Skip to main content
Home/Blog/New US State Privacy Laws in 2026: Indiana, Kentucky and Rhode Island for Advertisers
Back to Intelligence Hub
regulationUnited StatesRisk Level: medium

New US State Privacy Laws in 2026: Indiana, Kentucky and Rhode Island for Advertisers

Three new state privacy laws took effect on January 1, 2026 — in Indiana, Kentucky and Rhode Island — each giving consumers a right to opt out of targeted advertising.

Updated July 8, 2026· Originally published July 8, 202613 min readAuditSocials Research
TweetShare
Quick Answer

On January 1, 2026, comprehensive consumer privacy laws took effect in three more US states: the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act and the Rhode Island Data Transparency and Privacy Protection Act. All three follow the model established by earlier state laws and give consumers a set of rights that includes the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling — the rights most directly relevant to advertisers. The Indiana and Kentucky laws apply to businesses that control or process the personal data of 100,000 or more state consumers, or 25,000 or more while deriving over 50 percent of gross revenue from the sale of personal data; Rhode Island's thresholds are lower, applying at 35,000 consumers, or 10,000 consumers where more than 20 percent of revenue comes from selling personal data. All three require opt-in consent before processing sensitive data, a category that includes information such as racial or ethnic origin, religious beliefs, health conditions, genetic or biometric data and precise geolocation. Enforcement rests with each state's Attorney General: Indiana and Kentucky provide a 30-day period to cure violations with penalties up to $7,500 per violation, while Rhode Island provides no cure period and penalties up to $10,000 per violation. These laws bring the number of US states with comprehensive privacy laws in effect to twenty, within a larger group of enacted laws, so national advertisers face an expanding patchwork rather than a single federal rule. Map exposure across states with the Legal Compliance Scan, audit audience and consent practices with the AI Compliance Audit, and track new laws on the Policy Change Tracker.

New US State Privacy Laws in 2026: Indiana, Kentucky and Rhode Island for Advertisers

Three New State Privacy Laws in 2026

On January 1, 2026, three more US states brought comprehensive consumer privacy laws into effect: the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act. Each follows the general model established by earlier state privacy statutes, and each gives consumers a familiar set of rights — including, most relevantly for advertisers, the right to opt out of having their personal data processed for targeted advertising.

For advertisers and adtech teams, the practical significance is not that any one of these states introduces a novel concept, but that the map of where opt-out obligations apply keeps expanding. Each new state adds a population whose residents can require that their data not be used for targeted advertising, sold, or used for certain profiling, and each adds an enforcement authority. The result is a widening patchwork that national campaigns must accommodate.

"Right to access, correct, delete, obtain a copy, and opt out of data processing used for targeted advertising, the sale of personal data, or profiling.
— Kentucky Consumer Data Protection Act (consumer rights)"

This guide sets out who each law applies to, the rights they grant with a focus on the targeted-advertising opt-out, the sensitive-data consent rules, how each is enforced, and what advertisers should do. For the universal opt-out signal dimension see the US universal opt-out guide, and define terms in the compliance glossary.

Who Each Law Applies To

The first question for any business is whether these laws apply to it, and that turns on each state's applicability thresholds. Indiana and Kentucky share the more common threshold structure, while Rhode Island sets notably lower numbers, which brings smaller businesses into scope.

Applicability Thresholds

StateApplies if a business controls/processes...
Indiana (ICDPA)100,000+ Indiana consumers, or 25,000+ while deriving over 50% of revenue from the sale of personal data
Kentucky (KCDPA)100,000+ Kentucky consumers annually, or 25,000+ while deriving over 50% of gross revenue from the sale of personal data
Rhode Island (RIDTPPA)35,000+ Rhode Island consumers, or 10,000+ while deriving more than 20% of gross revenue from the sale of personal data

The Rhode Island thresholds are the ones most likely to surprise, because the 35,000-consumer floor and the 10,000-consumer-plus-20-percent-revenue alternative are lower than the 100,000/25,000 structure used in Indiana and Kentucky, meaning a business that falls below the threshold in Indiana or Kentucky could still be in scope in Rhode Island. For businesses operating nationally, the correct approach is to test applicability state by state rather than assume a single threshold. Map where a business is in scope across states with the Legal Compliance Scan, and for how these interact with platform data controls see the Meta limited data use guide.

Rights and the Targeted-Advertising Opt-Out

All three laws grant consumers a comparable bundle of rights, and the one that most directly shapes advertising practice is the right to opt out of the processing of personal data for targeted advertising, alongside opt-outs for the sale of personal data and for profiling.

