On January 1, 2026, broad new privacy laws will take effect in Kentucky, Indiana, and Rhode Island, granting consumers in those states greater control over their personal data. With these additions, 19 states now have comprehensive privacy laws in place, which is a significant shift in the data privacy landscape since California led the way in 2018 with the nation’s first such law.

Steady Growth in State Privacy Protections

The move by Kentucky, Indiana, and Rhode Island reflects a consistent trend: an increasing number of states are establishing their own rules for how companies handle and protect personal information. The multiplication of these laws since 2018 demonstrates growing legislative momentum and increasing public awareness of data privacy issues.

Despite this progress, 2025 marked a pause in new laws being enacted, the first year since 2018 without any additional states signing new privacy measures into law. However, this lull appears temporary: 2026 is shaping up to be a pivotal year for privacy advocates, with 16 state legislatures, including those in Massachusetts, Georgia, and Pennsylvania, introducing comprehensive privacy bills that will be carried forward for discussion.

A Patchwork Approach in the Absence of Federal Law

While the various state privacy laws introduced since California’s landmark 2018 legislation share common features (such as giving consumers the right to access, delete, or restrict the use of their data), they often differ in key details. Differences might include the types of data covered, the kinds of businesses regulated, or the specific rights and remedies available to consumers.

These small but significant variations have created a patchwork of compliance requirements. In the absence of a uniform federal privacy law, businesses operating across state lines must keep up with constantly evolving and often unique obligations in each jurisdiction.

Looking Ahead

The continued spread of comprehensive privacy legislation at the state level signals a growing demand for increased consumer protection and transparency. As more states introduce and update their laws, both consumers and businesses should stay informed and prepare for further changes.

For companies, this means adapting compliance programs to address a diverse set of rules, which is an ongoing challenge until (or better yet, if) a federal privacy framework is established. For consumers, these laws represent expanding rights and greater control over their digital lives.

Stay tuned for more updates on state privacy law developments, and how they might impact your business or personal data rights.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Read more about Kathryn Rattigan
Show more Show less