
2026 U.S. Data Privacy Law Mid-Year Recap

Privacy Compliance is a Defensible Business Requirement


The first half of 2026 has delivered significant developments in U.S. privacy regulations. Indiana, Kentucky, and Rhode Island officially joined the growing list of state-level comprehensive privacy laws, while California and Maryland have introduced major operational compliance obligations that significantly raise expectations for businesses handling personal data.

At the same time, regulators, plaintiffs’ firms, and consumers are increasingly shifting their focus away from whether organizations simply maintain privacy policies and disclosures, and toward whether privacy controls actually function operationally in practice (See Plaintiff-Acquisition Funnels). Cookie consent mechanisms, universal opt-out signals, vendor governance, data-sharing disclosures, tracking technologies, and consumer rights workflows are all receiving heightened scrutiny.

2026 also marks a major turning point in AI governance and automated decision-making regulation. States are increasingly imposing requirements around profiling, algorithmic accountability, risk assessments, transparency, and automated processing oversight. Organizations deploying AI systems without documented governance controls now face expanding regulatory and litigation exposure.

The broader trends becoming more visible in 2026:

  • Increased litigation involving session replay tools, pixels, beacons, SDKs, and tracking technologies
  • Expanded enforcement activity tied to deceptive consent interfaces and dark patterns
  • Growing scrutiny around AI-driven profiling and automated decision-making technologies
  • Heightened expectations for defensible privacy governance programs
  • Increased operational requirements around consent validation and opt-out mechanisms
  • Expanding biometric privacy litigation under BIPA and similar frameworks
  • More states require recognition of universal opt-out mechanisms and Global Privacy Control (GPC)
  • Greater regulatory focus on whether privacy controls function as represented
  • Continued expansion of privacy obligations for organizations without large revenue thresholds

This mid-year recap focuses on the most significant U.S. state privacy law developments shaping compliance requirements in 2026 and the operational risks organizations must now address.

New U.S. Comprehensive Data Privacy Laws Effective in 2026

| State | Effective Date | Applicability Threshold | Cure Period | Penalties | Legal Text |
|---|---|---|---|---|---|
| Indiana (ICDPA) | January 1, 2026 | 100,000 consumers or 25,000 + 50% revenue from data sales | 30 days | Up to $7,500 per violation | ICDPA legal text |
| Kentucky (KCDPA) | January 1, 2026 | 100,000 consumers or 25,000 + 50% revenue from data sales | 30 days | Up to $7,500 per violation | KCDPA legal text |
| Rhode Island (RIDTPPA) | January 1, 2026 | 35,000 consumers or 10,000 + 20% revenue from data sales | No cure period after January 1, 2026 | Up to $10,000 per violation | RIDTPPA legal text |

A growing number of states continue adopting comprehensive privacy frameworks that closely resemble the Virginia Consumer Data Protection Act (VCDPA) model while introducing state-specific operational and enforcement differences.

While many of these laws contain similar consumer rights and transparency requirements, several 2026 laws stand out because they:

  • Apply to organizations without traditional revenue thresholds
  • Increase operational obligations around sensitive data
  • Narrow available cure periods
  • Impose stronger accountability requirements for profiling and targeted advertising

Indiana Consumer Data Protection Act (INCDPA)

The INCDPA became effective on January 1, 2026 and applies to organizations conducting business in Indiana or targeting products or services to Indiana residents that:

  • control or process the personal data of at least 100,000 Indiana consumers during a calendar year, or
  • control or process the personal data of at least 25,000 Indiana consumers while deriving more than 50% of gross revenue from the sale of personal data.

Notably, the law does not contain a revenue threshold, meaning relatively small organizations may still fall within scope if they process sufficient consumer data.

The Indiana Attorney General maintains exclusive enforcement authority under the law. Organizations are currently provided a 30-day cure period, with penalties reaching up to $7,500 per violation.

Key operational requirements:

  • Consumer rights to access, delete, correct, and obtain copies of personal data
  • Opt-out rights for targeted advertising and data sales
  • Mandatory privacy notices
  • Data protection assessments for high-risk processing activities
  • Consent requirements for processing sensitive personal data

Like many newer state privacy laws, Indiana places increased emphasis on operational accountability rather than solely written disclosures.

Kentucky Consumer Data Protection Act (KCDPA)

The KCDPA also became effective on January 1, 2026 and generally mirrors several aspects of the Virginia privacy framework. The law applies to organizations conducting business in Kentucky or targeting Kentucky residents that:

  • control or process the personal data of at least 100,000 Kentucky consumers during a calendar year, or
  • control or process the personal data of at least 25,000 Kentucky consumers while deriving more than 50% of gross revenue from the sale of personal data

Like Indiana, Kentucky does not impose a revenue threshold.

Employee and B2B data are excluded because the law only applies to individuals acting in a personal or household context.

The Kentucky Attorney General enforces the law and organizations are currently entitled to a 30-day cure period. Violations may result in penalties of up to $7,500 per violation.

