TL;DR: On January 1, 2026, three new comprehensive state privacy laws took effect: Indiana, Kentucky, and Rhode Island. If you live in these states, you now have new rights: access your data, correct it, delete it, opt out of targeted advertising and data sales. Companies must comply or face fines up to $7,500-$10,000 per violation. Rhode Island is the strictest: no cure period for businesses, highest potential penalties. With 20+ states now having privacy laws, the US patchwork continues expanding while federal legislation remains stalled.

What Happened

As of January 1, 2026, residents of Indiana, Kentucky, and Rhode Island gained substantial new privacy rights. These three states join a growing list of states with comprehensive consumer data protection laws, now totaling over 20 states with some form of privacy legislation.[1]

All three laws share common features inspired by the Virginia Consumer Data Protection Act model, but each has unique provisions. Here's what you need to know:

Indiana Consumer Data Protection Act (ICDPA)

Effective: January 1, 2026[2]

Who It Applies To

Businesses that:

  • Conduct business in Indiana OR produce products/services targeted at Indiana residents, AND
  • Control or process personal data of at least 100,000 consumers, OR
  • Control or process data of at least 25,000 consumers AND derive over 50% of revenue from selling personal data

Your New Rights

  • Access: Confirm whether a company has your data and access it
  • Correction: Fix inaccurate personal data
  • Deletion: Request deletion of your personal data
  • Portability: Get a copy of your data in a usable format
  • Opt-out: Stop targeted advertising, data sales, and certain profiling

Key Provisions

  • Opt-in consent required for processing sensitive data (race, health, precise geolocation, etc.)
  • Data protection impact assessments required for high-risk processing
  • 30-day cure period for businesses to fix violations before penalties
  • Penalties up to $7,500 per violation, enforced by Indiana Attorney General

Kentucky Consumer Data Protection Act (KCDPA)

Effective: January 1, 2026[3]

Who It Applies To

Same thresholds as Indiana:

  • Businesses in Kentucky or targeting Kentucky residents
  • 100,000+ consumers OR 25,000+ consumers with 50%+ revenue from data sales

Your New Rights

Same as Indiana:

  • Access, correct, delete, and port your data
  • Opt out of targeted advertising, data sales, and profiling

Key Provisions

  • Opt-in consent for sensitive data processing
  • Privacy notice requirements with clear disclosure of data practices
  • Data protection assessments for processing that presents heightened risk
  • 30-day cure period before enforcement action
  • Penalties up to $7,500 per violation

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Effective: January 1, 2026[4]

Who It Applies To

Rhode Island has lower thresholds, meaning more businesses are covered:

  • For-profit entities in Rhode Island or targeting residents
  • 35,000+ consumers OR 10,000+ consumers with 20%+ revenue from data sales

Your New Rights

  • Confirm whether data is being processed
  • Access, correct, delete, and port your data
  • Opt out of targeted advertising and data sales

Key Provisions: Rhode Island Is Stricter

  • No cure period: Unlike Indiana and Kentucky, businesses don't get a grace period to fix violations
  • Higher penalties: Up to $10,000 per violation (vs. $7,500 in other states)
  • Intentional violations: $100-$500 per intentional disclosure of personal data
  • Privacy notices must disclose specific third parties receiving data
  • Data security practices required by law
  • Attorney General enforcement

How They Compare

Feature Indiana Kentucky Rhode Island
Consumer Threshold 100K 100K 35K
Revenue Threshold 50% 50% 20%
Cure Period 30 days 30 days None
Max Penalty $7,500 $7,500 $10,000
Private Right of Action No No No

Rhode Island stands out: lower thresholds (more businesses covered), no cure period (immediate enforcement possible), and higher penalties. If you're a Rhode Island resident, you have slightly stronger protections.

What This Means for You

Exercise Your Rights

Companies must respond to your requests within 45 days. Submit access, deletion, or opt-out requests. Many companies now have dedicated privacy portals. Use them.

Opt Out of Data Sales

You now have the explicit right to stop companies from selling your data. Look for "Do Not Sell My Personal Information" links in privacy policies.

Stop Targeted Advertising

Tired of creepy ads following you? You can now opt out of targeted advertising. Companies must honor these requests within 15 days.

File Complaints

If companies don't comply, file complaints with your state Attorney General. These offices enforce the laws, but only if they know about violations.

What These Laws Don't Do

Before celebrating, understand the limitations:

  • No private right of action: You can't sue companies directly, only the Attorney General can enforce
  • Government exemptions: These laws don't cover state agencies or law enforcement surveillance
  • Small business exemptions: Many businesses fall below the thresholds and don't have to comply
  • Cure periods (IN/KY): Companies get 30 days to "fix" violations before penalties, reducing accountability
  • No data minimization mandate: Companies can still collect more than they need

These are improvement over nothing, but they're not comprehensive privacy protections. Data brokers, surveillance capitalists, and large platforms will find workarounds.

The Bigger Picture

With these three states, we now have 20+ states with some form of privacy legislation. The patchwork continues:[5]

  • 20+ states: Have comprehensive privacy laws (varying strength)
  • 0 federal laws: Still no national privacy standard
  • 2026 growing list: More states considering legislation

For businesses, this creates compliance headaches. For consumers, it creates lottery-style protection: your rights depend on where you live.

The absence of federal privacy legislation means your protections in Indiana aren't the same as in California (stronger) or Texas (weaker). Americans deserve consistent privacy rights regardless of state residence.

What You Should Do Now

Know Your State's Law

If you're in Indiana, Kentucky, or Rhode Island, familiarize yourself with your new rights. Know what companies must do and what you can demand.

Submit Data Requests

Test the system. Request access to your data from companies you do business with. See what they have. Then decide if you want it deleted.

Use Data Broker Removal

These laws give you leverage against data brokers. Submit deletion requests. Use services like California's DROP platform or manual opt-out tools.

Advocate for Federal Law

Contact your federal representatives. The patchwork of state laws creates confusion. A strong federal privacy law would protect all Americans equally.

References

  1. IAPP - State Privacy Legislation Tracker (January 2026)
  2. Indiana Attorney General - Indiana Consumer Data Protection Act
  3. Kentucky Attorney General - Kentucky Consumer Data Protection Act
  4. Rhode Island Attorney General - RIDTPPA Information
  5. DataGrail - State Privacy Laws Taking Effect in 2026