U.S. state privacy enforcement activity is headed for an uptick as the calendar turns to 2026. The expected momentum stems from 1 Jan. effective dates for a slate of California privacy measures and comprehensive privacy laws in Indiana, Kentucky and Rhode Island.
Much-discussed California Consumer Privacy Act regulations for automated decision-making technology, risk assessments and cybersecurity audits became applicable at the start of the new year. Additionally, the California Delete Act's delete request and opt-out platform launched, raising new data broker requirements and penalties beyond those associated with annual broker registration by the 31 Jan. deadline.
The three comprehensive laws coming online in the state privacy patchwork will not raise any tide-turning nuance for covered entities. However, the potential for additional coordinated enforcement among state attorneys general creates urgency around understanding the scope of each law.
California ups the ante
California's new regulations are particularly in focus for companies as they clarify or amend prior CCPA compliance programs.
Rules specific to ADMT require opt-outs when those defined technologies are used in decisions that "replace or substantially replace human decision-making." With human oversight obligations, anyone reviewing automated decisions must be able to interpret ADMT-driven outputs and have the authority to change or correct the final decision.
New risk assessment requirements apply anytime a business processes data that might present a risk to consumers' privacy. Among the potential scenarios triggering an assessment are the selling or sharing of personal information; processing sensitive personal information; using ADMT for a significant decision concerning a consumer; using personal information to train ADMT for certain uses; and using automated processing to infer attributes about someone during education, job seeking, employment or independent contracting for a business.
The cybersecurity audit rule clarifies what constitutes a "significant risk" that necessitates an audit while outlining "reasonable" security measures for personal information. IAPP Cybersecurity Law Center Managing Director Jim Dempsey analyzed the details and implications of the audit rule.
On the data broker front, California's DROP system will require significant attention in the face of heavy scrutiny of the broker landscape from the California Privacy Protection Agency.
Defined brokers under the Delete Act are obligated to honor opt-out and deletion requests submitted through the DROP system portal, which will apply requests to all brokers on California's registry. Additionally, brokers will conduct 45-day deletion sweeps once a request is submitted.
The per-violation penalty scheme for noncompliance will prove costly and create heftier fines than simple nonregistration.
"The fact you did not register doesn't get you off the hook for the USD200 per-incident fine," CalPrivacy Executive Director Tom Kemp told the IAPP in a July 2025 interview. "Let's say one million or two million Californians are in a data broker's database and they have not registered and/or done the deletion mechanism. Those USD200 fines will quickly add up, and will far outweigh what we've seen in terms of prior fines."
CalPrivacy published a December 2025 enforcement advisory noting data brokers may not be disclosing all of their trade names or websites on the state's registry, making it difficult for consumers to know who has their data. The agency warned brokers must comply and register independently, not just as their parent company or affiliated entity.
The comprehensive side
Laws coming into effect in Indiana, Kentucky and Rhode Island were enacted in 2023 and 2024. The time between enactment and applicability, paired with provisions found widely among other comprehensive state laws, will ease any major compliance burdens for a majority of businesses.
Coverage thresholds under Kentucky and Indiana's laws mirror those of Virginia's Consumer Data Protection Act. Entities in scope control or process personal data on 100,000 consumers or derive 50% of revenue from selling the data of more than 25,000 consumers.
Both laws include required data protection impact assessments, requirements for processing deidentified or pseudonymous data, user opt-outs for targeted advertising and data sales, and a 30-day cure provision.
Ahead of the 1 Jan. effective date, the Indiana attorney general's office released the Data Consumer Bill of Rights, which outlined consumer rights and business obligations under the state's comprehensive statute. The office covered 15 notable consumer rights and explicitly outlined key definitions and provisions under the law. The guidance includes an FAQ section applicable to consumer and business inquiries.
Rhode Island's law applies to entities that control or process the personal information of more than 35,000 state residents or more than 10,000 residents while generating 20% of gross revenue from personal data sales.
The law carries some commonality with other state laws, data subject rights and required data protection assessments among them; however, Rhode Island state lawmakers opted for notable provisional exclusions. Recognition of universal opt-out mechanisms, enhanced children's privacy protections, a definition for personally identifiable information and the right to cure are among the most glaring items not included in the statute.
Additionally, phased implementation and updates to Oregon's comprehensive privacy law took effect at the start of the year after the bulk of the law had been applicable since 1 July 2024. Covered entities must now recognize UOOM signals, adhere to updated data processing restrictions for children under age 16 and cease all sales of geolocation data.
The IAPP U.S. State Comprehensive Privacy Laws Report includes details on all 19 enacted comprehensive state laws, showing their points of convergence and where they differ.
Joe Duball is the news editor for the IAPP.


