Three new state privacy laws go live in 2026, plus Connecticut's expanded sensitive data rules covering neural and genetic information.
Topics: US Privacy, CTDPA, Indiana, Kentucky, Rhode Island, Multi-State
The United States is entering a new phase of state-level privacy regulation. In 2026, this "patchwork" finally becomes a real compliance minefield. For mid-sized consultancies and service providers, the complexity is now impossible to ignore.
New 2026 State Laws Go Live
Indiana, Kentucky, and Rhode Island each bring new Consumer Data Protection Acts into force on January 1, 2026. These laws follow the general pattern of earlier state frameworks, but they extend coverage and rights further.
They apply to many organisations that process personal data about state residents, regardless of where the company is headquartered. Consequently, UK and EU providers with US clients will feel these obligations through contracts and vendor assessments.
All three laws give residents rights to access, correct, delete, and port personal data. However, they also grant rights to opt out of profiling and targeted advertising, which raises the stakes for digital marketing teams.
Profiling And Targeted Advertising Under Pressure
Profiling and targeted advertising are not new concepts in US privacy laws. Yet each wave of state laws brings sharper definitions and enforcement tools.
Indiana, Kentucky, and Rhode Island now explicitly treat targeted advertising as a distinct processing purpose that requires clear opt-out mechanisms. This means organisations must manage cookies, trackers, and cross-site tools with more precision.
Furthermore, profiling for significant decisions, such as lending or eligibility, faces higher scrutiny. Organisations must be ready to explain how profiles are built and how they influence outcomes.
Connecticut’s New Sensitive Data Categories
While these three laws go live, Connecticut’s Data Privacy Act (CTDPA) receives important updates in 2026. The scope of "sensitive data" expands to include neural data and genetic information.
Neural data can include information generated by brain-computer interfaces or similar technologies. Genetic data relates to inherited or acquired characteristics that provide unique information about a person’s physiology.
Because these categories now require explicit opt-in consent, any firm dealing with advanced health, neuroscience, or biometric products faces higher obligations. They must ensure collection is minimised, consent is documented, and security controls match sensitivity.
Why The Patchwork Hurts Mid-Sized Consultancies
Large enterprises can usually absorb regulatory change with internal legal teams and dedicated privacy officers. Mid-sized consultancies, however, often manage privacy as one responsibility among many.
They may support clients across several US states, each with slightly different rights and definitions. As the patchwork grows, the effort required to track obligations and update notices increases exponentially.
Without a centralised approach, teams risk inconsistent notices, outdated consent language, and gaps in sensitive data mapping. These gaps become visible when clients face audits or regulator questions.
How Privacy360 Simplifies Multi-State Compliance
Privacy360 is designed for exactly this type of fragmented environment. Its multi-jurisdictional engine helps organisations apply the correct rules across regions without duplicating effort.
For US privacy in 2026, Privacy360 can:
- Deploy Multi-State Privacy Controllers that adjust notices based on visitors’ US locations.
- Align consent and opt-out options with Indiana, Kentucky, Rhode Island, and other state laws.
- Map sensitive data, including neural, genetic, and biometric information, so teams understand where higher standards apply.
Additionally, Privacy360 supports Data Subject Access Requests under multiple laws from one interface. Teams can respond consistently while respecting state-specific requirements and deadlines. See how the operational modules fit together across jurisdictions.
For organisations that need strategic guidance on the US patchwork, Formiti provides global privacy consulting services. Its experts help design multi-state privacy strategies, update data maps, and negotiate contract terms with US partners. Learn more at Formiti – Global Data Protection Consultancy.
Do you currently treat US state privacy as one unified framework, or do you differentiate obligations by individual state?