New Consumer Data Privacy Laws and Rules for 2026
As the new year begins, the data privacy regulatory landscape continues to change rapidly. New consumer data privacy laws in Kentucky, Rhode Island, and Indiana have taken effect as of January 1, 2026. In addition, California has updated its existing consumer privacy law, and claims under the California Invasion of Privacy Act continue to pressure businesses of all sizes. Below is a summary of what businesses need to know and do to implement compliant policies and practices and mitigate litigation risk.
New State Data Privacy Laws Effective January 1, 2026
Indiana Consumer Data Protection Act (ICDPA)
Like many other state data privacy laws passed in recent years, this law will introduce significant privacy obligations for businesses that handle the personal data of Indiana residents. The ICDPA applies to entities that conduct business in Indiana or produce products or services targeted to Indiana residents and that control or process data of 100,000 Indiana residents annually, or just 25,000 residents if more than 50% of the business’ revenue comes from selling personal data.
Certain organizations are exempt under the ICDPA, such as government entities, entities regulated by HIPAA or the Gramm-Leach-Bliley Act, and nonprofit organizations. Certain types of data are also exempt from the ICDPA, including business-to-business data and employment-related data. Businesses that believe an exemption may apply should review their data to confirm whether any exemption is a partial or complete exemption under the ICDPA.
Business Obligations
Under the ICDPA, businesses determining the purpose and means of processing personal data (called “controllers”) must:
- Provide a clear privacy notice detailing their data practices.
- Implement data protection impact assessments for use of sensitive data, targeted ads, sales, and profiling.
- Obtain opt-in consent from individuals prior to processing sensitive data.
- Maintain reasonable data security practices.
- Maintain contracts with vendors governing personal data handling.
- Create a process for Indiana residents to exercise their data rights.
Consumer Rights
The ICDPA provides Indiana residents with certain rights over their personal data. Indiana residents can:
- Access and confirm processing of their personal data by a business.
- Correct inaccuracies in their personal data.
- Delete personal data (with some exceptions).
- Obtain a portable copy of their personal data.
- Opt out of:
  - Sale of personal data
  - Targeted advertising
  - Certain profiling activities
- Appeal decisions made regarding consumer requests.
Penalties for Non-Compliance
The Indiana Attorney General enforces the ICDPA and can impose penalties of up to $7,500 per violation. Unlike data privacy laws in other states such as California, businesses have a 30-day cure period following notice of a violation. There is also no private right of action under the ICDPA (consumers cannot directly sue a business under the law).
Kentucky Consumer Data Protection Act (KCDPA)
The KCDPA includes the same thresholds as the Indiana law, applying to businesses that control or process data of 100,000 Kentucky residents or just 25,000 if more than 50% of the business’ revenue comes from selling personal data. The KCDPA:
- Grants similar consumer rights to the Indiana law: the right to know what information has been collected and shared; the right to access their information; the right to correct inaccuracies; the right to instruct a company to delete information; and the right to opt out of sale, targeted advertising, and profiling.
- Requires opt-in consent for the handling of sensitive data and children’s data.
- Will be enforced by the Attorney General with a 30-day cure period.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
The RIDTPPA applies to businesses that control or process the data of 35,000 residents, or just 10,000 residents if 20% or more of the business’ revenue comes from selling personal data. The RIDTPPA:
- Includes consumer rights similar to other state laws: the right to know what information has been collected and shared; the right to access their information; the right to correct inaccuracies; the right to instruct a company to delete information; and the right to opt out of sale, targeted advertising, and profiling.
- Requires disclosure of all third parties to whom personal data is sold or may be sold.
- Will be enforced by the Attorney General. It’s important to note that the RIDTPPA does not offer a cure period.
Businesses operating in Indiana, Kentucky, and/or Rhode Island, or who have customers in these states, should confirm whether any of these new laws apply to them and update their compliance and privacy policies accordingly.
Another Key Update: California Consumer Privacy Act (CCPA)
In addition to the new laws taking effect, new regulations under the CCPA became effective January 1, 2026, including clarification on:
- The expanded definition of sensitive personal information to include neural data (defined as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information”) and data from minors under 16.
- Disclosure requirements related to automated decision-making technology (ADMT) and consumers’ opt-out and access rights related to this technology.
- Mandatory opt-out confirmation mechanisms and links in mobile apps.
- Consumer rights related to making corrections to errors in their data.
- When insurance companies need to comply with the CCPA.
- When businesses need to perform required privacy risk assessments.
- When businesses need to conduct independent, annual cybersecurity audits.
California Invasion of Privacy Act and Wiretapping, Eavesdropping Claims
Businesses should also be alert for potential class action litigation claims brought under decades-old wiretapping and eavesdropping statutes asserting that website tracking technologies such as cookies, pixels, beacons, and software development kits illegally record a website user’s activity.
Claims brought under the California Invasion of Privacy Act (CIPA) and similar wiretapping laws such as the federal Video Privacy Protection Act rose in 2025, and this activity is expected to continue in 2026. These claims generally assert that website tracking technologies (such as Google Analytics, Meta Pixel, and LinkedIn’s Insight Tag) “record” a user’s activities on a website without the user’s consent, acting as an unlawful “pen register” or “trap and trace” device. These tracking technologies may capture information such as IP addresses and browsing activity from website users without explicit consent, which plaintiffs allege violates the CIPA. Under the CIPA, companies may face civil penalties, including statutory damages of $5,000 per violation.
Any company operating a website using these tracking technologies that receives website visitors from California is a potential target for CIPA litigation. Companies should review their use of website tracking technologies, ensure their website privacy notices provide adequate disclosure of the uses of these technologies, and consider deploying a cookie consent manager to gather consents from website visitors.
Given the complexity of these new laws and updates, this article provides an overview but not an exhaustive list of all requirements. Please reach out to Kathryn Nadro or another member of LP’s Corporate Group to assess and update your compliance and privacy policies accordingly.