Key requirements:

  • Consumer rights to access, correct, and delete personal data
  • Data portability rights
  • Opt-out rights for targeted advertising and data sales
  • Mandatory privacy notices
  • Data minimization obligations
  • Consent requirements for processing sensitive personal data

Kentucky’s law reinforces the broader national trend toward operational data governance and defensible privacy management practices.

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

The RIDTPPA became effective on January 1, 2026 and introduced one of the more aggressive enforcement frameworks among newly effective state privacy laws.

The law applies to organizations conducting business in Rhode Island or targeting Rhode Island residents that:

  • control or process the personal data of at least 35,000 Rhode Island consumers during the preceding calendar year, excluding data processed solely for payment transactions, or
  • control or process the personal data of at least 10,000 consumers while deriving more than 20% of gross revenue from the sale of personal data

Rhode Island also does not impose a revenue threshold, continuing a pattern that small businesses should be cautious of. One of the most notable operational differences is the elimination of the cure period after January 1, 2026. Organizations may therefore face more immediate enforcement exposure compared to several other states.

The Rhode Island Attorney General maintains enforcement authority, with penalties reaching up to $10,000 per violation.

Key operational obligations:

  • Consumer rights to access, correct, delete, and obtain copies of personal data
  • Opt-out rights for targeted advertising, data sales, and certain profiling activities
  • Consent requirements for processing sensitive personal data
  • Mandatory data protection assessments for high-risk processing activities
  • Controller and processor contractual requirements
  • Transparency obligations related to targeted advertising and third-party data sharing
  • Requirements to maintain secure and reliable consumer rights request mechanisms

Rhode Island’s lower applicability thresholds and more aggressive enforcement posture may create compliance exposure for smaller organizations that historically operated outside broader privacy law requirements.

Additional 2026 Privacy Regulatory Developments

California

California continues to lead the United States in operational privacy enforcement and AI governance requirements. In 2026, the California Privacy Protection Agency (CPPA) expanded its focus on privacy risk assessments, automated decision-making technologies (ADMT), cybersecurity auditing, and operational accountability.

Organizations subject to the CCPA and CPRA are now facing heightened scrutiny around:

  • AI-driven profiling
  • Consumer opt-out mechanisms
  • Dark patterns
  • Sensitive personal information processing
  • Whether consent mechanisms function as represented

California’s evolving regulations demonstrate that regulators are increasingly evaluating operational privacy governance rather than relying solely on written disclosures or privacy policies, setting a trend that many states are adopting.

Maryland

While the Maryland Online Data Privacy Act (MODPA) became effective in late 2025, many of the law’s operational processing obligations began applying in 2026.

MODPA quickly became recognized as one of the strictest state privacy laws in the United States because it introduces aggressive data minimization standards and stronger restrictions surrounding sensitive personal data.

The law also requires organizations to recognize universal opt-out mechanisms such as Global Privacy Control (GPC), further increasing operational compliance expectations for organizations using targeted advertising or behavioral tracking technologies.

Maryland’s framework signals a growing trend toward stricter operational accountability, particularly around profiling, consent validation, and data governance practices.

Arkansas, Utah, Connecticut & Oregon

Several additional states are introducing privacy regulations in 2026 that organizations should continue to monitor.

  • Arkansas is implementing its first-in-the-nation Children and Teens’ Online Privacy Protection Act (HB 1717) on July 1, 2026. While not a traditional “comprehensive” law for all age groups, it expands consumer privacy by extending strict, COPPA-like protections to teens aged 13 through 16.
  • Utah is expanding the Utah Consumer Privacy Act (UCPA via HB 418). This will grant Utah residents the statutory right to request that businesses correct inaccuracies in their personal data. The right to correct will officially take effect on July 1, 2026.

Connecticut and Oregon are both expanding their comprehensive privacy frameworks to enforce stricter guidelines across four pillars.

  • Minors’ data
  • Profiling activities
  • Universal opt-out mechanisms
  • Sensitive personal data processing

Building Defensible Privacy Operations with Clarip

State-level privacy regulations will continue to evolve. Regulators, plaintiffs’ firms, and consumers are now actively evaluating every day whether privacy controls function operationally in real-world environments. Organizations must be aware that privacy compliance is no longer simply a legal documentation exercise.

Organizations must manage:

  • Consent Validation
  • Universal Opt-out Mechanisms
  • Global Privacy Control (GPC) Signal Recognition
  • Vendor Governance
  • Tracking Technology Audits
  • Scalable Consumer Rights Operations
  • AI Governance
  • Scalable Defensible Privacy Program

Clarip helps organizations build scalable and defensible privacy operations programs that align legal, technical, and operational privacy governance.

Under one unified platform, Clarip offers:

  • Consent Management
  • Privacy Audits
  • Governance Controls
  • Consumer Rights Management
  • Data Privacy Operations
  • Total Data Privacy Compliance Defensibility

Clarip helps organizations reduce litigation exposure, strengthen compliance readiness, improve governance maturity, and operationalize privacy compliance in an increasingly complex regulatory environment.

Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com
