The new year brought the most significant expansion of state privacy regulation in U.S. history. On January 1, 2026, three new comprehensive privacy laws took effect simultaneously: Indiana Consumer Data Protection Act (ICDPA), Kentucky Consumer Data Protection Act (KCDPA), and Rhode Island Data Transparency and Privacy Act (DTPPA). These laws join 17 existing state privacy regimes, bringing the total to 20 states with comprehensive consumer privacy protections covering over 200 million Americans. But the changes extend far beyond new state activations. California launched its Delete Requests and Opt-Out (DROP) platform—a centralized system allowing consumers to delete their data from all registered data brokers with a single request. Oregon banned the sale of precise geolocation data and youth information. Connecticut became the first state to regulate neural data from brain-computer interfaces. The message is unmistakable: State privacy law is now the default national standard, and businesses operating across state lines must comply with a patchwork of requirements that grows more complex each quarter.
⚠️ Important: 🚨 COMPLIANCE DEADLINE ALERT: If your business processes data from residents of Indiana (6.8M), Kentucky (4.5M), or Rhode Island (1.1M), you must comply immediately. Rhode Island has NO cure period—violations trigger instant $10,000 fines. Kentucky upgraded from breach-only to comprehensive privacy law. Indiana pharmaceutical and racing industries face strict requirements. Check your customer base NOW.
Indiana Consumer Data Protection Act (ICDPA): Pharma & Racing Hub Compliance
Law Overview:
• Effective Date: January 1, 2026 (ACTIVE NOW)
• Applicability Threshold: Businesses processing 100,000+ Indiana residents' data OR 25,000+ with 50%+ revenue from data sales
• Enforcement: Indiana Attorney General
• Penalties: Up to $7,500 per violation
• Cure Period: 30 days for good-faith violations
• Private Right of Action: No (AG enforcement only)
Who Must Comply:
Business Criteria:
• Conduct business in Indiana OR target Indiana residents
• Process personal data of 100,000+ Indiana consumers annually
• OR process data of 25,000+ Indiana consumers with 50%+ revenue from data sales
• Applies regardless of physical presence in Indiana (e-commerce, SaaS, apps all covered)
Key ICDPA Requirements:
1. Consumer Rights (Must Honor Within 45 Days):
• Access: Confirm whether processing consumer's data, provide copy
• Deletion: Delete consumer's personal data upon request
• Correction: Correct inaccurate personal data
• Data Portability: Provide data in portable, readily usable format
• Opt-Out: Right to opt out of data sales, targeted advertising, profiling
2. Privacy Notice Requirements:
• Clear, conspicuous notice must disclose:
• Categories of data collected
• Purposes of processing
• Categories of data shared with third parties
• How to exercise consumer rights (access, deletion, opt-out)
• Contact information for privacy inquiries
3. Data Protection Assessments:
• Required for processing activities presenting heightened privacy risk:
• Targeted advertising
• Sale of personal data
• Profiling with legal/significant effects
• Sensitive data processing (health, financial, biometric, genetic, precise geolocation)
• Processing data of children under 13
• Must document:
• Benefits of processing
• Privacy risks to consumers
• Safeguards implemented to mitigate risks
4. Sensitive Data Consent:
• Opt-in consent required before processing:
• Health data (outside HIPAA)
• Financial information
• Biometric data (fingerprints, facial recognition, voice)
• Genetic data
• Precise geolocation (within 1,750 feet)
• Child data (under 13)
• Sexual orientation, citizenship, immigration status
5. Universal Opt-Out Recognition:
• Must recognize browser/device signals indicating opt-out preference
• Examples: Global Privacy Control (GPC), browser privacy settings
• Cannot require consumer to create account or log in to exercise opt-out
Industry-Specific Impact:
Pharmaceutical Industry (Eli Lilly Headquarters):
• Clinical trial data requires data protection assessments
• Patient recruitment platforms must honor opt-out rights
• Research databases containing health data require opt-in consent
• Manufacturing employee data covered under ICDPA
Racing Industry (Indianapolis Motor Speedway):
• Fan databases (ticket purchases, merchandise, loyalty programs)
• Racing telemetry and driver biometrics (if identifiable to individuals)
• Hospitality and VIP guest information
• Mobile app user tracking and targeted advertising
Manufacturing Sector:
• Employee monitoring systems (productivity tracking, time clocks)
• Supply chain partner data
• Customer order and delivery information
• Industrial IoT device data (if linked to individuals)
30-Day Cure Period (Good Faith Compliance):
Indiana AG must provide 30-day cure opportunity before imposing penalties if:
• Business makes good-faith effort to comply
• Violation is not willful or reckless
• Business cures violation within 30 days of notice
No cure period if:
• Repeated violations after previous cure
• Willful or reckless disregard for ICDPA
• Egregious violations (massive data breach, intentional sale of children's data)
Immediate Compliance Actions:
Week 1-2 (January 2026):
• Inventory Indiana customer base: Do you exceed 100,000 residents?
• Update privacy policy to include ICDPA-required disclosures
• Implement consumer rights request process (access, deletion, correction, portability, opt-out)
• Enable Global Privacy Control (GPC) recognition on website
Week 3-4 (Late January 2026):
• Conduct data protection assessments for targeted advertising, profiling, sensitive data
• Review vendor contracts: Do third-party processors comply with ICDPA?
• Train customer service team on handling ICDPA rights requests
• Set up tracking system for 45-day response deadline
Month 2-3 (February-March 2026):
• Audit sensitive data collection: Is opt-in consent obtained?
• Test consumer rights request workflow (mock requests)
• Monitor for AG enforcement actions, adjust compliance based on early cases
• Document all compliance efforts for potential AG inquiry
Kentucky Consumer Data Protection Act (KCDPA): From Breach-Only to Comprehensive Privacy
Law Overview:
• Effective Date: January 1, 2026 (ACTIVE NOW)
• Upgrade: Previously had breach notification only, now comprehensive privacy law
• Applicability Threshold: 100,000+ Kentucky residents OR 25,000+ with revenue from data sales
• Enforcement: Kentucky Attorney General
• Penalties: Up to $7,500 per violation
• Cure Period: 30 days for first violations
Major Expansion from Previous Law:
Before KCDPA (2025 and earlier):
• Only required breach notification (notify consumers if data compromised)
• No consumer rights (access, deletion)
• No restrictions on data sales or sharing
• No privacy policy requirements
After KCDPA (2026 onward):
• Full consumer rights (access, deletion, correction, portability, opt-out)
• Privacy policy mandates
• Sensitive data consent requirements
• Data protection assessments
• Universal opt-out recognition
• Restrictions on data sales and targeted advertising
This is a fundamental shift for Kentucky businesses—going from minimal obligations to a comprehensive compliance regime.
Key KCDPA Requirements:
1. Consumer Rights (New for Kentucky):
• Access: Consumers can request what data you have about them
• Deletion: Consumers can demand you delete their data
• Correction: Consumers can fix inaccurate information
• Data Portability: Consumers can get their data in a machine-readable format to transfer to a competitor
• Opt-Out: Consumers can stop data sales, targeted ads, profiling decisions
2. Privacy Policy (Now Mandatory):
• Must disclose:
• What data you collect (categories)
• Why you collect it (purposes)
• Who you share it with (third parties)
• How consumers exercise rights
• If you sell data or do targeted advertising
3. Sensitive Data Consent (New Category):
• Cannot process these data types without opt-in consent:
• Health information
• Financial data
• Biometric data (face scans, fingerprints)
• Genetic data (DNA tests)
• Precise geolocation (GPS tracking)
• Data from children under 13
• Sexual orientation, citizenship status
Industry-Specific Impact:
Bourbon & Distillery Industry:
• Distillery tours and tasting room customer databases
• Bourbon club memberships and subscription services
• E-commerce platforms selling bourbon (age verification data)
• Marketing lists for bourbon enthusiasts
• Must now: Obtain consent for targeted ads, honor deletion requests, disclose data practices
Automotive Manufacturing (Toyota, Ford):
• Employee monitoring systems (time tracking, productivity)
• Dealer network customer data
• Connected car data (if not exempted under other laws)
• Supply chain partner information
Healthcare (Baptist Health, Norton Healthcare):
• Patient portals (beyond HIPAA-covered data)
• Marketing databases (prospective patients)
• Employee health and wellness programs
• Non-HIPAA health apps and services
Coal & Energy Transition:
• Worker safety monitoring data
• Environmental compliance data linked to individuals
• Renewable energy customer enrollment
AG Enforcement Priorities (Announced January 2026):
Kentucky Attorney General announced focus areas:
• Data brokers: Companies selling consumer data without disclosure
• Health apps: Fitness trackers, mental health apps, telehealth platforms
• Social media: Platforms targeting Kentucky youth
• E-commerce: Online retailers with significant Kentucky customer base
Early enforcement actions expected Q1-Q2 2026 targeting:
• Businesses with no privacy policy
• Businesses selling data without opt-out mechanism
• Apps collecting sensitive data without consent
30-Day Cure Period Caveat:
Kentucky AG will provide 30-day cure for first violations IF:
• Business demonstrates good-faith compliance effort
• Violation is promptly cured
• No prior KCDPA violations
NO cure period for:
• Repeat violators
• Willful violations (intentionally ignoring KCDPA)
• Serious data breaches with no security measures
Immediate Actions for Kentucky Businesses:
Priority 1: Privacy Policy (Week 1):
• Draft KCDPA-compliant privacy policy
• Include all required disclosures (data collected, purposes, sharing, rights)
• Publish prominently on website
• Link from homepage footer
Priority 2: Opt-Out Mechanism (Week 2):
• Create "Do Not Sell My Personal Information" link
• Implement Global Privacy Control (GPC) recognition
• Set up system to honor opt-out requests within 15 days
Priority 3: Consumer Rights Workflow (Week 3-4):
• Designate privacy contact email
• Train team to handle access, deletion, correction requests
• Implement 45-day response timeline tracking
• Test workflow with internal mock requests
Rhode Island DTPPA: Strictest State Law with No Cure Period
Law Overview:
• Effective Date: January 1, 2026 (ACTIVE NOW)
• Applicability Threshold: 35,000+ RI residents OR 10,000+ with 20%+ revenue from data sales (LOWEST NATIONALLY)
• Enforcement: Rhode Island Attorney General
• Penalties: Up to $10,000 per violation (HIGHEST AMONG NEW LAWS)
• Cure Period: NONE (IMMEDIATE PENALTIES)
• Private Right of Action: No
Why DTPPA is the Strictest State Privacy Law:
1. Lowest Applicability Threshold (35,000 Residents)
• Most state laws: 100,000 residents
• Rhode Island: 35,000 residents
• With only 1.1M population, 35K = 3.2% market penetration
• Small regional businesses easily hit the threshold
Example: E-commerce company sells to 40,000 Rhode Islanders
• Under most state laws: Not covered (below 100K threshold)
• Under Rhode Island DTPPA: MUST COMPLY (exceeds 35K threshold)
2. NO Cure Period (Immediate Enforcement)
• Indiana: 30-day cure for good-faith violations
• Kentucky: 30-day cure for first violations
• Rhode Island: $10,000 penalty immediately, no cure opportunity
This means: Day 1 violation = Day 1 fine, no warning
3. Highest Penalty ($10,000 Per Violation)
• Indiana: $7,500 per violation
• Kentucky: $7,500 per violation
• Rhode Island: $10,000 per violation
• Multiply by number of affected consumers for massive potential fines
Example: Company fails to honor deletion request for 500 consumers
• Potential fine: 500 violations × $10,000 = $5 million
Key DTPPA Requirements (Identical Consumer Rights, Stricter Enforcement):
Consumer Rights:
• Access, deletion, correction, portability, opt-out (same as Indiana/Kentucky)
• Must respond within 45 days
Sensitive Data Consent:
• Opt-in required for health, financial, biometric, genetic, geolocation, child data
Data Protection Assessments:
• Required for targeted ads, profiling, sensitive data, data sales
What Makes DTPPA Unique:
1. Data Broker Registration:
• All data brokers operating in Rhode Island must register annually
• $100 registration fee
• Failure to register = separate violation with penalties
2. Enhanced Transparency:
• Privacy policy must be "clear and conspicuous" (stricter standard)
• Must use plain language, avoid legalese
• Large font requirements for opt-out mechanisms
3. No Grace Period Language:
• Law explicitly states AG "may" bring action immediately
• No statutory cure period like other states
• AG has sole discretion whether to offer informal resolution
Rhode Island AG Enforcement Posture:
RI Attorney General announced "zero tolerance" approach:
"Rhode Island may be the smallest state, but we will not tolerate businesses treating our residents' privacy as optional. DTPPA enforcement begins immediately on January 1, 2026. Businesses have had months to prepare. Violations will face the full $10,000 per violation penalty."
Expected Early Enforcement Targets:
• Companies with no privacy policy on January 1, 2026
• Companies with no opt-out mechanism
• Data brokers failing to register
• Apps collecting geolocation without consent
AG indicated first enforcement actions likely within 30-60 days of Jan 1, 2026.
Who Is At Risk:
E-Commerce & Retail:
• Regional retailers with 35K+ RI customers
• Online marketplaces shipping to Rhode Island
• Subscription box services
• Direct-to-consumer brands
Healthcare & Biotech:
• Brown University medical research
• Rhode Island Hospital patient portals
• Health apps marketed to Rhode Islanders
• Telemedicine platforms
Tourism & Hospitality:
• Newport tourism businesses (hotels, restaurants, attractions)
• Coastal resorts collecting guest data
• Vacation rental platforms (Airbnb, VRBO hosts)
Education:
• Universities with 35K+ RI resident interactions
• Online education platforms
• Student information systems
CRITICAL: With 35K threshold, small regional businesses are covered under DTPPA despite being exempt from other state laws.
Immediate Compliance Actions (URGENT - No Cure Period):
Day 1 (January 1-2, 2026):
• Count Rhode Island customers: Do you exceed 35,000?
• If YES, immediately publish DTPPA-compliant privacy policy
• Add "Do Not Sell My Personal Information" opt-out link
• If data broker, submit registration to RI AG
Week 1 (January 3-10, 2026):
• Implement consumer rights request system
• Set up 45-day response tracking
• Review sensitive data collection: Is opt-in consent obtained?
• Enable Global Privacy Control (GPC)
Week 2-4 (January 11-31, 2026):
• Conduct data protection assessments
• Audit vendor contracts for DTPPA compliance
• Train team on DTPPA requirements
• Document all compliance efforts for potential AG inquiry
Month 2+ (February 2026 onward):
• Monitor for RI AG enforcement actions
• Adjust compliance based on early cases
• Consider legal counsel if AG contacts business
• Prepare for potential investigation or penalties
California DROP Platform & Other Major 2026 Privacy Changes
California DROP Platform (Delete Requests and Opt-Out):
What It Is:
• Centralized database where California consumers submit ONE request to delete data from ALL registered data brokers
• Managed by California Privacy Protection Agency (CPPA)
• Launched January 1, 2026
• Game-changer for consumer privacy rights
How DROP Works:
For Consumers:
• Visit California DROP website
• Submit single deletion request with identity verification
• Request automatically distributed to all registered data brokers
• Data brokers must delete data within 30 days
For Data Brokers:
• Must register on DROP platform by January 31, 2026 (DEADLINE SOON)
• Pay annual registration fee
• Receive deletion requests via DROP API
• Must process and confirm deletion within 30 days
• Failure to register = $200/day penalty (doubled from previous $100/day)
Who Must Register as Data Broker:
• Business that collects and sells consumer data it did NOT collect directly from consumers
• Examples: People search sites, marketing list providers, data aggregators
• NOT required: Businesses selling data they collected firsthand from customers
DROP Registration Deadline: January 31, 2026 (23 days away)
Penalties for Non-Compliance:
• Failure to register: $200 per day per violation
• Example: Data broker operates 60 days without registration = $12,000 fine
• Failure to process DROP deletion requests: Additional CCPA violations ($2,500-$7,500 per violation)
Oregon OCPA Amendments: Geolocation & Youth Data Bans
Effective Date: January 1, 2026
New Restrictions:
1. Precise Geolocation Sales Banned
• Cannot sell geolocation data accurate within 1,750 feet
• Applies to GPS tracking, cell tower triangulation, Wi-Fi positioning
• Targets: Advertising networks, data brokers buying/selling location data
2. Youth Data Protections
• Cannot sell personal data from consumers under 16 years old
• Cannot use data from minors under 16 for targeted advertising
• Requires age verification for platforms with youth users
3. Universal Opt-Out Mandate
• Must recognize browser/device signals (Global Privacy Control)
• No login required to exercise opt-out
• Effective immediately for all Oregon businesses
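The universal opt-out provisions above (ICDPA, KCDPA, DTPPA and the Oregon mandate) all require a site to honor the Global Privacy Control signal without an account or login. The following is an added example, not code from the original article or from any of the laws discussed: it recognizes GPC on the server side (the `Sec-GPC: 1` request header), alongside a stored account-free opt-out cookie, and emits the `/.well-known/gpc.json` body a site publishes to state that it recognizes the signal. The cookie name `opt_out_sale` and the lower-cased header keys (as Node's http module presents them) are assumptions.

```javascript
// Added example (not from the original article). Recognizes the Global Privacy
// Control (GPC) opt-out signal so that data sale / targeted advertising is
// suppressed for the request, with no account or login required.
// Assumptions: headers arrive lower-cased (Node http style); the stored opt-out
// cookie is named "opt_out_sale" (a name chosen for this example).

// The GPC spec defines exactly one header value, "1". Anything else ("0",
// "true", empty) is NOT an opt-out, so compare strictly rather than truthily.
function hasGpcSignal(headers) {
  const value = headers && headers['sec-gpc'];
  return value !== undefined && String(value).trim() === '1';
}

// Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
// Malformed percent-encoding is kept raw instead of throwing.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Decision used by the ad/data-sale code path: false means "treat this visitor
// as opted out of sale and targeted advertising". Either the browser signal or
// a previously stored opt-out is sufficient; neither needs a logged-in user.
function dataSaleAllowed(headers) {
  if (hasGpcSignal(headers)) return false;
  const cookies = parseCookies(headers && headers['cookie']);
  if (cookies.opt_out_sale === '1') return false;
  return true;
}

// Body served at /.well-known/gpc.json to declare GPC support.
// `lastUpdate` is an ISO date string supplied by the caller.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Browser-side equivalent: the same signal is exposed on the navigator object.
function browserHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests covering the edge cases; returns the decisions.
function evaluateSamples() {
  const samples = [
    { 'sec-gpc': '1' },                        // GPC opt-out -> false
    { 'sec-gpc': '0' },                        // not an opt-out -> true
    { cookie: 'session=abc; opt_out_sale=1' }, // stored opt-out -> false
    {},                                        // no preference -> true
  ];
  return samples.map(dataSaleAllowed);
}
```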
Connecticut Neural Data Regulation: Brain-Computer Interface Privacy
Effective Date: January 1, 2026
What Is Neural Data:
• Data generated by brain-computer interfaces (BCIs)
• Examples: Neuralink, EEG headsets, brain activity monitors
• Highly sensitive: Reveals thoughts, emotions, cognitive states
New Connecticut Requirements:
• Neural data classified as "sensitive data" requiring opt-in consent
• Enhanced data protection assessments for BCI processing
• Must disclose use of neural data in privacy policy
• Cannot sell neural data without explicit consent
Why This Matters:
• First state to regulate brain-computer interface data
• As BCIs become mainstream (gaming, medical devices, productivity tools), neural data regulation will expand
• Sets precedent for other states
Other State Updates Effective January 1, 2026:
Utah UCPA Amendment: Expanded sensitive data definition to include sexual orientation data
Virginia VCDPA Update: Enhanced requirements for automated decision-making disclosures
Texas TDPSA Technical Corrections: Clarified applicability thresholds, processor obligations
Arkansas ACPDPA: Removed cure period for repeat violators (first violations still get 60-day cure)
2026 State Privacy Law Landscape:
20 States with Comprehensive Privacy Laws (as of Jan 1, 2026):
• California (CCPA/CPRA)
• Virginia (VCDPA)
• Colorado (CPA)
• Connecticut (CTDPA)
• Utah (UCPA)
• Iowa (ICDPA)
• Indiana (ICDPA) - NEW
• Tennessee (TIPA)
• Montana (MCDPA)
• Oregon (OCPA)
• Texas (TDPSA)
• Delaware (DPDPA)
• New Hampshire (NHDPA)
• New Jersey (NJDPA)
• Nebraska (NCDPA)
• Minnesota (CDPA)
• Maryland (MODPA)
• Kentucky (KCDPA) - NEW
• Rhode Island (DTPPA) - NEW
• Maine (pending effective date Q2 2026)
Combined Population Covered: 215+ million Americans (65% of U.S. population)
Pending State Privacy Laws (Expected 2026-2027):
• New York (comprehensive privacy bill in legislature)
• Illinois (beyond BIPA biometric law)
• Pennsylvania (active legislative discussions)
• Massachusetts (expanding 201 CMR 17.00)
• Florida (tourism industry driving need)
• Michigan (automotive data focus)
National Privacy Law Prospects:
• Federal comprehensive privacy law remains stalled in Congress
• State patchwork continues to expand
• Businesses face compliance with 20+ different state regimes
• Industry groups lobbying for federal preemption
Realistically, expect state-by-state privacy laws to remain the U.S. model for the foreseeable future.
January 1, 2026 marks a watershed moment in American privacy regulation. With Indiana, Kentucky, and Rhode Island activating comprehensive consumer privacy protections, 20 states representing 65% of the U.S. population now enforce detailed privacy regimes that fundamentally reshape how businesses can collect, use, and monetize personal data. California's DROP platform launch—enabling centralized deletion requests across all data brokers—demonstrates that state privacy enforcement is evolving from individual rights to systemic consumer empowerment. Oregon's geolocation sales ban and Connecticut's neural data regulation prove states aren't just copying each other—they're innovating new protections for emerging technologies and data types.
The compliance burden is real and growing. A business operating nationally must now navigate 20 different state privacy laws, each with unique thresholds, requirements, penalties, and enforcement approaches. Rhode Island's $10,000-per-violation penalty with no cure period creates immediate liability risk for businesses processing data from just 35,000 Rhode Islanders—a threshold so low that regional companies face the same compliance requirements as national corporations. Kentucky's upgrade from breach-notification-only to comprehensive privacy law forces thousands of businesses to implement entirely new consumer rights workflows, privacy policies, and data governance frameworks. Indiana's 30-day cure period provides breathing room for good-faith compliance, but only for first violations—repeat offenders face full penalties.
Key Compliance Priorities for 2026:
1. Identify Covered States
• Map your customer base by state
• Compare against state law thresholds (35K in RI, 100K in most others)
• Don't forget revenue-based thresholds (data sales criteria)
• Businesses processing data from multiple states need multi-state compliance
2. Implement Consumer Rights Infrastructure
• Access, deletion, correction, portability, opt-out mechanisms
• 45-day response timeline tracking
• Identity verification processes
• Vendor coordination (data processors must support rights fulfillment)
3. Update Privacy Policies
• State-specific disclosures (California DROP, Rhode Island plain language, etc.)
• Sensitive data consent opt-ins
• Universal opt-out (Global Privacy Control recognition)
• Clear "Do Not Sell" mechanisms
4. Conduct Data Protection Assessments
• Targeted advertising activities
• Data sales and sharing
• Profiling with legal/significant effects
• Sensitive data processing (health, financial, biometric, geolocation)
• Document risk mitigation measures
5. Register Where Required
• California data brokers: Register on DROP by January 31, 2026
• Rhode Island data brokers: Annual registration required
• Other states adding data broker registration requirements in 2026
For Data Brokers: California DROP Registration Deadline January 31
If you operate a data broker business (selling consumer data you didn't collect directly), you have 23 days to register on California's DROP platform. Failure to register triggers $200/day penalties immediately. The DROP registration process requires:
• Business information and contact details
• Categories of data collected and sold
• Data sources and third-party recipients
• Consumer opt-out process description
• Annual registration fee payment
Don't miss this deadline. California Privacy Protection Agency has indicated aggressive enforcement against unregistered data brokers.
Looking Ahead: 2026 Privacy Enforcement Trends
Expect state Attorneys General to prioritize enforcement in 2026:
• Rhode Island: Early actions within 30-60 days targeting obvious violations
• Kentucky: Focus on data brokers, health apps, social media platforms
• Indiana: Pharmaceutical and racing industry scrutiny
• California: DROP platform non-compliance, data broker enforcement
• All states: Businesses with no privacy policy, no opt-out mechanism face immediate action
The grace period for state privacy compliance ended on December 31, 2025. As of January 1, 2026, businesses must comply with applicable state laws or face penalties. The 30-day cure periods offered by some states (Indiana, Kentucky) only apply to good-faith violations—businesses that knowingly ignore privacy requirements will face immediate enforcement.
National privacy law remains elusive, but state laws have already created de facto national standards. Businesses operating across state lines must comply with the strictest requirements (Rhode Island's 35K threshold, California's DROP registration, Oregon's geolocation ban) to ensure comprehensive coverage. For most businesses, the practical solution is implementing a privacy program that meets all state requirements rather than attempting jurisdiction-specific compliance.
2026 is the year state privacy law becomes the default American privacy framework. Businesses that adapt now will be positioned for success. Those that delay face escalating enforcement risk as 20 state Attorneys General activate their privacy enforcement teams.