Kentucky and Indiana both have established new consumer data privacy laws that went into effect on January 1, 2026: The Kentucky Consumer Data Protection Act (KCDPA) and the Indiana Consumer Data Protection Act (ICDPA).

As previously reported in our December 4, 2025 blog post titled “The Kentucky Consumer Data Protection Act Goes into Effect on January 1, 2026: Is Your Business Ready?,” the KCDPA is Kentucky’s new consumer privacy law that imposes certain requirements on qualifying businesses that either control or process personal data. For a full explanation of this new law and to determine if your business must comply, please view the December blog post here.

The Kentucky Attorney General established a new Office of Data Privacy to enforce the KCDPA.  The Office of Data Privacy’s webpage provides a portal for consumers to file a complaint alleging violations of the KCDPA. The complaint portal includes a link to KCDPA FAQs, including defined terms and how Kentucky residents can exercise their rights under the KCDPA.

Indiana’s new consumer protection law, the ICDPA, grants similar rights to consumers as the KCDPA and imposes similar requirements on qualifying businesses in order to protect consumers’ personal data that is either collected or used.  The Indiana Attorney General will enforce the new law and released a Consumer Data Bill of Rights providing a summary of the ICDPA and how Indiana residents can exercise their rights under the new law.

Businesses who collect and/or process personal information of a Kentucky resident should review the KCDPA and ICDPA along with the guidance documents published by the Kentucky and Indiana Attorney Generals to understand whether these new laws apply to them and, if so, determine whether they should modify how they collect, use and disclose personal information for compliance with these laws.

Looking for assistance in navigating compliance with the KCDPA and ICDPA? If your business is considered a “controller” or “processor” under the KCDPA or ICDPA, it is imperative that you come into compliance now to avoid any adverse action. If you are unsure whether your business must comply with these new laws, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Young Levi at (859) 288-7469.We work with our clients regarding their policies and procedures related to compliance with state consumer privacy laws, HIPAA, FERPA, GLBA, and other data privacy and security laws and regulations.