
U.S. Privacy Laws (and Key Provisions) That Take Effect or Become Enforceable in 2026

By Karel Kubicek, Senior Privacy Researcher | February 26, 2026


2026 is a turning point in U.S. privacy regulation: multiple new comprehensive state laws go live, enforcement provisions activate, and novel mechanisms (like the California DROP platform) begin requiring operational action from businesses of all sizes.

1. New Comprehensive State Privacy Laws Effective January 1, 2026

These are laws that become active on Jan 1, 2026, and require compliance from covered entities: 

Indiana Consumer Data Protection Act (INCDPA)

  • Expands consumer rights (access, delete, correct, portability, opt-out). 
  • Requires opt-in for sensitive data processing.
  • Enforcement: Exclusively by the attorney general. Civil penalty up to $7,500 per violation, plus recovery of reasonable investigation and attorneys’ fees.

Kentucky Consumer Data Protection Act (KCDPA)

  • Mirrors Virginia’s model but is business-friendly; includes sensitive data consent and DPIAs.
  • Thresholds similar to other comprehensive laws.
  • Enforcement: Exclusively by the attorney general. Civil penalty up to $7,500 per violation, plus recovery of reasonable investigation and attorneys’ fees.

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

  • Consumer rights plus strict transparency obligations. 
  • Does not include a cure period in many cases, increasing risk exposure.
  • Enforcement: Exclusively by the attorney general. Civil penalty up to $10,000 per violation, plus recovery of reasonable investigation and attorneys’ fees.

Why this matters: These states join the existing wave (CA, VA, CO, CT, UT, IA, NE, NH, TN, MN, MD, DE, etc.) in establishing a multi-jurisdictional privacy compliance environment that businesses must prepare for. 

2. California’s Delete Act & DROP Platform (Operational as of Jan 1, 2026)

The California Delete Act (SB 362) and its Delete Request and Opt-Out Platform (DROP) become functionally enforceable in 2026:

  • The DROP portal launched Jan 1, 2026, allowing CA residents to file a single deletion/opt-out request to hundreds of data brokers.
  • Data brokers must process delete requests submitted through DROP beginning August 1, 2026 (with defined compliance timelines like reporting status within 45-90 days).
  • Residents can now request deletion of personal data, including browsing history and geolocation, via a centralized mechanism.

Impact for businesses: Platforms and enforcement procedures (including potential fines for noncompliance) now require systems to handle standardized deletion/opt-out requests from California residents.

3. Enforcement-Related Triggers, Cure Period Sunsets & Amendments Across States

Several existing laws enter new phases of enforceability in 2026:

Delaware (DPDPA)

  • The requirement to honor Universal Opt-Out Mechanisms (UOOMs) becomes mandatory in early 2026. 
  • The 60-day “right to cure” period sunsets Dec 31, 2025, allowing immediate enforcement in 2026.

Montana Consumer Data Privacy Act (MTCDPA) 

  • The cure period ends April 1, 2026, meaning violations are enforceable without a grace period.

New Jersey SB 332 

  • Includes a cure period that expires mid-2026, increasing enforcement risk.
  • NJ also requires honoring universal opt-out mechanisms starting mid-2025.

Connecticut, Oregon and Other States (Amendments Effective in 2026) 

  • Oregon privacy law is being updated effective January 1, 2026, with stricter limits on precise geolocation data and youth data.
  • Connecticut is enhancing sensitive data definitions and youth protections effective July 1, 2026.

California CCPA/CPRA Rule Changes 

  • New CCPA/CPRA regulations are operational as of January 1, 2026, broadening annual cybersecurity audit requirements, risk assessments, and automated decision-making disclosures.

4. Other Noteworthy 2026 Privacy-Relevant Developments

AI & Data Privacy Intersection

  • While not strictly privacy laws, several states (especially Colorado) adopt AI risk, data use, and discrimination obligations effective in early 2026. 
  • These intersect with privacy compliance when automated profiling or decision-making occurs in customer-facing apps and services, an area where automated scanning and classification is helpful.

Telemarketing / Communications Opt-Out Extensions

  • Some states (e.g., Virginia) update text and call opt-out duration requirements, such as longer opt-out period obligations under telemarketing law amendments.
  • While primarily communications law, they affect privacy-related messaging systems and consent management workflows.

Summary

Consent Model 

States with “Strong model” (honoring GPC is mandatory): 

  • California, Colorado, Connecticut, Montana, New Hampshire, Nebraska, Texas, New Jersey, Minnesota, Maryland, Oregon, Delaware.

States with “Weak model” (opt-out links in footer/privacy policy, potentially one link per third party):

  • Virginia, Iowa, Tennessee, Indiana, Kentucky, Rhode Island.

Overview Table

| State | Event / Law | Date |
|---|---|---|
| Indiana | New Comprehensive Law | Jan 1 |
| Kentucky | New Comprehensive Law | Jan 1 |
| Rhode Island | New Comprehensive Law | Jan 1 |
| Delaware | Universal Opt-Out Mandatory | Jan 1 |
| California | 30-Day Breach Notification & Delete Act | Jan 1 |
| Oklahoma | Expanded Breach Law (Biometrics) | Jan 1 |
| Virginia | Telemarketing (10-Year Stop) | Jan 1 |
| Colorado | AI Act (Algorithmic Discrimination) | Feb 1 |
| Montana | Right to Cure Expires (Enforcement spike) | Apr 1 |
| New York | Synthetic/AI Performer Rights | June 9 |
| New Jersey | Right to Cure Expires | July |