U.S. state privacy enforcement is increasing as several laws took effect on January 1, 2026. New California regulations under the CCPA expand requirements for automated decision-making technology, risk assessments, and cybersecurity audits, and launch the DROP data-broker deletion/opt-out platform. Comprehensive privacy laws in Indiana, Kentucky, and Rhode Island also began, bringing data subject rights, impact assessments, and opt-out rules. Oregon’s privacy updates and phased implementations further broaden state-level obligations.
