TL;DR
In 2026, several US state privacy laws come into force or expand: Indiana, Kentucky, and Rhode Island enacted comprehensive privacy laws effective in 2026; Maryland's MODPA goes into operative effect April 1, 2026; California's revised CCPA regulations added new ADMT (automated decision-making technology) and risk assessment rules; the federal COPPA rule update has an April 22, 2026 compliance deadline. This post is a state-by-state checklist you can use to track obligations. Save each policy and notice as a PDF with Convert: Web to PDF for your compliance binder. For collecting structured data from regulator notices and law-tracking sites, ScrapeMaster helps build a tidy compliance database while you browse.
The Quick Answer: What's Effective in 2026
| Law | State / Authority | Operative Date in 2026 | What's New |
|---|---|---|---|
| Indiana Consumer Data Protection Act | Indiana | January 1, 2026 | Comprehensive privacy law |
| Kentucky Consumer Data Protection Act | Kentucky | January 1, 2026 | Comprehensive privacy law |
| Rhode Island Data Transparency and Privacy Protection Act | Rhode Island | January 1, 2026 | Comprehensive privacy law |
| Maryland Online Data Privacy Act (MODPA) | Maryland | April 1, 2026 (operative date for processing) | Strict data minimization, sensitive data limits |
| Minnesota Consumer Data Privacy Act | Minnesota | January 1, 2026 (some provisions) | Comprehensive privacy law |
| Updated CCPA Regulations (ADMT, risk assessments, audits) | California (CPPA) | January 1, 2026 (effective); phased timelines after | ADMT, risk assessments, mandatory cybersecurity audits |
| COPPA (federal, FTC) | United States | April 22, 2026 (compliance deadline) | New consent, retention, disclosure rules |
This is the broad picture. Each law has scope thresholds, exemptions, and definitions that determine whether your business is covered.
Indiana Consumer Data Protection Act (ICDPA)
Effective: January 1, 2026.
Scope: Persons conducting business in Indiana or producing products/services targeted to Indiana residents that meet specific thresholds (annual processing of personal data of 100,000 consumers or 25,000 consumers and 50% revenue from sale of data).
Consumer rights: Access, correction, deletion, portability, opt-out of sale and targeted advertising.
Key obligations:
- Privacy notice with specified content
- Data Protection Assessments (DPAs) for high-risk processing
- Contracts with processors meeting required terms
- Reasonable security practices
Sensitive data: Requires consent (or, for known children, age-appropriate authorization).
Enforcement: Indiana Attorney General. No private right of action.
What to save now: Your privacy notice as published on January 1, 2026; any consumer rights request templates; your processor agreements.
Kentucky Consumer Data Protection Act
Effective: January 1, 2026.
Scope: Similar to ICDPA. Thresholds based on processing volume and revenue from data sale.
Consumer rights: Access, correction, deletion, portability, opt-out rights.
Key obligations: Privacy notice; DPAs; processor contracts; reasonable security.
Notable feature: Kentucky's law largely tracks the broader Virginia/Indiana model.
Enforcement: Kentucky Attorney General; no private right of action.
Rhode Island Data Transparency and Privacy Protection Act
Effective: January 1, 2026.
Scope: Persons conducting business in Rhode Island that meet thresholds.
Consumer rights: Standard set (access, correction, deletion, portability, opt-out).
Key feature: Stronger transparency requirements around what data is collected and shared. Privacy notices must specifically describe categories of data sold or shared and identify third parties.
Enforcement: Rhode Island Attorney General. The law also includes consumer-friendly transparency provisions.
Maryland Online Data Privacy Act (MODPA)
Effective: October 1, 2025. Operative date for processing personal data: April 1, 2026.
This split is important: the law was enacted earlier but doesn't apply to ongoing processing until April 1, 2026.
Scope: Persons conducting business in Maryland or targeting Maryland residents that meet thresholds (35,000 consumers; 10,000 consumers and 20% revenue from data sale).
Consumer rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising, and certain profiling.
Distinctive features:
- Strict data minimization. MODPA requires that personal data collection be limited to what is reasonably necessary and proportionate to the purposes disclosed.
- Sensitive data restrictions. Sale of sensitive data is largely prohibited; processing requires consent and limitations.
- Children's data. MODPA imposes additional obligations around children's data (under 18 in some cases).
- Geofencing of sensitive locations. Restricts geofencing around sensitive locations.
Enforcement: Maryland Attorney General.
