.
- Enter into data processing agreements with third parties that handle personal data on their behalf, ensuring confidentiality and compliance with controller instructions.
- Maintain reasonable security measures to safeguard personal data against unauthorized access or disclosure.
- Provide consumers with an online mechanism to submit complaints to the Attorney General, ensuring consumers have a direct channel for recourse.
Despite granting important consumer protections, the KCDPA does not require businesses to recognize universal opt-out mechanisms (e.g., Global Privacy Control or similar browser-based signals), which are seen in other state laws. This means opt-out requests must be processed through mechanisms established directly by the business.
Enforcement
Enforcement falls exclusively to the Kentucky Attorney General, and while there is no private right of action, violations may result in civil penalties of up to $7,500 per violation after a mandatory 30-day cure period.
For businesses that do not currently comply with existing state privacy standards, preparing for the KCDPA involves updating privacy notices, consent flows, data protection assessments, and internal request-handling procedures. Given its intersection with other state laws, a holistic privacy compliance approach is advisable.

Rhode Island Data Protection
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) represents Rhode Island’s inaugural comprehensive state privacy legislation, taking effect on January 1, 2026. This statute applies to businesses operating in Rhode Island and creates comprehensive protections for Rhode Island residents, introducing detailed requirements impacting how businesses collect, disclose, and manage personal data. Rhode Island’s law uniquely requires companies that sell data to list all third parties to whom data is sold.
Applicability and Thresholds
The RIDTPPA applies to any for-profit entity that:
- Conducts business in Rhode Island or provides products/services to Rhode Island residents, and
- Controlled or processed the personal data of at least 35,000 residents during the prior calendar year; or
- Controlled or processed data of at least 10,000 residents and derived 20% or more of gross revenue from selling personal data.
Notably, unlike many state laws, a commercial website or online service provider that collects, stores, or sells personal information must provide a privacy notice tailored to Rhode Island requirements, regardless of whether it meets the full applicability threshold.
Consumer Rights and Consent
Rhode Island residents will enjoy a familiar and robust set of consumer rights, including:
- Access to personal data being processed and confirmation of such processing.
- Correction of inaccurate personal data.
- Deletion requests.
- Data portability, in a clear, usable format.
- Opt-out of processing personal data for targeted ads, data sales, and profiling used for automated decisions with legal or similar effects.
For sensitive personal information, which includes categories such as sexual orientation, genetic or biometric data, precise geolocation, and children’s data (personal data collected from known children under 13), as well as other high-impact categories, controllers are required to obtain opt-in consent before processing. Sensitive data can only be processed with opt-in consent under the new privacy laws in Kentucky, Indiana, and Rhode Island.
Notice and Transparency Obligations
A distinctive element of the RIDTPPA is its prescriptive notice requirements for commercial websites and internet service providers. This includes:
- Identification of categories of personal data collected via online services.
- Listing all third parties to whom personal data has been or may be sold.
- Providing an active contact mechanism (such as an email address) for consumer inquiries.
Unlike some other state privacy statutes, the RIDTPPA does not require the recognition of universal opt-out mechanisms, meaning that businesses must implement opt-out systems directly.
Processor and Controller Responsibilities
Under the RI law, entities that determine purposes and means of processing (controllers) and those processing on their behalf (processors) must:
- Enforce data processing agreements that define scope, duration, and confidentiality duties.
- Assist with consumer request handling and data protection assessments for high-risk activities, such as selling personal data or targeted advertising.
- Maintain reasonable administrative, technical, and physical safeguards to protect personal data.
Controllers must respond to verified rights requests within 45 days, with a possible extension of another 45 days for complex scenarios. An appeals process must be made available for denials, and consumers may escalate unresolved complaints to the Rhode Island Attorney General.
Enforcement and Penalties
The Rhode Island attorney general holds exclusive enforcement authority. Unlike many state laws, the RIDTPPA does not provide a cure period for violations; non-compliance can immediately trigger penalties.
Civil penalties can reach $10,000 per violation, and intentional unauthorized disclosures of personal data can incur additional fines between $100 and $500 per incident.
Given the RIDTPPA’s broad scope and operational requirements, especially for companies with commercial websites or online services, organizations must ensure transparency in data practices, update privacy notices, adopt clear opt-in and opt-out mechanisms, and align data flows with consumer rights workflows by the effective date.

