State Privacy Laws Taking Effect in 2026
Somewhat surprisingly, 2025 was a “quiet” year for state privacy laws from a legislative perspective, with no new laws being passed. 2025 did see eight new laws go into effect:
Three state privacy laws will go into effect in 2026: Indiana, Kentucky, and Rhode Island. Here is a summary of the applicability thresholds and requirements for each new law. All three of these laws go into effect on January 1st, 2026.
Indiana
The Indiana privacy law applies to for-profit businesses that control or process personal data on at least 100,000 Indianans or that derive more than 50% of their gross revenue from selling the data of 25,000 or more Indiana consumers. It only applies to consumers, excluding employee and job applicant data, as well as data used in a commercial or business-to-business context.
The following consumer rights are included in the Indiana law:
- Consumers can request confirmation of whether a business is processing their personal data, the type of data being processed, and how it’s being processed.
- Consumers can request to view their personal data. Businesses have the option to provide copies of raw data or a representative summary of the data collection. Consumers can make this request once a year.
- Consumers can request that inaccurate data be corrected. They can request data obtained by a business be deleted.
- Consumers can opt out of the processing of their data for targeted advertising, the sale of their data, or profiling.
The law contains the following business requirements:
- Provide detailed privacy notices
- Service provider agreements
- The obligation to only process data if necessary
- Reasonable data security
- Establish a consumer appeals process
- Non-retaliation
Businesses that are covered by the law are required to conduct a data protection impact assessment (DPIA) for the following data processing activities:
- The processing of personal data for purposes of targeted advertising
- The sale of personal data
- The processing of personal data for purposes of profiling
- The processing of sensitive data
- Any processing activities involving personal data that present a heightened risk of harm to consumers
There is no private right of action. The Attorney General is responsible for all enforcement. There is a 30-day right to cure that does not sunset. Fines will be up to $7500 per violation.
Kentucky
The Kentucky Consumer Data Privacy Act (KCDPA) applies to organizations that control or process the personal data of at least 100,000 consumers, or control or process the personal data of 25,000 or more consumers and derive more than 50% of their gross revenue from the sale of personal data. The KCDPA has an exemption for organizations and data subject to HIPAA and the GLBA. The law also includes exemptions for non-profit organizations, institutions of higher education, and organizations using data to assist law enforcement in investigating insurance-related crime.
Kentucky’s law gives consumers the following rights:
- Confirm whether a controller processes the consumer’s personal data and access that personal data
- Correct inaccuracies in their data
- Delete personal data
- Obtain a copy of the personal data held by the controller
- Opt out of the processing of personal data for targeted advertising, the sale of personal data, or certain types of profiling
The KCDPA includes the following obligations for businesses:
- Provide a detailed privacy notice
- Limit collection and processing of personal data to what is adequate, relevant and reasonably necessary to the purposes for which the data was processed
- Implement and maintain reasonable safeguards to protect the personal data within their control
- Gain the consumer’s consent before collecting or processing data
- Do not discriminate against a consumer for exercising any of the consumer rights
- Gain the consumer’s consent before processing sensitive data. Sensitive data includes racial and ethnic data, religious beliefs, mental and physical health conditions, sexual information, citizenship status, precise geolocation data, and data collected from a known child.
- Conduct a DPIA of the following activities:
  - Processing personal data for targeted advertising
  - Processing data for selling
  - Processing data for profiling
  - Processing sensitive data
  - Processing data that presents a heightened risk of consumer harm
The Kentucky Attorney General has enforcement authority. The law does not include a private right of action. There is a 30-day right-to-cure period. Penalties can be up to $7500 per violation.
Rhode Island
The Rhode Island Data Transparency and Privacy Protection Act applies to organizations that control or process the data of 35,000 or more Rhode Island consumers or control or process the data of 10,000 or more consumers and derive more than 20% of their gross revenue from the sale of personal data.
The Rhode Island privacy law gives consumers the following rights:
- Confirm whether a controller processes the consumer’s personal data and access that personal data
- Correct inaccuracies in their data
- Delete personal data
- Obtain a copy of the personal data held by the controller
- Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling
- Consumers can designate another person to serve as their authorized agent
Business obligations in the law include:
- Provide a detailed privacy notice
- Gain the consumer’s consent before processing sensitive data. Sensitive data includes racial and ethnic data, religious beliefs, health conditions, sexual information, and citizenship status. Processing the data of a known child must be done in accordance with COPPA.
- Conduct a data protection assessment where the processing presents a heightened risk of harm
- Implement and maintain reasonable safeguards to protect the personal data within their control
- Do not discriminate against a consumer for exercising any of the consumer rights
- Provide consumers with a mechanism to grant and revoke consent
The Rhode Island Attorney General is responsible for enforcement. The law does not include a private right of action or a right-to-cure period.
CompliancePoint is always monitoring regulatory updates, so be sure to check our blog page and follow us on LinkedIn to stay up to date on any new laws. The CompliancePoint team of privacy professionals can help your organization comply with all state laws and avoid the associated risks. Contact us today at connect@compliancepoint.com to learn more about how we can help you.
