The U.S. state privacy landscape continues to evolve rapidly, with significant new compliance obligations taking effect at the start of 2026, including new comprehensive consumer data privacy laws now in effect in Indiana, Kentucky, and Rhode Island, as well as new California Consumer Privacy Act (“CCPA”) regulations addressing risk assessments and automated decision-making technology (“ADMT”).
New Comprehensive Privacy Laws in Indiana, Kentucky, and Rhode Island
As of January 1, 2026, Indiana, Kentucky, and Rhode Island have joined the growing number of states with data privacy laws, bringing the total number of states with such laws in force to 19. Businesses should review the new laws to assess their applicability and be sure to roll them into existing privacy compliance programs.
All three states’ laws grant consumers similar core rights: the right to access, correct, and delete personal information; the right to obtain portable copies of their data; and the right to opt out of targeted advertising, profiling, and data sales. Each law requires opt-in consent for processing sensitive personal information. However, the laws differ in their applicability thresholds, enforcement mechanisms, and certain definitions.
The Indiana Consumer Data Protection Act and the Kentucky Consumer Data Protection Act share identical applicability thresholds, applying to businesses that either process personal information of 100,000 or more state consumers, or process data of at least 25,000 consumers while deriving 50 percent or more of gross revenue from data sales. The Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”), however, sets considerably lower thresholds, applying to businesses that process data of 35,000 or more consumers, or process data of at least 10,000 consumers while deriving more than 20 percent of gross revenue from data sales.
Enforcement also varies among the three states’ laws. Indiana and Kentucky both provide a 30-day cure period before enforcement action and impose maximum penalties of $7,500 per violation. Rhode Island offers no cure period and imposes higher penalties of up to $10,000 per violation.
Businesses should also note certain definitional differences. For example, Kentucky’s definition of biometric data is broader than Indiana’s, and Rhode Island’s definition of “sale” includes “other valuable consideration” beyond monetary consideration, potentially capturing analytics and advertising services. The RIDTPPA also has a stand-alone requirement that any commercial websites or internet service providers doing business in Rhode Island or serving Rhode Island customers must designate a “controller” and comply with specific privacy notice requirements if they collect, store, and sell customers’ personally identifiable information.
Although these three new laws are broadly aligned with existing state privacy frameworks, variations in definitions, thresholds, and related requirements make it critical to review each law’s specific obligations.
New California CCPA Regulations – Risk Assessments and Automated Decision-Making Technology
In addition to the new state laws, California has finalized new regulations under the CCPA effective January 1, 2026, requiring risk assessments in certain circumstances and establishing rules for the use of automated decision-making technology (“ADMT”).
Risk Assessments
Businesses must conduct risk assessments before processing personal information that presents “significant risk” to consumer privacy. Processing activities that trigger this requirement include selling or sharing personal information, processing sensitive data, using ADMT for significant decisions, and certain training of ADMT or biometric technologies. Risk assessments for pre-existing processing activities must be completed by December 31, 2027. Each risk assessment must identify the categories of personal information to be processed, the purposes for processing, the benefits of the processing to the business, consumer, and public, and the potential negative impacts on consumers’ privacy. Businesses must weigh these benefits against the negative impacts and identify safeguards to address identified risks, including whether the business considered and rejected less invasive alternatives. Assessments must be reviewed and updated at least once every three years and whenever there is a material change to the processing activity. Businesses must also maintain records of risk assessments and submit certain information related to the assessments to the California Privacy Protection Agency.
Automated Decision-Making Technology
The regulations establish requirements for businesses using ADMT for “significant decisions” or decisions that result “in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” Importantly, ADMT is defined within the regulations as “any technology that processes personal information and uses computation to replace human decision making, or substantially replace human decision making.” Businesses should evaluate their use of artificial intelligence or other automated decision-making to determine whether it may be considered ADMT under these new regulations. Beginning January 1, 2027, businesses subject to the new ADMT rules must provide pre-use notices explaining how ADMT will be used, offer consumers the right to opt out of ADMT use with exceptions, and provide access to certain information about how ADMT was used in decisions affecting them.
Key Takeaways and Recommended Actions
These developments underscore the accelerating trend toward state-level privacy regulation and increase the complexity of the U.S. privacy compliance landscape. Companies should:
- Review applicability. Evaluate whether the new state privacy laws in Indiana, Kentucky, and Rhode Island apply based on consumer‑volume thresholds and revenue from data sales, and whether the CCPA risk assessment and ADMT requirements apply.
- Update privacy notices and rights operations. Ensure privacy notices address any state-specific and ADMT notice requirements, and confirm rights‑request workflows recognize consumers in the new states.
- Implement risk‑assessment workflows. Identify processing that may require risk assessments and implement processes to complete, document, and periodically update those assessments.
- Prepare for California ADMT compliance. Inventory ADMT use in significant decisions and implement required notices, opt-out mechanisms, and access disclosures by January 1, 2027.
If you have questions about the applicability of these laws to your company or need assistance with privacy compliance, please contact Kate Campbell or your Neal Gerber Eisenberg attorney.
The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal, Gerber & Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.











