A quiet revolution is underway in American privacy law — and most people have no idea it happened.

As of January 1, 2026, 20 U.S. states now have comprehensive consumer privacy laws in effect. Three new ones — Indiana, Kentucky, and Rhode Island — kicked in with the new year. Arkansas joins them in July. And Congress is currently debating whether to override all of them with a single federal law (see our coverage of the SECURE Data Act).

If you live in any of these states, you have privacy rights you may not know about. If you run a business that touches customer data, compliance is no longer optional. This is the map.


The Full List: States with Comprehensive Privacy Laws (2026)

State | Law | Effective Date
California | CCPA/CPRA | Jan 1, 2020 / Jan 1, 2023
Virginia | CDPA | Jan 1, 2023
Colorado | CPA | July 1, 2023
Connecticut | CTDPA | July 1, 2023
Utah | UCPA | Dec 31, 2023
Texas | TDPSA | July 1, 2024
Florida | FDBR | July 1, 2024
Montana | MCDPA | Oct 1, 2024
Oregon | OCPA | July 1, 2024
Delaware | DPDPA | Jan 1, 2025
Iowa | ICDPA | Jan 1, 2025
Maryland | MODPA | Oct 1, 2025
Minnesota | MHMD | July 31, 2025
Nebraska | NDPA | Jan 1, 2025
New Hampshire | NHPDA | Jan 1, 2025
New Jersey | NJDPA | Jan 15, 2025
Tennessee | TIPA | July 1, 2025
Indiana | InCPA | Jan 1, 2026
Kentucky | KCDPA | Jan 1, 2026
Rhode Island | RIDPA | Jan 1, 2026
Arkansas | ADPPA | July 1, 2026

The Three New Laws: Indiana, Kentucky, Rhode Island

Indiana (InCPA)

Indiana’s Consumer Privacy Act closely mirrors Virginia’s Consumer Data Protection Act — the template most states have followed. It applies to businesses that:

  • Control or process the personal data of 100,000+ Indiana consumers annually, or
  • Derive 50%+ of gross revenue from selling personal data of 25,000+ consumers

Indiana consumers get the core package of rights: access, correction, deletion, data portability, and opt-out of targeted advertising, data sales, and profiling for significant decisions (like credit, employment, or housing).

Notably, Indiana’s law includes a 30-day cure period before enforcement actions can proceed — meaning a business gets a chance to fix a violation before being penalized. This is a more business-friendly provision than some states offer.

Kentucky (KCDPA)

Kentucky’s Consumer Data Protection Act is nearly identical to Indiana’s in structure and thresholds. Same 100,000-consumer applicability threshold, same 50% revenue test, same 30-day cure period.

Where Kentucky diverges: it adds required Data Protection Impact Assessments for high-risk processing activities — profiling, sensitive data processing, targeted advertising. Businesses must document why the processing is necessary and how risks are mitigated. This creates a paper trail that regulators can use in enforcement.

Rhode Island (RIDPA)

Rhode Island’s law has the lowest applicability threshold of any state — covering entities that process personal data of just 35,000 Rhode Island residents, or 10,000 residents if the business derives more than 20% of gross revenue from selling personal data.

That matters because Rhode Island is a small state. A business with a modest national footprint might hit the 35,000-resident threshold without even realizing it.

What Rhode Island’s law notably lacks is also important: it does not include recognition of universal opt-out mechanisms (like browser-based Global Privacy Control), does not have enhanced children’s privacy provisions, and has no right to cure. The law’s broader reach is somewhat offset by fewer built-in protections for the people it covers.


What Your Rights Actually Mean

Across all 20 state laws, residents share a core set of rights. Here’s what they mean in practice:

Right to Know (Access): You can ask a company what personal data they hold about you and receive a copy. Under California’s CCPA, this includes the categories of data collected, the sources, the purposes, and which third parties received it. Other states have similar, though often narrower, requirements. For a deeper look at what counts as personal information under these laws, see pii.compliancehub.wiki — it tracks how each state defines PII and sensitive data.

