TempMail Ninja

US State Privacy Laws Expand: New Regulations & Amendments Effective 2026

The first quarter of 2026 has ushered in a new era for data privacy in the United States, marked by a significant surge in comprehensive US State Privacy Laws and crucial amendments to existing regulations. This escalating patchwork of legislation is rapidly reshaping the compliance landscape for businesses operating nationwide, demanding heightened vigilance and proactive adaptation. From new enactments in Indiana, Kentucky, and Rhode Island to substantial updates in Connecticut and Oregon, the focus is increasingly on enhancing consumer rights, safeguarding sensitive data, and fostering greater transparency in data processing practices.

A Shifting Tide: New Comprehensive US State Privacy Laws Emerge

The year 2026 commenced with a notable expansion of the comprehensive privacy law map. As of January 1, 2026, Indiana, Kentucky, and Rhode Island officially joined the ranks of states with robust consumer data protection frameworks. These new laws, largely tracking the model established by the Virginia Consumer Data Protection Act (VCDPA), introduce significant obligations for businesses and empower consumers with expanded rights over their personal information.

Indiana Consumer Data Protection Act (ICDPA)

Effective January 1, 2026, the Indiana Consumer Data Protection Act (ICDPA) applies to entities conducting business in Indiana or targeting Indiana residents that meet specific thresholds. These thresholds include controlling or processing the personal data of at least 100,000 Indiana consumers, or at least 25,000 consumers if more than 50% of gross revenue is derived from the sale of personal data. While the law is officially in effect, Indiana has provided a six-month enforcement grace period, delaying active enforcement until July 1, 2026.

Key provisions of the ICDPA for businesses, known as “controllers,” include:

  • Providing a clear and accessible privacy notice detailing data practices.
  • Implementing data protection impact assessments (DPIAs) for high-risk processing activities, such as targeted advertising, sale of personal data, certain profiling, and processing sensitive data.
  • Obtaining opt-in consent for processing sensitive data. Sensitive data encompasses racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data.
  • Maintaining reasonable data security practices and establishing contracts with vendors governing personal data handling.
  • Creating a process for Indiana residents to exercise their data rights, which include the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling for decisions with significant effects.

The ICDPA offers a mandatory 30-day cure period for violations, a feature that distinguishes it from some other state privacy laws.

Kentucky Consumer Data Protection Act (KCDPA)

Kentucky’s new consumer data privacy law, the KCDPA, also took effect on January 1, 2026. Its applicability thresholds are similar to Indiana’s: controlling or processing the personal data of at least 100,000 Kentucky consumers annually, or 25,000 consumers if more than 50% of gross revenue comes from selling personal data.

Under the KCDPA, Kentucky consumers are granted rights such as confirming whether their personal data is being processed, accessing, correcting, deleting, and obtaining a portable copy of their data. They also have the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data (defined as a sale for monetary consideration only), and certain automated decision-making. Like the ICDPA, the KCDPA requires opt-in consent for processing sensitive data and provides a 30-day cure period for violations.

A significant development in Kentucky is the passage of an amendment to its consumer data privacy law. House Bill 692, passed by the Kentucky House of Representatives on March 16, 2026, reclassifies “automatic content recognition” (ACR) data collected by smart TVs as sensitive data. ACR technology tracks viewing behavior across various inputs (broadcast, cable, streaming, external devices) by analyzing audio or video fingerprints. This amendment, if signed, would require opt-in consent from consumers before manufacturers or streaming services can collect such data, with an effective date of July 1, 2027. This is a critical move towards giving consumers more control over how their viewing habits are monitored and utilized.

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) also became effective on January 1, 2026. This law applies to businesses that conduct business in Rhode Island or offer products/services to Rhode Island residents, and either control or process personal data of at least 35,000 consumers (excluding payment transaction data), or 10,000 consumers if over 20% of gross revenue comes from selling personal data.

The RIDTPPA empowers Rhode Island consumers with rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling that produces significant effects. It mandates opt-in consent for sensitive data processing, which includes health information, racial or religious beliefs, and geolocation data. A notable difference from other state laws is the RIDTPPA’s lack of a specific data minimization rule and the absence of a cure period for violations, allowing the Attorney General to pursue penalties of up to $10,000 per violation immediately. Furthermore, it uniquely requires businesses to disclose not only the third parties to whom data is sold but also those to whom it “may” be sold.

