New Year, New Privacy Obligations

The US state-level privacy law landscape continues to evolve at a very rapid rate. On January 1, 2026, new state privacy laws take effect in Indiana, Kentucky, and Rhode Island. Cure periods sunset throughout the year for state privacy laws in Connecticut, Delaware, Kentucky, Minnesota, and Montana, with additional large language model (LLM) disclosure changes also effective this summer.

California’s new California Consumer Privacy Act (CCPA) regulations are also now operative, with broad impacts on risk assessments, annual cybersecurity audits, automated decision-making technology (ADMT), and insurance-sector applicability that begin to apply on January 1, 2026, and continue through 2030.

Thus far, no state has adopted a general private right of action in a comprehensive privacy law. That could come in 2026. We anticipate a handful of new state laws in 2026 and continued state-level legislative efforts to amend existing laws to bring them up to standards enacted in the newer laws, such as those in Maryland, Minnesota, and New Jersey. New Jersey’s draft privacy regulations should also become final this year.

Indiana CDPA – Effective January 1, 2026

The Indiana Consumer Data Protection Act (CDPA) applies to entities that conduct business in Indiana or produce products or services targeted to Indiana residents and, during the previous calendar year, did at least one of the following:

  1. Controlled or processed the personal data of 100,000 or more Indiana residents (excluding personal data controlled or processed solely to complete a payment transaction).
  2. Controlled or processed the personal data of 25,000 or more Indiana residents and derived more than 50% of gross revenue from the sale of personal data.

Indiana follows the Virginia model: The Indiana law is business friendly. It exempts nonprofit organizations and excludes personal data collected during employment, does not require businesses to recognize universal opt-out mechanisms, and allows for a 30‑day cure period. Consumers have no private right of action. Data protection assessments will be required for high‑risk processing activities that are created or generated on or after January 1, 2026; these assessments must be completed before initiating high-risk processing activities.

Kentucky CDPA – Effective January 1, 2026

The Kentucky Consumer Data Privacy Act (CDPA) applies to organizations that conduct business in Kentucky or produce products or services targeted to Kentucky residents and, during a calendar year, do at least one of the following:

  1. Control or process the personal data of 100,000 or more Kentucky residents.
  2. Control or process the personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.

Kentucky follows the Virginia model: The Kentucky law mirrors much of Indiana’s, with a few distinctions. First, the Kentucky law has a broader definition of biometric data, which includes media-derived biometric identifiers when used for identification. Second, the law delays its data protection assessment requirement; assessments are required for certain high‑risk processing activities created or generated on or after June 1, 2026, even though the rest of the law takes effect January 1, 2026.

Rhode Island DTPPA – Effective January 1, 2026

The Rhode Island Data Transparency and Privacy Protection Act (DTPPA) applies to entities that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and, during the previous calendar year, did at least one of the following:

  1. Controlled or processed the personal data of 35,000 or more Rhode Island residents (excluding personal data controlled or processed solely to complete a payment transaction).
  2. Controlled or processed the personal data of 10,000 or more Rhode Island residents and derived more than 20% of gross revenue from the sale of personal data.

Rhode Island follows the Connecticut model: The Rhode Island law is more consumer-friendly than those in both Indiana and Kentucky. The Rhode Island law includes a broader definition of “sale” (in addition to monetary and other valuable consideration), which may capture analytics and advertising services. Unlike many comprehensive privacy laws, Rhode Island’s law does not include a right‑to‑cure period. Rhode Island’s law does not require businesses to honor universal opt‑out mechanisms but does require controllers to conduct data protection assessments for high‑risk processing activities created or generated on or after January 1, 2026.

Comparison: Indiana, Kentucky, and Rhode Island

| Feature | Indiana CDPA | Kentucky CDPA | Rhode Island DTPPA |
| --- | --- | --- | --- |
| Effective | January 1, 2026 | January 1, 2026 | January 1, 2026 |
| Threshold | 100k consumers, or 25k + >50% revenue from data sales | 100k consumers, or 25k + >50% revenue from data sales | 35k consumers, or 10k + >20% revenue from data sales |
| “Sale” | Monetary consideration only | Monetary consideration only | Monetary or other valuable consideration |
| Universal opt-out (e.g., GPC) | Not required | Not required | Not required |
| Cure Period | 30 days (no sunset) | 30 days (no sunset) | None |
| Data Request Response Time | 45 days | 45 days | 45 days |
| Private right of action | None | None | None |
| Sensitive Data | Opt-in consent required | Opt-in consent required | Opt-in consent required |
| B2B Data | Excluded | Excluded | Excluded |
| Employment Data | Excluded | Excluded | Excluded |
| DPA Required | Processing after Jan. 1 | Processing after June 1 | Processing after Jan. 1 |

New California CCPA Regulations — Effective January 1, 2026

California’s new regulations add risk assessments, cybersecurity audits, ADMT disclosures, and insurance updates to existing CCPA compliance obligations. While some requirements are not effective until 2030, the provisions on risk assessments take effect beginning on January 1, 2026. The most significant changes for businesses to be aware of are detailed below.

