Three More States, Three More Privacy Laws: 2026 Compliance Starts Now

Jillian Bommarito

The Patchwork Just Got Heavier

First, software was eating the world; now it is privacy law, together with the data used to build that software, that is eating the world. Either way, the point is the same: if your business touches personal data, the regulatory surface area keeps expanding.

As of January 1, 2026, three more states joined the growing list of comprehensive privacy regimes: Indiana, Kentucky, and Rhode Island. That is not a theoretical milestone. It is a live compliance problem.

And yes, the compliance problem is still the same one it always is. Do you know where the data is? Do you know who gets it? Do you know why they get it? Do you know whether your privacy notice, vendor contracts, retention schedule, and request workflow all say the same thing? If the answer is “sort of,” that is usually how the trouble starts.

The good news, if one can call it that, is that these laws are not mysterious. They are familiar in structure. They require the usual cocktail of privacy notices, consumer rights handling, data security, controller-processor contracts, and opt-out workflows. The bad news is that familiarity breeds complacency, and complacency is where compliance teams go to get mugged.

What Changed on January 1

Indiana’s Consumer Data Protection Act is now in effect. Kentucky’s Consumer Data Protection Act is now in effect. Rhode Island’s Data Transparency and Privacy Protection Act is now in effect. Three states, three different statutes, one very familiar question: are you actually ready, or were you just hoping 2025 would go on forever?

The thresholds are not identical, which is where the fun starts.

Indiana and Kentucky both follow a familiar model for applicability, with coverage generally tied to organizations doing business in the state or targeting residents and processing personal data above a threshold. Indiana’s Attorney General says the CDPA applies to businesses processing the personal data of 100,000 Indiana residents, or 25,000 Indiana residents when more than 50% of gross revenue comes from the sale of personal data. Kentucky’s Attorney General describes the same basic structure for the KCDPA.

Rhode Island is narrower in one sense and sharper in another. The statute applies to for-profit entities doing business in the state or targeting Rhode Islanders if they process personal data of at least 35,000 customers, or 10,000 customers and derive more than 20% of gross revenue from the sale of personal data.

That is the first practical point: this is not just a “big tech” issue. It is a mid-market issue, a PE portfolio issue, a vendor-management issue, and, frankly, an issue for anybody who has been treating state privacy law like a future project.

The Enforcement Part Is Not a Joke

Privacy laws are easy to ignore right up until they are not.

Kentucky’s Attorney General says the Office of Data Privacy can seek civil penalties of up to $7,500 per violation if a controller does not cure within the 30-day period. That cure period is useful, but it is not a get-out-of-jail-free card. It is more like a temporary grace period with a stopwatch attached.

Rhode Island is even less interested in hand-holding. A violation of the law is also a deceptive trade practice under Rhode Island commercial law, and the state’s deceptive trade practices statute allows for civil penalties of up to $10,000 per violation. Rhode Island also has a separate fine of $100 to $500 per intentional disclosure in certain circumstances. In other words, the state did not exactly design this law to be gentle.

Indiana’s enforcement framework is different, but the lesson is the same. The Attorney General has already said the CDPA is live and enforceable as of January 1, 2026. That means the question is no longer whether the law will matter. It already does.

So what happens when a company says, “We have a privacy policy”? That is nice. Really. Also irrelevant by itself.

A privacy policy is not a compliance program. A cookie banner is not a compliance program. A vendor spreadsheet that somebody updates when they remember is not a compliance program. A compliance program is a set of operating controls, and the state laws expect that the controls actually work.

The Common Failure Points

The three laws are similar enough that the same mistakes will trip people up in all of them.

The first mistake is not knowing your data map. If you cannot identify which products, systems, and vendors touch resident data, you cannot scope the laws correctly. That is not a legal problem at first. It is an inventory problem. But it becomes a legal problem quickly.

The second mistake is confusing notice with process. The laws require notices that explain what categories of data are processed, why they are processed, what gets shared, and how consumers can exercise rights. That sounds simple until your privacy notice, your internal retention policy, your ad tech stack, and your DSR intake form all tell different stories.

The third mistake is treating consumer rights like a mailroom issue. Access, deletion, correction, portability, opt-out, appeal. Those are not one-off tickets. They are operational workflows. If your team can process one clean request but collapses under volume, duplicates, authentication questions, or vendor dependencies, the law is going to notice long before you do.

The fourth mistake is vendor drift. State privacy laws do not care that your processor contract was “pretty good” in 2023. If your processor terms do not match current obligations, if subprocessor language is stale, or if your data sharing terms do not line up with your actual practices, you are building a paper trail to nowhere.

And the fifth mistake is the oldest one in the book: assuming that “reasonable security” means whatever was in place when the last audit finished. Like most risks, this one does not go away when we ignore it. It just compounds quietly in the background until somebody asks uncomfortable questions.

What To Do Now

If you want to avoid turning January into a long-form apology, the right move is to treat these laws as a multi-state privacy compliance problem, not three separate emergencies.

Start with a few boring, useful things:

  • Build or refresh your data inventory and tag resident data by state.
  • Review your privacy notices to make sure the required categories, purposes, sharing disclosures, and rights instructions are actually there.
  • Check your DSR workflow end to end, including authentication, appeals, deadlines, and handoff to vendors.
  • Review controller-processor and vendor agreements so the privacy commitments match the actual data flows.
  • Confirm your retention and deletion logic is documented, implemented, and not just aspirational.
  • Make sure your security baseline is aligned with what the laws expect, because privacy and security are still conjoined twins whether teams like it or not.

This is the point where a practical privacy, security & compliance program pays for itself. Not because it sounds impressive in a slide deck, but because one clean operating model is cheaper than reinventing the wheel three times while the state AGs are already reading the same laws you are.

If you already have a SOC 2 or ISO 27001 readiness effort, good. If you have GDPR or CCPA muscle memory, also good. If you are in the middle of an AI governance push, even better, because data governance, model governance, and privacy compliance are increasingly the same conversation wearing different badges.

The Real Takeaway

Three new state privacy laws did not appear to make your life interesting. They appeared because states are done waiting for companies to get serious on their own.

That is the signal here. Not panic, not theater, not regulatory poetry. Just a clear message: the compliance clock is already running.

Indiana, Kentucky, and Rhode Island are now part of the operating environment. If your business touches residents in any of those states, this is the moment to tighten the privacy program, not the moment to start sketching one.

The statutes and official guidance are public if you want to read the source material directly: Indiana’s Consumer Data Protection Bill of Rights, Kentucky’s Office of Data Privacy guidance, and Rhode Island’s Data Transparency and Privacy Protection Act.
