No Slowing Down: Three More State Privacy Laws Take Effect

By Paul Rothermel

Three additional  state privacy laws have recently taken effect, continuing the steady expansion of privacy regulation in the United States. With these additions, the U.S. now has twenty comprehensive state privacy laws on the books.

For companies that collect, use, or share personal information, this growing patchwork of state requirements continues to complicate compliance efforts. Businesses operating across multiple states should assess whether their data practices now fall within the reach of these newly effective laws.

Who is impacted?

Privacy laws in Kentucky, Indiana, and Rhode Island took effect on January 1, 2026, creating new compliance obligations for companies that collect or process personal information in those states. Applicability thresholds do apply, as is the case for most state privacy laws:

• The Indiana Consumer Data Protection Act (ICDPA) applies to for-profit businesses conducting business in Indiana or targeting residents with products or services that process the personal data of either: 
  • (i) 100,000 or more residents of the state, or 
  • (ii) 25,000 or more residents of the state while deriving more than 50% gross revenue from sales of personal data.
• The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) applies to for-profit businesses conducting business in Rhode Island or targeting residents with products or services that, in the previous calendar year, processed the personal data of either: 
  • (i) 35,000 or more residents of the state, or 
  • (ii) 10,000 or more residents of the state while deriving more than 20% gross revenue from sales of personal data.
• The Kentucky Consumer Data Protection Act (KCDPA) applies to entities conducting business in Kentucky or targeting residents, that during the calendar year, processed the personal data of either: 
  • (i) 100,000 or more residents of the state or 
  • (ii) 25,000 or more residents of the state while deriving more than 50% gross revenue from sales of personal data.

What do these laws require?

Like many other comprehensive privacy laws in the U.S., these laws require companies to provide clear disclosures about how personal data is collected, processed, and shared. At the time of collection, companies must disclose key information, including:

• Categories of personal information collected from individuals
• Third parties who receive personal information (either sold or shared)
• Contact information for the company
• Privacy rights available to the individual

Additionally, as a non-exhaustive list, companies subject to these laws must:

• Grant opt-out rights for any sale of personal information, among other data subject rights
• Ensure reasonable data security protections, including administrative, technical and physical security controls, for personal information
• Obtain consent from individuals before processing sensitive personal information (such as health information) and offer means to revoke consent
• Execute a contract with any processors (i.e., service providers/contractors) which process personal information on behalf of the company, including specific terms regarding instructions for processing, duration, limitations and restrictions, rights and obligations of both parties, return/deletion of data upon termination of agreement, confidentiality obligations, audit rights, and cooperation with risk assessments by the company
• Complete data protection risk assessments for “high risk” processing of personal information, including processing of sensitive personal information

Key Takeaways

Affected companies should evaluate their compliance with these laws, along with the other state privacy laws now in effect. Enforcement has already begun, with multiple high-profile settlements with the California Attorney General, amounting to millions of dollars, in just the past 8 months alone.

State privacy laws are in effect for over half of the U.S. population, and regulators and plaintiffs are becoming more vigilant. Companies who take steps to proactively address their privacy risk will be better positioned not only to comply and reduce these risks but also enhance their position in the marketplace with customers, consumers, and strategic partners. 
Paul Rothermel, Managing Attorney

How Gardner Law Can Help

If you need experienced counsel to evaluate your company’s privacy compliance, perform privacy risk assessments, draft data processing agreements, consents, privacy policies, or other matters, contact Gardner Law. Our attorneys have deep experience advising drug and device manufacturers of all sizes on both commercial and pre-commercial privacy, AI, and cybersecurity matters.