20 US States Enforce Privacy Laws in 2026 After Indiana, Kentucky, and Rhode Island Go Live

Summary

Indiana, Kentucky, and Rhode Island each activated comprehensive consumer privacy statutes on January 1, 2026. MultiState counts 20 states with active comprehensive privacy laws this year, with additional enforcement dates arriving mid-2026 for Connecticut, Arkansas, and Utah amendments.

Key Details

The Indiana Consumer Data Protection Act and Kentucky Consumer Data Protection Act share similar coverage thresholds: businesses that control or process personal data on 100,000 or more consumers, or derive 50% of revenue from selling data on more than 25,000 consumers. Both grant 30-day cure periods before enforcement penalties apply. Indiana's attorney general published a "Data Consumer Bill of Rights" outlining 15 specific consumer rights.

Rhode Island's Data Transparency and Privacy Protection Act sets a lower bar-entities handling data on 35,000 state residents or 10,000 residents while earning 20% of gross revenue from data sales. Rhode Island provides no cure period, making immediate enforcement possible. The state also omits universal opt-out mechanism recognition, unlike 12 other states that now require businesses to honor Global Privacy Control signals.

Related reading: Ford Fined $375,000 for Adding Friction to Consumer Opt-Out Process Under CCPA explains the next step for teams working on this workflow.

Penalties reach $7,500 per violation in Indiana and Kentucky and $10,000 per violation in Rhode Island. All three laws grant enforcement authority exclusively to the state attorney general with no private right of action.

California simultaneously expanded its privacy regime on January 1, 2026, adding regulations for automated decision-making technology, mandatory risk assessments, and cybersecurity audits. Oregon's phased updates now restrict geolocation data sales and tighten children's privacy protections for users under 16.

Why This Matters

Businesses operating across state lines must now reconcile consent requirements, opt-out mechanisms, and data subject rights across 20 distinct jurisdictions. Rhode Island's lack of a cure period means companies face immediate liability for noncompliance. The IAPP tracks additional state privacy bills advancing through legislatures in 2026, signaling continued expansion of the patchwork.

For businesses collecting personal data through waivers, registration forms, or intake workflows across state lines, jurisdiction-specific consent language and data handling disclosures are now mandatory in 20 states-making adaptable digital consent workflows essential for multi-state compliance.

Sources

• IAPP - New year, new rules: US state privacy requirements coming online as 2026 begins
• MultiState - All of the Comprehensive Privacy Laws That Take Effect in 2026
• Koley Jessen - New State Privacy Laws Effective January 1, 2026