6 New State Privacy Laws Take Effect in 2026

The Privacy Law Landscape Expands

2026 marks a significant expansion of the US state privacy law landscape, with six new states having their comprehensive privacy laws take effect. This brings the total number of states with active privacy laws to over 20, covering a majority of the US population.

New Laws Taking Effect in 2026

• Indiana (INCDPA) — Effective January 1, 2026. Applies to businesses processing data of 100,000+ Indiana consumers or 25,000+ consumers while deriving 50%+ revenue from data sales.
• Kentucky (KCDPA) — Effective January 1, 2026. Similar thresholds to Indiana with a 30-day cure period for violations.
• Rhode Island (RIDTPPA) — Effective January 1, 2026. Notable for lower thresholds (35,000 consumers) reflecting the state's smaller population.

What This Means for Businesses

If your business operates across multiple states, the compliance burden continues to grow. The good news: most new state laws follow a similar framework to Virginia's VCDPA, meaning businesses already compliant with existing laws will find it easier to adapt.

Key Differences to Watch

While the laws share common elements, important differences exist in consumer thresholds, cure periods, and enforcement mechanisms. Use our comparison tool to see exactly how these new laws differ from existing ones.