January 1, 2026, isn’t just another date on the privacy calendar; it’s the moment three new state privacy laws snap into place and expand the already-complex U.S. privacy patchwork. Indiana, Kentucky, and Rhode Island are each stepping into the arena with comprehensive privacy acts that echo familiar frameworks while adding their own twists.
For privacy, compliance, and security professionals, this moment is both a challenge and an opportunity. A challenge because the operational complexity grows. An opportunity because privacy leaders are now shaping business strategy, not simply supporting it. And, like every great origin story, 2026 rewards the teams who prepare early, act decisively, and embrace accountability as a competitive advantage.
Welcome to the next chapter of state privacy evolution. New year, new laws, and a renewed proving ground for privacy excellence.
Understanding the new 2026 state privacy laws
Three states, three statutes, one expanding patchwork
The Indiana Consumer Data Protection Act (INCDPA), the Kentucky Consumer Data Protection Act (KCDPA), and the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) all take effect Jan. 1, 2026. Together, they reinforce a clear trend: comprehensive privacy laws aren’t slowing down. They’re accelerating.
Each law introduces familiar pillars such as consumer rights, transparency, assessments, and vendor accountability, while refining scope, thresholds, and obligations in ways that privacy teams will need to understand and operationalize.
Many organizations start this work by strengthening their data inventory, and tools like TrustArc Data Mapping & Risk Manager can streamline that process early in the journey.
Who’s covered
Across the three laws, businesses generally fall in scope if they:
- Conduct business in the state or target residents.
- Process or control personal data above the defined consumer thresholds.
- Sell personal data or process sensitive information.
Thresholds vary, but the overarching theme remains the same: if you’re handling consumer data at scale, these laws apply.
Why these 2026 laws matter
Three forces make this trio significant:
- Momentum. Roughly 20 states now have comprehensive privacy laws, with additional bills advancing each year.
- Convergence. While each state individualizes its law, the broad similarities make a unified compliance framework more realistic than ever.
- Maturity. These laws reinforce that privacy is a full-scale governance requirement.
For organizations already feeling the strain of multistate compliance, 2026 inspires a strategic shift from reactive scrambling to proactive standardization.
Compliance dates and readiness milestones
Effective date: Jan. 1, 2026
All three laws go live on the same day. And, as every seasoned privacy leader knows, the effective date is never the starting line. With 2025 effectively in the rearview mirror, organizations are now in the final stretch of tightening controls, validating processes, and reinforcing the operational muscle needed for day-one compliance.
Your final readiness checklist
A unified data inventory should now be in place, thresholds should be evaluated, and any remaining compliance gaps should be resolved. Privacy notices must reflect accurate disclosures and jurisdiction-specific requirements. Rights-request workflows should be end-to-end functional, vendor contracts should be updated, and data protection impact assessment (DPIA) processes should be established and actively running.
Cross-functional readiness matters
Teams across Marketing, Legal, Engineering, Security, and Product should already be trained on their roles and escalation paths. These laws reward operational discipline, and the final weeks before January are the moment to validate that everything works under real conditions.
Think of this as the last practice lap before the flag drops: the moment when precision, coordination, and preparation determine how confidently you enter 2026.
2026 state privacy rights and obligations at a glance
Consumer rights across the laws
Across all three states, consumers gain:
- The right to access personal data.
- The right to correct inaccuracies.
- The right to delete data (with contextual exceptions).
- The right to confirm processing.
- The right to obtain a copy of their data.
- The right to appeal rights request decisions.
- The right to opt out of:
  - targeted advertising,
  - sale of personal data, and
  - profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Indiana, Kentucky, and Rhode Island largely align on these rights, though differences in scope, response timeframes, and consent requirements require careful attention.
Individual Rights Manager helps teams meet these differing timelines at scale, including Rhode Island's requirement to stop processing no later than 15 days after a consumer revokes consent.
Controller duties and transparency requirements
Across all three laws, controllers are expected to uphold a set of core responsibilities that reinforce transparency, fairness, and accountability. Organizations must limit the personal data they collect to what is adequate, relevant, and reasonably necessary for the purposes they disclose.
They also need to maintain clear, accessible privacy notices that explain their data practices in plain language. Strong safeguards are essential, with technical, administrative, and physical measures that match the sensitivity and volume of the data they hold.
Just as important is nondiscrimination. Businesses cannot disadvantage consumers for exercising their privacy rights, whether those rights involve access, deletion, correction, or opting out.
High-risk processing activities require thoughtful evaluation through DPIAs, ensuring risks are identified and mitigated before issues arise. And because no organization operates alone, controllers must establish contracts with processors that define responsibilities, restrict use, and reinforce security expectations.
These obligations function as the privacy equivalent of good business hygiene, serving as fundamental, foundational, and nonnegotiable principles for any organization committed to responsible data practices.
Assessment Manager streamlines this work by automating DPIAs, PIAs, and TIAs with built-in legal logic aligned to state-specific triggers.
What businesses must do to comply with the Indiana CDPA
The Indiana CDPA closely follows the Virginia model and shares much with Utah and Iowa, but its definitions, exemptions, and applicability thresholds still carry operational significance.
