Rhode Island, Indiana, and Kentucky Join the Growing List of Comprehensive State Privacy Laws

January demonstrates that regulators continue to focus on privacy in 2026. In January alone, Rhode Island, Indiana, and Kentucky have each enacted comprehensive consumer privacy laws. There are now 20 states with their own unique comprehensive privacy laws. The three new laws have differences in scope and thresholds.

Consumer Rights

All three laws give consumers the right to confirm whether a controller is processing their personal data, access that data, correct inaccuracies, delete personal data provided by or obtained about them, and obtain a portable copy of their data.

Each law also grants consumers the right to opt out of targeted advertising, the sale of personal data, and certain types of profiling. However, Rhode Island explicitly lists profiling as an opt-out right, while Indiana and Kentucky include profiling in the context of high-risk processing activities rather than as a standalone opt-out.

Controller and Processor Obligations

All three laws impose similar baseline obligations on controllers.

  • Administrative, technical, and physical security safeguards: Controllers are required to implement reasonable organizational, technical, and physical measures designed to protect personal data from unauthorized access, disclosure, or misuse.
  • Disclosure obligations: Controllers must describe categories of personal data collected, purposes of processing, data sharing practices, consumer rights, and the methods for exercising those rights.

Further Obligations

Further obligations include the following in Indiana and Kentucky, but not Rhode Island:

  • Data minimization requirements: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary to achieve the purposes disclosed to the consumer.
  • Purpose limitation: Personal data may not be processed for purposes that are incompatible with the original disclosed purpose unless the controller obtains the consumer’s consent.

Controllers must obtain consumer consent before processing sensitive data, and must comply with the Children’s Online Privacy Protection Act when processing data related to known children. Rhode Island goes a step further by requiring a clear mechanism for consumers to revoke consent and requiring controllers to cease processing within 15 days of revocation.

Processors and subprocessors must be bound by written contracts that impose confidentiality, security, and data use restrictions consistent with the controller’s obligations across all three laws.

Data Protection Assessments

Each law requires data protection impact assessments for processing activities that present a heightened risk of harm. These include targeted advertising, the sale of personal data, processing sensitive data, and high-risk profiling activities.

Indiana and Rhode Island both clarify that these assessment requirements are not retroactive and apply only to processing activities beginning in 2026.

Applicability and Thresholds

Indiana and Kentucky use nearly identical applicability thresholds. Both laws apply to organizations that control or process personal data of at least 100,000 state residents, or at least 25,000 residents if more than 50 percent of gross revenue is derived from the sale of personal data.

The Rhode Island law applies to entities that process personal data of at least 35,000 Rhode Island residents, excluding data processed solely to complete a financial transaction, or at least 10,000 residents if more than 20 percent of gross revenue comes from the sale of personal data. This lower threshold and reduced revenue percentage may bring smaller organizations into scope compared to Indiana and Kentucky.

Exemptions

All three laws include broad exemptions that will feel familiar to organizations already complying with other state privacy laws.

Each statute exempts state and local government entities, nonprofit organizations, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act, and HIPAA covered entities and business associates.

Kentucky’s law includes some additional carve-outs, including exemptions for certain insurance-related fraud prevention activities, small telephone utilities, and municipally owned utilities that do not sell or share personal data with third-party processors.

Key Takeaways

For organizations already familiar with Virginia-style privacy laws, compliance with the Indiana and Kentucky statutes will feel largely routine. Rhode Island’s law follows the same general framework but applies to a smaller population threshold and introduces some additional notice and consent management requirements.

Common Sense Privacy

At Common Sense Privacy, we’re passionate about helping organizations stay current with evolving privacy regulations and helping companies implement best practices. Schedule a consultation today to learn how our software can help protect your business and your users.