Indiana, Kentucky, and Rhode Island join the list of states governing data privacy with their January 2026 privacy laws. Businesses now face increased pressure to move beyond policy-driven compliance and toward operational execution. Consumers are becoming more aware of their privacy rights, regulators are more active, and expectations around transparency and accountability continue to rise.
Targeted advertising, profiling activities, and automated decision-making (particularly when personal data is used) need to be revisited with the new laws in place. As AI-driven and automated systems become more embedded in business operations, organizations must check their usage of PII and assess potential risks. Businesses operating across state lines should unify their compliance approach to avoid state-by-state silos.
Three Laws. Same Privacy Homework.
Although enacted by different states, the Indiana Consumer Data Protection Act (INCDPA), Kentucky Consumer Data Protection Act (KCDPA), and Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) follow a converging privacy framework. Beyond core consumer rights such as access, correction, and deletion, these January 2026 privacy laws also introduce clearer expectations around profiling and automated decision-making. They also place greater emphasis on transparency and risk-based accountability, including the need to assess high-risk data processing activities. Below are some notable points across the three laws.
Indiana’s Consumer Data Protection Act (INCDPA)
Indiana’s Consumer Data Protection Act establishes a comprehensive privacy framework for residents’ personal data and applies to companies that conduct business in Indiana or target Indiana consumers and meet specific processing thresholds.
- Expanded consumer rights: Indiana residents have the right to confirm whether their personal data is being processed, access their data (or receive a representative summary), correct inaccuracies, delete personal data, and obtain portable copies.
- Opt-out rights for profiling and automated decision-making: Businesses must provide clear opt-out mechanisms for targeted advertising, the sale of personal data, and profiling used to support automated decisions that produce legal or similarly significant effects.
- Transparency and security obligations: Organizations are required to maintain reasonable data security practices and provide transparent disclosures about how personal data is collected, used, shared, and processed.
- Risk-based accountability through assessments: The law requires businesses to conduct data protection assessments for high-risk processing activities, including the use of profiling and automated decision-making technologies. The law is enforced by the Indiana Attorney General and may result in civil penalties for unresolved violations.
Kentucky Consumer Data Protection Act (KCDPA)
Kentucky’s Consumer Data Protection Act imposes modern privacy obligations on businesses that operate in Kentucky or target Kentucky residents and meet defined data processing thresholds. The law closely follows the Virginia-style privacy framework, with added emphasis on accountability for high-impact data uses.
- Comprehensive consumer rights: Kentucky residents have the right to confirm whether their personal data is being processed, access their data, correct inaccuracies, delete personal data, and obtain portable copies.
- Opt-out rights for profiling and automated decision-making: Businesses must provide opt-out mechanisms for targeted advertising, data sales, and profiling used to support automated decisions that produce legal or similarly significant effects on consumers.
- Consent requirements for sensitive data: Processing sensitive personal data requires affirmative opt-in consent, increasing the need for consistent consent management practices.
- Risk assessments for high-risk processing: The law requires data protection assessments for processing activities that present heightened risk, including the use of profiling and automated decision-making technologies.
- Transparency and preference management: Businesses must provide clear privacy notices and honor consumer opt-out and consent preferences across processing activities.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island’s Data Transparency and Privacy Protection Act establishes robust consumer privacy protections with a strong emphasis on transparency and risk-based accountability. The law applies to for-profit entities that conduct business in Rhode Island or target Rhode Island residents and meet defined data processing thresholds.
- Broad consumer rights: Rhode Island residents have the right to confirm whether their personal data is being processed, access their data, correct inaccuracies, delete personal data, obtain portable copies, and opt out of certain processing activities.
- Opt-out rights for profiling and automated decision-making: Consumers may opt out of processing for targeted advertising, the sale of personal data, and profiling used to support automated decisions that produce legal or similarly significant effects.
- Heightened transparency obligations: Businesses must provide clear and detailed privacy notices describing data collection practices, purposes of processing, third-party data sharing, and the use of profiling or automated decision-making where applicable.
- Risk-based assessments for high-risk processing: The RIDTPPA requires data protection assessments for high-risk processing activities, including the use of profiling and automated decision-making technologies, reinforcing a proactive approach to identifying and mitigating privacy risks.
Preparation Beyond Policy Updates
While each of the January 2026 privacy laws has its own nuances, the operational mandates that they introduce are largely the same. Let’s have a look at what businesses need to do.
- Prepare for higher volumes of consumer rights requests. As awareness of privacy rights grows, businesses should expect more access, deletion, correction, and portability requests. Teams need clear intake, verification, and response workflows to meet statutory timelines consistently.
- Assess and govern automated decision-making and profiling. Businesses using profiling or automated systems for decisions that produce legal or similarly significant effects must evaluate risk, provide transparency, support opt-outs, and document these activities through data protection assessments.
- Standardize opt-out and consent management. These laws require honoring opt-outs for targeted advertising, data sales, and certain profiling, as well as opt-in consent for sensitive data in some cases. Applying these preferences consistently across systems and jurisdictions is critical.
- Coordinate data across systems and vendors. Personal data often lives across multiple platforms, service providers, and internal teams. Businesses must be able to locate, retrieve, and act on data accurately to fulfill consumer requests and maintain compliance.
- Maintain audit-ready documentation and workflows. Regulators may request evidence of compliance, including how requests are handled and how data practices are disclosed. Documented, repeatable processes help businesses respond confidently to inquiries or enforcement actions.
Preparing for What’s Coming
Indiana, Kentucky, and Rhode Island won’t be the last states to enact comprehensive privacy laws. As regulation continues to evolve, privacy compliance is becoming an ongoing operational function rather than a one-time effort. Businesses that invest now in scalable, adaptable privacy infrastructure will be better positioned to respond to future requirements with confidence.