Practical steps for organizations
- Data mapping. Indiana’s thresholds are based on volume, making an accurate data inventory critical.
- Rights workflows. Build or refine intake, verification, and response mechanisms.
- Notice updates. Disclose categories, purposes, rights, and opt-out methods clearly.
- Consent for sensitive data. Explicit opt-in is required.
- Appeals process creation. Indiana mandates clear escalation paths.
- Opt-out mechanisms. Indiana does not require controllers to honor universal opt-out preference signals the way Colorado and California do, but it does require a clear and functional method for consumers to opt out.
- Vendor contract alignment. Processors must follow instructions, support rights requests, and implement safeguards.
Common areas where companies struggle
Organizations often encounter friction when interpreting Indiana’s narrower definition of “sale,” which aligns with Virginia and Utah by focusing strictly on monetary exchanges. This stands in contrast to broader states like California, where “valuable consideration” significantly expands the scope.
Many teams also underestimate the breadth of profiling activities and the situations in which those activities trigger a DPIA, leading to compliance blind spots that surface later in the implementation process.
Even more foundational is the challenge of maintaining an accurate data inventory; without a clear picture of what data exists and where it flows, determining thresholds, obligations, and risk becomes guesswork.
Data Mapping & Risk Manager helps reduce that guesswork with automated flow mapping and real-time risk scoring tied directly to Indiana’s applicability criteria.
Indiana’s law ultimately reinforces that even so-called “lighter” privacy statutes carry meaningful operational expectations that demand rigor, visibility, and a well-structured compliance program.
If you need a deeper breakdown of Indiana’s requirements, thresholds, and obligations, explore our full guide to the Indiana Consumer Data Protection Act.
Preparing for the Kentucky KCDPA: Key operational priorities
Kentucky’s law mirrors Virginia, Tennessee, and Indiana, making it part of the “VCDPA family.” Its obligations may look familiar, but familiarity doesn’t equal simplicity.
Key requirements to operationalize
- Collect only data necessary for the disclosed purpose.
- Avoid undisclosed secondary use unless consent is obtained.
- Maintain security controls that match data sensitivity.
- Provide detailed privacy notices.
- Obtain consent for sensitive data processing.
- Uphold consumer rights without discrimination.
Contract refresh priorities
Vendor agreements must include:
- processing instructions,
- confidentiality guarantees,
- support for rights requests,
- use limitations, and
- security obligations.
Mixed footprint complexity
Companies operating across Kentucky, Virginia, Colorado, and California must reconcile differences across:
- opt-out mechanisms,
- profiling restrictions,
- notice requirements,
- DPIA triggers, and
- definitions of “sensitive data.”
Why early standardization matters
Kentucky rewards companies that adopt a baseline privacy posture that can be replicated across states, rather than being reinvented for each new law.
For a closer look at Kentucky’s requirements, definitions, and readiness considerations, explore our full guide to the Kentucky Consumer Data Protection Act.
How the 2026 laws compare: Indiana vs. Kentucky (and where Rhode Island fits)
Privacy pros are natural comparison shoppers, and for good reason. Understanding the nuances helps prevent misapplication, over-application, or conflicting controls.
Applicability thresholds
- Indiana: 100,000 consumers, or 25,000 consumers with more than 50% of gross revenue derived from the sale of personal data.
- Kentucky: Identical thresholds to Indiana.
- Rhode Island: 35,000 consumers (excluding payment transaction data) or 10,000 consumers with more than 20% revenue from data sales.
Rhode Island uses the lowest thresholds, which pulls many mid-sized businesses into scope that fall below the Indiana and Kentucky lines.
Consumer rights
While all three grant core rights, Rhode Island adds unique timing and revocation-related requirements, including ceasing processing no later than 15 days after receiving a consumer's request to revoke consent.
Individual Rights Manager includes deadline-based routing and automated tracking that simplify compliance with accelerated requirements like Rhode Island’s revocation timeline.
Opt-out scope
All three include opt-outs for targeted advertising, sale, and profiling.
Enforcement
- Indiana: Up to $7,500 per violation; AG enforcement only, no private right of action; 30-day cure period.
- Kentucky: Up to $7,500 per violation; AG enforcement only, no private right of action; 30-day cure period.
- Rhode Island: Up to $10,000 per violation; AG enforcement only, no private right of action; no statutory cure period.
Rhode Island carries the highest risk exposure: the lowest applicability thresholds, the highest per-violation penalty, and no cure window before enforcement.
DPIA triggers
All require assessments for:
- targeted advertising,
- data sales,
- profiling with foreseeable risk,
- sensitive data, and
- other high-risk processing.
Rhode Island explicitly requires DPIAs for processing that presents a heightened risk of harm to a customer (the statute's term for consumer).
For a deeper look at Rhode Island’s thresholds, rights, and high-risk processing requirements, explore our full guide to the Rhode Island Data Transparency and Privacy Protection Act.
What the 2026 laws mean for business operations and vendor risk
Privacy leaders don’t just interpret laws—they operationalize them. And the 2026 statutes reshape how organizations work across every major function, often in ways that demand new levels of coordination and clarity.