The Common Rights

  • Access: the right to know about and access the personal data a business holds.
  • Correction: the right to correct inaccurate personal data.
  • Deletion: the right to delete personal data.
  • Portability: the right to obtain a copy of personal data in a portable form.
  • Opt-out: the right to opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of certain decisions.

For advertisers, the opt-out right is the operational centre of gravity. When a consumer in one of these states exercises the right to opt out of targeted advertising, the business must stop processing that person's personal data for targeted advertising, which requires the systems and signals to recognise and honour the opt-out. Because the same right appears across many state laws, the efficient design is a consistent mechanism to capture and apply opt-outs rather than a separate build per state. The targeted-advertising and sale opt-outs also connect to universal opt-out signals, which several states require businesses to honour. Audit how audience-building and retargeting respect opt-outs with the AI Compliance Audit, and track how these obligations evolve on the Policy Change Tracker.

Sensitive Data, Enforcement and Penalties

Beyond the opt-out rights, the laws impose an opt-in consent requirement for sensitive data and back the whole framework with state enforcement, and here the three states differ in ways worth noting — particularly Rhode Island's approach to cure periods.

Consent and Enforcement

StateSensitive dataEnforcerCure periodPenalty (up to)
IndianaOpt-in consent requiredIndiana Attorney General30 days$7,500 per violation
KentuckyOpt-in consent requiredKentucky Attorney General30 days$7,500 per violation
Rhode IslandPrior consent requiredRhode Island Attorney GeneralNone provided$10,000 per violation

The sensitive-data rules require opt-in consent before processing categories such as racial or ethnic origin, religious beliefs, health conditions, genetic or biometric data, and precise geolocation, which is a higher bar than the opt-out model used for targeted advertising generally. On enforcement, Indiana and Kentucky each provide a 30-day window to cure a violation before penalties of up to $7,500 per violation, while Rhode Island provides no cure period and penalties of up to $10,000 per violation — a difference that makes proactive compliance in Rhode Island particularly important, since there is no built-in opportunity to fix a violation after the fact. All three are enforced by the state Attorney General rather than through a private right of action of general application. For the broader US framework see the US compliance reference, and screen data categories and copy with the Legal Compliance Scan.

What This Means for Advertisers

The addition of three states does not change the fundamental compliance approach, but it does reinforce the direction of travel and the practical need for a scalable opt-out mechanism. The advertiser priorities are consistent with the broader state-privacy landscape.

Advertiser Priorities

  • Test applicability: check the thresholds state by state, remembering Rhode Island's lower numbers can bring a business into scope where Indiana and Kentucky would not.
  • Honour targeted-advertising opt-outs: ensure systems recognise and apply opt-outs for targeted advertising, sale and profiling for residents of these states.
  • Manage sensitive data: obtain opt-in consent before processing sensitive-data categories.
  • Prioritise Rhode Island discipline: because Rhode Island provides no cure period, treat compliance there as requiring proactive rather than reactive correction.

The strategic message is that the expanding patchwork rewards a single, consistent compliance design over per-state improvisation: a mechanism that captures and honours opt-outs, a consent flow for sensitive data, and an applicability test that runs across states. Building to the common denominator of these state laws — the targeted-advertising, sale and profiling opt-outs, plus sensitive-data opt-in — positions an advertiser to absorb each new state with minimal incremental work. Because thresholds, rights and enforcement details differ and can change, confirm the specifics for each state against official sources. Map multi-state exposure with the Legal Compliance Scan, and track new and amended laws on the Policy Change Tracker.

State Privacy Compliance Checklist

  • [ ] Tested applicability against Indiana, Kentucky and Rhode Island thresholds
  • [ ] Noted that Rhode Island's lower thresholds may apply where Indiana and Kentucky do not
  • [ ] Implemented a mechanism to capture and honour targeted-advertising opt-outs
  • [ ] Extended opt-out handling to sale of personal data and profiling
  • [ ] Built opt-in consent flows for sensitive-data categories
  • [ ] Aligned universal opt-out signal handling with the targeted-advertising opt-out
  • [ ] Applied heightened, proactive compliance discipline for Rhode Island (no cure period)
  • [ ] Documented data-processing purposes to support access, correction and deletion requests
  • [ ] Designed a single cross-state compliance mechanism rather than per-state builds
  • [ ] Confirmed each state's thresholds, rights and enforcement against official sources

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#State Privacy#Indiana CDPA#Kentucky CDPA#Rhode Island#Targeted Advertising#Opt-Out#Sensitive Data#Ad Compliance#US Regulation#2026 Policy#Advertisers#Compliance Guide 2026

Share This Report

TweetShare

Related Posts

Related Resources