All Blog Posts
Privacy News

Concord Privacy News: 1/13/26

Three new state privacy laws took effect January 1, 2026; Navigating the new data privacy era with DPDP Rules; Lawmakers to Take Fresh Swing at National Privacy Law Early This Year.

Published: Tue Jan 13 2026

Concord Privacy News: 1/13/26
Three New State Privacy Laws Took Effect January 1, 2026: What Businesses Need to KnowA Familiar Framework, with Key NuancesThe 2026 Privacy LawsConsumer Rights Businesses Must SupportData Protection Assessments Are RequiredKey Differences by StateIndianaKentuckyRhode IslandWhat Businesses Should Do NowThe Bottom LineState Privacy LawsOther Privacy News of NoteNavigating the New Data Privacy Era in India with DPDP RulesLawmakers to Take Fresh Swing at National Privacy Law Early This Year

Three New State Privacy Laws Took Effect January 1, 2026: What Businesses Need to Know

The U.S. privacy landscape continues to evolve at the state level. On January 1, 2026, three additional comprehensive privacy laws took effect, covering residents of Indiana, Kentucky, and Rhode Island. While these laws follow a familiar framework, each includes details that matter for compliance planning. Here’s what businesses need to know and what to do next.

A Familiar Framework, with Key Nuances

All three laws reflect the now-common U.S. state privacy model, requiring covered businesses to:

  • Meet specified data volume or revenue thresholds
  • Honor consumer rights such as access, deletion, correction, and opt-out
  • Maintain reasonable data security practices
  • Distinguish between data controllers and processors
  • Respond to enforcement by state Attorneys General (no private right of action)

Despite these similarities, differences in scope, disclosures, and enforcement mean compliance is not one-size-fits-all.

The 2026 Privacy Laws

  • Indiana
    • Law: Indiana Consumer Data Protection Act (INCDPA)
    • Effective Date:Jan. 1, 2026
    • Applicability Thresholds:100,000+ residents’ data, or 25,000+ residents’ data with ≥50% of revenue from data sales
  • Kentucky
    • Law:Kentucky Consumer Data Protection Act (KCDPA)
    • Effective Date:Jan. 1, 2026
    • Applicability Thresholds:Same thresholds as Indiana
  • Rhode Island
    • Law: Data Transparency and Privacy Protection Act (RIDTPPA)
    • Effective Date:Jan. 1, 2026
    • Applicability Thresholds:35,000+ residents’ data, or 10,000+ residents’ data with ≥20% of revenue from data sales

Consumer Rights Businesses Must Support

Under all three laws, consumers gain the right to:

  • Access, correct, and delete their personal data
  • Obtain a copy of their data
  • Opt out of targeted advertising, data sales, and certain profiling activities

Businesses must also provide an appeals process for denied requests and respond within defined timeframes.

Data Protection Assessments Are Required

Each law requires data protection impact assessments for certain high-risk processing activities, including targeted advertising, selling personal data, processing sensitive data, and some profiling activities. For many organizations, this means formalizing assessment processes within product and marketing workflows.

Key Differences by State

Indiana

Indiana’s law closely mirrors Virginia’s approach:

  • Narrow definition of “sale” (generally monetary)
  • Consent required for sensitive data
  • 30-day cure period for alleged violations

This will feel familiar to organizations already compliant with Virginia-style laws.

Kentucky

Kentucky essentially tracks Indiana’s framework, with:

  • Slightly broader sensitive data definitions
  • Some assessment-related requirements phasing in after the effective date

Most organizations can extend existing compliance programs with minimal adjustment.

Rhode Island

Rhode Island introduces more stringent requirements:

  • Some transparency obligations may apply even if standard thresholds aren’t met
  • No cure period for violations
  • More detailed privacy notice disclosures
  • Short timelines for stopping sensitive data processing after consent is revoked

These differences may require additional operational and disclosure updates.

What Businesses Should Do Now

To prepare for these new laws, organizations should:

  1. Map data flows involving Indiana, Kentucky, and Rhode Island residents
  2. Confirm applicability thresholds, especially revenue tied to data sales
  3. Update privacy notices and consumer rights workflows
  4. Review consent and opt-out mechanisms, including appeals
  5. Integrate data protection assessments into high-risk processing activities

The Bottom Line

Indiana, Kentucky, and Rhode Island continue the trend toward comprehensive state privacy regulation, while introducing meaningful differences that businesses can’t ignore. Ensuring compliance with new laws will help reduce compliance risk and build trust with your users.

Concord helps organizations track evolving state privacy laws and turn regulatory requirements into clear, operational action.*

State Privacy Laws

  • Indiana Consumer Data Protection Act (Effective January 1, 2026)
  • Kentucky Consumer Data Protection Act (Effective January 1, 2026)
  • Rhode Island Data Transparency and Privacy Protection Act (Effective January 1, 2026)
  • Minnesota Consumer Data Privacy Act (Effective July 31, 2025)
  • Tennessee Information Protection Act (Effective July 1, 2025)
  • Maryland Online Data Privacy Act (Effective October 1, 2025)
  • New Jersey Data Privacy Act (Effective January 15, 2025)
  • Delaware Personal Data Privacy Act (Effective January 1, 2025)
  • Iowa Consumer Data Protection Act (Effective January 1, 2025)
  • Nebraska Data Privacy Act (Effective January 1, 2025)
  • New Hampshire Consumer Data Privacy Act (Effective January 1, 2025)
  • Montana Consumer Data Privacy Act (Effective October 1, 2024)
  • Florida Digital Bill of Rights (Effective July 1, 2024)
  • Oregon Consumer Privacy Act (Effective July 1, 2024)
  • Texas Data Privacy and Security Act (Effective July 1, 2024)
  • Utah Consumer Privacy Act (Effective December 31, 2023)
  • Colorado Privacy Act (Effective July 1, 2023)
  • Connecticut Data Privacy Act (Effective July 1, 2023)
  • Virginia Consumer Data Protection Act (Effective January 1, 2023)
  • California Consumer Privacy Act (Effective January 1, 2020)

Other Privacy News of Note

The finalization of the Digital Personal Data Protection (DPDP) Rules marks a pivotal moment in India’s digital and regulatory landscape. Under the new Rules, organizations must unify data systems, establish strong governance for AI and investigations, and shift to consent-based customer engagement. The Rules could be an opportunity for organizations to embed privacy into design, strengthen governance, and build trust by proactively redesigning data ecosystems. Read more.

Lawmakers to Take Fresh Swing at National Privacy Law Early This Year

Lawmakers are preparing to introduce data privacy legislation as soon as this month to create new protections for American consumers' data, Politico has exclusively learned. Members of the House Energy and Commerce Committee’s data privacy working group are finalizing bill language that will provide the first glimpse of the latest attempt at a federal privacy law. Read more.