
New Privacy Laws in Kentucky, Indiana, Rhode Island, and Updated Rules in Oregon and California
On January 1, 2026, the three latest state consumer data privacy laws will become effective in Kentucky, Indiana, and Rhode Island, accompanied by important amendments to Oregon’s existing privacy law. At the same time, California has adopted major updates to the CCPA regulations, some of which require immediate dealership action, with additional requirements taking effect in 2027. These developments reflect the rapidly growing number of states enacting comprehensive privacy laws and the increasing complexity dealers must navigate when handling consumer data.
DEALERS TAKE NOTE:
If you are in Kentucky, Indiana, Rhode Island, Oregon, or California, you must take action today to ensure you are complying with the new (or amended) laws. ComplyAuto has held or is soon holding webinars on each state law with further details. (Contact info@complyauto.com and/or your state dealer association for webinar links and details.)
If you are not already using ComplyAuto Privacy, contact us today to ensure you are ready to meet these deadlines.
Kentucky Consumer Data Protection Act
Kentucky’s new privacy law, the Kentucky Consumer Data Protection Act, takes effect on January 1, 2026. It applies to businesses operating in Kentucky or targeting Kentucky residents that control or process the data of at least 100,000 consumers annually, or 25,000 consumers while deriving 50% or more of gross revenue from the sale of personal data. The law does not apply to information collected in an employment or commercial (B2B) context.
Kentucky residents gain rights to access, correct, delete, and obtain copies of their data, as well as opt out of the processing of their personal data for targeted advertising, sales of personal data, and certain automated decision-making. ‘Sale’ of personal data is defined as a sale for monetary consideration only. Controllers must respond to consumer requests within 45 days (with one 45-day extension), allow appeals, and provide consumers with an online mechanism to submit complaints to the Attorney General.
Sensitive data—including health, sexual orientation, immigration status, biometric identifiers, children’s data, and precise geolocation within 1,750 feet—may not be processed without consent.
Indiana Consumer Data Protection Act
Indiana’s new law, the Indiana Consumer Data Protection Act, closely mirrors Kentucky’s and applies to businesses that control or process the personal data of 100,000 consumers, or 25,000 consumers and derive at least 50% of gross revenue from data sales. It similarly excludes B2B and employment information.
Like Kentucky, Indiana grants rights to confirm, access, correct, delete, and obtain copies or summaries of personal data, and to opt out of targeted advertising, the sale of data, and profiling that produces legal or similarly significant effects. ‘Sale’ of personal data is defined as a sale for monetary consideration only. Controllers face the same 45-day response timeline, a possible 45-day extension, a mandatory appeals process, and exclusive enforcement by the Attorney General with a 30-day right to cure.
Sensitive data may not be processed without consent, and precise geolocation is defined using the same 1,750-foot standard.
Rhode Island Data Transparency and Privacy Protection Act
Rhode Island’s new law, the Rhode Island Data Transparency and Privacy Protection Act, will also become effective on January 1, 2026. It applies to businesses that control or process the personal data of 35,000 customers (excluding payment transaction data) or 10,000 customers while deriving at least 20% of gross revenue from the sale of data. Like the other states, the law does not apply to employment or commercial contexts.
Rhode Island grants consumers the rights to access, correct, delete, and obtain copies of their data, and to opt out of targeted advertising, sales, and automated profiling decisions with legal or similarly significant effects. Rhode Island uses a broader definition of ‘sale’ of personal data as a sale for monetary or other valuable consideration. The law expressly permits authorized agents to submit requests on behalf of consumers, requires controllers to respond within 45 days with a possible 45-day extension, and mandates that appeals be resolved within 60 days.
Sensitive data—including health conditions, sexual orientation, immigration status, biometric data, children’s data, and precise geolocation—cannot be processed without consent. Violations constitute unfair or deceptive acts or practices, and the Attorney General maintains enforcement authority.
Oregon Updates
Oregon has added new restrictions to its privacy law that significantly limit the sale of certain types of personal data. Beginning January 1, 2026, a controller may not sell the personal data of a consumer if it knows, or willfully disregards, that the consumer is under 16 years old, nor may it sell precise geolocation data that identifies a consumer’s present or past location (or a device linked to the consumer) within a 1,750-foot radius. The restriction on selling precise geolocation data is most likely to affect dealers, significantly narrowing the circumstances in which location data may be monetized or shared.
CCPA Regulations Updates
In addition to these new state laws, California has adopted substantial updates to the CCPA regulations that dealers should begin preparing for immediately, which we covered in more detail in this article from August. While more complex obligations (such as privacy risk assessments, cybersecurity audits, and automated decision-making rules) will take effect starting January 1, 2027, several near-term requirements directly affect dealership websites, disclosures, and data practices. Dealers must now display the “Do Not Sell or Share My Personal Information” link on every webpage where personal information is collected, ensure cookie banners avoid dark patterns, and avoid bundling privacy terms with general terms of use. California also expanded the requirement to provide a notice of the right to limit sensitive personal information: dealers must deliver this notice through the same method used to collect the information, which requires updating showroom signage and including the notice in phone scripts. Privacy policies must now clearly identify meaningful categories of third-party recipients (such as OEMs, finance companies, or marketing vendors), and dealers should review service provider contracts to ensure they include required CCPA language. California also added stricter requirements around verifying and processing requests involving sensitive data. Additionally, dealers must confirm when opt-out requests have been processed and notify third parties of consumer opt-out requests.
Honoring Consumer Rights Is The De Facto Standard
State consumer privacy laws are complex and vary widely, making it difficult for dealers to determine their exact obligations. Complying with all applicable state privacy laws is not only best practice (even if a dealership concludes that its state law may not clearly apply); these laws have also arguably become the new de facto legal and consumer protection standard with respect to consumer data.
Moreover, there are several independent reasons to comply with state consumer privacy laws:
- Industry Standard: These laws have effectively become the nationwide benchmark for consumer privacy. Every dealer should maintain a clear, compliant privacy notice, regardless of state requirements.
- Customer Expectations: Many dealers choose to honor privacy requests rather than explain exemptions to consumers.
- Operational Simplicity: Larger and multi-state dealer groups often apply the same privacy practices across all stores to avoid case-by-case determinations.
- OEM or Other Contractual Requirements: Many OEMs, finance sources, and others routinely require dealers to adopt certain privacy practices and to comply with state privacy laws by policy or contract.
- Uncertain Exemptions: The scope of exemptions—especially GLBA entity exemptions—is unsettled and varies by state. Some states have even repealed exemptions due to concerns about their breadth. Dealers should discuss these nuances with their attorneys.
Given these factors, many dealerships choose to follow these privacy standards—even in states without such laws or where they may technically be exempt.
ComplyAuto Has Dealers Covered
Complying with this patchwork of laws can be challenging, but ComplyAuto has already simplified the process. Our Privacy solution meets the latest requirements in these and all other state privacy laws (and federal law). We make it simple for you.
If you have questions or want to automate your privacy compliance, contact ComplyAuto. Our solutions make compliance simple, automatic, and efficient—putting your dealership at the forefront of state privacy compliance.