
How to Navigate Evolving State Privacy Laws

There isn’t a country-wide privacy law in the U.S., much to the chagrin of states and American businesses that thrive on clarity. While frameworks like GovRAMP exist, they aren’t enforced by the government and serve more as a blueprint than a law. Now, however, state-level privacy regulation has begun to fill the gap.

With multiple state privacy laws taking effect or expanding at the start of the year, privacy is now an operational, security, and governance issue that directly affects how organizations collect, store, share, and protect data. For many businesses, 2026 marks the year when privacy compliance becomes just another cost of doing business.

 

The New Privacy Reality in 2026

January 2026 seems to be a new start for many states in addressing data privacy. Several of these states have enacted comprehensive privacy statutes, many inspired by California’s CCPA or the EU’s GDPR. States like Indiana, Kentucky, and Rhode Island have added new obligations, further expanding the regulatory footprint for businesses operating nationally.

With the increase in cyberattacks across state, local, and municipal organizations, states are trying to close the gaps in their own security without having a clear federal mandate. Initiatives like GovRAMP do this by porting FedRAMP standards to the state level, but they don’t carry the binding force of law. 

For companies that operate across multiple states, this shift shows that compliance requires navigating overlapping obligations, different definitions of sensitive data, and varying consumer rights frameworks.

 

The Expanding Patchwork of State Privacy Laws

One of the most tangible developments in privacy law is the rise of state-level data privacy laws. These new laws expand the patchwork of state-level requirements businesses must integrate into their compliance programs and, while they address privacy issues, can create headaches for businesses operating across state lines. 

 

Indiana: Indiana Consumer Data Protection Act
Indiana introduced a privacy law that applies to organizations doing business in the state and processing personal data above specified thresholds. It establishes clear data ownership rights, including access, correction, deletion, and portability, as well as opt-out mechanisms for targeted advertising, profiling, and data sales. Data protection assessments and detailed contractual obligations with third parties are also mandatory.

Kentucky: Kentucky Consumer Data Protection Act
Kentucky’s new statute follows a familiar framework similar to other state privacy laws but includes nuances in provisions such as cure periods and enforcement mechanisms. It extends key consumer rights and regulatory duties to covered organizations, emphasizing transparency and control.

Rhode Island: Rhode Island Data Transparency and Privacy Protection Act
Rhode Island’s law grants residents broad rights over their personal information and translates those rights into requirements for businesses in the state, many of which are comparable to other state frameworks. This includes notice requirements, opt-out rights, and enforcement authority through the state attorney general.

 

State Privacy Developments in 2026

In addition to these new laws, several other states continue to refine their privacy frameworks or enforce existing ones:

 

What’s Changed in 2026 and Why It Matters

While many privacy laws were passed years ago, 2026 is the year they become operationally meaningful. Several developments stand out.

 

What This Means for Security, Compliance, and IT Leaders

Privacy compliance now goes hand in hand with security and data management. Data inventories must align with asset management systems. Privacy risk assessments must integrate with security risk assessments. Incident response plans must account for privacy notification requirements alongside breach response obligations.

If you’ve worked with GDPR in any way, this is probably familiar. However, many of these laws place a lighter burden on organizations in several aspects of privacy (for example, few, if any, require explicit consumer opt-in).

The problem is creating a broad, comprehensive approach to privacy that can adapt to different requirements without you having to reinvent the wheel for each state.

 

 

Build the Foundations of Data Privacy with Lazarus Alliance

As state privacy laws continue to expand and mature, the question is no longer whether organizations need to take action. The question is whether they will do so proactively or reactively.

To learn more about how Lazarus Alliance can help, contact us.
