Movie prime

Navigating Indiana, Kentucky, and Rhode Island’s New 2026 Data Privacy Laws

Explore the new 2026 data privacy laws in Indiana, Kentucky, and Rhode Island. Learn about compliance thresholds, consumer rights, and unique proactive disclosure rules.

 

The year 2026 has begun with a major expansion of the US data privacy patchwork as three new comprehensive state laws—the Indiana Consumer Data Protection Act (INCDPA), the Kentucky Consumer Data Protection Act (KCDPA), and the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)—all officially went into effect on January 1, 2026. This "New Year Shift" marks a turning point for mid-sized and large businesses operating in the Midwest and New England, as they must now navigate a triad of regulations that, while similar to the "Virginia-style" framework, contain unique nuances that could trigger significant penalties. For the first time, residents in these states have been granted the legal power to access, correct, and delete the digital footprints they leave behind, fundamentally altering the relationship between consumers and the multi-billion-dollar data brokerage industry.

The Scope of 2026 Compliance: Who Is Covered?

Unlike the broad reach of California’s privacy law, the 2026 laws in Indiana, Kentucky, and Rhode Island are primarily targeted at large-scale data controllers.

  • Indiana and Kentucky: Both states share identical thresholds. A business must comply if it conducts business in the state and annually processes the data of at least 100,000 residents, or processes the data of at least 25,000 residents while deriving over 50% of its gross revenue from data sales.

  • Rhode Island: The RIDTPPA has a much lower barrier to entry, making it the most stringent of the three. It applies to companies processing the data of only 35,000 residents, or 10,000 residents if the company derives more than 20% of its revenue from selling personal information. This lower threshold in Rhode Island means that many regional businesses that were previously "too small" to worry about privacy compliance now find themselves under the direct supervision of the Rhode Island Attorney General.

The "Proactive Disclosure" Rule in Rhode Island

While Indiana and Kentucky follow a standard "Notice-on-Request" model, Rhode Island has introduced a groundbreaking Proactive Disclosure requirement. Under the RIDTPPA, any commercial website or internet service provider that sells personal data must explicitly name the specific third parties to whom the data may be sold in their privacy policy. Most other states only require businesses to list the "categories" of third parties (e.g., "marketing partners" or "data analytics firms"). Rhode Island’s 2026 mandate for naming specific entities by their legal names represents one of the most aggressive transparency requirements in the country, effectively forcing companies to "out" their data-sharing partners publicly without a consumer even needing to ask.

Consumer Rights: The "Power to Opt-Out"

The 2026 laws grant a standardized set of rights to consumers in Indiana, Kentucky, and Rhode Island, often referred to as the "Privacy Five."

  1. Right to Confirm/Access: Consumers can ask if a business has their data and request a copy of it.

  2. Right to Correction: The ability to fix inaccurate personal information held by a company.

  3. Right to Deletion: The right to request that a business erase the personal data it has collected about them.

  4. Right to Portability: The right to obtain their data in a "readily usable" format to move it to another service.

  5. Right to Opt-Out: Consumers can opt out of the sale of personal data, targeted advertising, and profiling that could result in "legal or similarly significant effects." In 2026, businesses have 45 days to respond to these requests, though they can extend this period by another 45 days if the request is particularly complex.

Data Protection Impact Assessments (DPIAs)

Starting in 2026, all three states require businesses to conduct and document Data Protection Impact Assessments (DPIAs) for high-risk processing activities. This includes any processing related to targeted advertising, data sales, or the handling of "Sensitive Data."

  • Sensitive Data: This category includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, and biometric/genetic data. Under the 2026 rules, businesses cannot process sensitive data without the consumer’s explicit "Opt-In" consent. The Attorneys General in these states have the power to request copies of these DPIAs at any time to verify that the business has properly weighed the risks of data collection against the benefits to the consumer.

Enforcement and the "Right to Cure"

Enforcement for all three laws rests solely with the State Attorney General’s office; there is no private right of action, meaning individual consumers cannot sue businesses for a violation. However, the penalties for non-compliance are severe.

  • Indiana and Kentucky: The Attorney General can seek civil penalties of up to $7,500 per violation. Both states offer a permanent 30-day "Right to Cure," giving businesses a one-month window to fix a violation before fines are officially levied.

  • Rhode Island: Violations can result in fines of up to $10,000 per violation. Unlike the others, Rhode Island’s enforcement is managed through its "Unfair and Deceptive Acts or Practices" authority, which can be broader in scope. The 2026 shift toward aggressive AG enforcement suggests that businesses should prioritize "Reasonable Security" measures, as a single data breach could result in millions of dollars in cumulative fines if it is determined that privacy protections were not in place.

The Role of "Agentic AI" in 2026 Compliance

To manage the influx of data requests, many mid-sized companies are turning to the Agentic AI systems that became a mainstay of small business operations in 2026. These autonomous agents are being deployed to "map" data across various software platforms, ensuring that when a consumer in Fort Wayne or Louisville hits "Delete," the data is actually scrubbed from every corner of the business's server. Because the 2026 laws also regulate Automated Decision Making (ADMT), these AI agents are being programmed to provide "Reasoning Summaries" whenever a consumer asks why an automated system denied them a service or changed their pricing, meeting the new 2026 standards for "Algorithmic Transparency."

Conclusion

Navigating the data privacy laws of Indiana, Kentucky, and Rhode Island in 2026 requires more than just a simple update to a website’s footer. With Rhode Island’s proactive disclosure rules and the universal requirement for DPIAs, businesses must treat data privacy as a core operational capability rather than a yearly legal checkup. For residents, these laws represent the dawn of a new "Digital Sovereignty" era, where they finally hold the keys to their own personal information. As we move through 2026, the success of these laws will likely be measured by how many businesses choose to adopt a "National Baseline" for privacy, rather than attempting to manage the complexity of the ever-growing state-by-state patchwork.

FAQs

When do the Indiana, Kentucky, and Rhode Island laws take effect?

All three laws became enforceable on January 1, 2026. Businesses that meet the consumer thresholds in these states must be in compliance immediately.

What is the "Right to Cure" in Indiana and Kentucky?

The Right to Cure is a 30-day grace period. If the Attorney General notifies you of a violation, you have 30 days to fix the issue and provide a written statement that the problem is resolved to avoid penalties.

Do I need to name my data buyers in Rhode Island?

Yes. If your business sells personal data and is subject to the RIDTPPA, you must disclose the specific names of all third parties to whom you have sold or may sell data in your privacy notice.

Are non-profits exempt from these 2026 laws?

In Indiana and Kentucky, most non-profit organizations and institutions of higher education are exempt. In Rhode Island, the law generally applies to "commercial" entities, but the specific definitions for non-profit exemptions are narrower.

What happens if I don't respond to a data request within 45 days?

You may be in violation of the law. However, you can extend the deadline by an additional 45 days if you notify the consumer within the initial period and explain why the extension is necessary.