I know, I know. It feels like just yesterday we published the “8 new privacy laws coming in 2025” blog. Yet, here we are on the cusp of 2026, and (just as in the last several years) many privacy laws are scheduled to go into effect in the quickly approaching year.
In 2026, three new state privacy laws will go into effect:
- Kentucky Consumer Data Protection Act
- Rhode Island’s Data Transparency and Privacy Protection Act (DTPPA)
- Indiana Consumer Data Protection Act
These laws grant residents of the above states new rights over their personal information and may require businesses and websites to modify their website policies.
In addition to the three new laws, two existing laws (the Australia Privacy Act 1988 and the Connecticut Data Privacy Act) will also have changes that will go into effect in 2026.
NOTE: Your business doesn’t have to be located in one of these states or countries for the laws to apply to you. Simply doing business with or collecting data from residents of Kentucky, Rhode Island, Indiana, Connecticut, or Australia could result in your website needing to comply with that particular law.
In this blog, we are going to cover each new law and look at:
- When it goes into effect
- Who must comply
- How “personal data” is classified
- Consumer privacy rights
- Privacy Policy requirements
- Enforcement and penalties
P.S. At the end of the blog, we will discuss the changes to existing laws and how to prepare for all of this.
The Three New Laws for 2026
1. When Each Law Takes Effect
| State | Law | Effective Date |
| Kentucky | Kentucky Consumer Data Protection Act | January 1, 2026 |
| Rhode Island | DTPPA | January 1, 2026 |
| Indiana | Indiana Consumer Data Protection Act | January 1, 2026 |
2. Who Must Comply
| Requirement | Kentucky Consumer Data Protection Act | Rhode Island DTPPA (privacy rights) | Rhode Island DTPPA (Privacy Policy requirement) | Indiana Consumer Data Protection Act (privacy rights) |
| Applies to | Those who do business in Kentucky or target residents of Kentucky | Those who do business in Rhode Island or target residents of Rhode Island | Any commercial website that does business in Rhode Island or with customers of Rhode Island | Those who do business in Indiana or target residents of Indiana |
| Thresholds | Process the data of 100,000 residents; or 25,000 residents and derive 50% of gross revenue from data sales. | Process the data of 35,000 residents; or 10,000 residents and derive 20% of gross revenue from data sales. | Process the data of 1 Rhode Island resident | Process the data of 100,000 residents; or 25,000 residents and derive 50% of gross revenue from data sales. |
| Nonprofits | Exempt | Exempt | Exempt | Exempt |
While Kentucky and Indiana’s new privacy laws are similar in that they mostly apply to larger businesses, Rhode Island’s privacy law will impact businesses of all sizes.
That’s because, unlike other privacy laws, the requirement to have a Privacy Policy under this law will apply to any commercial website that does business in Rhode Island or with customers in Rhode Island. This means that any website that sells goods, services, or digital products to residents of the State will need to provide a Privacy Policy that complies with the requirements of this privacy law.
3. How “Personal Data” is Classified
All three privacy laws define “personal data” as any information linked or reasonably linkable to an individual, such as:
- Name
- Phone number
- Physical address
- IP address or cookie identifiers
- Location data
- Device IDs or browsing behavior
This personal data is often collected via contact forms, analytics tools, eCommerce tools, and third-party plugins.