  • Risk Assessments: Every business whose processing of consumers’ personal information presents significant risk to consumers’ privacy must conduct a risk assessment before initiating that processing to determine whether the risks to consumers’ privacy outweigh the benefits to the consumer, the business, other stakeholders, and the public from that same processing (must comply by December 31, 2027). Assessments will need to begin on January 1, 2026, because businesses will be required to submit summary information to CalPrivacy by April 1, 2028, for assessments conducted in 2026–2027.
  • Cybersecurity Audit: Every business whose processing of consumers’ personal information presents significant risk to consumers’ privacy must have an independent auditor conduct a cybersecurity audit (compliance timeline depends on revenue; the first deadline is April 1, 2028, for businesses with more than $100 million in 2026 revenue).
  • ADMT Pre-Use Notice: Businesses using ADMT to make “significant decisions,” such as the provision or denial of education, employment, or services, must provide notice at or before the point of collection or before using already-collected personal information for the ADMT purpose (must comply by January 1, 2027).
  • Right to Access ADMT and Opt-Out: Businesses using ADMT to make “significant decisions” must provide information about the use of ADMT to a consumer who requests it as well as at least two methods to opt-out (must comply by January 1, 2027).
  • Insurance: The CCPA applies to insurance companies where personal information is not governed by the Insurance Code or regulations (e.g., website tracking for marketing).

In addition to the updated CCPA regulations, the California Delete Requests and Opt-Out Platform (DROP) also launches in January. Consumers can access a centralized database and submit a single request to delete their non-exempt personal information across all registered data brokers. This new data broker registration portal opens in California on January 1, 2026.

Additional Milestones in 2026

| Date | Milestone |
| --- | --- |
| January 1, 2026 | Delaware Opt‑Out Preference Signals: Delaware’s requirement to honor universal opt‑out mechanisms, like the Global Privacy Control, becomes effective. |
| January 1, 2026 | Oregon: Controllers will be required to honor opt‑out preference signals for targeted advertising and sales. Oregon’s right‑to‑cure period also expires. |
| January 1, 2026 | Minnesota: Right‑to‑cure period expires. |
| April 1, 2026 | Montana: Right‑to‑cure period expires. |
| June 1, 2026 | Kentucky: The requirement to conduct data protection assessments for certain processing applies to processing activities created or generated after this date. |
| July 1, 2026 | Connecticut: Mid‑year amendments add new disclosure requirements, including a statement in the privacy notice regarding whether the controller collects, uses, or sells personal data for training LLMs, among other updates. |
| August 1, 2026 | California: Data brokers must access the DROP database at least every 45 days to retrieve and process consumer deletion requests. |

Key Takeaways

The data privacy legal landscape continues to evolve rapidly. Organizations that fall under the scope of the state comprehensive privacy laws should focus end-of-year efforts on the following priority areas:

  • Opt‑outs and signal handling: Ensure consistent honoring of universal opt‑out mechanisms, such as the Global Privacy Control. This is one of the most significant regulatory priorities as enforcement continues to ramp up.
  • Privacy notices and disclosures: Refresh state‑specific references and required content for Indiana, Kentucky, and Rhode Island. Prepare for Connecticut’s July 1 changes by adding the LLM training disclosure where applicable.
  • Assessments and governance: Incorporate new California regulatory updates that affect existing obligations and initiate new required risk assessments. Map high‑risk processing activities and incorporate CalPrivacy’s content requirements into risk assessment templates. Create or update risk assessment workflows to cover the other new state laws.
  • Consumer rights workflows: Confirm that access, correction, deletion, and appeal processes meet each law’s timing and content requirements, including California’s updated requirements (DROP) for opt‑outs.

If you have any questions, please reach out to your ArentFox Schiff contact or a member of the Privacy & Data Security team.

Additional research and writing from Perry Jackson, a law clerk in ArentFox Schiff’s Washington, DC, office.
