The U.S. privacy regulation landscape in 2026 will be shaped by three forces: (1) new comprehensive state privacy laws, (2) major amendments to existing laws, and (3) the most aggressive enforcement climate in U.S. privacy history.
Businesses must upgrade compliance programs to manage expanding consumer rights, youth-protection duties, precise geolocation restrictions, universal opt-out signals, and detailed rulemaking across states.
The state of U.S. privacy in 2026
| Category | States | What Changes in 2026 | Why It Matters |
| --- | --- | --- | --- |
| New comprehensive privacy laws | Indiana, Kentucky, Rhode Island | New full consumer privacy frameworks | Expands U.S. baseline from ~15 to 18 comprehensive-law states |
| Children’s privacy & social media laws | Virginia, Texas, Utah, Arkansas | Age verification, time limits, parental controls, ad restrictions | Most aggressive youth privacy requirements in U.S. history |
| Sensitive & neural data expansions | Connecticut | Neural data added to sensitive category | Requires new data classification standards |
| Precise geolocation restrictions | Oregon | Sale banned; teen advertising prohibited | Direct impact on ad-tech and location-based apps |
| Universal opt-out expansion | Oregon (2026), several others | Must honor GPC/universal signals | Requires technical integration and auditing |
| New portability/interoperability mandates | Utah | Social-graph portability + open protocols | Requires engineering effort similar to GDPR portability but broader |
With no federal privacy law in sight, states continue to drive privacy regulation through new statutes, youth-safety acts, and high-impact enforcement actions.
The United States remains without a comprehensive federal privacy law. Legislative efforts such as the American Data Privacy and Protection Act (ADPPA) and American Privacy Rights Act (APRA) stalled due to disagreements over preemption and private rights of action.
In the absence of federal standards, states are filling the gap, producing a complex regulatory landscape.
State lawmakers are accelerating privacy activity, passing laws modeled on “Virginia-style” frameworks while adding provisions that address sensitive data, minors’ online safety, neural data, and geolocation. These expansions increase compliance complexity and require more detailed operational controls.
Given this environment, 2026 will demand higher privacy maturity, including automated governance, jurisdiction-aware signals, precise data mapping, and auditable consent UX.
3 new state privacy laws effective in 2026
Three new comprehensive privacy laws—Indiana, Kentucky, and Rhode Island—take effect on January 1, 2026, expanding the number of states that regulate consumer data rights, sensitive data, and opt-out mechanisms.
What U.S. state privacy laws are taking effect in 2026?
In 2026, three U.S. comprehensive state privacy laws take effect on January 1: the Kentucky Consumer Data Privacy Act, Indiana’s Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act.
Here’s when each of the three new laws goes into effect:
- Kentucky Consumer Data Privacy Act (Kentucky) – effective January 1, 2026.
- Indiana Consumer Data Protection Act (Indiana) – effective January 1, 2026.
- Rhode Island Data Transparency & Privacy Protection Act (Rhode Island) – effective January 1, 2026.
Here’s what you need to know about the nuances of these laws.
Indiana Consumer Data Protection Act (INCDPA)
Effective January 1, 2026
The Indiana CDPA applies to businesses that process the data of 100,000 consumers annually, or 25,000 when revenue is derived from selling personal data. The law introduces rights to access, delete, correct, and opt out of targeted advertising, data sales, and profiling.
Indiana follows the Virginia-model framework but reinforces controller duties such as data minimization, purpose limitation, and secure processing. Enforcement authority sits with the Indiana Attorney General.
Kentucky Consumer Data Protection Act (KCDPA)
Effective January 1, 2026
Kentucky’s law applies thresholds similar to those of Indiana and Virginia. It includes access, deletion, correction, and opt-out rights, but is considered business-friendly due to a permanent cure period and no universal opt-out requirement.
Organizations operating in Kentucky should align their practices with their Virginia-style compliance baseline and maintain evidence that rights requests are fulfilled accurately and promptly.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Effective January 1, 2026
Rhode Island introduces a comprehensive regime requiring clear disclosures, data protection assessments for high-risk activities, and consumer rights to access, delete, and opt out of targeted ads and personal data sales.
The Rhode Island AG enforces this law through the state’s deceptive trade practices authority, meaning noncompliance may carry reputational and financial consequences beyond privacy-specific penalties.
Major amendments and children’s privacy laws effective in 2026
2026 also brings a second wave of regulatory changes, including expanded definitions of sensitive and neural data, strengthened youth protections and children’s privacy, restrictions on geolocation data, and new obligations for social media platforms and app stores.
Nebraska: Parental Rights in Social Media Act (PRISMA - effective July 1, 2026)
Nebraska introduces a standalone youth-protection law targeting social media platforms:
- Mandatory age verification for all users
- Verifiable parental consent required for users under 18
- Parental rights to manage, monitor, and revoke consent for minor accounts
PRISMA applies specifically to social media services and operates independently of comprehensive state privacy frameworks.
Connecticut: CTDPA amendments (effective July 1, 2026)
Connecticut’s updates expand the definition of “sensitive data” to include neural data and strengthen minors’ rights. The amendments prohibit requiring a child to create a social media account to exercise privacy rights and adjust thresholds to broaden who must comply.
These changes mean privacy programs must include neuro-sensitive data classification, youth-specific DPIAs, and new interface design patterns to accommodate minors’ rights.
Oregon: OCPA amendments (effective January 1, 2026)
Updated obligations significantly affect businesses:
- Ban on sale of precise geolocation data (defined with a 1,750-foot radius).
- Strict restrictions on processing data of consumers under 16 for targeted advertising, sales, or certain profiling.
- End of mandatory cure period for violations.
- Universal opt-out recognition becomes required in 2026.
Businesses relying on geolocation and teen-focused advertising must implement new technical controls to ensure compliance.
Texas: App Store Accountability Act (effective January 1, 2026)
Texas introduces requirements for app stores to:
- Verify user age before account creation
- Obtain parental consent for minors
- Transmit age-related signals to developers
- Enforce age ratings and restrictions
This law operates alongside but separately from the Texas Data Privacy and Security Act, with significant implications for app distribution and user onboarding flows.
Utah: Digital Choice Act (effective July 1, 2026)
Utah introduces social-media-specific data portability and interoperability standards:
- Users must be able to transfer social graph data to other platforms
- Controllers must enable interoperable protocols
- Additional rights apply to social content and connection data
These requirements necessitate architectural updates to support API-based portability.
Virginia: VCDPA Social Media Amendments (effective January 1, 2026)
Virginia imposes one of the strictest youth-protection laws:
- Platforms must determine if a user is under 16
- Minors may only use social platforms for one hour per day, unless parents consent to longer sessions
- Profiling and targeted advertising to minors face tighter restrictions
These rules create significant operational and technical implications for any platform with youth users.
Arkansas: Children and Teens’ Online Privacy Protection Act (effective July 1, 2026)
ACTOPPA extends protections up to age 16:
- Strict data minimization
- Prohibition on targeted advertising to minors without consent
- Stronger parental consent obligations
- Clear limitations on profiling activities
This law requires businesses to redesign experiences for teens and parents.
Compare U.S. state privacy laws side-by-side
Here’s a side-by-side comparison of the key aspects of the upcoming privacy legislation to help you identify overlaps and differences:
New comprehensive privacy laws (Effective January 1, 2026)
| State | Law | Effective Date | Scope / Applicability | Key Consumer Rights | Notable Requirements | Enforcement |
| --- | --- | --- | --- | --- | --- | --- |
| Indiana | Indiana Consumer Data Protection Act (INCDPA) | Jan 1, 2026 | 100k consumers / 25k consumers + 50% data-sale revenue | Access, correction, deletion, portability, opt-out of targeted ads, data sales, profiling | Follows Virginia model; adds controller duties (data minimization, purpose limitation, security) | Indiana Attorney General |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA) | Jan 1, 2026 | 100k consumers / 25k consumers + 50% data-sale revenue | Access, correction, deletion, portability, opt-out | Permanent cure period; no universal opt-out requirement; Virginia-style baseline | Kentucky Attorney General |
| Rhode Island | Rhode Island Data Transparency & Privacy Protection Act (RIDTPPA) | Jan 1, 2026 | 35k consumers / 10k + 20% data-sale revenue | Access, deletion, opt-out of targeted ads, sales, certain profiling | Requires data protection assessments; transparency obligations; sensitive data consent | Rhode Island AG (UDAP authority) |
Major 2026 amendments & children’s privacy laws
| State | Law / Amendment | Effective Date | Scope / Applicability | Key Changes in 2026 | Operational Impact |
| --- | --- | --- | --- | --- | --- |
| Nebraska | Parental Rights in Social Media Act (LB 383) | Jul 1, 2026 | Social media platforms operating in Nebraska | Mandatory age verification; verifiable parental consent for users under 18; parental rights to manage and revoke minor accounts | Requires age-verification systems, parental consent workflows, and minor account management controls |
| Connecticut | CTDPA Amendments (SB 1295) | Jul 1, 2026 | Existing CTDPA-covered entities | Expands “sensitive data” to neural data; strengthens minors’ protections; prohibits requiring children to create accounts to exercise rights | Requires neural data classification, youth-specific DPIAs, and redesigned minors’ rights workflows |
| Oregon | OCPA Amendments (HB 2008) | Jan 1, 2026 | Controllers and processors subject to OCPA | Ban on sale of precise geolocation data; restrictions on data of consumers under 16 for ads, sales, and profiling; cure period ends; universal opt-out required | Requires geolocation governance, opt-out signal integration, and teen advertising restrictions |
| Texas | App Store Accountability Act (SB 2420) | Jan 1, 2026 | App stores and app developers | Mandatory age verification; parental consent for minors; transmission of age category to developers; enforcement of age ratings | Impacts onboarding flows, age-gating, app distribution, and developer–store data exchange |
| Utah | Utah Digital Choice Act | Jul 1, 2026 | Social media platforms | Requires social graph data portability; mandates interoperable protocols; strengthens rights over content and connection data | Requires API infrastructure, portability engines, and new compliance engineering |
| Virginia | VCDPA Social Media Amendments (SB 854) | Jan 1, 2026 | Large social media platforms | Platforms must identify users under 16; limits minors’ use to one hour per day absent parental consent; tighter profiling and advertising restrictions | Requires age estimation, session-time controls, and parental consent systems |
| Arkansas | ACTOPPA — Children & Teens’ Online Privacy Protection Act | Jul 1, 2026 | Online services directed to or knowingly used by users under 16 | Strict data minimization; prohibition on targeted advertising without consent; enhanced parental consent; limits on profiling | Requires redesign of teen experiences, reduced ad-tech usage, and updated consent pathways |
What to expect in 2026: enforcement & regulatory trends
2026 is a transition from “law creation” to “law enforcement.” Regulatory agencies now have settlement precedents and technical expectations—especially around opt-out signals, data sharing, sensitive data, and dark patterns.
Trend 1: Increased enforcement across states
Multiple 2025 enforcement actions signal what regulators will target in 2026:
These actions show stricter expectations for opt-out governance, ad-tech transparency, health data handling, and data-sharing disclosures.
Trend 2: Expanded rulemaking and technical specifications
New Jersey and Colorado are producing more detailed rules defining:
- Profiling restrictions
- Universal opt-out obligations
- Consumer rights response processes
- Data-retention requirements
- Automated decision-making documentation
- Data protection assessment standards
California is expected to expand rules on cybersecurity audits, automated decision-making, and global opt-out enforcement.
Trend 3: Growing focus on age-appropriate design
States like Texas, California, Maryland, Delaware, Minnesota, Utah, Arkansas, and Virginia are implementing youth-centric design standards. Requirements include:
- Age verification
- Limits on profiling
- Restrictions on targeted advertising
- Prohibitions on manipulative UX
- Daily usage caps (Virginia)
Businesses serving minors must review UX patterns, data collection defaults, and parent-child consent pathways.
Everyone is a little bit frenetic about Texas and all of the obligations that come with age gating. We're talking to customers left, right, and center who have no clue and no confidence right now on exactly what they're gonna do. We even hear people say, we're just gonna wait and see. One of the things that we're excited about right now is that we actually have software in place to solve this problem. We're super excited about the capabilities that we have in the Consent Management Platform. You can actually go in and describe the rules of engagement as it relates to an individual's age or age band. You can say, for individuals zero to thirteen, they should have no ability to opt in consent in a specific jurisdiction. Conversely, you can say that people in this tween range need to provide express opt in consent, where individuals eighteen and older, of course, have the standard rights that they would have in an opt out context. You can describe all of that in the CMP, and you can also describe the rules of engagement when it comes to parents, parental guidance, and controls that parents give their children to express their consent choices in the context of an app that they're engaging with.
Trend 4: Heightened scrutiny of consent and dark patterns
Regulators are targeting:
- Cookie banners with confusing paths
- Interfaces that bury opt-out options
- Flows that require more steps for refusal than acceptance
- Misleading toggles or color cues
- Pre-selected preferences
The 2025 Honda settlement established that asymmetric opt-out flows are unlawful, setting a clear enforcement template.
Hi, Alyssa. How are you doing today? Hi. Good to see you. How's your week been so far? You know, being a privacy attorney these days is just every day you're shot out of a cannon. This privacy news cycle lately is hot. One major piece of enforcement news. Right? We saw out of California, the CPPA enforcement order against Honda, I think. It's been talked maybe to death on LinkedIn with all sorts of takes on their opt out compliance and their dark patterns. But largely, it's made me just think about how much the regulators were focused on the consumer and the journey that the consumer would go through on that Honda website and really forces us to put ourselves in that consumer's shoes. What do you think? I definitely have that takeaway. They are counting the clicks. They are looking at it through the lens of a consumer. They've gotten complaints. And what is that journey like? Where is a not a lawyer, not a privacy attorney or privacy practitioner. Are they gonna understand it? Do the words you use? Does the flow do the instructions? Is there a confirmation email? All of the action items, how would a consumer understand those and respond to that if they want to exercise their privacy rights? So I thought that was really interesting, and it makes you really wonder. Like, when was the last time you do all these things for compliance, but when did you pressure test it as a consumer? Going on different browsers, trying to do it from an app, and then do it periodically because websites get refreshed. Like, things change, and I think it really just emphasizes the constant diligence you need to do on making sure that process works as intended. Absolutely. This is something we've been thinking about at Ketch last couple weeks as we saw this enforcement order and, of course, are checking with our customers, making sure deployments are okay.
Something that we're really focusing on is the importance of integration between your consent management and your data subject rights products. Right? And when it comes to opting out of sale, that potentially includes advertising data than your CMP. That potentially includes data that lives in back end systems that might typically be handled by a DSAR request. And if we're forcing a consumer to take actions in your consent manager, in your DSAR, that's probably gonna be asymmetrical, right, and a potential dark pattern if we're requiring too much of them. Are we thinking about that the right way, creating that comprehensive opt out experience across tools? Well, I mean, I think what does the consumer expect? What is the consumer's experience when they're making these requests? And if they thought they made the request and they come back on another browser and they have an account with you, I think they're gonna have some questions. It's persistent, but GDPR is where we really first learned about cookie banners, and the structure of those still just is really hard to evolve for a lot of companies from a mindset on what US privacy laws require. And US privacy laws are not limited to cookies. And so when you're only talking about cookies or your solutions are really only focused about cookies, it's incomplete. And I think more and more, we're seeing just a lack of patience with accept That brings me to the second thing I wanted to touch on with you, which is consumer inquiries that fall outside of the perfect banner opt out or DSAR web form. There's other avenues. Right? Can you share what you've been seeing lately when it comes to those creative ways consumers get in touch? I started out as a consumer protection and advertising lawyer, and it is common sense that you need to have a good ear to your consumer complaint volume and what they're complaining about. Because if they're complaining to you, they're complaining to regulators.
So there's always an importance of being able to filter and look through and have some sense. And by the way, we've heard from regulators, they've said, monitor your privacy inbox. Make sure somebody's looking at that email. That inbox is not like a nice, neat inbox of just consumer privacy complaints. And so I will just recognize the burden that a lot of companies have because you get a lot of spam. And then I think the latest thing that I've seen is ChatGPT authored legal briefs that are privacy complaints that throw in a whole lot of things, and they look like a lawyer wrote them. And then you start reading them, and there's made up cases and made up rights and made up all sorts of things. And at the core of it, it's probably a consumer who really didn't have a good experience, and they're not a lawyer. They don't know how to write a complaint. They wanna get somebody's attention. So I will just say whoever is monitoring your inbox, be prepared to see a lot of things and be able to know how to respond and prioritize and also just what how to evaluate a lot of what those messaging just attempts are and still understand there's a consumer probably behind that that has an issue. The more we can put ourselves in the consumer shoes, right, to try to experience it and create a more seamless process, the better. We talk a lot about the front of the house here, right, that consumer experience. But when it comes to getting subpoenaed or receiving a demand letter, there's questions that privacy professionals and their teams are gonna be asked that run the gamut from how you're collecting data at the front end all the way through where is it going on the back end. What are you seeing lately when it comes to what we're hearing from regulators? What's going on under the hood and how companies are handling that? They are asking what's under the hood. When you're answering very specific questions to a regulator, obviously, the statements have to be truthful.
But in order to answer it fully and accurately, you really need to know the under the hood practices. And particularly, you're saying, here is our deletion practices. Here are the steps we take. Here is how we know that we have addressed all of the relevant information. You really need to know your environment. So companies are evolving. There's nothing static about it. And so it is a cat and mouse of you wanna be truthful, you wanna respond within a pretty compressed period of time usually, but you also need to know your business practices. And so that's where you lean in on what's the diligence we've already relied on to understand our environments. Data maps can be really helpful for that as they get into those specific questions. I think always having at least a periodically refreshed sense of your environments and what data, how it's being used, making sure it maps to your DSAR request in an appropriate way. When I think from a privacy tech perspective, data map is certainly where my mind first goes as a reasonable undertaking to have a better sense of that under the hood landscape of your data. But for many privacy professionals we talk to, a data map implementation project is a big undertaking. It involves a lot of stakeholders. So I wonder if it's challenging as a privacy approach to know when it makes sense to employ tech versus you can get away with kind of a static what do you think? So it's a really good question. I think there's just the practical reality of who's buying the tech, who's initiating, and, if it is the lawyer, the lawyer does not have the budget for doing something that affects the entire enterprise. And a company's environments can be really complicated, and you really need buy in by a lot of business stakeholders that just may not know the urgency or may not have budget for that.
And so I think there's a lot of homework that has to happen before any company really has the appetite and the resources to devote to that because it's pretty time intensive. There's a lot of benefits from that. They need to know that they're ready. And my sense is, like, the more headlines we're seeing on enforcements, it is raising awareness. The hard questions, I think, are being asked. I think more businesses are going to be sensitive to privacy issues, but we're on a very moving trajectory. Well, wonderful talking with you as always, Alisa. Folks, if you wanna hear more in any of these topics, let us know in the comments. We're happy to expand next time, and I'll see you soon.
Trend 5: Universal opt-out signals become mandatory
Global Privacy Control (GPC) is now a practical requirement in states such as:
- California
- Colorado
- Connecticut
- Oregon (2026)
- New Hampshire (2025)
Failure to honor GPC has already resulted in fines, making technical detection and system-wide enforcement essential.
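A server-side sketch of that detection and enforcement step, added here as an illustration and not taken from the article or from any vendor's product. It reads the `Sec-GPC: 1` request header defined by the GPC specification, applies it only in the states this article lists (with Oregon switching on at the article's January 1, 2026 date), and produces one decision plus an audit record that every downstream tag or data flow consults. The purpose labels, function names, region codes as input, and the UTC date boundary are assumptions.

```javascript
// States the article lists as requiring universal opt-out signals.
// effectiveFrom: the article's date where it gives one (Oregon); null means
// the article treats the requirement as already in force.
const GPC_REQUIRED = {
  CA: { effectiveFrom: null },
  CO: { effectiveFrom: null },
  CT: { effectiveFrom: null },
  NH: { effectiveFrom: null },
  OR: { effectiveFrom: '2026-01-01T00:00:00Z' }, // UTC boundary is an assumption
};

// Hypothetical purpose labels that an opt-out switches off.
const OPT_OUT_PURPOSES = ['sale', 'targeted_advertising'];

// True only for a well-formed signal: header "Sec-GPC" with the value "1".
// Header names are matched case-insensitively, as HTTP requires.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Is a universal opt-out signal binding in this region at this moment?
function gpcRequired(region, now) {
  const rule = GPC_REQUIRED[String(region || '').toUpperCase()];
  if (!rule) return false;
  return rule.effectiveFrom === null ||
    now.getTime() >= Date.parse(rule.effectiveFrom);
}

// Decide once per request; every downstream consumer reads this decision
// instead of re-deriving it. A stored account-level opt-out always wins.
function evaluateOptOut({ headers, region, storedOptOut = false, now = new Date() }) {
  const signal = hasGpcSignal(headers);
  const required = gpcRequired(region, now);
  let source = 'none';
  if (storedOptOut) source = 'stored_choice';
  else if (signal && required) source = 'gpc';
  const optedOut = source !== 'none';
  return {
    optedOut,
    source,
    blockedPurposes: optedOut ? [...OPT_OUT_PURPOSES] : [],
    // Audit record: what was observed and why the decision came out this way.
    audit: {
      at: now.toISOString(),
      region: String(region || '').toUpperCase(),
      gpcSignalSeen: signal,
      gpcRequiredInRegion: required,
      source,
    },
  };
}

// Enforcement point: drop any tag or data flow whose purpose is blocked.
function allowedTags(tags, decision) {
  const blocked = new Set(decision.blockedPurposes);
  return tags.filter((t) => !blocked.has(t.purpose));
}

// Constructed sample tag inventory (not real vendors).
const SAMPLE_TAGS = [
  { id: 'analytics-first-party', purpose: 'analytics' },
  { id: 'ad-pixel', purpose: 'targeted_advertising' },
  { id: 'data-broker-sync', purpose: 'sale' },
];
```

The audit record keeps `gpcSignalSeen` even when the signal is not binding, so a later review can show how many signals were received and not applied in each region.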
Trend 6: Strengthened sensitive data requirements
States are expanding definitions and restrictions for:
- Biometric data
- Neural data (CT, 2026)
- Health data (multiple enforcement cases)
- Precise geolocation (Oregon ban, 2026)
- Teen data under 16 (Oregon, Virginia, Arkansas)
Organizations need robust data classification systems, purpose-binding rules, and DPIAs for sensitive-data processing.
Trend 7: Rising cross-state operational complexity
Divergence across states means compliance programs must handle:
- Different rights-request timelines
- Different definitions for “sale” and “sharing”
- Different age-verification standards
- Different opt-out requirements
- Different sensitive-data categories
- Different cure-period rules
Manual compliance is no longer feasible. Jurisdiction-aware automation is required.
What should privacy leaders focus on now?
2026 requires stronger data governance, automated workflows, and jurisdiction-aware privacy configuration:
- Understand 2026 requirements: Three new laws (IN, KY, RI) and major amendments (CT, OR, TX, UT, VA, AR) introduce new definitions, youth protections, geolocation limits, and consent rules.
- Refresh data inventories: Add fields for neural data (CT), precise geolocation (OR), minors’ data (TX/VA/AR), and social-graph data (UT).
- Enable universal opt-out enforcement: Ensure GPC and other signals are detected and applied consistently across web, mobile, and downstream systems.
- Fix consent and cookie UX: Remove asymmetry, reduce friction, and eliminate dark patterns; ensure opt-out experiences are equal to opt-in.
- Audit ad-tech and data sharing: Review all tags, analytics tools, and partners for sensitive-data leakage and ensure compliant information flows.
- Update privacy notices: Reflect new state obligations, sensitive-data categories, youth restrictions, and geolocation limits.
- Run DPIAs for minors and high-risk processing: Assess profiling, targeted ads, age-verification methods, and sensitive-data processing.
- Use privacy automation: Deploy tools like Ketch for state-specific consent, rights workflows, and configurable jurisdiction-aware controls.
How Ketch can help
Navigating the evolving privacy landscape can be complex. At Ketch, we offer data privacy solutions that help businesses comply with regulations across jurisdictions. Our tools streamline consent management, data access requests, and compliance workflows, so you can focus on growing your business.
Request a demo to see how Ketch can support your compliance efforts.
“The privacy of our customers' data is very important to us, and we want to make sure we are acting in accordance with their wishes as well as complying with all state laws. Ketch helps us do this without a lot of overhead so we can focus our internal resources on growing our technology capabilities and supporting our aggressive omni-channel growth plans.”
- Mike Early, Chief Technology Officer, Francesca's
Optimizing your compliance strategy is not just a legal requirement–it’s an opportunity to build trust with your customers. Start preparing today to stay ahead of the curve.
FAQs