
CBA Blog

Indiana & Kentucky Privacy Laws Go Live in the New Year

As businesses prepare for the holiday season and the new year inches closer, now is the time to revisit Indiana and Kentucky’s comprehensive data privacy laws taking effect on January 1, 2026. As data privacy laws travel east and become effective across the Midwest, many businesses that target consumers in Indiana and Kentucky will have increased risk despite previous efforts to comply with more onerous regulations. In addition to Indiana, nine other state AGs have joined a Bipartisan Consortium of regulators intending to coordinate and share resources to enforce their respective state privacy laws. These laws will have an impact on businesses, including those based in Ohio, that collect or process personal data from residents of these neighboring states. The laws establish new consumer rights, impose obligations on businesses, and set forth substantial penalties for non-compliance. Below is an overview of the key provisions in each law and what businesses should do to prepare for the new year.

Applicability and Exemptions

The Kentucky Consumer Data Protection Act (KCDPA) and Indiana Consumer Data Protection Act (ICDPA) both apply to businesses that either conduct business in the applicable state or target products or services to the state’s residents and, during a calendar year, control or process personal data of at least 100,000 of the state’s consumers, or control or process data of at least 25,000 of the state’s consumers and derive over 50% of gross revenue from the sale of personal data. Exemptions include:

  • State and local government entities
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates under HIPAA
  • Nonprofit organizations
  • Institutions of higher education
  • Certain public utilities and organizations assisting law enforcement or first responders

Consumer Rights

Both laws grant consumers a suite of rights regarding their personal data. Businesses subject to the laws must provide consumers with the ability to:

  • Access their personal data
  • Correct inaccuracies in their personal data
  • Delete personal data provided by or obtained about the consumer
  • Obtain a copy (or summary, in Indiana) of their personal data in a portable format
  • Opt out of:
    • Targeted advertising
    • The sale of personal data
    • Profiling that produces legal or similarly significant effects

Business Obligations

Covered businesses must comply with a range of requirements, including:

  • Implementing reasonable administrative, technical, and physical data security practices
  • Limiting data collection and processing to what is necessary and relevant for disclosed purposes
  • Obtaining consent before processing sensitive data
  • Providing clear, accessible, and meaningful privacy notices that detail data practices and consumer rights
  • Entering into contracts with data processors that set forth data handling obligations and responsibilities

Enforcement and Penalties

Enforcement of both the Kentucky and Indiana laws is handled exclusively by the respective state Attorneys General, with no private right of action. Key enforcement provisions include:

  • A 30-day notice and cure period before any enforcement action is initiated
  • Civil penalties of up to $7,500 per violation
  • Recovery of investigation and legal costs by the Attorney General

Conclusion

With both Indiana and Kentucky’s data privacy laws taking effect on January 1, 2026, this is the time for businesses to review their data collection, processing, and security practices. Key steps include:

  • Assessing whether your business meets the applicability thresholds in either state
  • Reviewing and updating privacy notices and internal procedures
  • Ensuring contracts with data processors meet statutory requirements
  • Implementing or enhancing data security measures
  • Preparing to respond to consumer requests regarding their data
