Get Ready for 2026: New Privacy Laws in Kentucky, Rhode Island, and Indiana

This article lays out what’s actually in these three laws—nothing fancy—and points to the parts that are worth preparing for as we get closer to 2026.

Privacy Expands Beyond California

For years, most conversations about U.S. privacy law have centered on California and the CCPA/CPRA. That era has shifted. A growing list of states has moved ahead with their own omnibus privacy laws, each adding its own rules and small twists to the national picture.

What used to feel like a California-only concern has turned into something much broader.

The arrival of the Kentucky Consumer Data Protection Act (KCDPA), the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), and the Indiana Consumer Data Protection Act (INCDPA) is part of that broader shift.

Their introduction shows how quickly privacy expectations are spreading across the country—and why companies can’t rely on a single set of standards anymore. A program that works for California alone doesn’t really hold up when several states introduce their own definitions, thresholds, and consent rules.

With that in mind, the next sections walk through what each of the three 2026 laws actually requires.

Kentucky’s Consumer Data Protection Act (KCDPA)

Kentucky’s privacy law takes effect on January 1, 2026. It applies to businesses that operate in Kentucky or target people in the state, but it doesn’t pull in everyone automatically.

A company first has to cross one of these thresholds:

  • 100,000 consumers, or
  • 25,000 consumers and more than 50% of revenue coming from selling personal data

When a business does meet those thresholds, Kentucky residents get several rights that companies need to be prepared to honor. These rights aren’t complicated on paper, but each of them adds a bit of work behind the scenes:

  • access – letting people see the personal data a company already has about them
  • correction – updating or fixing information if something is wrong or incomplete
  • deletion – removing personal data when the consumer asks or when it’s no longer needed
  • data portability – providing a copy of the data in a usable, transferable format
  • opt-out of sale of personal data, targeted advertising, and certain types of profiling

Controllers have responsibilities as well. They need a clear privacy notice, they must complete DPIAs for certain higher-risk types of processing, and they have to use processor contracts that spell out what each side is responsible for.

None of this is unusual compared to other states, but it adds structure that companies must follow.

The KCDPA lines up fairly closely with the VCDPA and CPRA, though a few Kentucky-specific pieces stand out.

Most of the differences revolve around what the law does not require:

  • no universal opt-out mechanism – companies don’t have to recognize browser-based opt-outs like Global Privacy Control
  • 30-day cure period – if the Attorney General flags a violation, the business gets 30 days to fix it
  • no private right of action – only the Attorney General can enforce the law

Violations are enforced by the Kentucky Attorney General, who can seek civil penalties of up to $7,500 for each violation.

A later update — HB 473, signed on March 15, 2025 — added a pair of important exemptions. The amendment removes HIPAA-covered healthcare data, including PHI handled by covered entities, from the law’s scope.

It also exempts limited data sets under 45 C.F.R. § 164.514(e). On top of that, it narrowed when a DPIA is needed, limiting the obligation to profiling situations that carry a reasonably foreseeable risk of unlawful disparate impact.

For marketing teams, SaaS companies, and data brokers, most of the preparation comes down to checking whether the thresholds apply, reviewing consent and opt-out flows, looking closely at profiling and targeted-advertising setups, updating privacy notices, and completing DPIAs when the law expects them.

Rhode Island’s Data Transparency and Privacy Protection Act (RIDTPPA)

Rhode Island’s privacy law becomes enforceable on January 1, 2026. It applies to for-profit businesses that meet one of the state’s two thresholds:

  • processed personal data from 35,000 consumers in the previous year (not counting data tied only to payment transactions), or
  • processed 10,000 consumers’ data and earned more than 20% of revenue from selling personal data

Once those thresholds are met, Rhode Island residents gain several rights that organizations need to be prepared to manage.

The list follows the familiar pattern of other state privacy laws, but each item still carries real operational weight:

  • confirm whether their data is being processed
  • access to the personal data a company holds
  • correction of inaccurate information
  • deletion of qualifying data
  • data portability in a usable format
  • opt-out of targeted advertising, the sale of personal data, and certain types of profiling

On the compliance side, controllers have a set of obligations to meet. Sensitive data can only be processed with opt-in consent, and privacy notices must clearly explain what data is collected, why it’s used, and which third parties receive it.

Businesses also need proper controller–processor contracts that outline confidentiality, deletion, and the operational limits placed on processors.

Enforcement is handled solely by the Rhode Island Attorney General. There is no private right of action, and penalties can reach up to $10,000 per violation, with $100 to $500 for each intentional unauthorized disclosure.

A few parts of the RIDTPPA work differently from other state privacy laws and are worth noting on their own:

  • Rhode Island does not require universal opt-out signal recognition
  • it does not limit data collection to what is strictly “reasonably necessary,” giving businesses a bit more room than some states
  • it places strong emphasis on transparency, especially around third-party sharing and processor obligations

For businesses serving Rhode Island consumers—especially marketing teams, SaaS platforms, and companies depending on third-party tools—the practical steps tend to be straightforward.

Consent flows may need updates, opt-in logic for sensitive data has to be in place, third-party disclosures should be reviewed, and contracts with processors may require adjustment.

Teams handling targeted advertising also need to understand how Rhode Island’s opt-out rules apply to their campaigns.

Indiana’s Consumer Data Protection Act (INCDPA)

Indiana’s privacy law goes into effect on January 1, 2026. It applies to companies that operate in Indiana or direct their products or services toward Indiana residents, once they meet one of the following thresholds:

  • processed personal data of 100,000 consumers in a calendar year, or 
  • processed 25,000 consumers’ data and earned more than 50% of revenue from selling personal data

When a business falls under the INCDPA, Indiana residents have several rights that organizations need to be ready to support.

These rights are familiar across state laws, but Indiana’s wording carries a few details worth noting:

  • access to personal data
  • correction of inaccurate information
  • deletion of personal data provided by or obtained about the consumer
  • obtain a copy or representative summary of personal data previously provided, in a portable and usable format
  • opt-out of the sale of personal data, targeted advertising, and certain types of profiling

Controllers have a set of responsibilities under the law as well. They must maintain clear transparency around their data practices, follow accountability and security expectations, and give consumers a straightforward view of how their information is used.

Indiana uses a narrow definition of “sale”, limited to exchanges involving monetary consideration, similar to the Virginia and Utah approach.

Compared with Kentucky and Rhode Island, Indiana’s thresholds look almost identical to Kentucky’s, while its definition of “sale” tracks closely with the Virginia-style model.

The law also requires opt-in consent for processing sensitive data, though it doesn’t add the extra layers seen in some later state laws, keeping it closer to the original Virginia framework.

Enforcement is handled by the Indiana Attorney General, who may seek civil penalties of up to $7,500 for each violation, consistent with several other state privacy laws.

For data-driven SaaS platforms, online services, and companies relying heavily on analytics or advertising tools, the practical work involves evaluating whether any activity qualifies as a sale or as processing for targeted advertising, preparing opt-out flows that function properly, and ensuring processor contracts reflect Indiana’s rules.

Marketing teams also need a clear understanding of how profiling is treated, since that area tends to create the most uncertainty.

