BizTech Law Blog

Though there remains no comprehensive nationwide, federal privacy law on the books, several states in the U.S. have passed their own privacy statues to fill in the gap. As of 2025, at least 17 states have enacted some form of general consumer privacy laws. These states include: (1) California; (2) Colorado; (3) Connecticut; (4) Delaware; (5) Florida; (6) Iowa; (7) Maryland; (8) Minnesota; (9) Montana; (10) Nebraska; (11) New Hampshire; (12) New Jersey; (13) Oregon; (14) Tennessee; (15) Texas; (16) Utah; and (17) Virginia.

At the start of the new year, three other states join the list as the following acts became effective on January 1, 2026: (1) the Indiana Consumer Data Protection Act; (2) the Kentucky Consumer Data Protection Act; and (3) the Rhode Island Data Transparency and Privacy Protection Act. Additionally, many state legislatures are carrying forward or expected to introduce privacy-related bills (or revisions to preexisting legislation) into their 2026 sessions.

Indiana’s statute was enacted three years prior on May 1, 2023. Kentucky enacted the Kentucky Consumer Data Privacy Act (“KCDPA”) nearly one year later on April 4, 2025. Both the Indiana Consumer Data Protection Act (“INCDPA”) and KCDPA apply to persons that do business in Indiana or Kentucky, respectively, or produce products or services that target the particular residents of such states. If said persons control or process the personal data of either 100,000 consumers in Indiana or Kentucky or 25,000 consumers based in Indiana or Kentucky – if such persons also derive more than 50% of their gross revenue from the sale of such consumers’ personal data – then INCDPA or KCDPA applies.

INCDPA and KCDPA define personal data as information linked to or reasonably linkable to an identified or identifiable individual, excluding de-identified data and lawfully obtained publicly available information. INCDPA also excludes aggregate data from the definition of personal data. Indiana and Kentucky-based consumers whose data is protected by INCDPA or KCDPA, as applicable, have certain rights to access, correct, delete, and transfer their data, as well as opt out of personal data sales, targeted advertising, or profiling for decisions producing legal or similarly significant effects.

Like Kentucky, Rhode Island also enacted its new data privacy law back in 2024. The Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”) grants Rhode Island residents acting as consumers in their individual capacities more control over their personal data. RIDTPPA applies to entities conducting business in the state or producing products or services that target Rhode Island residents that, during the preceding calendar year: (a) controlled or processed the personal data or either 35,000 or more Rhode Island consumers, excluding personal data controlled or processed solely for purposes of completing a payment transaction; or (b) 10,000 or more Rhode Island consumers, and derived more than 20% of their gross revenue from personal data sales.

RIDTPPA defines personal data similarly to Indiana and Kentucky’s data privacy laws, whereas personal data includes information linked to or reasonably linkable to an identified or identifiable individual. The term “personal data” excludes de-identified data and publicly available information like INCDPA and KCDPA. RIDTPPA grants Rhode Island consumers the right to confirm whether an entity is processing their personal data, access their data, correct inaccuracies related to their personal data, request deletion of their data, obtain a copy of their personal information, and/or opt out of personal data sales, targeted advertising, or profiling.

Certain exclusions from the new statues in Indiana, Kentucky, and Rhode Island apply to certain state and local governmental entities, nonprofits, educational institutions, employment-related data, and personal data governed by other preexisting statutes, such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), the Securities Exchange Act, or the Fair Credit Reporting Act (“FRCA”), to name a few.

These emerging consumer data privacy laws are resulting in significant enforcement actions for applicable entities nationwide. Just in 2025, it is estimated that reported fines and penalties reached as much as $1.4 billion imposed against domestic, U.S.-based companies in the technology industry, automotive sector, and apparel industries alone. The new data privacy statutes in Indiana, Kentucky, and Rhode Island add to the available penalties entities governed by these laws may face.

INCDPA violations may result in potential civil penalties of up to $7,500 per violation and reasonable expenses, including attorneys’ fees. The same goes for violations under KCDPA, where persons in breach of the terms of the statute can suffer civil penalties of up to $7,500 per violation. RIDTPPA provides its attorney general with exclusive enforcement authority, though a private right of action does not exist for individual consumers. The Rhode Island attorney general may seek fines of between $100 and $500 for each intentional disclosure of a Rhode Island consumer’s personal data in violation of RIDTPPA.

At Foster Swift, we are committed to remaining informed on the evolving legal and regulatory landscape surrounding nationwide and state-specific consumer data privacy laws. For questions related to data privacy or technology law, please contact an attorney in our Business, Technology, Intellectual Property, or Litigation practice groups for more information.