New State Privacy Laws Coming In 2026

 

New State Privacy Laws to Watch in 2026 

As we saw in Part 1 of this series, 2025 brought several important changes to state privacy laws, but more will arrive in the new year.  In 2026, three more state privacy laws take effect, and two states will roll out sweeping amendments. Here’s what to expect:

New laws effective January 1, 2026: Indiana, Kentucky, and Rhode Island

Each of these three states will add to the growing patchwork of comprehensive state privacy laws. If these laws will apply to your organization, and you have not already begun preparing, you should do so now. Below are the highlights:

• The Indiana Consumer Data Protection Act will apply if 100,000 residents' personal information is collected by a company (or just 25,000, if 50% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  Sensitive personal information can only be handled based on affirmative consent (opt-in).  It becomes effective January 1, 2026, and will be enforced by the Attorney General (with a 30 day cure period available). 

• The Kentucky Consumer Data Privacy Act applies if 100,000 residents' personal information is collected by a company (or just 25,000, if 50% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, the right to have data deleted, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  Sensitive personal information and children’s information can only be handled based on affirmative consent (opt-in).  It becomes effective January 1, 2026, and will be enforced by the Attorney General (with a 30 day cure period available). 

• The Rhode Island Data Transparency and Privacy Act applies if just 35,000 residents' personal information is collected by a company (or just 10,000, if 20% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, the right to have data deleted, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  Sensitive personal information and children’s information can only be handled based on affirmative consent (opt-in).  It becomes effective January 1, 2026, and will be enforced by the Attorney General (with no right to cure). 

Upcoming Amendments: Connecticut

The Connecticut Data Privacy Act was amended in a variety of important ways.

• The Act’s applicability threshold will be reduced to just 35,000 residents, but there is no minimum threshold when it comes to processing sensitive data or selling consumer personal data.
• The exemption for financial institutions subject to the Gramm-Leach-Bliley Act (federal financial law) is removed and replaced with a data-level exemption for personal financial information subject to GLBA.
• Connecticut expanded the definition of "consumer health data“ to include “health status.” The definition of sensitive data now includes disability or treatment, status as nonbinary or transgender, information derived from genetic or biometric information, neural data, certain financial account and payment card data, and government ID numbers (like SSN). Sensitive personal data processing will require consent. Consumers will have the right to obtain a list of third parties to whom personal data was sold.
• Consumers will have the right to question profiling results, be informed of the reasons for profiling decisions, review personal data used for profiling, and correct incorrect data used in profiling decisions about housing.
• Consent will be required for processing or selling sensitive data.
• Minors under 18 will be treated as children for purposes of the sale of data or targeted advertising.
• Impact assessments will be required for processing related to profiling.
• Privacy notices will require detailed information, such as categories of personal data sold and disclosures about targeted advertising. Importantly, companies must give notice if they are collecting personal data for the purpose of training an LLM.

Amendments to the Oregon Consumer Data Privacy Act (effective January 1, 2026) focus on minors and automobiles: 

• The covered age for a minor increases to 15.
• It prohibits processing personal data for targeted advertising, sale, or profiling used for legally significant decisions when the controller knows that the consumer is a minor (or willfully disregards age).
• Motor‑vehicle manufacturers and affiliates are specifically covered for personal data collected from the use of a vehicle or any vehicle component. Automakers must honor a consumer's request to (i) delete personal data, (ii) provide a copy of their data, and (iii) stop selling their data or using it for targeted advertising.
• The amendments also prohibit "selling" data about a person's precise geolocation without consent.
• These five state law changes in particular will affect the privacy law landscape in the U.S. in ways that will have meaningful effects on many companies.  

In the next post in this series, we'll look at state cybersecurity law changes in 2025 and 2026.