Identity, Privacy, Governance, Risk and Compliance, Government Regulations, Government security

New year brings new privacy laws in Kentucky, Indiana and Rhode Island

Abstract tech background with a judge gavel, blending justice with advanced technology.

State privacy laws in Kentucky, Indiana, and Rhode Island went into effect Jan. 1, 2026. The total number of states enacting such laws is now 19, but security professionals don’t necessarily view these measures as progress.

“The arrival of the Kentucky, Indiana, and Rhode Island laws should not be celebrated as progress,” said Ted Miracco, chief executive officer at Approov. “The U.S. remains the only major global economy that treats human privacy as a local issue rather than a national security imperative.” 

Miracco said it’s an especially egregious failure at a time when our industry enters the era of Vibe programming and AI-driven fraud. With “AI slop” and deep fake consumer fraud skyrocketing, Miracco said the country's regulatory response has become “a mess of state-level geofencing bans."

Denis Calderone, chief operating officer at  Suzu Labs, added that of the three new state laws, only Rhode Island has raised the privacy bar.

Rhode Island's legislation has a proactive disclosure requirement that forces companies to publish who they're selling data to by name, not just category, without waiting for consumers to ask, Calderone explained.

“That goes beyond what even the California privacy law requires,” said Calderone. “The entire industry is waiting for a national standard, rather than this patchwork of state regulations. The past and existing federal efforts to build a national standard have been stalled or just dying on the vine. These efforts continue at the federal level, but until something passes, these state laws, like Rhode Island, will continue to act as the proving ground.”

Calderone pointed out that if proactive disclosure works at the state level without the industry collapsing, that removes the “too burdensome” objection that has stalled federal legislation. On the flip side, Calderone said history suggests that it could end up weaker than the strictest state requirements — not stronger — the louder the industry pushes for a national privacy law.

“Companies betting on federal law to simplify their lives might get a floor, not a ceiling,” said Calderone.

Industry affect of global patchwork of regulations

Heath Renfrow, co-founder and CISO at Fenix24, added that despite the challenges of managing all the different laws, state attorneys general are becoming more sophisticated, and privacy enforcement increasingly overlaps with breach response, incident investigations, and cyber insurance scrutiny.

“In a fragmented regulatory environment, the organizations that fare best are the ones treating privacy as an operational capability — embedded into security, recovery, and resilience — rather than a once-a-year compliance update,” said Renfrow.

Tim Mackey, head of software supply chain risk strategy at Black Duck, pointed out that managing a tapestry of privacy regulations in the U.S. isn’t easy, but it’s not just an American problem. Companies over the years have had to maintain compliance with multiple global regulations in which the legal frameworks are often fundamentally different than where the business is headquartered, he continued.

“One tactic in dealing with privacy requirements is to distill them down to essential requirements and then implement strong governance around those requirements,” said Mackey. “It’s far more than just a least common denominator effort. Instead, it should be thought of as establishing a guidebook for internal teams to know when they are on the safe side of the line and encourage them to engage if they find themselves straying closer to the line.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds