Don’t Drop the Ball on January 1: Three States Ring in Major Privacy Changes

With only a month left in 2025, businesses that handle consumer data should be preparing for three new state privacy laws taking effect on January 1 in Indiana, Kentucky, and Rhode Island. Each law fits within the growing patchwork of U.S. privacy regulation, but the applicability thresholds differ enough that companies may find themselves covered in one state but not another.

Indiana Consumer Data Protection Act:

• Applies to businesses processing 100,000+ consumer records, or

• 25,000+ records if over 50% of revenue comes from selling personal data.

Kentucky Consumer Data Protection Act:

• Applies to businesses processing 100,000+ consumer records, or

• 25,000+ records with over 50% of revenue from data sales.

Rhode Island Data Transparency and Privacy Protection Act:

• Applies to businesses processing 35,000+ consumer records (payment data excluded), or

• 10,000+ records with 20%+ revenue from selling personal data.

All three laws give consumers rights to access, correct, delete, and obtain their data and to opt out of targeted ads, data sales, and certain profiling. Rhode Island goes further with consent for sensitive data, expanded disclosures, and impact assessments for higher-risk processing.

None of the laws provides a private right of action. Enforcement is limited to state attorneys general. Each law also includes several exemptions, such as those for employment data, nonprofit organizations, and other specified categories. 

With January 1 approaching, this is a good moment to pressure-test your privacy program. Use the countdown to map your data, rethink legacy practices, and close gaps before regulators start asking questions. Reach out if you need help determining if the new laws apply.