Three More States to Throw the Switch on Comprehensive Privacy Rules in 2026.

The Kentucky Consumer Data Privacy Act (KCDPA), and Indiana Consumer Data Protection Act (ICDPA) are modeled on laws in California and elsewhere in that they apply to businesses operating in their respective states that process data from at least 100,000 residents annually, or 25,000 residents if the business derives half or more of its revenue from the sale of personal information.

Both laws exempt nonprofits, higher education institutions, and entities regulated under HIPAA or GLBA, per an overview from Cozen O’Connor. As in other states, neither law creates a private right of action, relying instead on state privacy agencies and attorneys general for enforcement.

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) sets a lower threshold for the amount of data processed. The law applies to company that process data on 35,000 residents, or 25,000 if 20% of more of a business’ revenue comes from selling personal data. The exemption for HIPAA-regulated entities is also narrower, limited to only data explicitly covered by the health information privacy law.

Related: G7 Ministers Outline Policy Blueprint to Accelerate SME Adoption of AI

For companies operating across multiple jurisdictions, the three new state regimes add to the growing complexity of the regulatory landscape of data privacy, increasing the compliance burden. While the legislative momentum behind state-level privacy laws slowed somewhat toward the end of 2025, with bills failing in Alabama, Georgia, Oklahoma, Maine, and Vermont, enforcement actions by state agencies and AGs was stepped up.

In April, regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon formed the Consortium of Privacy Regulators, later joined by Minnesota and New Hampshire, to share expertise and resources and coordinate enforcement. Nearly half of the states with comprehensive privacy statutes now share resources and investigative strategies.

For entities that process personal data, a violation in one of those states can lead to liability in all of them, raising the stakes for carefully monitoring compliance in each.

Even states that lack comprehensive privacy statutes have stepped up scrutiny of privacy violations using existing unfair and deceptive acts and practices (UDAP) laws. New York, Michigan, and Nebraska all brought in actions in 2025 alleging undisclosed data monetization or misleading interface design.

Still others have amended child-protection laws already on the books to cover new, AI-related use cases.

The use of those laws means entities cannot model compliance systems merely on statutes like the California Consumer Privacy Act (CCPA), but must also consider whether their data-processing activity could implicate traditional consumer protection laws.

As with artificial intelligence regulations, the growing patchwork of state privacy regimes is amping up pressure on Congress to enact a comprehensive federal framework that would preempt state laws. To date, however, lawmakers on Capitol Hill have failed to come up with an agreed-on standard, settling for a piecemeal approach, such as bills aimed at deep fakes or protecting minors.

The International Association of Privacy Professionals (IAPP) tracked 20 privacy-related bills introduced in Congress in 2025, although none of them aimed to establish fundamental privacy rights for Americans.