Marketing
Marketing teams will feel the impact through tighter restrictions on targeted advertising and a heightened expectation for transparency. Clear, functioning opt-out mechanisms become essential, turning marketing workflows into front-line expressions of consumer trust.
Engineering and Product
Engineering and product teams must incorporate DPIAs into their development cycles, building privacy assessment into the earliest stages of design.
Consent workflows for sensitive data become part of the core architecture, and systems must evolve to support deletion, correction, and other consumer rights without friction.
Security
For security teams, the laws reinforce the need for safeguards that match the sensitivity and volume of the data they protect. Incident response processes must also align with each state's separate breach-notification statute: the privacy acts impose the security duty, while the notice timeframes and escalation paths come from those breach laws and should be mapped alongside them.
Legal and Compliance
Legal and compliance professionals face an expanded portfolio, including refreshing contracts to meet state-specific obligations, updating privacy notices for clarity and accuracy, and strengthening documentation to demonstrate ongoing accountability. The burden isn’t simply to comply; it is to demonstrate compliance consistently and transparently.
Vendor risk
Vendor management becomes increasingly complex, particularly under Rhode Island’s additional requirements for ISPs and commercial websites. All three laws elevate expectations around due diligence, clear data handling instructions, breach responsibilities, subprocessor oversight, and strict limits on how processors may reuse data. The mandate is simple: trust, but verify. And then verify again.
Assessment Manager and Data Mapping & Risk Manager work together to document vendor responsibilities, surface risks, and support processor due diligence across all three states.
Governance considerations across multiple 2026 laws
Privacy governance is no longer a back-office safety net. It has become the center of business strategy, shaping decisions, influencing design, and strengthening trust at every level of the organization.
Centralize where possible
A unified governance framework streamlines operations by reducing policy sprawl, eliminating duplicative assessments, and preventing inconsistencies across notices and disclosures. When governance is centralized, complexity gives way to clarity, and teams can execute with confidence rather than constantly recalibrating for each new jurisdiction.
To strengthen centralization with a proven governance model, explore the Nymity Privacy Management Accountability Framework.
Standardize definitions and processes
Standardization is where consistency becomes power. Establishing shared definitions for terms like personal data, sensitive data, profiling, sale, and targeted advertising creates a common language across the enterprise. Only when a specific law requires differentiation should teams diverge from these standards. This approach maintains operational alignment while respecting the nuances of each statute.
Build consistency across jurisdictions
Consistency delivers both procedural clarity and psychological confidence. When stakeholders understand the rules and see the same expectations repeated across state lines, compliance becomes predictable instead of reactive. Predictability, in turn, strengthens accountability and minimizes the operational “surprises” that often trigger risk.
Governance that drives executive-level visibility
Effective privacy governance elevates visibility at the highest levels. Boards gain clarity when they can see accountability maps, DPIA tracking, vendor inventories, risk metrics, and incident response readiness presented in a structured, repeatable way. This transparency reassures leadership that privacy risks are understood, managed, and continuously monitored.
Privacy leaders safeguard the organization and position it to thrive in a rapidly evolving regulatory landscape. Strong governance is the infrastructure that keeps companies steady as privacy laws continue to expand and evolve.
Turning the 2026 laws into a forward-looking privacy advantage
Indiana, Kentucky, and Rhode Island are expanding the U.S. privacy landscape in 2026, and privacy leaders who plan ahead can turn this next wave into a competitive edge. Success hinges on visibility, operational discipline, and the kind of automation that makes multi-state compliance repeatable rather than reactive. TrustArc provides that foundation through three purpose-built products: Data Mapping & Risk Manager, Assessment Manager, and Individual Rights Manager.
Data Mapping & Risk Manager gives organizations the clarity these new laws demand. Automated inventory creation, AI-assisted data flow mapping, third-party discovery, and intelligent risk scoring create a real-time understanding of where data sits, how it moves, and where risk concentrates. This level of visibility helps teams align their program with thresholds in Indiana, sensitive data triggers in Rhode Island, and core controller duties across all three states.
Assessment Manager operationalizes the impact assessments required for high-risk processing. Automated triggers, expert-built templates, gap analysis, and remediation tracking streamline DPIAs, PIAs, and TIAs and ensure documentation keeps pace with evolving obligations. When connected to Data Mapping & Risk Manager, assessments become part of a unified risk lifecycle that supports profiling reviews, cross-border evaluations, and sensitive data governance.
Individual Rights Manager helps organizations meet consumer rights obligations at scale. Automated request intake, identity verification, system integrations, and law-specific workflows help teams fulfill access, deletion, correction, and opt-out requests with speed and consistency. Capabilities like deadline-based routing and audit-ready reporting support unique requirements such as Rhode Island’s compressed timeline for revoked consent.
A platform designed for the next chapter of U.S. privacy
Together, these products form a modern privacy workspace that strengthens compliance today and builds resilience for whatever comes next. With visibility, assessments, and rights fulfillment unified under one platform, privacy leaders can enter 2026 with confidence—prepared not only to comply with Indiana, Kentucky, and Rhode Island, but also to set a higher bar for trust and accountability across the organization.