LawSnap
Privacy Artificial Intelligence

New Privacy Laws Take Effect in Indiana, Kentucky, Rhode Island on Jan 1, 2026

Published
Source National Law Review open_in_new
Score
11

Why it matters

On January 1, 2026, comprehensive consumer privacy laws activated in Indiana (Consumer Data Protection Act, IN SB 5), Kentucky (Consumer Data Protection Act, KY HB 15), and Rhode Island (Data Transparency and Privacy Protection Act, RI HB 7787/SB 2500), bringing the total to 20 U.S. states with such statutes.[1][2][3][4][6] These laws grant consumers rights to access, correct, delete, and opt out of data sales/sharing, with nuances like Rhode Island's low applicability thresholds (35,000 consumers or 10,000 if >20% revenue from data sales) and Kentucky's amendments on health data exemptions and profiling assessments.[2][4] Concurrently, updates in states like Oregon (mandatory universal opt-out signals, bans on selling minors' or precise geolocation data), California (automated decision-making regs, data broker expansions), Connecticut, Arkansas, and Utah heightened restrictions on minors' data, AI profiling, and opt-outs.[1][4][5][6]

Key players include state legislatures passing the laws, attorneys general for enforcement (e.g., fines of $7,500–$20,000 per violation, escalating for minors or per consumer), and agencies like California's CPPA (first enforcement actions in 2025 against Tractor Supply, Honda).[1][4][5][6] Businesses face compliance burdens for data inventories, consent mechanisms, processor agreements, and Global Privacy Control (GPC) recognition, amid multi-state AG sweeps on opt-outs.[2][5][6] No federal law exists, forcing a patchwork approach modeled partly on Virginia's framework.[2][3]

This stems from California's 2018 CCPA pioneering state-level protections, with steady growth (no new laws in 2025, first pause since 2018) amid rising public demand for data control post-high-profile breaches and AI concerns.[3][6] Timeline: Laws signed pre-2026; Indiana/Kentucky/Rhode Island effective Jan 1; Oregon cure period ends; California assessments due 2028.[1][4]

Newsworthy as these activations demand immediate multi-state compliance amid intensifying enforcement (e.g., 2025 GPC sweeps by CA/CO/CT AGs/CPPA, looming audits on minors' data/AI), amplifying the "compliance tightrope" without federal uniformity—especially timely days after Jan 1 amid 16 states eyeing bills.[3][5][6][7]

Sources

[1] https://www.smarsh.com/blog/thought-leadership/data-privacy-laws/
[2] https://www.bassberry.com/news/countdown-to-compliance-navigating-2026-privacy-laws-and-regulations/
[3] https://www.dataprivacyandsecurityinsider.com/2025/12/new-state-privacy-laws-expand-consumer-data-control-in-2025/
[4] https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026
[5] https://www.afslaw.com/perspectives/privacy-counsel/new-era-us-privacy-enforcement-has-only-just-begun-2025-trends-and
[6] https://www.whitecase.com/insight-alert/privacy-and-cybersecurity-2025-2026-insights-challenges-and-trends-ahead
[7] https://www.nelsonmullins.com/insights/alerts/privacy_and_data_security_alert/all/from-privacy-impact-assessments-to-algorithmic-accountability-2026-s-top-privacy-and-ai-compliance-priorities
[8] https://ktslaw.com/en/Blog/GlobalPrivacy-and-CybersecurityLaw/2026/1/Looking-Ahead-to-Privacy-and-Similar-Issues-for-2026
mail

Get notified about new Privacy developments

Primary sources. No fluff. Straight to your inbox.

Related

View all Privacy

See more entries tagged Privacy.