MODPA is among the strictest US state privacy laws. If your business collects data on Maryland residents, the April 1, 2026 operative date for processing is the deadline to have controls in place — not the October 2025 effective date.
Minnesota Consumer Data Privacy Act
Effective: January 1, 2026 (for most controllers and processors).
Scope: Thresholds similar to Virginia model.
Consumer rights: Access, correction, deletion, portability, opt-out, plus rights related to profiling.
Distinctive features:
- Right to question profiling decisions
- Strong DPA requirements
- Enforcement involves Minnesota Attorney General
California: CCPA Updates and ADMT (Automated Decision-Making Technology)
California's CCPA, as amended by the CPRA, has continued to evolve. The CPPA finalized regulations covering several new areas effective January 1, 2026:
Automated Decision-Making Technology (ADMT)
Businesses using ADMT for significant decisions (employment, housing, financial services, healthcare, education, essential goods) must:
- Provide pre-use notice
- Honor opt-out rights
- Allow access to information about how the ADMT works
- Conduct risk assessments before deployment
Risk Assessments
Required before initiating any processing that presents significant risk to consumer privacy. Documents must:
- Identify the processing purposes
- Identify categories of data processed
- Identify benefits and risks
- Identify safeguards
- Be retained and made available to the CPPA on request
Cybersecurity Audits
For businesses meeting specified revenue/data-volume thresholds, annual independent cybersecurity audits are mandatory. First certifications phased starting April 1, 2028 based on size.
Data Broker Audits
The CPPA is accepting preliminary comments on Data Broker Audit regulations through 2026. Data brokers are increasingly subject to specific rules.
For a deeper dive on ADMT specifically, see our piece on CCPA 2026 neural data and ADMT.
Federal: COPPA April 22, 2026 Compliance Deadline
The FTC's updated COPPA rule has a compliance deadline of April 22, 2026. Operators of sites and services directed to children (or with actual knowledge of collecting data from children under 13) must:
- Update privacy policies to reflect new requirements
- Implement new verifiable parental consent practices
- Apply new data retention limits
- Update disclosure practices
This is federal, applies nationwide, and comes from the FTC. State laws don't displace it; they overlap.
For COPPA-specific guidance see our COPPA April 2026 deadline guide.
What This Means If You Operate Across States
If your business operates in many US states (typical for any web service), you face a layered compliance environment:
Adopt the strictest applicable rule. When laws overlap, applying the most stringent rule across all users is administratively simpler than tracking per-state rules.
Sensitive data: opt-in, not opt-out. Several state laws (and MODPA particularly) treat sensitive data with stricter consent rules. Build opt-in sensitive data flows.
Consumer rights endpoint. A unified rights request mechanism (for access, deletion, opt-out) reduces operational complexity.
Data Protection / Risk Assessments. Multiple laws require these. Maintaining a single template that covers all required elements is efficient.
Universal Opt-Out signals (GPC). California, Colorado, and others recognize the Global Privacy Control. Honor it broadly.
Cookie banners. State laws differ, but a banner providing opt-outs (sale, sharing, targeted advertising) covers most.
What to Save in Your Compliance Binder
For each law, capture and save as PDF:
- The statute itself (the official text from state legislative sites)
- Any final regulations (e.g., CPPA's ADMT rules)
- Your privacy notice as published on the effective date
- Your DPA/risk assessment templates
- Your consumer rights request workflow
- Processor agreements (template + key signed)
- Vendor list with privacy classifications
- Any AG / regulator guidance documents
- Your data inventory snapshot at the effective date
Why PDF? Statutes and regulations get amended. Your privacy notice changes. The version that was in effect on a specific date matters for compliance defense. PDFs capture a date-stamped record.
Use Convert: Web to PDF for online statutes and regulator pages. Use Convert: Anything to PDF for internal Word, Excel, and email-based compliance materials.
Tracking Updates: Why Scraping Helps Compliance
Privacy laws change constantly. State AGs publish guidance. The CPPA issues new advisories. The FTC updates COPPA enforcement. Tracking all of this manually is impractical.
ScrapeMaster helps you collect data from law-tracking sites (IAPP, state AG pages, FTC press releases) as structured data while you browse. Build a CSV of "Date | Source | Title | URL | Summary | Affects [Indiana, Kentucky, etc.]" that you can review and triage for changes that matter.
This keeps your compliance team focused on changes that affect your business rather than reading the entire universe of privacy commentary.
