While 17 states currently have comprehensive data privacy laws in place, three new comprehensive laws go into effect on January 1, 2026—the Indiana Consumer Data Protection Act (ICDPA); the Kentucky Consumer Data Protection Act (KCDPA); and the Rhode Island Data Transparency and Privacy Protection Act (RIDPA). Additionally, several states have amended their comprehensive laws, effective throughout 2026.
Generally, each of the new comprehensive state privacy laws is similar to other laws already in effect, so businesses with compliance programs in place for the existing comprehensive state privacy laws will likely not need to make many changes. For example, each law provides a threshold at which the majority of its requirements apply; outlines exclusions for certain entities and certain types of data; provides consumers with specific rights related to their personal data; specifies various compliance requirements for data controllers and processors; and outlines enforcement practices and penalties for noncompliance.
However, small businesses that do not otherwise meet the threshold for any other comprehensive state privacy law should pay close attention to RIDPA. Many of the requirements under RIDPA are subject to a familiar activity-based threshold and apply only to for-profit entities that conduct business in Rhode Island, or produce products or services targeting Rhode Island residents, and either (1) process personal information of at least 35,000 Rhode Island residents; or (2) process personal information of at least 10,000 Rhode Island residents and derive more than 20 percent of gross revenue from the sale of personal information for monetary or other valuable consideration.
RIDPA extends its reach further for any commercial websites and internet service providers that conduct business in Rhode Island, have customers in Rhode Island or are otherwise subject to Rhode Island jurisdiction. Even if they do not meet the standard activity-based threshold, these entities must designate the controller of the data and ensure a notice is posted that (1) identifies all categories of personal data the controller collects through the website; (2) discloses any sale of personal data or processing of personal data for targeted advertising purposes; (3) identifies all third parties to whom the controller has sold or may sell personal data; and (4) identifies an active email address that can be used to contact the controller. While less detailed than typical privacy notice obligations under comprehensive state privacy laws, this creates a standalone privacy notice obligation for any business with a website that may collect data from Rhode Island customers.
Certain amendments to existing comprehensive state privacy laws are also set to go into effect in 2026, including those in Connecticut and Oregon.
- Beginning January 1, 2026, the Oregon Consumer Privacy Act (OCPA) will prohibit the sale, whether for monetary or other valuable consideration, of precise geolocation data (accurate within 1,750 feet) or data that pertains to a consumer under 16 years old. It will also prohibit the use of data from a consumer under 16 for targeted advertising.
- Effective mid-2026, amendments to the Connecticut Data Privacy Act (CTDPA) are expansive. For example, the proposed amendments will lower the applicability threshold, making the CTDPA apply to any entity that does business in Connecticut, or produces products or services that are targeted to Connecticut residents, and (1) controls or processes personal data of at least 35,000 Connecticut residents; (2) controls or processes sensitive data from any Connecticut residents; or (3) offers any Connecticut resident data for sale.
The amendments will strengthen consumer rights with respect to profiling in furtherance of any automated decision producing legal or similarly significant effects and require controllers to conduct impact assessments if engaging in profiling. Further, the amendments (1) provide consumers with rights to obtain a list of third parties to whom their data has been sold; (2) prohibit the sale of sensitive data without consent; and (3) require privacy notices to disclose whether data is used for the purpose of training large language models.