U.S. Privacy Laws (and Key Provisions) That Take Effect or Become Enforceable in 2026
By Karel Kubicek, Senior Privacy Researcher | February 26, 2026
Key Takeaways
- Three new comprehensive state privacy laws took effect on January 1, 2026, in Indiana, Kentucky, and Rhode Island. All three grant consumers rights to access, delete, correct, and port their data, require opt-in consent for sensitive data processing, and are enforced exclusively by their attorneys general with civil penalties up to $7,500 to $10,000 per violation.
- Cure periods are expiring across multiple states, enabling immediate enforcement without a grace period. Delaware’s 60-day cure period ended December 31, 2025. Montana’s expires April 1, 2026. New Jersey’s expires mid-2026. For organizations that relied on cure windows as a buffer against penalties, that safety net is disappearing.
- California’s Delete Act (SB 362) and DROP platform are now operational, creating a centralized deletion mechanism that data brokers must honor by August 1, 2026. California residents can file a single request to delete personal data from hundreds of data brokers, and new CCPA/CPRA regulations effective January 1, 2026, expand cybersecurity audit, risk assessment, and automated decision-making disclosure requirements.
2026 is a turning point in U.S. privacy regulation: multiple new comprehensive state laws go live, enforcement provisions activate, and novel mechanisms (like the California DROP platform) begin requiring operational action from businesses of all sizes.
Which New State Privacy Laws Took Effect on January 1, 2026?
These are laws that become active on Jan 1, 2026, and require compliance from covered entities:
Indiana Consumer Data Protection Act (INCDPA)
- Expands consumer rights (access, delete, correct, portability, opt-out).
- Requires opt-in for sensitive data processing.
- Enforcement: Exclusively by the attorney general. Civil penalty up to $7,500 per violation, plus recovery of reasonable investigation and attorneys’ fees.
Kentucky Consumer Data Protection Act (KCDPA)
- Mirrors Virginia’s model but is business-friendly; includes sensitive data consent and DPIAs.
- Thresholds similar to other comprehensive laws.
- Enforcement: Exclusively by the attorney general. Civil penalty up to $7,500 per violation, plus recovery of reasonable investigation and attorneys’ fees.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
- Consumer rights plus strict transparency obligations.
- Does not include a cure period in many cases, increasing risk exposure.
- Enforcement: Exclusively by the attorney general. Civil penalty up to $10,000 per violation, plus recovery of reasonable investigation and attorneys’ fees.
Why this matters: These states join the existing wave (CA, VA, CO, CT, UT, IA, NE, NH, TN, MN, MD, DE, OK, etc.) in establishing a multi-jurisdictional privacy compliance environment that businesses must prepare for.
What Does California's Delete Act and DROP Platform Require?
The California Delete Act (SB 362) and its Delete Request and Opt-Out Platform (DROP) become functionally enforceable in 2026:
- The DROP portal launched Jan 1, 2026, allowing CA residents to file a single deletion/opt-out request to hundreds of data brokers.
- Data brokers must process delete requests submitted through DROP beginning August 1, 2026 (with defined compliance timelines like reporting status within 45-90 days).
- Residents can now request deletion of personal data, including browsing history and geolocation, via a centralized mechanism.
Impact for businesses: With the platform and its enforcement procedures in place (including potential fines for noncompliance), businesses now need systems that can handle standardized deletion/opt-out requests from California residents.
Which State Cure Periods Are Expiring in 2026?
Several existing laws enter new phases of enforceability in 2026:
Delaware (DPDPA)
- The requirement to honor Universal Opt-Out Mechanisms (UOOMs) becomes mandatory in early 2026.
- The 60-day “right to cure” period sunsets Dec 31, 2025, allowing immediate enforcement in 2026.
Montana Consumer Data Privacy Act (MTCDPA)
- The cure period ends April 1, 2026, meaning violations are enforceable without a grace period.
New Jersey SB 332
- Includes a cure period that expires mid-2026, increasing enforcement risk.
- NJ also requires honoring universal opt-out mechanisms starting mid-2025.
Connecticut, Oregon and Other States (Amendments Effective in 2026)
- Oregon privacy law is being updated effective January 1, 2026, with stricter limits on precise geolocation data and youth data.
- Connecticut is enhancing sensitive data definitions and youth protections effective July 1, 2026.
California CCPA/CPRA Rule Changes
- New CCPA/CPRA regulations are operational as of January 1, 2026, broadening annual cybersecurity audit requirements, risk assessments, and automated decision-making disclosures.
How Do AI and Data Privacy Obligations Intersect in 2026?
AI & Data Privacy Intersection
- While not strictly privacy laws, several states (especially Colorado) adopt AI risk, data use, and discrimination obligations effective in early 2026.
- These intersect with privacy compliance when automated profiling or decision-making occurs in customer-facing apps and services – an area where automated scanning and classification is helpful.
Telemarketing / Communications Opt-Out Extensions
- Some states are updating text and call opt-out duration requirements, for example longer opt-out period obligations under telemarketing law amendments (e.g., Virginia).
- While primarily communications law, they affect privacy-related messaging systems and consent management workflows.
Which States Require Honoring Global Privacy Control (GPC) in 2026?
States with “Strong model” (honoring GPC is mandatory):
- California, Colorado, Connecticut, Montana, New Hampshire, Nebraska, Texas, New Jersey, Minnesota, Maryland, Oregon, Delaware.
States with “Weak model” (opt-out links in footer/privacy policy, potentially one link per third party):
- Virginia, Iowa, Tennessee, Indiana, Kentucky, Rhode Island.
2026 U.S. Privacy Law Timeline
| State | Event / Law | Date |
|---|---|---|
| Indiana | New Comprehensive Law | Jan 1 |
| Kentucky | New Comprehensive Law | Jan 1 |
| Rhode Island | New Comprehensive Law | Jan 1 |
| Delaware | Universal Opt-Out Mandatory | Jan 1 |
| California | 30-Day Breach Notification & Delete Act | Jan 1 |
| Oklahoma | Expanded Breach Law (Biometrics) | Jan 1 |
| Virginia | Telemarketing (10-Year Stop) | Jan 1 |
| Colorado | AI Act (Algorithmic Discrimination) | Feb 1 |
| Montana | Right to Cure Expires (Enforcement spike) | Apr 1 |
| New York | Synthetic/AI Performer Rights | June 9 |
| New Jersey | Right to Cure Expires | July |

Karel Kubicek
Senior Privacy Researcher, Vault JS
He holds a PhD from ETH Zurich in automated privacy compliance and was previously a postdoctoral researcher at INRIA. His work focuses on using machine learning to measure and detect privacy violations at scale, and he led the development of CookieBlock, a privacy-enhancing browser extension with over 20,000 installations that received a USENIX Security Distinguished Artifact Award.