Oklahoma Consumer Data Privacy Act (OCDPA)

Oklahoma joined the growing list of states with comprehensive privacy laws when Governor Kevin Stitt signed Senate Bill 546 into law on March 20, 2026. This makes Oklahoma the 21st state to enact such legislation. The Oklahoma Privacy Law, which generally follows the VCDPA model, will take effect on January 1, 2027. It applies to controllers or processors that conduct business in Oklahoma or target Oklahoma residents and that annually control or process the personal data of at least 100,000 consumers, or 25,000 consumers if over 50% of gross revenue is derived from the sale of personal data for monetary consideration only.

The OCDPA grants consumers rights to access, correct, delete, and obtain a portable copy of their data, and to opt out of targeted advertising, the sale of personal data, and profiling that leads to legal or similarly significant effects. It also requires opt-in consent for processing sensitive data, defining “sensitive data” to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for identification, personal data from a known child, and precise geolocation data. The law includes a mandatory 30-day “right to cure” period for alleged violations.

Arkansas Children and Teens’ Online Privacy Protection Act (ACTOPPA)

Arkansas enacted the Children and Teens’ Online Privacy Protection Act (ACTOPPA) on April 21, 2025, with an effective date of July 1, 2026. This law is significant as it extends privacy protections, traditionally offered to children under 13 by the federal Children’s Online Privacy Protection Act (COPPA), to older teens aged 13 to 16.

ACTOPPA applies to operators of online services directed at children or teens, or those with actual knowledge of collecting personal information from these age groups. Key features include:

  • Strict Data Minimization: Prohibits collecting more personal information than reasonably necessary for the specific service or transaction.
  • Prohibition on Targeted Advertising: Bans targeted advertising to minors using their personal information without consent.
  • Stronger Parental Consent: Requires parental consent for children under 13, and either teen or parental consent for those aged 13-16.
  • Clear Limitations on Profiling: Restricts profiling activities for minors.
  • Consumer Rights: Parents have rights to delete accounts and personal information collected from children, refuse further use or collection of data, and challenge the accuracy of personal information.

The Arkansas Attorney General has exclusive enforcement authority, and the law does not create a private right of action.

Amendments Bolster Existing Privacy Frameworks

Beyond new enactments, several states have fortified their existing privacy laws through significant amendments, further complicating the compliance landscape for businesses.

Connecticut Data Privacy Act (CTDPA) Amendments

Connecticut’s privacy law has seen amendments that include features like Global Privacy Control (GPC) signal recognition and heightened protections for minors. Amendments effective in 2026 ban the sale of minors’ personal data and prohibit targeted advertising to anyone under 18. They also require data protection impact assessments (DPIAs) for businesses “profiling” minors. Furthermore, Connecticut, like other states, is increasingly focusing on age-appropriate design code requirements. The state also lowered its applicability thresholds for the CTDPA, expanding its reach from 100,000 to 35,000 consumers.

Oregon Consumer Privacy Act (OCPA) Amendments

Oregon’s amendments to the Oregon Consumer Privacy Act, effective January 1, 2026, significantly impact businesses. Key changes include:

  • Ban on Sale of Precise Geolocation Data: Prohibits the sale of geolocation data accurate within a 1,750-foot radius.
  • Strict Restrictions on Processing Minors’ Data: Prohibits controllers from selling personal data of consumers under 16 years old or using such data for targeted advertising or certain types of profiling, particularly if the controller has actual knowledge or willfully disregards that a consumer is under 16.
  • Universal Opt-Out Recognition: Controllers must now honor consumer opt-out requests made through universal opt-out mechanisms (UOOMs).
  • End of Mandatory Cure Period: Oregon’s amendments also signal the end of a mandatory cure period for violations.

California Privacy Rights Act (CPRA) and Data Broker Transparency

California continues to lead in privacy regulation with updates to its California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Effective January 1, 2026, the California Delete Act (SB 362) significantly expands data broker registration requirements. This law mandates that data brokers disclose more detailed information about the personal data they collect, including whether such data is sold to foreign actors, government entities, or generative AI developers. Crucially, the Delete Act introduced the Deletion Request and Opt-Out Platform (DROP), available to consumers since January 1, 2026, enabling California residents to submit a single deletion request to all registered data brokers simultaneously. The daily penalty for non-registration also doubled from $100 to $200 per day. California is one of four states with data broker registration laws, alongside Vermont, Texas, and Oregon, aimed at bringing transparency to this often opaque industry.

