
Three New State Privacy Laws Take Effect: Indiana, Kentucky, and Rhode Island

Three new comprehensive state privacy laws became effective January 1, 2026: Indiana Consumer Data Protection Act (ICDPA), Kentucky Consumer Data Protection Act (KCDPA), and Rhode Island Data Transparency and Privacy Protection Act (RIDPA). Rhode Island's law is notable for requiring public disclosure of third parties receiving personal data and having no cure period for violations. Organizations must assess applicability based on varying processing thresholds across all three states.


Three new comprehensive state privacy laws took effect on January 1, 2026: the Indiana Consumer Data Protection Act (ICDPA), Kentucky Consumer Data Protection Act (KCDPA), and Rhode Island Data Transparency and Privacy Protection Act (RIDPA). These laws expand the state privacy patchwork to 19 states with comprehensive data protection requirements. Rhode Island's law introduces unique obligations, including mandatory public disclosure of third parties receiving personal data and no cure period for violations. Organizations operating nationally must assess applicability across all three jurisdictions and implement appropriate compliance measures.

Indiana Consumer Data Protection Act scope

The Indiana Consumer Data Protection Act applies to entities controlling or processing personal data of 100,000 or more Indiana residents, or entities processing data of 25,000 or more residents while deriving over 50% of gross revenue from selling personal data. These thresholds align with several other state privacy laws, creating some consistency for multi-state compliance.

Indiana residents gain the rights standard in comprehensive privacy laws under the ICDPA: the right to confirm whether a controller processes their data, access their personal data, correct inaccuracies, delete personal data, and obtain a portable copy. Additionally, residents can opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of automated decisions producing legal or similarly significant effects.

Controllers must provide reasonably accessible privacy notices describing categories of personal data processed, purposes of processing, how consumers can exercise their rights, and categories of third parties with whom data is shared. Data protection impact assessments are required for processing activities presenting heightened risk of harm, including targeted advertising, sale of personal data, processing for profiling, and processing sensitive data.

The Indiana Attorney General has exclusive enforcement authority with no private right of action. Controllers receive a 30-day cure period to address violations before the Attorney General can pursue enforcement action. This cure period gives organizations an opportunity to remediate compliance gaps before facing penalties.

Kentucky Consumer Data Protection Act requirements

Kentucky's Consumer Data Protection Act mirrors Indiana's applicability thresholds: 100,000 Kentucky residents or 25,000 residents combined with 50% or more revenue from personal data sales. The similar threshold structure simplifies compliance analysis for organizations already assessing Indiana applicability.

Consumer rights under KCDPA parallel other comprehensive state laws: access, correction, deletion, data portability, and opt-out rights for targeted advertising, data sales, and profiling. Kentucky provides a 30-day response window for consumer rights requests, consistent with most state privacy laws.

Kentucky offers several business-friendly exemptions distinguishing it from more stringent state laws. The law exempts data subject to sector-specific federal regulations including HIPAA, GLBA, and FERPA. Employment data and business-to-business contact information receive exemptions, reducing compliance burden for organizations processing these data categories.

Notably, Kentucky does not currently require recognition of universal opt-out mechanisms such as Global Privacy Control. This distinction means organizations cannot rely solely on browser-based opt-out signals for Kentucky compliance and must provide separate opt-out methods. Future amendments may align Kentucky with the growing number of states requiring universal opt-out recognition.

Rhode Island unique requirements

Rhode Island's Data Transparency and Privacy Protection Act establishes notably lower applicability thresholds than most state privacy laws. The law applies to entities processing data of 35,000 Rhode Island residents, or 10,000 residents combined with deriving over 20% of gross revenue from personal data sales. These lower thresholds bring smaller organizations into scope compared to other states.

Rhode Island uniquely requires public disclosure of third parties to whom personal data is sold or shared. Controllers must publicly identify the specific third parties receiving personal information, not merely categories of recipients. This transparency requirement exceeds other state laws and creates additional compliance complexity for organizations with complex data sharing arrangements.

The law imposes strict privacy notice requirements for any commercial website targeting Rhode Island residents. Privacy notices must identify categories of personal data processed, purposes of processing, categories of data sold, third parties receiving data, and an active email address for consumer inquiries. The notice must be conspicuously displayed and easily accessible.

Critically, Rhode Island provides no cure period for violations. The Attorney General can immediately pursue enforcement action without providing an opportunity for remediation. This approach differs from most state privacy laws and creates heightened compliance urgency for organizations within scope. Early compliance is essential given the absence of a cure opportunity.

