Three states, one date, different approaches
January 1, 2026 marked the effective date for three new state privacy laws: Indiana's INCDPA, Kentucky's KCDPA, and Rhode Island's RIDTPPA. While all three grant consumers rights over their personal data, the details differ significantly — especially Rhode Island, which takes a notably different approach from the other two.
Here's what e-commerce businesses need to know about each.
Indiana Consumer Data Protection Act (INCDPA)
Indiana's law closely follows the Virginia model — the same template used by most states that passed privacy laws after 2022.
Who's covered:
- Businesses processing data of 100,000+ Indiana consumers, OR
- 25,000+ consumers while deriving 50%+ revenue from data sales
Key features:
- Full consumer rights: access, correct, delete, portability, opt-out
- Data protection assessments required
- Sensitive data requires opt-in consent
- Permanent 30-day cure period — the AG must give you 30 days to fix violations before enforcement
What's notable: The Indiana AG published a "Data Consumer Bill of Rights" guidance document ahead of the effective date, providing practical interpretation of the law's requirements. This is worth reading if you're assessing your Indiana compliance obligations.
Bottom line: If you're already compliant with Virginia's VCDPA, you're likely compliant with Indiana's law. The requirements are very similar.
Kentucky Consumer Data Protection Act (KCDPA)
Kentucky's law also follows the Virginia model, with some noteworthy additions around health care data.
Who's covered:
- Businesses processing data of 100,000+ Kentucky consumers, OR
- 25,000+ consumers while deriving 50%+ revenue from data sales
Key features:
- Full consumer rights: access, correct, delete, portability, opt-out
- Data protection assessments required
- Sensitive data requires opt-in consent
- Permanent 30-day cure period
- HIPAA and GLBA exemptions
What's notable: Kentucky amended its law before it took effect through HB 473, which clarified exemptions for health care data. If your e-commerce business intersects with health care products or services (supplements, medical devices, health-related personal care), the HIPAA exemption details are relevant.
Bottom line: Another Virginia-model law. Compliance with Virginia, Indiana, or similar states covers most Kentucky requirements.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island is the outlier. While it shares the basic consumer rights framework, several features make it significantly different from the Virginia-model states.
Who's covered:
- Businesses processing data of 35,000+ Rhode Island consumers, OR
- 10,000+ consumers while deriving 20%+ revenue from data sales
These are the lowest thresholds of any state. Rhode Island has a small population (about 1.1 million), but the 35,000 consumer threshold means businesses with relatively modest Rhode Island customer bases are covered.
Key features — and key differences:
No cure period. Rhode Island does not provide a right to cure. The AG can pursue enforcement immediately upon discovering a violation. This puts it in the same category as California, New Jersey, and Maryland.
Full third-party disclosure. This is Rhode Island's most distinctive requirement. Businesses must disclose the identity of ALL third parties to whom personal data is sold. Not categories of third parties — actual identities. This is unique among state privacy laws and requires a level of transparency that many businesses are not accustomed to.
No universal opt-out recognition. Unlike 10 other states, Rhode Island does not require businesses to honor universal opt-out signals like Global Privacy Control.
No enhanced children's protections. Unlike several newer state laws that include heightened protections for minors, Rhode Island's law does not include special children's privacy provisions.
Mixed HIPAA/GLBA treatment. GLBA-regulated entities get a full entity-level exemption, but HIPAA-covered entities only get a data-level exemption. This means health care companies are still subject to RIDTPPA for any personal data that isn't specifically HIPAA-protected.
Side-by-side comparison
| Feature | Indiana | Kentucky | Rhode Island |
|---|---|---|---|
| Consumer threshold | 100,000 | 100,000 | 35,000 |
| Data sale threshold | 25,000 (50%) | 25,000 (50%) | 10,000 (20%) |
| Cure period | 30 days (permanent) | 30 days (permanent) | None |
| Universal opt-out | Not required | Not required | Not required |
| Data protection assessments required | Yes | Yes | No specific requirement |
| Third-party naming | Not required | Not required | Required |
| Children's protections | Standard | Standard | None enhanced |
| HIPAA exemption | Standard | Enhanced (HB 473) | Data-level only |
| GLBA exemption | Standard | Standard | Entity-level |
What this means for e-commerce businesses
If you're already multi-state compliant: Indiana and Kentucky add minimal new obligations. Rhode Island's third-party disclosure requirement is the one that likely needs attention.
If you're just starting compliance: Don't treat these three states identically. Rhode Island's combination of low thresholds, no cure period, and the third-party naming requirement makes it meaningfully harder to comply with than Indiana or Kentucky.
Action items for January 2026 compliance:
- Check your Rhode Island consumer count. The 35,000 threshold includes website visitors, not just purchasers. You might be closer than you think.
- Audit your third-party data sharing. For Rhode Island, you need to name every third party receiving sold data. Start building that list now.
- Review your privacy policy. Add state-specific disclosures for all three states.
- Document your data protection assessments. Required by Indiana and Kentucky.
- Check HIPAA interactions. If you sell health-related products, Kentucky's enhanced HIPAA exemptions and Rhode Island's limited HIPAA treatment both affect your compliance approach.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.