Right to Correct: If a company has inaccurate data about you, you can request a correction. This right is particularly important for data brokers, who often have demonstrably wrong information — wrong addresses, outdated employment, incorrect family relationships — that can affect credit decisions, background checks, and more. Your state-by-state rights breakdown is at privacyrights.compliancehub.wiki.

Right to Delete: You can ask a company to erase your personal data. There are exceptions — a business can keep data it needs for legal compliance, fraud prevention, or completing transactions you initiated. But for general marketing databases and data broker files, deletion requests must be honored.

Right to Opt Out: You can opt out of the sale of your data, targeted advertising, and profiling for consequential decisions. How you exercise this right varies by state. California supports the Global Privacy Control browser signal — businesses must honor it automatically. Most other states require company-specific opt-out mechanisms.

Right to Data Portability: In most states, you can request your data in a portable, machine-readable format — which makes it easier to switch services or understand what’s being held.


Sensitive Data: Where Kids and Biometrics Get Special Treatment

Every state law recognizes a category of sensitive data that gets heightened protection. The exact list varies, but the common elements include:

  • Health and medical data
  • Biometric identifiers (fingerprints, facial recognition, voice prints) — for a state-by-state breakdown of biometric privacy laws, see biometric.myprivacy.blog
  • Precise geolocation (within a radius, typically 1,750 feet or less)
  • Racial or ethnic origin
  • Sexual orientation or gender identity
  • Financial account information
  • Children’s data

Processing sensitive data generally requires opt-in consent rather than just an opt-out option. This is a meaningful distinction: opt-out means you’re in by default; opt-in means you have to actively agree before data is collected or used.

For children specifically, most state laws either incorporate COPPA (the federal children’s privacy law) or go beyond it. childrenprivacylaws.com tracks exactly how each state handles minors’ data — including age verification requirements, parental consent mechanisms, and which states have standalone children’s privacy laws. Earlier this month, we covered the Canvas breach, in which ShinyHunters claimed to have stolen data on 275 million students — a reminder of how much sensitive data flows through educational platforms.


What Arkansas Adds in July

Arkansas’s Digital Personal Data Protection Act (ADPPA) goes live July 1, 2026. It follows the Virginia template like Indiana and Kentucky — same core rights, similar applicability thresholds. What makes Arkansas notable is context: it joins at the same time Connecticut and Utah expand their enforcement, meaning mid-2026 is a significant compliance deadline for businesses still catching up.


The Enforcement Gap

Having rights on paper and being able to exercise them are different things. No comprehensive state privacy law currently in effect includes a private right of action — you cannot sue a company yourself for violating your privacy rights. You have to file a complaint with your state attorney general and hope they act.

State AGs have been ramping up enforcement. California’s AG and the California Privacy Protection Agency have issued several enforcement actions. Texas filed suit against Google over biometric data collection in 2022 and settled for $1.4 billion. But enforcement is still reactive and selective — not systematic.

This is why the data broker industry continues to operate largely unchecked despite being nominally subject to most of these laws. Companies like Kochava were only reined in after FTC action — not because state privacy laws forced them to stop. Your cannabis dispensary was likely selling your data under exemptions and gray areas that state laws haven’t fully closed.


What This Means for You

If you live in one of these 20 states, you have real rights today. The most actionable ones:

  1. Submit data deletion requests to data brokers. Services like DeleteMe, Privacy Bee, or manual submissions to companies like Acxiom, LexisNexis, and Spokeo can reduce your footprint significantly.

  2. Enable Global Privacy Control in your browser. If you’re in California, Colorado, or Connecticut, businesses must honor this browser signal automatically. Chrome, Firefox, and Brave all support it via extensions.

  3. Read privacy notices carefully. Under all these laws, companies must disclose what they collect, why, and who they share it with. The disclosures aren’t always easy to find, but they’re legally required.

  4. File complaints when rights are violated. If a company refuses a deletion or access request, your state AG’s office wants to hear about it. Enforcement starts with complaints.

The patchwork is imperfect. The rights it grants are real.


For a complete tracker of state-by-state consumer data rights — including opt-out mechanisms, cure periods, and enforcement contacts — visit privacyrights.compliancehub.wiki.