Consumer rights comparison

All three laws provide similar core consumer rights, though implementation details vary. Access rights allow consumers to confirm processing and obtain copies of their data. Correction rights enable consumers to fix inaccuracies in their personal data. Deletion rights allow consumers to request removal of their personal data subject to certain exemptions.

Data portability rights vary in scope across the three laws. Indiana and Kentucky require provision of personal data in readily usable formats. Rhode Island's portability requirements align with this approach but emphasize interoperability with the consumer's chosen services.

Opt-out rights are consistent across all three states for targeted advertising, sale of personal data, and profiling. However, the definition of "sale" varies, affecting which data transfers trigger opt-out requirements. Organizations must carefully analyze their data sharing practices against each state's sale definition.

Appeal rights require controllers to establish processes for consumers to appeal denied rights requests. All three states require appeals mechanisms, though the procedural requirements differ. Organizations should implement consistent appeal processes that satisfy the most stringent state requirements.

Enforcement mechanisms

All three states vest enforcement authority exclusively in the Attorney General with no private right of action. This enforcement model limits litigation exposure compared to states like California that permit private claims for certain violations. However, Attorney General enforcement can result in significant penalties and injunctive relief.

Indiana and Kentucky provide 30-day cure periods before enforcement actions can proceed. This cure period gives organizations an opportunity to address compliance gaps when violations are identified. Documented remediation efforts during the cure period can mitigate enforcement risk.

Rhode Island's absence of a cure period creates different enforcement dynamics. Organizations must maintain early compliance since no opportunity exists to remediate once violations are identified. This approach incentivizes preventive compliance investment rather than reactive correction.

Penalty structures vary but can include substantial civil penalties for non-compliance. Repeat violations and willful disregard for requirements can result in enhanced penalties. Organizations should assess enforcement risk based on their data processing activities and compliance posture in each state.

Multi-state compliance strategies

Organizations subject to multiple state privacy laws should consider harmonized compliance approaches. Building privacy programs to satisfy the most stringent requirements across applicable states reduces operational complexity while ensuring broad compliance. This approach often means implementing Rhode Island's transparency requirements and early compliance posture universally.

Privacy notice consolidation can simplify disclosure obligations. A single comprehensive privacy notice addressing all applicable state requirements is generally preferable to state-specific notices. The notice should clearly identify all categories of information required by each applicable law.

Consumer rights request handling should use unified workflows. While response timeframes and specific requirements vary, centralized request intake and processing improves consistency and reduces error risk. Automated systems can apply state-specific logic while maintaining unified underlying processes.

Data inventory and mapping efforts should encompass all states where organizations may be subject to privacy law requirements. Understanding what personal data is collected, processed, shared, and sold enables accurate applicability assessments and appropriate compliance measures across jurisdictions.

60-day priority list

  • Assess applicability of Indiana, Kentucky, and Rhode Island privacy laws based on processing thresholds.
  • Review and update privacy notices to address Rhode Island's specific disclosure requirements.
  • Implement third-party disclosure mechanisms required by Rhode Island.
  • Evaluate existing consumer rights request processes against all three states' requirements.
  • Update data protection impact assessment practices to cover required processing activities.
  • Assess cure period implications and adjust compliance monitoring accordingly.
  • Brief legal counsel on multi-state compliance obligations and risk assessment.
  • Document compliance measures to demonstrate good faith efforts if enforcement occurs.

Bottom line

The January 2026 effective dates for Indiana, Kentucky, and Rhode Island privacy laws continue the expansion of comprehensive state privacy requirements. Organizations must assess applicability based on varying thresholds across states and implement appropriate compliance measures. Rhode Island's unique requirements for public third-party disclosure and the absence of a cure period warrant particular attention.

Multi-state compliance complexity continues to grow as more states enact comprehensive privacy laws. Organizations should consider building privacy programs to the highest common denominator, satisfying the most stringent requirements across applicable jurisdictions. This approach reduces operational complexity while ensuring broad compliance.

Rhode Island's lower applicability thresholds and stricter enforcement approach may influence future state privacy legislation. Organizations should monitor legislative developments for similar trends in other states. Early compliance investment now positions organizations well for continued regulatory expansion.

This analysis recommends that organizations conduct prompt applicability assessments for all three new laws and implement compliance measures appropriate to their data processing activities. The absence of a private right of action reduces litigation exposure, but Attorney General enforcement remains a meaningful compliance driver requiring ongoing attention.
