2026 state privacy laws: what Indiana, Kentucky & Rhode Island mean for you
Three new state frameworks took effect in 2026, expanding consumer rights and creating new compliance obligations for businesses that process personal data.
Quick comparison table
| State law (2026 effective date) | Business threshold snapshot | Core consumer rights |
|---|---|---|
| Indiana | Controller-level volume thresholds and revenue/data-sale trigger | Access, delete, correct, portability, opt-out of targeted ads/sale/profiling |
| Kentucky | Consumer-volume threshold plus percentage-of-revenue trigger tied to data sale | Access, delete, correction, portability, and key opt-out rights |
| Rhode Island | Broader applicability to controllers/processors above statutory data thresholds | Access, delete, correction, portability, and limits on targeted advertising/sales |
How these laws compare to California
California remains the most mature framework because of the CPRA ecosystem, broad definitions of sharing/selling, and stronger rulemaking and enforcement maturity. Indiana, Kentucky, and Rhode Island follow a Virginia-style rights model in many areas, but each still increases baseline obligations for notice, rights handling, and vendor controls.
What families should do now
- Submit opt-out requests for targeted advertising and data sale where available.
- Run periodic checks for data broker exposure tied to home address and phone numbers.
- Document requests and follow up when rights responses are incomplete.
What small businesses should do now
- Confirm whether processing volume crosses state thresholds.
- Add intake workflows for access, correction, deletion, and opt-out requests.
- Review processor agreements and targeted-ad tooling for compliance gaps.
- Publish clear privacy notices that map rights by state.
What is coming next
Additional states continue to debate omnibus privacy bills, children-focused privacy bills, and stricter data broker requirements. The practical takeaway is clear: state-by-state rules will keep expanding, so teams should maintain an update cadence instead of one-time policy refreshes.
Next step
Families can start by mapping current exposure with Hardline's Free Exposure Scan, then prioritize removals and opt-outs based on risk.
Run Free Exposure Scan
Identify where personal data is exposed before state-level rights requests are submitted.
Run Free Exposure Scan