Indiana Consumer Data Protection
The Indiana Consumer Data Protection Act (INCDPA) is Indiana’s first comprehensive privacy statute, bringing another set of consumer privacy laws into force as of January 1, 2026. It aligns closely with other mid-Atlantic and Midwest privacy frameworks while offering business-oriented structuring of requirements.
Scope and Thresholds
Similar to Kentucky, the INCDPA applies to entities that:
- Conduct business in Indiana or target Indiana residents.
- Control or process the personal data of at least 100,000 consumers annually, or
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of gross revenue from data sales.
All three laws apply to businesses that control or process the personal data of a specified number of consumers annually.
In Indiana, the sale of personal data is defined as a sale for monetary consideration only.
Consumer Protections
Under the INCDPA, Indiana residents gain important consumer rights over their personal information:
- Access and audit trails related to the processing of personal data.
- Correction of inaccurate information.
- Deletion rights.
- Data portability or provision of a representative summary of data held.
- Opt-out of processing for the sale of personal data, targeted advertising, and certain profiling activities.
Indiana also requires that businesses obtain consent before processing sensitive data, aligning with other state privacy laws like Kentucky and Rhode Island.
Business and Compliance Requirements
Controllers under the INCDPA must provide:
- Clear privacy notices detailing categories of personal data collected, processing purposes, and rights afforded to consumers.
- Mechanisms to handle consumer requests reliably, including opt-out, access, deletion, and portability workflows.
In addition, businesses must implement data protection assessments for activities that may present elevated risk, particularly those involving targeted advertising or profiling with automated decision-making that may have similarly significant effects on individuals.
Third-party vendor arrangements must include data processing agreements to ensure processors adhere to controller instructions and required security measures, as Kentucky and Rhode Island require.
Enforcement
Enforcement is entrusted to the Indiana Attorney General, with a 30-day cure period similar to Kentucky. Penalties for violations can reach $7,500 per violation, and there is no private right of action for consumers.
Indiana’s law intentionally aligns many requirements with those in other states to facilitate cross-jurisdictional compliance, but businesses should still evaluate specific obligations regarding universal opt-out signals, consent mechanisms, and profiling disclosures early in their compliance efforts.
Compliance Strategy for New Laws
In anticipation of the January 1, 2026, effective date, a comprehensive compliance strategy is critical. At a minimum, businesses should:
- Conduct data mapping to identify all personal and sensitive data flows across systems.
- Inventory vendor and third-party relationships, ensuring data processing agreements align with new statutory obligations.
- Update privacy notices to reflect detailed disclosures for each state where personal data is processed or residents are targeted.
- Review existing laws that may be amended or impact compliance, such as the Connecticut Data Privacy Act, to ensure all requirements are met.
- Seek further details through webinars or events to stay updated on compliance requirements for Kentucky, Rhode Island, Indiana, and other relevant jurisdictions.
Handling Consumer Requests
Mechanisms must be tested and validated for:
- Access and data portability requests
- Correction requests
- Deletion requests
- Opt-out mechanisms for targeted advertising and sales of personal data
Systems should support reliable verification and timelines to meet statutory response windows (e.g., Rhode Island’s 45-day rule).
Security and Training
Robust data protection measures such as encryption, access controls, audit trails, and incident response play a central role in compliance. Employee training on privacy obligations, consumer interaction processes, and escalation paths is necessary.
Ongoing Review
Laws evolve. Regularly monitoring developments in other state privacy laws and updating compliance frameworks helps prevent gaps, especially as standards such as universal opt-out mechanisms and new consumer rights feature more prominently over time.
Where interpretations are complex, such as automated decision making, similarly significant effects, and the classification of data as “sensitive”, organizations should consult legal counsel to define risk exposure and refine operational requirements.
Conclusion
The Kentucky Consumer Data Protection Act, Rhode Island Data Transparency and Privacy Protection Act, and Indiana Consumer Data Protection Act collectively usher in a new era of state privacy laws effective in early 2026. By expanding consumer rights, mandating privacy protection practices, and enforcing compliance through state attorneys general, these laws will shape how businesses collect, process, and protect personal data in a landscape without a comprehensive federal privacy standard.
To prepare, organizations must adopt robust privacy compliance strategies, update operational procedures, and ensure that privacy practices reflect both state-specific and cross-jurisdictional requirements. Legal counsel and privacy professionals should be engaged early to navigate nuances in consent models, risk assessments, security obligations, and evolving standards. With the right approach, businesses can turn compliance into a competitive advantage while honoring the fundamental privacy rights that consumers increasingly demand.


