SPARCS - Topic Of The Week

New Privacy Laws to Look Out For - 2026

Somehow we have already found ourselves through the first quarter of the year, and even more shockingly, it is already the end of April… Apologies for the jump scare! Even though we have found ourselves nearing May, the year is still new, and there are new privacy laws (or amendments to existing privacy laws) that we can look forward to seeing over the remainder of the year. Who doesn’t like more rules, right? Let’s dig into some of the changes we can anticipate seeing in the privacy world within the United States.

New Privacy Laws Within the U.S.

There are three new state laws for 2026, related to Kentucky, Indiana, and Rhode Island consumers. All took effect as of January 1, 2026.

Kentucky Consumer Data Protection Act (KCDPA)

  • This law applies to any businesses that control or process data for 100,000 consumers within Kentucky, OR at least 25,000 consumers if they are deriving 50% or more of their revenue from the sale of that data.
  • Businesses are required to provide privacy notices, and they must obtain consent from the consumer to opt-in for sensitive data processing.
  • The penalties for not adhering to this law consist of $7,500 in fines per violation, and allow a 30-day “cure” period (time to get in compliance).

Indiana Consumer Data Protection Act (ICDPA)

  • This law applies to businesses that control or process data for 100,000 consumers within Indiana, OR at least 25,000 consumers if they are deriving 50% or more of their revenue from the sale of that data.
  • This law requires businesses to provide privacy notices, and they must obtain consent from the consumer to opt-in for sensitive data processing.
  • The penalties for not adhering to this law are the same as the KCDPA.

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) differs a bit from the above two. This law:

  • Applies to businesses that control or process data for at least 35,000 Rhode Island consumers OR 10,000 Rhode Island consumers if the business derives 20% or more of its revenue from the sale of that data.
  • Requires businesses to disclose which third parties they are selling personal information to, without the consumer having to request that information.
  • Requires security notices and for consumers to be able to opt-in to sensitive data processing.
  • Has penalties up to $10,000 per violation.

In all three state laws, consumers maintain the right to access, modify, delete, or opt-out of data processing for targeted advertising or sales.

Updated State Laws for 2026

The updates to existing laws affect California, Connecticut, and Oregon.

California Consumer Privacy Act (CCPA) - Changes in effect as of January 1, 2026

  • Businesses must complete cybersecurity audits and have certifications submitted to the California Privacy Protection Agency. This is only required for businesses that make 50% of their revenue from selling or sharing personal information of California residents, OR if they exceed $26.625 million in revenue while processing data for over 250,000 consumers.
  • Risk assessments are required for high-risk processing activities (this includes data sales, sensitive data, automated decision-making, profiling, AI training, and facial/emotional recognition).
  • There are new categories of sensitive data; these consist of data for minors under 16, neural data, and government-issued IDs. The processing of this data requires consent.
  • Businesses using automated decision-making technology are required to ensure that there is human oversight in the decision-making process.

Connecticut Data Privacy Act (CDPA) - Changes will go into effect as of July 1, 2026

  • The law will be expanded to be applicable to businesses that process data for more than 35,000 consumers, control or process sensitive data of Connecticut consumers, OR sell/trade the personal data of Connecticut consumers.
  • Consumers gain the right to access their personal data, as well as contest certain automated decisions.
  • Businesses must only collect and process sensitive personal data that is reasonably necessary, and this must be disclosed to consumers.
  • Targeted advertising to minors is prohibited.

Oregon Consumer Privacy Act (OCPA) - Changes in effect as of January 1, 2026

  • Rules surrounding the processing of sensitive information for Oregon minors (consumers under 16) were enhanced. Businesses are not permitted to engage in targeted advertising, sell personal data, or perform automated profiling without consent from the consumers who are minors.
  • The sale of Oregon consumer geolocation data (within 1,750 feet of the consumer) has been banned.
  • It is now considered a crime if someone discloses another individual's personal information with the intent to stalk or harm that individual or damage their personal property.

Our society continues to advance technologically, and with that advancement we should expect laws and regulations to follow suit. Businesses need to stay informed and aware of what changes are happening and how they may impact the way they process data. Without this awareness, businesses are subject to financial, legal, and reputational harms. Consumers should also keep an eye on data privacy laws so they understand the risks and protections involved with sharing their data. To stay informed, consider subscribing to a privacy newsletter, or simply set a reminder to regularly google changes in data privacy laws and regulations. Stay informed, and stay secure!