2026 State Privacy Law Comparison: Kentucky, Rhode Island, and Indiana

| Category | Kentucky (KCDPA) | Rhode Island (RIDTPPA) | Indiana (INCDPA) |
|---|---|---|---|
| Effective Date | Jan 1, 2026 | Jan 1, 2026 | Jan 1, 2026 |
| Applicability Thresholds | 100k consumers OR 25k + >50% revenue from data sale | 35k consumers OR 10k + >20% revenue from data sale | 100k consumers OR 25k + >50% revenue from data sale |
| Consumer Rights | Access, correction, deletion, portability, opt-out of sale/targeted ads/profiling | Confirm processing, access, correction, deletion, portability, opt-out of sale/targeted ads/profiling | Access, correction, deletion (provided or obtained), copy or representative summary, opt-out of sale/targeted ads/profiling |
| Sensitive Data Rules | Consent required; HIPAA-covered and limited-data-set exemptions (HB 473) | Opt-in required for sensitive data | Opt-in required for sensitive data (Virginia-style) |
| Definition of “Sale” | Monetary consideration only | Monetary consideration + additional disclosure obligations | Monetary consideration only (Virginia-style) |
| Universal Opt-Out Signals | Not required | Not required | Not required |
| Profiling Opt-Out | Yes | Yes | Yes |
| Targeted Advertising Opt-Out | Yes | Yes | Yes |
| Controller Obligations | Privacy notice, DPIAs for high-risk processing, processor contracts | Privacy notice, controller–processor contracts, opt-in for sensitive data | Transparency, accountability, security measures, processor contracts |
| Third-Party / Processor Transparency | Standard processor contract rules | Stronger transparency requirements for third parties and processors | Standard Virginia-style processor duties |
| Cure Period | 30-day cure period | No cure period | No cure period mentioned (AG enforces) |
| Enforcement | Attorney General | Attorney General | Attorney General |
| Penalties | Up to $7,500 per violation | Up to $10,000 per violation + $100–$500 per intentional unauthorized disclosure | Up to $7,500 per violation |

Multi-State Compliance Challenges

As more states adopt their own privacy frameworks, businesses face a new layer of multi-state complexity that affects everything from consent flows to vendor management.

  1. Fragmented legal requirements
    Even though the three laws share a similar framework, each one uses its own definitions, thresholds, opt-out rules, and processor obligations. Businesses have to track each state individually, which turns compliance into a moving target.
  2. Consent banner and tracking complexity
    A consumer in Kentucky may need a different opt-out flow or disclosure than someone in Rhode Island. That means consent banners and tracking behavior must be geo-targeted by state, with wording and logic adjusted for each jurisdiction.
  3. Vendor and processor management
    Processor contracts have to meet the strictest requirements across all applicable states. This often means revising agreements to cover the “highest bar” so that cross-state processing doesn’t fall out of compliance.
  4. Data mapping and state-triggering thresholds
    To know which rules apply, businesses need a clear map of their data flows and must identify whether they meet each state's thresholds. Rights requests then need to route correctly based on which state law the consumer falls under.
  5. Marketing, profiling, and targeted advertising
    Organizations running targeted ads or using profiling tools must build logic that recognizes when a user is covered by one of these laws and adjusts opt-out handling immediately. Missing that step can create enforcement risk.
  6. Audit and enforcement exposure
    Because penalties and enforcement approaches vary between states, the risk profile changes depending on where consumers live. This makes compliance documentation and audit trails more important for multi-state businesses.
  7. Timing and readiness pressure
    With different states activating new rules, teams can’t push compliance planning off. State-by-state readiness has to be prioritized so systems, notices, and vendor relationships are updated in time.
  8. Operational burden and cost
    Multi-state obligations often lead companies to operate at or near the strictest standard just to keep things manageable. This reduces complexity but raises operational costs and can slow down product and marketing experimentation.

How a CMP like CookieScript Simplifies State Compliance

Staying compliant across several state privacy laws can turn into a daily juggling act — different disclosures, different opt-out rules, and different expectations for how tracking should behave.

A Consent Management Platform like CookieScript helps streamline this by handling the technical pieces that change from state to state, while keeping everything consistent for internal teams.

CookieScript Features That Support Multi-State Compliance

  • Geo-targeting — lets businesses show different Cookie Banner content based on the visitor’s state, so notices for Kentucky, Rhode Island, and Indiana can each follow the right legal format.
  • User consents recording — maintains a reliable log of approvals, opt-outs, and changes over time, which is crucial for audits or AG inquiries.
  • Third-party cookie blocking — prevents tracking scripts from firing until the correct consent or opt-out choice is made.
  • Google Consent Mode v2 — adjusts analytics and advertising tools automatically to match a user’s preferences around targeted advertising, profiling, or sale of data.
  • Automatic script blocking — stops unknown or unclassified scripts until they’re reviewed, reducing the chance of unintentional data sharing.
  • Automatic monthly scans — identifies new cookies, tag changes, or tracking updates that might affect compliance across states.
  • Advanced reporting — provides detailed logs and summaries that help demonstrate cross-state compliance and track how consent behavior varies by region.
  • Cookie Banner sharing — lets teams reuse and coordinate banner templates across multiple sites or environments without losing state-specific customization.
  • Google-certified CMP — ensures compatibility with Google’s latest requirements, which matters for businesses using GA4, Ads, or other Google ad platforms.
  • IAB TCF 2.2 integration — helpful for publishers or advertising teams that rely on standardized consent signaling across ad networks.
  • 42 languages — important for businesses serving multilingual audiences or operating internationally while still meeting U.S. state requirements.

