
New Privacy Laws Just Went Live in Three More States

Three more states just activated comprehensive privacy laws this month—Kentucky, Indiana, and Rhode Island all went live January 1st. That brings the total to 19 states with their own privacy frameworks. California also introduced several significant regulatory updates on the same day.

Here's what changed and what it means for you.





California's New Rules

The state rolled out three major regulatory updates:

Automated Decision Oversight: Companies using AI or automated systems to make significant decisions about people now face additional requirements. A human reviewer must be able to override automated decisions, and consumers gain opt-out rights when these systems replace human judgment.

Privacy Risk Assessments: Organizations must conduct privacy risk assessments in more scenarios—including when trading personal data, processing sensitive information, deploying AI for major decisions, or using algorithms to evaluate job applicants or students.

Cybersecurity Standards: California established specific definitions for what constitutes "reasonable security" and when companies need independent audits, providing clearer guidance than previous regulations.


California's DELETE Button

California launched its DROP platform (Data Broker Opt-Out & Deletion System), which streamlines the data removal process. Previously, removing your information from data broker databases required contacting each company individually. Now California residents can submit one request through the state portal that reaches all registered brokers simultaneously.

Brokers have 45 days to remove requested information. Non-compliance carries a $200 penalty per individual whose data isn't properly handled. As CalPrivacy Executive Director Tom Kemp explained to IAPP, penalties can accumulate quickly when databases contain hundreds of thousands or millions of records.

California has already issued enforcement guidance targeting brokers that failed to list all their websites and business names on the public registry, which prevented consumers from knowing which companies held their data.


Kentucky, Indiana, and Rhode Island Join In

The three new state laws share common features with existing privacy legislation:

Kentucky and Indiana: Both laws apply to businesses handling data on 100,000+ residents, or deriving half their revenue from selling information on 25,000+ people. Residents gain rights to access, delete, and opt out of targeted advertising and data sales. Companies receive a 30-day period to address violations before penalties apply.

Indiana's Attorney General published a detailed guide explaining consumer rights and business obligations under the new law.

Rhode Island: The law covers businesses processing information on 35,000+ Rhode Island residents (or 10,000+ while generating 20% of revenue from data sales). However, Rhode Island's law omits several provisions found in other state laws—including universal opt-out signal recognition, enhanced protections for minors, and violation cure periods.


Oregon Expands Its Law

Oregon's privacy law, which launched in mid-2024, added new requirements in January: businesses must honor universal opt-out signals, follow stricter rules for processing data from individuals under 16, and cannot sell geolocation information.


What This Means

Nineteen states now have comprehensive privacy laws with varying requirements regarding coverage thresholds, data categories, consumer rights, and enforcement mechanisms. Without federal legislation, businesses operating across state lines must navigate different compliance frameworks in each jurisdiction.

State attorneys general are beginning to coordinate enforcement efforts, which means violations could potentially trigger investigations across multiple states.


The Bottom Line

More states are establishing privacy protections, giving residents greater control over their personal information. However, the lack of a unified federal standard means privacy rights and protections vary significantly depending on where you live.







Information compiled from reporting by the International Association of Privacy Professionals (IAPP),


 
 
 