4. Consumer Privacy Rights Granted
Each law aims to protect the privacy of its residents by providing them with the following privacy rights:
| | Kentucky Consumer Data Protection Act | Rhode Island DTPPA | Indiana Consumer Data Protection Act |
| Right to correct data | Yes ✅ | Yes ✅ | Yes ✅ |
| Right to restrict processing | Yes ✅ | Yes ✅ | No ❌ |
| Right to portability | Yes ✅ | Yes ✅ | Yes ✅ |
| Right to access data | Yes ✅ | Yes ✅ | Yes ✅ |
| Right to delete data | Yes ✅ | Yes ✅ | Yes ✅ |
| Prohibits discrimination | Yes ✅ | Yes ✅ | Yes ✅ |
| Right to withdraw consent | No ❌ | No ❌ | No ❌ |
| Right to opt-out | Yes ✅ | Yes ✅ | Yes ✅ |
| Opt-in consent required | No ❌ | No ❌ | No ❌ |
| Restrictions on profiling and/or automated decision-making | No ❌ | Yes ✅ | Yes ✅ |
5. Privacy Policy Requirements
Each law requires businesses to publish a clear, accessible, and updated Privacy Policy that discloses:
| | Kentucky Consumer Data Protection Act | Rhode Island DTPPA | Indiana Consumer Data Protection Act |
| Categories of data collected/processed | Yes ✅ | Yes ✅ | Yes ✅ |
| The purpose of collecting the data | Yes ✅ | No ❌ | Yes ✅ |
| Whether the data is sold or used for targeted ads | Yes ✅ | Yes ✅ | Yes ✅ |
| The categories of personal data shared with third parties | Yes ✅ | Yes ✅ | Yes ✅ |
| The categories of third parties, if any, with whom the data is shared | Yes ✅ | No ❌ | Yes ✅ |
| Instructions for submitting privacy rights requests and appeals | Yes ✅ | No ❌ | Yes ✅ |
| Whether personal information is sold and how consumers can opt out of such sale | Yes ✅ | No ❌ | Yes ✅ |
| Contact information | No ❌ | Yes ✅ | No ❌ |
| Link to the Privacy Policy must be clear and conspicuous | No ❌ | No ❌ | Yes ✅ |
6. Enforcement and Penalties for Non-Compliance
| Law | Enforcement Authority | Penalty |
| Kentucky Consumer Data Protection Act | Kentucky Attorney General | Up to $7,500 per violation |
| Rhode Island DTPPA | Rhode Island Attorney General | Up to $10,000 per violation |
| Indiana Consumer Data Protection Act | Indiana Attorney General | Up to $7,500 per violation plus any investigation costs |
The Two Changes Coming in 2026
Keeping your website policies up to date isn’t just about addressing new laws; existing laws are also frequently amended to address the current state of privacy. For 2026, two laws fall into this category: the Australia Privacy Act 1988 and the Connecticut Data Privacy Act (CTDPA).
Australia Privacy Act 1988
Australia Privacy Act 1988’s latest batch of changes will go into effect in December 2026. The primary changes are as follows:
1) The Privacy Policy must contain the information below if:
a. The entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision; and
b. The decision could reasonably be expected to significantly affect the rights or interests of an individual; and
c. Personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.
2) If the business engages in automated decision-making, its Privacy Policy must state:
a. The kinds of personal information used in the operation of such computer programs (e.g. name, email, credit score); and
b. The kinds of such decisions made solely by the operation of such computer programs (e.g. loan approvals); and
c. The kinds of such decisions for which a thing that is substantially and directly related to making the decision is done by the operation of such computer programs (e.g. an algorithm pre-screens applications that a human may later review).
Connecticut Data Privacy Act
CTDPA went into effect in July 2023 and the changes will go into effect July 1, 2026. Those changes include:
1) Adding additional categories of personal information into the definition of “sensitive data,” such as:
- Neural data;
- Information derived from genetic or biometric data;
- Financial information; and
- Government identification information.
2) Expanding who CTDPA applies to. It now applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
- Controlled or processed the personal data of 35,000 (was 100,000) or more Connecticut residents; or
- Controlled or processed the personal data of 10,000 (was 25,000) or more residents of Connecticut and derived more than 20% (was 25%) of their gross revenue from the sale of personal data.
3) Providing the right to obtain a list of third parties to whom personal data was disclosed.
4) Requiring opt-in consent for the sale of personal data.
5) Prohibiting social media platforms from requiring individuals to create an account for the exercise of privacy rights of children.
Preparing Your Website for These Changes
Keeping your website compliant in the face of all these new laws and changing laws can seem daunting… because it can be. Here are some steps you can take to make it seem less intimidating:
- Audit your data collection – Map what data your website collects, how it’s used, and who it’s shared with.
- Check your threshold – Determine whether your business meets the resident or revenue criteria.
- Update or create your Privacy Policy – Include all required disclosures and add a visible link to your Privacy Policy to your website.
- Set up a rights request process – Create forms or procedures for access, deletion, and opt-out requests.
- Review vendor contracts – Ensure third-party processors are contractually obligated to follow privacy rules.
- Test and train – Verify opt-out tools work and train your team to handle requests properly.
- Monitor changes – Privacy laws evolve quickly, so stay on top of them and update your policies BEFORE the changes go into effect.
Need help?
A Privacy Policy Generator (like Termageddon) is typically a great place to start. While we can’t set up a rights request process, review vendor contracts, or test and train your employees, we can handle other aspects.
For example, Termageddon can help you:
- Find out what laws apply to you
- Create the policies your website needs based on those laws
- Monitor changes to privacy laws
- Monitor new laws going into effect
- Automatically update your policies as new laws apply to you
Hopefully you found this blog helpful and we will see you next year when it’s time to see what new laws 2027 will bring!