By implementing CookieScript as a single, flexible layer for consent management, businesses can shift away from patchwork fixes and move toward a setup that adjusts automatically based on where the visitor is located and which law applies.

It’s a cleaner way to keep up with shifting requirements without slowing down marketing, product, or engineering teams.

CookieScript earned its fourth straight Best Consent Management Platform badge from G2 in spring 2025.

Conclusion

The wave of new state privacy laws isn’t slowing down — and 2026 makes that clearer than ever. Kentucky, Rhode Island, and Indiana may not dominate headlines like California, but their laws signal a shift: privacy compliance is no longer something you can “bolt on” once a year. It’s becoming a day-to-day operational discipline.

The companies that handle this well won’t be the ones memorizing every clause. They’ll be the ones that build flexible, transparent systems that adjust as the rules change — and they’ll treat consent as part of the user experience, not a legal chore.

If there’s a takeaway here, it’s simple: the businesses that embrace adaptability now will be the ones that stay ahead of the next round of state laws waiting in the wings.

Frequently Asked Questions

When do the KCDPA, RIDTPPA, and INCDPA take effect?

All three laws — the KCDPA, RIDTPPA, and INCDPA — take effect on January 1, 2026, and CookieScript helps businesses prepare early with tools like geo-targeted consent banners, automatic scans, and state-specific Cookie Banner setups.

Do the KCDPA, RIDTPPA, and INCDPA apply to small businesses?

They only apply if your business crosses the thresholds (Kentucky/Indiana’s 100,000 consumers or 25,000 + sale-revenue test, or Rhode Island’s 35,000 or 10,000 + 20% rule). CookieScript makes it easier to align compliance once you know which laws apply by providing user consents recording, advanced reporting, and state-level banner versions.

Are the KCDPA, RIDTPPA, and INCDPA similar to the CPRA or VCDPA?

Yes — they follow a similar structure of consumer rights and opt-out requirements. CookieScript supports all of these by offering third-party cookie blocking, Google Consent Mode v2, and customizable Cookie Banners that match each law’s specific notices and opt-out rules.

What counts as “sensitive data” under the KCDPA, RIDTPPA, and INCDPA?

Sensitive data often includes biometric, health, precise geolocation, and children’s data. The RIDTPPA requires opt-in for sensitive-data processing, and CookieScript helps meet these rules using geo-targeted banners, state-specific consent flows, and automatic script blocking until proper consent is given.

How can I manage compliance with the KCDPA, RIDTPPA, and INCDPA?

CookieScript simplifies multi-state compliance through geo-targeting, user consents recording, automatic monthly scans, third-party cookie blocking, Google Consent Mode v2, 42 languages, and advanced reporting, all of which help align tracking and consent behavior with each law.

What should I prioritize if I operate in Kentucky, Rhode Island, and Indiana?

Focus on data-mapping, identifying which thresholds you meet, reviewing targeted-advertising and profiling activities, and deploying CookieScript so your Cookie Banner, tracking, and opt-outs automatically adjust based on the visitor’s state.

If I’m already compliant with the CPRA or VCDPA, do I still need updates for the KCDPA, RIDTPPA, and INCDPA?

Usually yes — each state has its own thresholds, definitions, and sensitive-data rules. CookieScript makes updates easier with Cookie Banner sharing, IAB TCF 2.2 integration, Google-certified CMP functionality, and state-specific banner logic that fills the gaps CPRA/VCDPA compliance doesn’t cover.
