Indiana, Kentucky and Rhode Island Privacy Laws All Hit on January 1, 2026

Indiana’s ICDPA, Kentucky’s KCDPA, and Rhode Island’s RIDTPPA all became enforceable on January 1, 2026, bringing the total number of US states with comprehensive privacy laws to 19. The Indiana Attorney General has published a Consumer Data Bill of Rights and indicated enforcement through both consumer complaints and proactive investigations, with fines up to $7,500 per violation. All three laws follow the Virginia opt-out model but differ on thresholds, biometric data definitions, and DPIA triggers. For WooCommerce stores selling nationally, this isn’t about adding one more consent banner — it’s about per-jurisdiction event filtering at the server level.

Three Laws, One Day, 19 States

Indiana, Kentucky and Rhode Island didn’t coordinate — but their laws all went live on the same date, creating a triple-state enforcement layer that didn’t exist in Q4 2025.

On January 1, 2026, three comprehensive state privacy laws became enforceable simultaneously, bringing the total number of US states with active consumer privacy legislation to 19 (Cozen O’Connor, 2025). Indiana’s Consumer Data Protection Act (ICDPA), Kentucky’s Consumer Data Protection Act (KCDPA), and Rhode Island’s Data Transparency and Privacy Protection Act (RIDTPPA) each impose data processing obligations, consumer rights frameworks, and enforcement mechanisms on businesses that meet their respective thresholds.

For a WooCommerce store selling nationally, this isn’t one new law. It’s three new jurisdictions with three sets of thresholds, three definitions of sensitive data, and three enforcement timelines — layered on top of the 16 state privacy laws already in force.

The practical question isn’t whether these laws apply to your store — it’s how many of the 19 state laws you’re already subject to without knowing it. A WooCommerce store processing 100,000 unique visitors from Indiana in a calendar year crosses the ICDPA threshold. A store processing just 35,000 Rhode Island consumers crosses the RIDTPPA threshold. The thresholds are lower than most store owners assume.

Indiana ICDPA: Permanent Cure Period, Proactive AG

Indiana’s law is the most business-friendly of the three — but the Attorney General isn’t waiting for complaints to start investigating.

The Indiana ICDPA applies to entities processing personal data of 100,000 or more Indiana residents, or 25,000 residents if more than 50% of gross revenue comes from data sales (Lexology / Koley Jessen, 2026). Consumer rights include access, correction, deletion, data portability, and the right to opt out of targeted advertising, data sales, and profiling. Sensitive data — including health, biometric, racial, religious, and sexual orientation information — requires opt-in consent before processing.

Two features distinguish Indiana from the pack. First, Indiana’s 30-day cure period is permanent (Recording Law, 2026). Unlike Colorado, Connecticut, and other states where cure periods sunset after a set date, Indiana’s cure window doesn’t expire. The AG must provide written notice identifying specific violations, and the business has 30 days to fix the issue before penalties apply. That’s a structural advantage for businesses willing to remediate quickly.

Second, enforcement runs on two tracks. The Indiana Attorney General released a Consumer Data Bill of Rights summarising consumer rights under the ICDPA and indicated enforcement would proceed through both consumer complaints and proactive investigations (Inside Privacy / Covington, 2025). Proactive means the AG’s office can open an investigation without waiting for a complaint — a more aggressive posture than most state privacy laws establish at launch.

Penalties reach $7,500 per violation (Securiti, 2025). With no private right of action, consumers can’t sue directly — but they can file complaints with the AG’s online portal, and those complaints can trigger the investigative process. There’s no cap on cumulative penalties, so a single enforcement action involving thousands of affected consumers can compound rapidly.

Kentucky KCDPA: Same Thresholds, Different Biometric Rules

Kentucky mirrors Indiana on most provisions — but the biometric data definition and DPIA triggers create compliance gaps for stores that assume the two laws are identical.

Kentucky’s KCDPA applies at the same thresholds as Indiana: 100,000 Kentucky residents, or 25,000 with more than 50% of revenue from data sales (LP Legal, 2026). The rights framework is nearly identical — access, correction, deletion, portability, and opt-out rights for targeted advertising, data sales, and profiling.

Where Kentucky diverges is in the details that most compliance checklists miss. Kentucky’s definition of sensitive data includes biometric data, but the scope of what constitutes biometric data differs from Indiana’s definition. A WooCommerce store using facial recognition for age verification or fingerprint authentication for subscription access may be processing biometric data under one state’s definition but not the other.

Kentucky’s law also requires data protection impact assessments (DPIAs) for processing that presents a heightened risk of harm to consumers. The DPIA requirement covers targeted advertising, data sales, processing sensitive data, and profiling — but the threshold for “heightened risk” varies from state to state, creating a patchwork of DPIA obligations across the 19 active jurisdictions.

For practical WooCommerce compliance, treating Kentucky and Indiana as identical is simpler but legally imprecise. The safer approach is the Virginia-model baseline — which both laws follow — with state-specific supplements for definitions that diverge.

Rhode Island RIDTPPA: Lowest Thresholds of the Three

Rhode Island’s law catches smaller stores than Indiana or Kentucky — and requires DPIAs for high-risk processing activities created after January 1, 2026.

Rhode Island’s RIDTPPA applies at significantly lower thresholds: 35,000 consumers, or 10,000 consumers plus 20% of revenue from data sales (CompliancePoint, 2025). That’s less than half the Indiana and Kentucky threshold. A mid-sized WooCommerce store that doesn’t cross the 100,000-consumer bar in Indiana may already be in scope in Rhode Island.

The rights framework follows the same Virginia-model pattern: access, correction, deletion, portability, opt-out from targeted advertising, data sales, and profiling. Sensitive data requires opt-in consent. Rhode Island does not require businesses to honour universal opt-out mechanisms (ArentFox Schiff, 2025) — a departure from states like Colorado and Connecticut that mandate recognition of browser-level Global Privacy Control signals.

Rhode Island requires data protection impact assessments for high-risk processing activities created or generated on or after January 1, 2026 (ArentFox Schiff, 2025). That means DPIAs are not retroactive — processing activities that existed before January 1 are not covered — but any new tracking, profiling, or targeted advertising implementation launched after that date requires an assessment before processing begins.

For a WooCommerce store that launched server-side tracking in February 2026, that’s a DPIA obligation. For a store that’s been running Meta Pixel since 2023, the existing implementation is grandfathered — but any configuration change or new platform integration triggers the assessment requirement.

Side-by-Side: How the Three Laws Differ

The three laws share a Virginia-model foundation but diverge on thresholds, cure periods, and DPIA triggers in ways that matter for WooCommerce compliance.

| Provision | Indiana (ICDPA) | Kentucky (KCDPA) | Rhode Island (RIDTPPA) |
|---|---|---|---|
| Effective date | January 1, 2026 | January 1, 2026 | January 1, 2026 |
| Threshold (consumers) | 100,000 or 25,000 + 50% revenue | 100,000 or 25,000 + 50% revenue | 35,000 or 10,000 + 20% revenue |
| Consent model | Opt-out (opt-in for sensitive) | Opt-out (opt-in for sensitive) | Opt-out (opt-in for sensitive) |
| Cure period | 30 days (permanent) | 30 days | 30 days |
| Penalties per violation | $7,500 | $7,500 | $10,000 |
| Private right of action | No | No | No |
| Universal opt-out required | No | No | No |
| DPIA required | Yes | Yes | Yes (post-Jan 1, 2026 only) |
| Enforced by | Attorney General | Attorney General | Attorney General |

What This Means for WooCommerce Stores Selling Nationally

This isn’t about adding one more consent banner — it’s about per-jurisdiction event filtering at the server level.

A WooCommerce store that sells to customers across the United States is now potentially subject to 19 state privacy laws. Each law has its own thresholds, its own definitions, and its own enforcement timeline. The compliance obligation isn’t a single privacy policy update — it’s an operational architecture that handles different rules for different jurisdictions simultaneously.

The practical impact for WooCommerce tracking is specific. When a visitor from Indiana lands on your store, the tracking events that fire — Meta Pixel, Google Ads tags, GA4 events — must comply with Indiana’s ICDPA requirements. When a visitor from Rhode Island arrives, a different (and lower) threshold may apply. When a Californian visits, CCPA/CPRA rules apply. The consent framework, the data collected, and the events forwarded to ad platforms may need to differ based on the visitor’s jurisdiction.

Browser-side consent management handles the banner. It doesn’t handle per-jurisdiction event filtering. A consent management platform can display different banners to different states, but the decision about which events to fire, which data to include, and which platforms to forward to requires server-level logic that runs after consent is collected and before events leave your infrastructure.

The architectural answer is the same one Seresa has been building toward: server-side event pipelines that detect visitor jurisdiction from IP geolocation, apply the correct consent and data processing rules, and filter events before they reach Meta CAPI, Google Ads, or BigQuery. The tracking infrastructure becomes the compliance infrastructure — not a separate layer bolted on after the fact.
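
One way to express the per-jurisdiction filter described above, as an added example that is not Seresa's code or part of the original post. It assumes the visitor's state has already been resolved from IP geolocation upstream; the policy table, consent keys, sensitive field names and destination labels are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StatePolicy:
    sensitive_opt_in: bool  # sensitive fields need opt-in consent before processing
    honor_gpc: bool         # a browser Global Privacy Control signal counts as an opt-out

# Constructed policy table. IN/KY/RI follow this page's comparison (opt-out
# model, opt-in for sensitive data, universal opt-out not required). CO/CT
# honour GPC as the page states; their sensitive-data flag is an assumption.
POLICIES = {
    "IN": StatePolicy(sensitive_opt_in=True, honor_gpc=False),
    "KY": StatePolicy(sensitive_opt_in=True, honor_gpc=False),
    "RI": StatePolicy(sensitive_opt_in=True, honor_gpc=False),
    "CO": StatePolicy(sensitive_opt_in=True, honor_gpc=True),
    "CT": StatePolicy(sensitive_opt_in=True, honor_gpc=True),
}
# Assumption: an unresolved or unlisted state gets the strictest handling.
DEFAULT_POLICY = StatePolicy(sensitive_opt_in=True, honor_gpc=True)

# Hypothetical destination labels; the first two are advertising endpoints.
DESTINATIONS = ("meta_capi", "google_ads", "bigquery")
AD_DESTINATIONS = {"meta_capi", "google_ads"}
SENSITIVE_KEYS = {"health", "biometric", "race", "religion", "sexual_orientation"}

def route_event(event, state, consent, gpc=False):
    """Return {destination: payload} for every destination the event may reach."""
    policy = POLICIES.get(state, DEFAULT_POLICY)
    # An explicit opt-out always applies; GPC applies only where the state requires it.
    opted_out = consent.get("ads_opt_out", False) or (policy.honor_gpc and gpc)
    payload = dict(event)
    # Without opt-in, sensitive fields are dropped before any destination sees them.
    if policy.sensitive_opt_in and not consent.get("sensitive_opt_in", False):
        payload = {k: v for k, v in payload.items() if k not in SENSITIVE_KEYS}
    return {d: dict(payload) for d in DESTINATIONS
            if not (opted_out and d in AD_DESTINATIONS)}

if __name__ == "__main__":
    # Constructed sample event: the same purchase seen from two states with GPC set.
    sample = {"name": "purchase", "value": 49.0, "health": "rx-refill"}
    for st in ("RI", "CO"):
        print(st, sorted(route_event(sample, st, {}, gpc=True)))
```

The filter runs after consent is collected and before any outbound call, so an event that fails the state's rules never leaves the server.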

Key Takeaways

  • Three laws, one day, 19 states: Indiana, Kentucky and Rhode Island all became enforceable on January 1, 2026. WooCommerce stores selling nationally are now subject to a complex patchwork of state-level privacy obligations.
  • Indiana’s AG is proactive: Enforcement proceeds through both consumer complaints and proactive investigations, with penalties up to $7,500 per violation. The 30-day cure period is permanent but doesn’t protect against all violation types.
  • Rhode Island catches smaller stores: Thresholds of 35,000 consumers (or 10,000 plus 20% revenue) are significantly lower than Indiana and Kentucky’s 100,000-consumer bar.
  • All three require opt-in for sensitive data: Health, biometric, racial, religious, and sexual orientation data require explicit consent before processing — not just opt-out.
  • Per-jurisdiction event filtering is the real compliance fix: Server-side tracking pipelines that detect visitor state and apply different data processing rules before events leave your infrastructure turn tracking architecture into compliance architecture.

How do Indiana, Kentucky and Rhode Island privacy laws affect WooCommerce stores?

If your WooCommerce store sells to customers in any of these states and meets the applicable thresholds, you must provide consumer rights (access, correct, delete, opt-out), obtain opt-in consent for sensitive data, publish compliant privacy notices, and respond to consumer requests within the timeframes each law specifies.

What are the thresholds for each state’s privacy law?

Indiana and Kentucky: 100,000 consumers or 25,000 consumers plus 50% revenue from data sales. Rhode Island: 35,000 consumers or 10,000 consumers plus 20% revenue from data sales. Rhode Island’s thresholds are significantly lower, putting smaller WooCommerce stores in scope.

Does the Indiana ICDPA have a cure period before penalties apply?

Yes. Indiana’s 30-day cure period is permanent and does not sunset on a particular date, which is rare among state privacy laws. The AG must provide written notice identifying specific violations before pursuing penalties of up to $7,500 per violation.

Do these three state laws require opt-in or opt-out consent?

All three follow the Virginia model: opt-out for standard data processing (targeted advertising, sale of data, profiling) and opt-in consent required for sensitive data including health, biometric, racial, and sexual orientation information.

How should a WooCommerce store handle tracking across multiple state privacy laws?

Per-jurisdiction event filtering at the server level. A server-side tracking pipeline can detect a visitor’s state from IP geolocation and apply the correct consent and data processing rules before events are sent to ad platforms — different states trigger different tracking controls automatically.

References

  • Cozen O’Connor – Three States Will Ring in 2026 with New Privacy Laws (December 2025)
  • Lexology / Koley Jessen – New State Privacy Laws Effective January 1, 2026 (January 2026)
  • CompliancePoint – State Privacy Laws Taking Effect in 2026 (December 2025)
  • Securiti – Indiana Consumer Data Protection Act Compliance Guide (February 2025)
  • Inside Privacy / Covington – Indiana Attorney General Releases Data Consumer Bill of Rights (December 2025)
  • LP Legal – New Consumer Data Privacy Laws and Rules for 2026 (January 2026)
  • Recording Law – Indiana Data Privacy Laws: ICDPA Consumer Rights Guide (March 2026)
  • ArentFox Schiff – New Year, New Privacy Obligations (December 2025)
  • CookieScript – 2026 Privacy Laws: KCDPA, RIDTPPA and INCDPA Explained (November 2025)

If your WooCommerce store fires Meta Pixel and Google Ads tags to visitors from 19 different states without per-jurisdiction consent logic, your tracking infrastructure is your compliance liability. Seresa builds server-side event pipelines that detect visitor jurisdiction, apply the correct consent rules, and filter events before they leave your server — turning your tracking architecture into your compliance architecture.