TL;DR: Starting today, January 1, 2026, residents of Indiana, Kentucky, and Rhode Island can demand companies delete their data, correct inaccuracies, and opt out of tracking. California launched a centralized platform to delete your info from all data brokers at once. Your rights just expanded.
Indiana, Kentucky, Rhode Island Join the Privacy Club
Three states flipped the switch on comprehensive privacy laws today. If you live in Indiana, Kentucky, or Rhode Island, you just gained rights similar to what California and Virginia residents already have. Companies operating in these states now face legal requirements to respect your data choices.
The laws target larger businesses. Indiana's Consumer Data Protection Act applies to companies processing data from 100,000 or more Indiana residents annually, or 25,000 residents if the company makes over half its revenue from selling personal data. Kentucky uses the same thresholds. Rhode Island set a lower bar: 35,000 consumers, or 10,000 if data sales bring in 20% or more of revenue.
That means local businesses with small customer lists don't have compliance headaches. But every major tech platform, retailer, and data broker operating in these states? They're covered.
What You Can Actually Do
All three state laws grant you five core rights:
Access Your Data
Request a copy of what they've collected about you. Companies have 45 days to respond in most cases. They have to tell you what categories of data they hold, how they use it, and who they share it with.
Fix Inaccuracies
Wrong address in their system? Outdated employment info floating around data broker networks? You can demand corrections. Companies must either fix it or explain why they won't.
Delete Your Data
Tell them to wipe your records. Exceptions exist for legal obligations, fraud prevention, and completing transactions. But your random browsing history from three years ago? Fair game for deletion.
Opt Out of Sales
Companies can't sell your personal data if you tell them not to. "Sale" includes trading data for "other valuable consideration" in Rhode Island's law, potentially catching analytics partnerships other states miss.
Opt Out of Targeting
Block targeted advertising based on your behavior across different websites and apps. Companies must provide clear opt-out methods, not buried three menus deep.
Opt Out of Profiling
Refuse automated decision-making that affects your access to housing, credit, employment, education, or healthcare. If an algorithm makes significant decisions about your life, you can say no.
The Devil in the Details
Kentucky gave companies a permanent cure period. If you file a complaint and the Kentucky Attorney General investigates, companies get 30 days to fix violations before facing penalties. That's business-friendly. Rhode Island went the opposite direction: no cure period at all. Violate the law, face consequences immediately.
Indiana and Kentucky don't require companies to honor universal opt-out signals like Global Privacy Control. Rhode Island does. That means if you set GPC in your browser, Rhode Island companies must respect it automatically.
Data protection assessments differ too. Indiana and Kentucky require risk assessments for high-risk processing activities starting today. Kentucky delays its assessment requirement until June 1, 2026. Rhode Island mandates assessments for activities involving sensitive data or profiling with legal effects.
California's DELETE Platform Goes Live
California launched something bigger today: the Delete Request and Opt-out Platform, or DROP. It's a centralized system where California residents submit one deletion request that reaches every registered data broker simultaneously.
Before DROP, you had to contact data brokers individually. There are hundreds of them. Acxiom, Epsilon, Oracle Data Cloud, LiveRamp, TransUnion, Experian, plus dozens you've never heard of. Each had its own opt-out process. Some made it easy. Most didn't. Some ignored requests.
Now you authenticate once through DROP, submit your deletion request, and the California Privacy Protection Agency distributes it to all registered brokers. Data brokers must check DROP every 45 days, process requests, and report status updates within 45 days of receiving each request.
The penalties bite. Failure to delete information costs $200 per deletion request per day. That adds up fast when you're ignoring thousands of requests.
California also imposed new risk assessment requirements today. Companies processing personal data in ways that present significant privacy risks must conduct and document assessments. This includes the new Automated Decision-Making Technology (ADMT) regulations, which force companies to evaluate their "robot bosses" for bias. The first cybersecurity audits by independent auditors come due April 1, 2028, giving businesses time to prepare.
Who Enforces This
State attorneys general hold enforcement power in Indiana, Kentucky, and Rhode Island. No private right of action means you can't sue companies directly for violations. You file complaints with the AG, who decides whether to investigate and prosecute.
California's Privacy Protection Agency proved it takes enforcement seriously in 2025. They launched a Data Broker Enforcement Strike Force in November, issued fines against marketing firms selling custom audiences without proper registration, and settled cases against Honda and Todd Snyder. The agency means business.
Use Your New Rights
Check company privacy policies for instructions on submitting data requests. Look for sections titled "Your Privacy Rights," "State-Specific Rights," or similar. Indiana, Kentucky, and Rhode Island residents should see updated language acknowledging new rights.
California residents: visit the CPPA website to access DROP once it's fully operational. The platform went live today, though there may be initial rollout issues as data brokers integrate their systems.
For targeted advertising opt-outs, install Privacy Badger or enable Global Privacy Control in browsers that support it. Rhode Island companies must honor GPC automatically. Indiana and Kentucky companies don't have to, but many will to simplify compliance across states.
Document your requests. Save confirmation emails. Screenshot response deadlines. If companies ignore you past 45 days (or whatever deadline their policy specifies), file complaints with your state attorney general. These laws only work if people use them.
Fifteen States and Counting
With today's additions, fifteen US states now have comprehensive consumer privacy laws. That's not federal protection, but it's momentum. Companies increasingly build privacy infrastructure that works nationwide because maintaining fifty different compliance systems is expensive.
The pattern is clear: once a few states pass laws, others follow. California led in 2018 with the CCPA. Virginia followed in 2021. Then Colorado, Connecticut, Utah. Then the flood: Montana, Oregon, Texas, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee. Now Indiana, Kentucky, Rhode Island.
Congress still hasn't passed federal privacy legislation. State laws fill the gap, creating a patchwork that's better than nothing but worse than a unified national standard. Until federal law happens, check whether your state gives you rights. If it does, use them.
References
- Ketch - Data privacy laws: what to expect for 2026
- ComplyAuto - State Privacy Law Deadline: January 1, 2026
- ArentFox Schiff - New Year, New Privacy Obligations
- California Privacy Protection Agency - California Approves Delete Act Regulations
- Hunton Andrews Kurth - California's New Delete Request Tool Impacts Data Brokers and Residents
- Benesch - The Era of Centralized Deletion Is Here: Understanding CalPrivacy's DROP Platform