Furthermore, new CPRA regulations applicable at the start of 2026 require mandatory risk assessments for processing activities that pose a significant risk to consumer privacy, with initial assessments due by April 1, 2028. Regulations related to notice and opt-out rights for automated decision-making technology will take effect on January 1, 2027. California has also expanded the definition of sensitive personal information to include “neural data” and data from minors under 16.

Key Thematic Shifts and Expanding Regulatory Focus

The recent wave of privacy legislation underscores several overarching trends that businesses must contend with.

Global Privacy Control (GPC) Signal Recognition

The increasing mandate for businesses to recognize Global Privacy Control (GPC) signals is a pivotal shift towards empowering consumers with universal opt-out mechanisms. GPC is a technical standard that allows users to communicate their privacy preferences, such as opting out of the sale or sharing of their personal data, across all websites and online services they visit. Failure to honor GPC signals has already resulted in significant settlements, highlighting the importance of implementing robust technical controls to detect and respect these signals. While Rhode Island does not explicitly require UOOMs, Oregon’s amendments for 2026 do, underscoring this growing trend.

Data Minimization as a Core Principle

Data minimization is emerging as a central tenet of modern privacy laws, requiring companies to limit the collection, use, and retention of personal data to what is “adequate, relevant, and reasonably necessary” for disclosed purposes. While many state laws, including Indiana’s and Oklahoma’s, adopt this “procedural data minimization” approach—where collection is tied to disclosed purposes—some states like Maryland are moving towards “substantive data minimization,” which imposes default limitations on collection to only what is necessary to provide a specific product or service requested by the consumer. Arkansas’s ACTOPPA also features strict data minimization requirements for minors’ data. The absence of an explicit data minimization rule in Rhode Island’s law is a notable exception.

Enhanced Protections for Minors’ Data

The protection of minors’ data is an increasingly critical area of regulatory focus. States like Arkansas, Connecticut, Oregon, and Virginia are enacting and amending laws to create stricter safeguards for children and teens online. This includes:

  • Prohibitions or strict restrictions on targeted advertising to minors.
  • Stricter parental consent obligations, often extending to teens aged 13-16.
  • Requirements for age verification and parental consent for social media use.
  • Mandatory data protection impact assessments for processing minors’ data.
  • Expanding the definition of sensitive data to include children’s data.

These laws are often inspired by or expand upon the federal Children’s Online Privacy Protection Act (COPPA).

Scrutiny on Automated Decision-Making

Regulatory attention is also increasing on automated decision-making. States are introducing transparency requirements and opt-out rights for consumers when automated decision-making technology is used to make significant decisions about them. This highlights a growing concern about algorithmic fairness and the potential for bias in systems that impact individuals’ lives.

Data Broker Transparency

The push for data broker transparency continues to gain momentum. Beyond the robust framework in California, states like Vermont, Texas, and Oregon also have data broker registration laws. These laws aim to shed light on an industry that historically operates with little oversight, requiring brokers to register with state agencies, pay fees, and disclose their data collection and sharing practices. The California Delete Act, with its centralized deletion platform, represents a significant step towards empowering consumers to manage their data held by these entities.

Challenges and the Path Forward for Businesses

The accelerating pace and varied requirements of US State Privacy Laws present substantial challenges for businesses. Compliance is no longer a one-size-fits-all endeavor but requires a nuanced, state-by-state approach. Key challenges include:

  • Patchwork Compliance: The lack of a single federal privacy law means businesses must navigate a complex and evolving patchwork of state-specific regulations, each with unique thresholds, definitions, and enforcement mechanisms.
  • Operationalizing New Rights: Implementing the technical and operational infrastructure to honor diverse consumer rights—from access and deletion to opt-outs for targeted advertising and GPC signals—is a significant undertaking.
  • Managing Sensitive Data: The expanding definition of sensitive data and the universal requirement for opt-in consent for its processing necessitate careful data mapping and consent management strategies.
  • Adapting to Evolving Definitions: Terms like “sale of personal data” can vary, with some states focusing only on monetary consideration while others include broader valuable consideration.
  • Proactive Risk Management: Conducting mandatory data protection impact assessments and staying abreast of regulatory guidance, especially concerning new technologies like AI and ACR, is crucial for mitigating legal and reputational risks.

To navigate this intricate landscape, businesses must undertake a proactive and comprehensive strategy. This includes regularly reviewing and updating privacy policies, investing in robust data governance frameworks, implementing advanced consent management platforms, and conducting thorough legal assessments to ensure compliance with each applicable state law. The trend indicates that data privacy will remain a dynamic and increasingly scrutinized area, demanding continuous adaptation and a commitment to consumer trust.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.