Comparison: 2026 State Privacy Laws Side-by-Side
| Feature | Indiana | Kentucky | Rhode Island | Maryland (MODPA) | Minnesota | California (updated) |
|---|---|---|---|---|---|---|
| Effective | Jan 1, 2026 | Jan 1, 2026 | Jan 1, 2026 | Apr 1, 2026 (operative) | Jan 1, 2026 | Jan 1, 2026 (regs) |
| Consumer rights | Standard | Standard | Standard + transparency | Standard + strong | Standard + profiling | Comprehensive |
| Sensitive data | Consent | Consent | Consent | Strong limits | Consent | Limit/right to limit |
| Data minimization | General | General | General | Strict | General | General |
| Universal opt-out signal | Yes (eventually) | Yes | Yes | Yes | Yes | Yes (GPC) |
| Private right of action | No | No | No | No | No | Limited (breach) |
| Enforcement | AG | AG | AG | AG | AG | CPPA + AG |
Maryland's strict data minimization is the standout — it's enforceable in a way the more general "purpose-limited" language in other state laws is not.
Frequently asked questions
Which states have new privacy laws taking effect in 2026?
Indiana, Kentucky, Rhode Island, and Minnesota take effect January 1, 2026. Maryland's MODPA is operative for processing on April 1, 2026. California's updated CCPA regulations (ADMT, risk assessments, cybersecurity audits) became effective January 1, 2026 with phased deadlines.
What is the Maryland Online Data Privacy Act (MODPA)?
MODPA is Maryland's comprehensive privacy law. It was enacted to take effect October 1, 2025, but does not apply to processing of personal data until April 1, 2026. MODPA includes strict data minimization rules, strong sensitive data protections, and additional obligations around children's data.
When does COPPA's update take effect?
The FTC's updated COPPA rule has a compliance deadline of April 22, 2026. Sites and services directed to children must implement updated consent, retention, and disclosure practices by then.
Do these state laws apply to my business?
Each law has scope thresholds. Common thresholds: processing personal data of 100,000+ consumers in the state, or 25,000+ consumers AND 50% revenue from data sale (varies). If you operate a national web service, you almost certainly hit thresholds in multiple states.
Is there a federal privacy law to follow instead?
There is no comprehensive federal privacy law as of 2026. There are sectoral laws (HIPAA, GLBA, COPPA, FERPA) and state laws. Compliance requires tracking the patchwork.
What is ADMT under California law?
Automated Decision-Making Technology (ADMT) covers algorithmic systems used in significant decisions like employment, financial services, housing, and health. The CPPA's 2026 regulations require pre-use notice, opt-out rights, access to ADMT logic, and risk assessments.
How should I document my compliance?
Maintain a compliance binder (digital folder of dated PDFs) with: privacy notices, DPAs / risk assessments, processor contracts, data inventories, consumer rights logs, and regulator correspondence. Save each as PDF on the effective date so you have a snapshot of compliance state.
Are state privacy laws enforced privately or only by AGs?
Most state privacy laws (Indiana, Kentucky, Rhode Island, Minnesota, Maryland) are enforced exclusively by state attorneys general and have no private right of action. California has a limited private right of action for certain data breaches.
What does "operative date" mean for MODPA?
MODPA's effective date is October 1, 2025 (when the law became part of Maryland code), but it doesn't apply to processing of personal data until April 1, 2026 — meaning controllers don't have to comply with the data-handling requirements until that date.
How does ScrapeMaster help with privacy compliance?
ScrapeMaster lets you build structured records as you browse regulator websites, AG announcements, and law tracking sites. You get a CSV/JSON of source documents, dates, and summaries — useful for compliance teams tracking changes across multiple jurisdictions.
Bottom Line
2026 is the year US state privacy law became comprehensive across most US population. Indiana, Kentucky, Rhode Island, Minnesota, Maryland (operative April 1), and California (updated regs) all impose meaningful obligations. The federal COPPA update on April 22 adds another layer.
For each law and each obligation, document. Save the statute, the regulations, your privacy notice, your processor contracts, and your DPAs as date-stamped PDFs. Use Convert: Web to PDF for online sources and Convert: Anything to PDF for internal documents.
For ongoing tracking of regulator updates, AG enforcement actions, and law amendments, use ScrapeMaster to build a structured compliance database from the sites your team monitors. And when you find a long analysis piece from a privacy law firm or research site, CineMan AI summarizes it inline so you can capture the key points alongside the source.