Key Takeaways: This article provides an overview of three new state privacy laws taking effect on January 1, 2026 in Indiana, Kentucky, and Rhode Island. These laws expand consumer rights, impose new compliance obligations, and establish enforcement mechanisms. Businesses subject to these laws must provide clear privacy notices, obtain opt-in consent for sensitive data, and conduct Data Protection Impact Assessments for high-risk processing. Consumers will gain rights to access, correct, delete, and obtain copies of their personal data, as well as opt-out rights for targeted advertising, sale of personal data, and certain profiling activities. Enforcement will be handled by each state’s Attorney General, with penalties up to $7,500 per violation in Indiana and Kentucky and $10,000 per violation in Rhode Island. Cure periods for violations of the laws vary, with Indiana and Kentucky allowing 30 days, while Rhode Island provides no cure period.

As of January 1, 2026, three states: Indiana, Kentucky, and Rhode Island will join the growing list of states with comprehensive consumer data privacy laws. These laws introduce new compliance obligations for businesses and expand consumer rights in significant ways. Below is an overview of each law.

Indiana Consumer Data Protection Act

Effective January 1, 2026, Indiana’s new state privacy law is more business-friendly than some other state privacy laws and largely tracks the requirements of the Virginia Consumer Data Protection Act.

On May 1, 2023, Indiana became the seventh state to enact a comprehensive state privacy law. The Indiana Consumer Data Protection Act (“ICDPA”) applies to legal entities conducting business in Indiana or producing products or services targeted to Indiana consumers that either (1) control or process the personal data of 100,000 or more Indiana consumers, or (2) control or process the personal data of at least 25,000 Indiana consumers and derive 50 percent of their revenue from the sale of personal data. The law applies only to consumer data.

Consumer rights under the law are consistent with the majority of other state privacy laws and consist of the right to access, right to correct, right to data portability, right to delete, and right to opt out of processing personal data for targeted advertising, profiling and selling of personal data. Like Colorado, Connecticut, and Virginia, the ICDPA requires opt-in consent in order to process sensitive data. Data controllers must conduct data protection impact assessments in some instances and must enter into data processing agreements with third parties to whom they transfer data. The law includes a 30-day window to cure violations, after which time the Indiana attorney general can enforce violations by issuing an injunction for uncured violations and/or seeking a civil penalty of up to $7,500 per violation.

Kentucky Consumer Data Protection Act

Kentucky became the fifteenth state to enact comprehensive consumer data privacy legislation. The Kentucky Consumer Data Protection Act (“KCDPA”) was passed by the Kentucky Legislature on March 27, 2024, and signed into law by Gov. Andy Beshear on April 4, 2024. The KCDPA bears notable similarities to Virginia’s Consumer Data Protection Act (“VCDPA”), which was enacted in 2021. The KCDPA has an effective date of January 1, 2026.

The KCDPA applies to businesses operating in Kentucky or offering products or services targeted towards Kentucky consumers that either (1) control or process the personal data of 100,000 or more Kentucky consumers annually, or (2) control or process the personal data of 25,000 or more Kentucky residents while deriving over 50 percent of their gross revenue from the sale of personal data annually. There is no revenue threshold for applicability.

Consumer rights under the KCDPA include the right to access, correct, delete, obtain a copy, and opt out of data processing used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Opt-in consent is required for processing sensitive data, which includes racial or ethnic origin, religious beliefs, mental or physical health condition, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data. Controllers must provide a privacy notice, conduct data protection impact assessments for certain activities, and comply with obligations related to processors. The Kentucky Attorney General has exclusive enforcement authority, with a 30-day cure period and penalties of up to $7,500 per violation.

Rhode Island Data Transparency and Privacy Protection Act

On June 29, 2024, the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”) was passed as Governor Daniel McKee transmitted the bill without signature. The RIDTPPA is fairly consistent with other state privacy laws and will take effect on January 1, 2026.

The RIDTPPA applies to businesses that conduct business in Rhode Island, produce products, or provide services to Rhode Island residents, provided the business (1) during a calendar year, controls or processes personal data of at least 35,000 Rhode Island consumers (excluding personal data controlled or processed for the sole purpose of completing payment transactions), or (2) controls or processes personal data of at least 10,000 Rhode Island consumers and derives more than 20 percent of gross revenue from the sale of personal data.

Consumer rights under the RIDTPPA include the right to know and access personal data processed by a controller, the right to correct inaccurate personal data, the right to delete personal data, the right to obtain a copy of personal data in a portable format, and the right to opt out of processing for targeted advertising, sale of personal data, or profiling that has certain significant consequences. Sensitive data processing requires prior consent. Controllers must maintain reasonable security practices and conduct data protection impact assessments for high-risk processing. The Rhode Island Attorney General has sole enforcement authority, with penalties up to $10,000 per violation. No cure period is provided.

The addition of these three laws underscores the accelerating trend toward state-level privacy regulation. Businesses should review their data practices, update privacy notices, and prepare to honor expanded consumer rights.

Koley Jessen is committed to staying informed about developments related to state data privacy law compliance and will offer guidance as new information emerges. If you are unsure about your business' compliance needs, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for assistance.

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}