The new year brought the most significant expansion of state privacy regulation in U.S. history. On January 1, 2026, three new comprehensive privacy laws took effect simultaneously: the Indiana Consumer Data Protection Act (ICDPA), the Kentucky Consumer Data Protection Act (KCDPA), and the Rhode Island Data Transparency and Privacy Protection Act (DTPPA). These laws join 17 existing state privacy regimes, bringing the total to 20 states with comprehensive consumer privacy protections covering over 200 million Americans. But the changes extend far beyond new state activations. California launched its Delete Requests and Opt-Out Platform (DROP), a centralized system through which consumers can ask every registered data broker to delete their data with a single request. Oregon banned the sale of precise geolocation data and of personal data about consumers under 16. Connecticut added neural data from brain-computer interfaces to its sensitive-data category. The message is unmistakable: state privacy law is now the default national standard, and businesses operating across state lines must comply with a patchwork of requirements that grows more complex each quarter.
⚠️ Important: 🚨 COMPLIANCE DEADLINE ALERT: If your business processes data from residents of Indiana (6.8M), Kentucky (4.5M), or Rhode Island (1.1M), you must comply immediately. Rhode Island has NO cure period: the Attorney General can seek fines of up to $10,000 per violation without first offering a chance to fix the problem. Kentucky moved from a breach-notification-only regime to a comprehensive privacy law. Indiana's law reaches its large pharmaceutical, manufacturing and motorsports sectors like any other business that meets the thresholds. Check your customer base NOW.
Indiana Consumer Data Protection Act (ICDPA): Pharma & Racing Hub Compliance
• Effective Date: January 1, 2026 (ACTIVE NOW)
• Applicability Threshold: Businesses processing 100,000+ Indiana residents' data OR 25,000+ with 50%+ revenue from data sales
• Enforcement: Indiana Attorney General
• Penalties: Up to $7,500 per violation
• Cure Period: 30 days for good-faith violations
• Private Right of Action: No (AG enforcement only)
• Conduct business in Indiana OR target Indiana residents
• Process personal data of 100,000+ Indiana consumers annually
• OR process data of 25,000+ Indiana consumers with 50%+ revenue from data sales
• Applies regardless of physical presence in Indiana (e-commerce, SaaS, apps all covered)
• Access: Confirm whether processing consumer's data, provide copy
• Deletion: Delete consumer's personal data upon request
• Correction: Correct inaccurate personal data
• Data Portability: Provide data in portable, readily usable format
• Opt-Out: Right to opt out of data sales, targeted advertising, profiling
• Clear, conspicuous privacy notice must disclose:
  • Categories of personal data processed
  • Purposes of processing
  • Categories of data shared with third parties, and the categories of those third parties
  • How to exercise consumer rights (access, deletion, correction, portability, opt-out) and how to appeal a denied request
  • Whether the controller sells personal data or uses it for targeted advertising, and how to opt out
  • Contact information for privacy inquiries
• Required for processing activities presenting heightened privacy risk:
  • Targeted advertising
  • Sale of personal data
  • Profiling with legal/significant effects
  • Sensitive data processing (health diagnosis, biometric, genetic, precise geolocation)
  • Processing data of children under 13
• Must document:
  • Benefits of processing
  • Privacy risks to consumers
  • Safeguards implemented to mitigate risks
• Opt-in consent required before processing sensitive data, which ICDPA defines as:
  • Racial or ethnic origin, religious beliefs
  • Mental or physical health diagnosis (health data outside HIPAA)
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual (fingerprints, facial recognition, voice)
  • Personal data collected from a known child (under 13)
  • Precise geolocation (within 1,750 feet)
• Financial account data is not in the statutory sensitive-data definition; it remains ordinary personal data subject to the law's other duties
• Universal opt-out signals: ICDPA does not itself require honoring browser or device signals such as Global Privacy Control (GPC), unlike Oregon (from January 1, 2026), California, Colorado, Connecticut and several other states
• Because those states do require it and a signal cannot be tied to a state without geolocating the visitor, most multi-state businesses honor GPC everywhere as an opt-out of sale and targeted advertising
• Cannot require a consumer to create a new account to exercise any right (use of an existing account may be required); opt-out mechanisms must therefore work for logged-out visitors
• Clinical trial and other human-subjects research data handled under the Common Rule (45 CFR Part 46) or ICH good clinical practice guidelines is exempt, as is HIPAA protected health information; data outside those exemptions (for example, marketing to prospective trial participants) is fully covered
• Patient recruitment platforms must honor consumer rights, including opt-out of targeted advertising and sale
• Health diagnosis data held outside HIPAA (wellness programs, consumer health apps) is sensitive data requiring opt-in consent
• Employee and job-applicant data is not covered: ICDPA's definition of "consumer" excludes individuals acting in a commercial or employment context
• Fan databases (ticket purchases, merchandise, loyalty programs)
• Racing telemetry and driver biometrics (if identifiable to individuals)
• Hospitality and VIP guest information
• Mobile app user tracking and targeted advertising
• Employee monitoring data (productivity tracking, time clocks) is excluded by ICDPA's employment-context carve-out, though other laws may apply
• Supply chain partner contacts acting in a business capacity are likewise outside the law's "consumer" definition
• Customer order and delivery information
• Industrial IoT device data (if linked to individuals)
• Business makes good-faith effort to comply
• Violation is not willful or reckless
• Business cures violation within 30 days of notice
• Repeated violations after previous cure
• Willful or reckless disregard for ICDPA
• Egregious violations (massive data breach, intentional sale of children's data)
• Inventory Indiana customer base: Do you process data of 100,000+ Indiana consumers, or 25,000+ while deriving more than 50% of gross revenue from data sales?
• Update privacy policy to include ICDPA-required disclosures
• Implement consumer rights request process (access, deletion, correction, portability, opt-out)
• Honor Global Privacy Control (GPC) signals on your website (not mandated by ICDPA, but required in Oregon, California, Colorado and other states; honoring it uniformly is the simplest multi-state approach)
• Conduct data protection assessments for targeted advertising, profiling, sensitive data
• Review vendor contracts: Do third-party processors comply with ICDPA?
• Train customer service team on handling ICDPA rights requests
• Set up tracking system for 45-day response deadline
• Audit sensitive data collection: Is opt-in consent obtained?
• Test consumer rights request workflow (mock requests)
• Monitor for AG enforcement actions, adjust compliance based on early cases
• Document all compliance efforts for potential AG inquiry
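Honoring the Global Privacy Control signal is mostly server-side plumbing, and the same handler serves every state that requires it (Oregon's universal opt-out rule from January 1, 2026, California, Colorado and others) as well as the states that merely permit it. The following Python is an added example written for this article, not code from the page, from any regulator or from any vendor. It detects the Sec-GPC request header, treats it as an opt-out of sale and targeted advertising for anonymous visitors (no account or login required), persists the choice in a cookie so later requests without the header stay opted out, and produces the /.well-known/gpc.json body the GPC specification uses to advertise support. The header name and its single valid value "1" come from the GPC specification; the cookie name privacy_opt_out, the scope names and the request dictionaries are this example's own assumptions.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Added example for this article, not code from the page or from any statute
or vendor. The header name (Sec-GPC), its single valid value ("1") and the
/.well-known/gpc.json resource come from the GPC specification; the request
shape, cookie name and decision record are this example's own assumptions.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"              # compared case-insensitively
OPT_OUT_COOKIE = "privacy_opt_out"  # hypothetical cookie name read by downstream code

# Processing activities a universal opt-out signal covers in the state laws the
# article discusses: sale of personal data and targeted advertising.
OPT_OUT_SCOPES = ("sale", "targeted_ads")


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True iff the request carries a valid GPC signal.

    The spec defines exactly one valid value, the ASCII string "1". Anything
    else ("true", "0", empty) is not a signal and must not be read as one; a
    missing header is likewise not an opt-in, it is simply no signal.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def parse_opt_out_cookie(cookie_value: Optional[str]) -> set:
    """Return the scopes a previous visit already opted out of.

    The cookie is a comma-separated list such as "sale,targeted_ads". Tokens
    outside OPT_OUT_SCOPES are dropped, so a tampered value cannot inject
    unexpected state into downstream decisions.
    """
    if not cookie_value:
        return set()
    return {tok.strip() for tok in cookie_value.split(",")} & set(OPT_OUT_SCOPES)


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: frozenset        # scopes that must be disabled for this response
    source: str                 # "gpc", "cookie", "gpc+cookie" or "none"; for the audit log
    set_cookie: Optional[str]   # Set-Cookie header to persist the choice, if any


def decide(headers: Mapping[str, str], cookies: Mapping[str, str],
           cookie_max_age: int = 365 * 24 * 3600) -> OptOutDecision:
    """Combine the live GPC signal with any stored opt-out.

    Opt-outs only accumulate: a stored opt-out is kept even when this request
    has no GPC header (the user may have changed browsers or disabled the
    extension), and a GPC signal is honored for anonymous visitors, so no
    account or login is needed to exercise the right.
    """
    stored = parse_opt_out_cookie(cookies.get(OPT_OUT_COOKIE))
    live = set(OPT_OUT_SCOPES) if gpc_signal_present(headers) else set()
    opted_out = stored | live

    sources = [s for s, hit in (("gpc", bool(live)), ("cookie", bool(stored))) if hit]
    source = "+".join(sources) or "none"

    set_cookie = None
    if live and live - stored:
        # Persist the signal so later requests without the header stay opted
        # out. Not HttpOnly: client-side consent scripts need to read it and it
        # holds no secret; integrity comes from the allow-list in the parser.
        value = ",".join(s for s in OPT_OUT_SCOPES if s in opted_out)
        set_cookie = (f"{OPT_OUT_COOKIE}={value}; Path=/; Max-Age={cookie_max_age}; "
                      "Secure; SameSite=Lax")
    return OptOutDecision(frozenset(opted_out), source, set_cookie)


def may_process(decision: OptOutDecision, scope: str) -> bool:
    """Gate a processing activity: False means do not sell / do not serve targeted ads."""
    return scope not in decision.opted_out


def well_known_gpc(last_update: date, honors: bool = True) -> str:
    """Body for GET /.well-known/gpc.json, which tells clients the site honors GPC."""
    return json.dumps({"gpc": honors, "lastUpdate": last_update.isoformat()})


if __name__ == "__main__":
    # Constructed sample request: browser-style header casing, no prior cookie.
    req_headers = {"Host": "shop.example", "Sec-GPC": "1", "User-Agent": "Mozilla/5.0"}
    d = decide(req_headers, cookies={})
    print(sorted(d.opted_out), d.source)
    print("serve targeted ad:", may_process(d, "targeted_ads"))
    print(d.set_cookie)
    print(well_known_gpc(date(2026, 1, 1)))
```

Two design points worth noting. Honoring the signal regardless of the visitor's state avoids geolocating people in order to decide whether to respect a privacy signal, which would be an odd trade. And a cookie-based record is what lets the opt-out survive for visitors who never log in, which is the behavior the "no account required" provisions in these laws demand; an authenticated user's stored preferences can be merged into the same decision the same way the cookie is.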
Kentucky Consumer Data Protection Act (KCDPA): From Breach-Only to Comprehensive Privacy
• Effective Date: January 1, 2026 (ACTIVE NOW)
• Upgrade: Previously had breach notification only, now comprehensive privacy law
• Applicability Threshold: 100,000+ Kentucky consumers OR 25,000+ consumers with more than 50% of gross revenue from data sales
• Enforcement: Kentucky Attorney General
• Penalties: Up to $7,500 per violation
• Cure Period: 30 days after written notice from the Attorney General (the cure period does not sunset)
• Only required breach notification (notify consumers if data compromised)
• No consumer rights (access, deletion)
• No restrictions on data sales or sharing
• No privacy policy requirements
• Full consumer rights (access, deletion, correction, portability, opt-out)
• Privacy policy mandates
• Sensitive data consent requirements
• Data protection assessments
• Opt-out of sale, targeted advertising and profiling (KCDPA does not require recognizing browser-level universal opt-out signals)
• Restrictions on data sales and targeted advertising
• Access: Consumers can request what data you have about them
• Deletion: Consumers can demand you delete their data
• Correction: Consumers can fix inaccurate information
• Data Portability: Consumers can get data in machine-readable format to transfer to competitor
• Opt-Out: Consumers can stop data sales, targeted ads, profiling decisions
• Must disclose:
  • What data you collect (categories)
  • Why you collect it (purposes)
  • Who you share it with (categories of third parties)
  • How consumers exercise rights and appeal a denial
  • If you sell data or do targeted advertising, and how to opt out
• Cannot process sensitive data without opt-in consent; KCDPA defines it as:
  • Racial or ethnic origin, religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation, citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify a person (face scans, fingerprints, DNA tests)
  • Precise geolocation (GPS-grade location)
  • Data collected from a known child under 13
• Financial account data is not in the sensitive-data definition (it remains ordinary personal data subject to the law's other duties)
• Distillery tours and tasting room customer databases
• Bourbon club memberships and subscription services
• E-commerce platforms selling bourbon (age verification data)
• Marketing lists for bourbon enthusiasts
• Must now: Honor opt-outs of targeted advertising and data sales, honor deletion requests, disclose data practices
• Employee monitoring systems (time tracking, productivity) are outside KCDPA, which excludes data about individuals acting in an employment context
• Dealer network customer data
• Connected car data (if not exempted under other laws)
• Supply chain partner information is likewise outside the law's "consumer" definition when it concerns people acting in a business capacity
• Patient portals (beyond HIPAA-covered data)
• Marketing databases (prospective patients)
• Employee health and wellness program data (excluded from KCDPA as employment-context data, though other laws may apply)
• Non-HIPAA health apps and services
• Worker safety monitoring data (employment-context data, excluded from KCDPA)
• Environmental compliance data linked to individuals
• Renewable energy customer enrollment
• Data brokers: Companies selling consumer data without disclosure
• Health apps: Fitness trackers, mental health apps, telehealth platforms
• Social media: Platforms targeting Kentucky youth
• E-commerce: Online retailers with significant Kentucky customer base
• Businesses with no privacy policy
• Businesses selling data without opt-out mechanism
• Apps collecting sensitive data without consent
• Business demonstrates good-faith compliance effort
• Violation is promptly cured
• No prior KCDPA violations
• Repeat violators
• Willful violations (intentionally ignoring KCDPA)
• Serious data breaches with no security measures
• Draft KCDPA-compliant privacy policy
• Include all required disclosures (data collected, purposes, sharing, rights)
• Publish prominently on website
• Link from homepage footer
• Create a clear and conspicuous opt-out link (commonly labeled "Do Not Sell or Share My Personal Information" or "Your Privacy Choices")
• Honor Global Privacy Control (GPC) signals (not mandated by KCDPA, but required in Oregon, California and other states; treat it as a sale/targeted-ad opt-out everywhere)
• Set up system to honor opt-out requests within the 45-day window that applies to all KCDPA rights requests
• Designate privacy contact email
• Train team to handle access, deletion, correction requests
• Implement 45-day response timeline tracking
• Test workflow with internal mock requests
Rhode Island DTPPA: Strictest State Law with No Cure Period
• Effective Date: January 1, 2026 (ACTIVE NOW)
• Applicability Threshold: 35,000+ RI consumers OR 10,000+ consumers with 20%+ of gross revenue from data sales (among the lowest nationally, alongside Delaware and New Hampshire at 35,000 and Montana at 25,000)
• Enforcement: Rhode Island Attorney General
• Penalties: Up to $10,000 per violation (HIGHEST AMONG NEW LAWS)
• Cure Period: NONE (IMMEDIATE PENALTIES)
• Private Right of Action: No
• Most state laws: 100,000 residents
• Rhode Island: 35,000 residents
• With only 1.1M population, 35K = 3.2% market penetration
• Small regional businesses easily hit threshold
• Under most state laws: Not covered (below 100K threshold)
• Under Rhode Island DTPPA: MUST COMPLY (exceeds 35K threshold)
• Indiana: 30-day cure after notice from the Attorney General
• Kentucky: 30-day cure after notice from the Attorney General
• Rhode Island: no statutory cure period; the Attorney General may seek up to $10,000 per violation immediately
• Indiana: $7,500 per violation
• Kentucky: $7,500 per violation
• Rhode Island: $10,000 per violation
• Each affected consumer or transaction can count as a separate violation, so exposure scales with volume
• Potential fine: 500 violations × $10,000 = $5 million
• Access, deletion, correction, portability, opt-out (same as Indiana/Kentucky)
• Must respond within 45 days
• Opt-in required for sensitive data: racial or ethnic origin, religious beliefs, health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and data from a known child (financial data is not in the definition)
• Required for targeted ads, profiling, sensitive data, data sales
• All data brokers operating in Rhode Island must register annually
• $100 registration fee
• Failure to register = separate violation with penalties
• Privacy policy must be "clear and conspicuous" (stricter standard)
• Must use plain language, avoid legalese
• Large font requirements for opt-out mechanisms
• Law explicitly states AG "may" bring action immediately
• No statutory cure period like other states
• AG has sole discretion whether to offer informal resolution
• Companies with no privacy policy on January 1, 2026
• Companies with no opt-out mechanism
• Data brokers failing to register
• Apps collecting geolocation without consent
• Regional retailers with 35K+ RI customers
• Online marketplaces shipping to Rhode Island
• Subscription box services
• Direct-to-consumer brands
• Brown University medical research
• Rhode Island Hospital patient portals
• Health apps marketed to Rhode Islanders
• Telemedicine platforms
• Newport tourism businesses (hotels, restaurants, attractions)
• Coastal resorts collecting guest data
• Vacation rental platforms (Airbnb, VRBO hosts)
• Universities with 35K+ RI resident interactions
• Online education platforms
• Student information systems
• Count Rhode Island consumers: Do you exceed 35,000, or 10,000 with 20%+ of revenue from data sales?
• If YES, immediately publish DTPPA-compliant privacy policy
• Add "Do Not Sell My Personal Information" opt-out link
• If data broker, submit registration to RI AG
• Implement consumer rights request system
• Set up 45-day response tracking
• Review sensitive data collection: Is opt-in consent obtained?
• Honor Global Privacy Control (GPC) signals (not mandated by DTPPA; required by Oregon, California and other states, and simplest to honor uniformly)
• Conduct data protection assessments
• Audit vendor contracts for DTPPA compliance
• Train team on DTPPA requirements
• Document all compliance efforts for potential AG inquiry
• Monitor for RI AG enforcement actions
• Adjust compliance based on early cases
• Consider legal counsel if AG contacts business
• Prepare for potential investigation or penalties
California DROP Platform & Other Major 2026 Privacy Changes
• Centralized database where California consumers submit ONE request to delete data from ALL registered data brokers
• Managed by California Privacy Protection Agency (CPPA)
• Launched January 1, 2026
• Game-changer for consumer privacy rights
• Visit California DROP website
• Submit single deletion request with identity verification
• Request automatically distributed to all registered data brokers
• Beginning August 1, 2026, data brokers must check DROP at least once every 45 days and process every pending request
• Data brokers must register with the California Privacy Protection Agency by January 31, 2026 (the annual registration deadline; DROP draws its broker list from that registry)
• Pay annual registration fee
• Retrieve deletion requests from DROP (portal or API)
• Must process each request, including directing contracted service providers to delete, within the 45-day cycle
• Failure to register = $200/day penalty (doubled from the previous $100/day)
• Business that collects and sells consumer data it did NOT collect directly from consumers
• Examples: People search sites, marketing list providers, data aggregators
• NOT required: Businesses selling data they collected firsthand from customers
• Failure to register: $200 per day per violation
• Example: Data broker operates 60 days without registration = $12,000 fine
• Failure to process DROP deletion requests: $200 per day for each unprocessed request, on top of any CCPA penalties ($2,500-$7,500 per violation) for related violations
• Cannot sell geolocation data accurate within 1,750 feet
• Applies to GPS tracking, cell tower triangulation, Wi-Fi positioning
• Targets: Advertising networks, data brokers buying/selling location data
• Cannot sell personal data from consumers under 16 years old
• Cannot use data from minors under 16 for targeted advertising
• Applies where the business knows or willfully disregards that the consumer is under 16; the law adds no new age-verification mandate
• Must recognize browser/device signals (Global Privacy Control)
• No login required to exercise opt-out
• Effective January 1, 2026 for all controllers subject to the OCPA
• Data generated by brain-computer interfaces (BCIs)
• Examples: Neuralink, EEG headsets, brain activity monitors
• Highly sensitive: Reveals thoughts, emotions, cognitive states
• Neural data classified as "sensitive data" requiring opt-in consent
• Enhanced data protection assessments for BCI processing
• Must disclose use of neural data in privacy policy
• Cannot sell neural data without explicit consent
• Among the first states to regulate brain-computer interface data (Colorado and California added neural data to their sensitive-data definitions in 2024)
• As BCIs become mainstream (gaming, medical devices, productivity tools), neural data regulation will expand
• Sets precedent for other states
• California (CCPA/CPRA)
• Virginia (VCDPA)
• Colorado (CPA)
• Connecticut (CTDPA)
• Utah (UCPA)
• Iowa (ICDPA)
• Indiana (ICDPA) - NEW
• Tennessee (TIPA)
• Montana (MCDPA)
• Oregon (OCPA)
• Texas (TDPSA)
• Delaware (DPDPA)
• New Hampshire (NHDPA)
• New Jersey (NJDPA)
• Nebraska (NDPA)
• Minnesota (MCDPA)
• Maryland (MODPA)
• Kentucky (KCDPA) - NEW
• Rhode Island (DTPPA) - NEW
• Maine (pending effective date Q2 2026)
• New York (comprehensive privacy bill in legislature)
• Illinois (beyond BIPA biometric law)
• Pennsylvania (active legislative discussions)
• Massachusetts (expanding 201 CMR 17.00)
• Florida (tourism industry driving need)
• Michigan (automotive data focus)
• Federal comprehensive privacy law remains stalled in Congress
• State patchwork continues to expand
• Businesses face compliance with 20+ different state regimes
• Industry groups lobbying for federal preemption
January 1, 2026 marks a watershed moment in American privacy regulation. With Indiana, Kentucky, and Rhode Island activating comprehensive consumer privacy protections, 20 states representing 65% of the U.S. population now enforce detailed privacy regimes that fundamentally reshape how businesses can collect, use, and monetize personal data. California's DROP platform launch—enabling centralized deletion requests across all data brokers—demonstrates that state privacy enforcement is evolving from individual rights to systemic consumer empowerment. Oregon's geolocation sales ban and Connecticut's neural data regulation prove states aren't just copying each other—they're innovating new protections for emerging technologies and data types.
The compliance burden is real and growing. A business operating nationally must now navigate 20 different state privacy laws, each with unique thresholds, requirements, penalties, and enforcement approaches. Rhode Island's $10,000-per-violation penalty with no cure period creates immediate liability risk for businesses processing data from just 35,000 Rhode Islanders, a threshold so low that regional companies face the same compliance requirements as national corporations. Kentucky's upgrade from breach-notification-only to comprehensive privacy law forces thousands of businesses to implement entirely new consumer rights workflows, privacy policies, and data governance frameworks. Indiana's and Kentucky's 30-day cure periods give good-faith actors a chance to fix problems after notice, but businesses that ignore that notice, or that repeat the conduct, should expect the Attorney General to proceed straight to penalties.
Key Compliance Priorities for 2026:
1. Identify Covered States
  • Map your customer base by state
  • Compare against state law thresholds (35K in RI, 100K in most others)
  • Don't forget revenue-based thresholds (data sales criteria)
  • Businesses processing data from multiple states need multi-state compliance
2. Implement Consumer Rights Infrastructure
  • Access, deletion, correction, portability, opt-out mechanisms
  • 45-day response timeline tracking
  • Identity verification processes
  • Vendor coordination (data processors must support rights fulfillment)
3. Update Privacy Policies
  • State-specific disclosures (California DROP, Rhode Island plain language, etc.)
  • Sensitive data consent opt-ins
  • Universal opt-out (Global Privacy Control recognition)
  • Clear "Do Not Sell" mechanisms
4. Conduct Data Protection Assessments
  • Targeted advertising activities
  • Data sales and sharing
  • Profiling with legal/significant effects
  • Sensitive data processing (health, biometric, genetic, geolocation)
  • Document risk mitigation measures
5. Register Where Required
  • California data brokers: Register with the CPPA by January 31, 2026
  • Rhode Island data brokers: Annual registration required
  • Other states adding data broker registration requirements in 2026
For Data Brokers: California DROP Registration Deadline January 31
If you operate a data broker business (selling consumer data you didn't collect directly from the consumer), you have 23 days to complete California's annual data broker registration with the California Privacy Protection Agency, the registry the DROP platform draws on. Failure to register triggers $200/day penalties immediately. Registration requires:
  • Business information and contact details
  • Categories of data collected and sold
  • Data sources and third-party recipients
  • Consumer opt-out process description
  • Annual registration fee payment
Don't miss this deadline. California Privacy Protection Agency has indicated aggressive enforcement against unregistered data brokers.
Looking Ahead: 2026 Privacy Enforcement Trends
Expect state Attorneys General to prioritize enforcement in 2026:
  • Rhode Island: Early actions within 30-60 days targeting obvious violations
  • Kentucky: Focus on data brokers, health apps, social media platforms
  • Indiana: Pharmaceutical and racing industry scrutiny
  • California: DROP platform non-compliance, data broker enforcement
  • All states: Businesses with no privacy policy or no opt-out mechanism face immediate action
The grace period for state privacy compliance ended on December 31, 2025. As of January 1, 2026, businesses must comply with applicable state laws or face penalties. The 30-day cure periods offered by some states (Indiana, Kentucky) only apply to good-faith violations—businesses that knowingly ignore privacy requirements will face immediate enforcement.
National privacy law remains elusive, but state laws have already created de facto national standards. Businesses operating across state lines must comply with the strictest requirements (Rhode Island's 35K threshold, California's DROP registration, Oregon's geolocation ban) to ensure comprehensive coverage. For most businesses, the practical solution is implementing a privacy program that meets all state requirements rather than attempting jurisdiction-specific compliance.
2026 is the year state privacy law becomes the default American privacy framework. Businesses that adapt now will be positioned for success. Those that delay face escalating enforcement risk as 20 state Attorneys General activate their privacy enforcement teams.